[Samba] User cannot access member server share by name, only by IP

Rowland Penny rpenny at samba.org
Fri Dec 2 18:45:50 UTC 2022 


On 02/12/2022 18:11, Luke Barone via samba wrote:
> I think I found the issue, just not the resolution.
> 
> While researching, I tried to flush the winbind cache. This looked to work
> until this morning. The Staff group for the domain has an ID of 70012 (for
> those paying attention - not part of the domain range, but part of the *
> range) on the ACL of the folder, but 101109 when I run `id` while logged in
> as a user of that group (and their user ID appears to be 70010!). When I
> login as another user in the group, it shows as 70012 in the `id` command
> though! The user's ID in this case is 101471.
> 
> Obviously there is an issue with how the usernames are mapped. What I need
> to know is how do I move past this? Can I manually change the uid being
> reported on the member server for these users to be in the 100_000 range?
> Or am I at the whim of winbind?
> 
> On Tue, Nov 29, 2022 at 2:32 PM Luke Barone <lukebarone at gmail.com> wrote:
> 
>> To add to this: On the file server, I see this line repeated constantly
>> for the computer the user is working on:
>>
>> [2022/11/29 14:23:36.559926,  0]
>> ../../source3/smbd/service.c:166(chdir_current_service)
>>    chdir_current_service: vfs_ChDir(/usr/local/share/Staff) failed:
>> Permission denied. Current token: uid=70010, gid=100513, 8 groups: 100513
>> 101109 70011 101202 70002 70003 70010 70001
>>
>> I'm feeling that's wrong, given the range in the config file. Is this
>> something that can be repaired, or do I have to wipe and redo the
>> account(s)?
>>
>> On Tue, Nov 29, 2022 at 2:18 PM Luke Barone <lukebarone at gmail.com> wrote:
>>
>>> I have 2 DCs and a member server, all running on Debian Bullseye, version
>>> 4.13.13-Debian. Recently, some users cannot access folders that are being
>>> shared on the member server.
>>>
>>> I can run `su -s/bin/bash USERNAME`, then cd into the directory just
>>> fine. From the Windows workstation, it's not always working. Most recently,
>>> I was able to fix one share by flushing the winbind cache (net cache
>>> flush). The other main share they're using is fixed temporarily by mapping
>>> to the IP address vs the FQDN (or hostname). This is leading me to think
>>> this is a Kerberos issue.
>>>
>>> The Windows 10 computers are on the 21H2 patch level, which is working
>>> for other sites in our organization. Checking on both DCs, replication
>>> appears to be working (0 consecutive failures).
>>>
>>> I saw a previous message about users being part of a group for
>>> permissions, but it didn't seem to be my *exact* issue. Is it related? We
>>> only add users to the groups, then the groups have permissions on various
>>> shares.
>>>
>>> DC1 smb.conf (DC2 is the same):
>>>
>>> # Global parameters
>>> [global]
>>>          bind interfaces only = Yes
>>>          disable netbios = Yes
>>>          interfaces = lo enp1s0
>>>          ntlm auth = ntlmv1-permitted # needed for wireless
>>>          passdb backend = samba_dsdb
>>>          realm = DOMAIN.CA
>>>          server role = active directory domain controller
>>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>> winbindd, ntp_signd, kcc, dnsupdate
>>>          winbind separator = /
>>>          workgroup = DOMAIN
>>>          rpc_server:tcpip = no
>>>          rpc_daemon:spoolssd = embedded
>>>          rpc_server:spoolss = embedded
>>>          rpc_server:winreg = embedded
>>>          rpc_server:ntsvcs = embedded
>>>          rpc_server:eventlog = embedded
>>>          rpc_server:srvsvc = embedded
>>>          rpc_server:svcctl = embedded
>>>          rpc_server:default = external
>>>          winbindd:use external pipes = true
>>>          idmap_ldb:use rfc2307 = yes
>>>          idmap config * : backend = tdb
>>>          map archive = No
>>>          vfs objects = dfs_samba4 acl_xattr
>>>
>>>
>>> [netlogon]
>>>          path = /var/lib/samba/sysvol/DOMAIN.ca/scripts
>>>          read only = No
>>>
>>>
>>> [sysvol]
>>>          path = /var/lib/samba/sysvol
>>>          read only = No
>>>
>>> Relevant section on file server:
>>> [global]
>>>          bind interfaces only = Yes
>>>          client signing = required
>>>          dedicated keytab file = /etc/krb5.keytab
>>>          disable netbios = Yes
>>>          interfaces = lo enp1s0
>>>          kerberos method = secrets and keytab
>>>          log file = /var/log/samba/%m.log
>>>          realm = DOMAIN.CA
>>>          security = ADS
>>>          server role = member server
>>>          server signing = required
>>>          template homedir = /home/DOMAIN/%U
>>>          username map = /etc/samba/user.map
>>>          winbind enum groups = Yes
>>>          winbind enum users = Yes
>>>          winbind refresh tickets = Yes
>>>          winbind separator = /
>>>          winbind use default domain = Yes
>>>          workgroup = DOMAIN
>>>          idmap config edge : range = 100000-199999
>>>          idmap config edge : backend = rid
>>>          idmap config * : range = 70000-99999
>>>          idmap config * : backend = tdb
>>>          map acl inherit = Yes
>>>          vfs objects = acl_xattr
>>>
>>>
>>> [Users]
>>>          path = /home/DOMAIN
>>>          read only = No
>>>
>>>
>>> [Staff]
>>>          path = /usr/local/share/Staff
>>>          read only = No
>>>
>>>
>>> [Office]
>>>          path = /usr/local/share/Office
>>>          read only = No
>>>
>>>
>>>

Why is 'staff' getting the GID '70012' ?
As you say, that range is meant for the default domain and 'staff' 
should be a DOMAIN group.

Is DOMAIN actually 'edge' as you have set in the 'idmap config' lines ? 
If it isn't, then change 'edge' to 'DOMAIN' and reload Samba or restart 
it, but beware, this will give all your users and groups ID's in the 
100000-199999 range (which is what they should have).

Rowland

More information about the samba mailing list