[Samba] samba crashes windows explorer (while trying to view file permissions)

Rowland Penny rpenny at samba.org
Sat Nov 19 15:35:23 UTC 2022 


On 19/11/2022 14:16, Michael Tokarev via samba wrote:
> ...
> 
> So, this boils down to, so far:
> 
> This (problematic, fresh) domain:
> 
> # wbinfo -s S-1-5-21-880456541-1649917288-23935232-513
> PZ\Domain Users 2
> # wbinfo -Y S-1-5-21-880456541-1649917288-23935232-513
> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-880456541-1649917288-23935232-513 to gid
> 
> On another, working, domain:
> 
> # wbinfo -s S-1-5-21-411424318-379842365-2075518510-513
> TLS\Domain Users 2
> # wbinfo -Y S-1-5-21-411424318-379842365-2075518510-513
> 100
> 
> idmap.ldb seems to be having similar information (besides
> the domain sid ofcourse)
> 
> 
> and now.. after quite some time, without me doing anything,
> it shows (on the bad domain):
> 
> # wbinfo -Y S-1-5-21-880456541-1649917288-23935232-513
> 3004
> 
> I think this comes from my attempts to add something in
> there:
> 
> #       idmap config * : backend = tdb
> #       idmap config * : range = 3000-3099
> 
> which I commented out quite some time ago. Or not - I recreated
> the domain with these commented out, so it is again unclear
> where it got the 3000 number from.

Neither have I, the 'idmap config' lines, up until now, have never 
worked on a DC, but something could have changed and I suppose they 
could have started working, but if they have, it will be a bug.
> 
> But still (different id, 512 instead of 513):
> 
> # wbinfo -Y S-1-5-21-880456541-1649917288-23935232-512
> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-880456541-1649917288-23935232-512 to gid

Ah, '512' is Domain Admins and you definitely do not want that group to 
have a 'GID'. It needs to 'own' things in Sysvol and to do this, it is 
mapped to 'ID_TYPE_BOTH' in idmap.ldb (that is,it is both a group and a 
user) and if you give it a gidNumber attribute, it becomes just a group 
and you break Sysvol.

> 
> What Is Going On?
> 
> Does anyone know if this beast *ever* work? This is a
> *fresh* domain, just created...
> 
> /mjt
> 

I do not know if your 'beast' has ever worked correctly, but it should do.

I suggest you compare your working DC with your non working DC and see 
if something is different.

Rowland

More information about the samba mailing list