[Samba] samba crashes windows explorer (while trying to view file permissions)

Michael Tokarev mjt at tls.msk.ru
Sat Nov 19 15:57:52 UTC 2022

19.11.2022 18:35, Rowland Penny via samba wrote:
>> and now.. after quite some time, without me doing anything,
>> it shows (on the bad domain):
>> # wbinfo -Y S-1-5-21-880456541-1649917288-23935232-513
>> 3004
>> I think this comes from my attempts to add something in
>> there:
>> #       idmap config * : backend = tdb
>> #       idmap config * : range = 3000-3099
>> which I commented out quite some time ago. Or not - I recreated
>> the domain with these commented out, so it is again unclear
>> where it got the 3000 number from.
> Neither have I, the 'idmap config' lines, up until now, have never worked on a DC, but something could have changed and I suppose they could have 
> started working, but if they have, it will be a bug.

These lines had been commented out at the time when I re-created
the domain.

I can't find where this 3004 number comes from.  I can't find it
in either winbindd_cache.tdb or idmap.ldb.

I checked a few other SIDs:

# wbinfo -Y S-1-5-21-880456541-1649917288-23935232-512
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-880456541-1649917288-23935232-512 to gid
# wbinfo -Y S-1-5-21-880456541-1649917288-23935232-513
# wbinfo -Y S-1-5-21-880456541-1649917288-23935232-514
# wbinfo -Y S-1-5-21-880456541-1649917288-23935232-515
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-880456541-1649917288-23935232-515 to gid

The same question arises: WHAT IS GOING ON? Where is it getting
these numbers from?  Once again: it is a freshly created domain!


# fgrep -r 3000013 /var/lib/samba/
grep: /var/lib/samba/private/idmap.ldb: binary file matches

# record 10
dn: CN=S-1-5-21-880456541-1649917288-23935232-514
cn: S-1-5-21-880456541-1649917288-23935232-514
objectClass: sidMap
objectSid: S-1-5-21-880456541-1649917288-23935232-514
xidNumber: 3000013
distinguishedName: CN=S-1-5-21-880456541-1649917288-23935232-514

So it *did* configure this one automatically.  But why not the others?

# fgrep -r 3004 /var/lib/samba/
grep: /var/lib/samba/private/sam.ldb.d/DC=PZ,DC=CORPIT,DC=RU.ldb: binary file matches
grep: /var/lib/samba/private/sam.ldb.d/CN=CONFIGURATION,DC=PZ,DC=CORPIT,DC=RU.ldb: binary file matches

Okay, it was actually my experiment to add uidNumber for the "Domain Users" group.
After some time (and multiple net cache flush runs) it finally got this info.

> Ah, '512' is Domain Admins and you definitely do not want that group to have a 'GID'. It needs to 'own' things in Sysvol and to do this, it is mapped
> to 'ID_TYPE_BOTH' in idmap.ldb (that is, it is both a group and a user) and if you give it a gidNumber attribute, it becomes just a group and you break
> Sysvol.

To me it looks like I *have* to assign a gidNumber, or else it doesn't work -
see above.  For the Domain Users group, to which I assigned the 3004 uidNumber,
wbinfo -Y returns this uidNumber.  But for other domain groups, it can't
find the gid.  For all but the -514 one, for which it did assign an xidNumber
in idmap.ldb.


I *think* this is the "winbind nss info = rfc2307" setting.   With this one,
I *have* to configure gidNumbers for every group in the AD.  But these
groups are *not* propagated into winbindd even after multiple reload-config and
net cache flush runs; some *time* has to pass...

Well... let's see...
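The mapping question in this thread (which well-known domain groups have an xidNumber in idmap.ldb, and whether the Domain Admins entry is still ID_TYPE_BOTH as Rowland describes) can be checked offline against an ldbsearch-style LDIF dump. The script below is an added example, not code from the thread or from Samba; it assumes an idmap.ldb dump in the record format quoted above, and the `type:` attribute on the records (with the values ID_TYPE_BOTH and ID_TYPE_GID) is an assumption taken from Rowland's description rather than from the quoted record. The sample LDIF is constructed, modelled on the -514 record in the mail.

```python
import re

# Well-known domain RIDs discussed in the thread (names per Rowland's reply for 512).
WELL_KNOWN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
}

# Constructed sample: an ldbsearch-style dump of idmap.ldb modelled on the quoted
# record. The 'type' attribute is an assumption (not shown in the quoted record).
SAMPLE_LDIF = """\
# record 1
dn: CN=S-1-5-21-880456541-1649917288-23935232-512
cn: S-1-5-21-880456541-1649917288-23935232-512
objectClass: sidMap
objectSid: S-1-5-21-880456541-1649917288-23935232-512
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-21-880456541-1649917288-23935232-512

# record 2
dn: CN=S-1-5-21-880456541-1649917288-23935232-514
cn: S-1-5-21-880456541-1649917288-23935232-514
objectClass: sidMap
objectSid: S-1-5-21-880456541-1649917288-23935232-514
type: ID_TYPE_BOTH
xidNumber: 3000013
distinguishedName: CN=S-1-5-21-880456541-1649917288-23935232-514
"""

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def parse_ldif(text):
    """Split an LDIF dump into records (attribute -> value); blank lines separate
    records and '#' lines are comments. Multi-valued attributes are not needed here."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def sid_map(records):
    """objectSid -> (xidNumber, type) for every sidMap record that carries an xidNumber."""
    out = {}
    for rec in records:
        if rec.get("objectClass") != "sidMap" or "objectSid" not in rec:
            continue
        if "xidNumber" not in rec:
            continue
        out[rec["objectSid"]] = (int(rec["xidNumber"]), rec.get("type", "unknown"))
    return out


def audit_domain(domain_sid, mapping):
    """For each well-known RID, report 'unmapped' or 'TYPE:xid'; flag a Domain Admins
    (512) entry whose type is no longer ID_TYPE_BOTH, which is the Sysvol-breaking
    condition Rowland describes."""
    report = []
    for rid, name in sorted(WELL_KNOWN_RIDS.items()):
        sid = f"{domain_sid}-{rid}"
        if sid not in mapping:
            report.append((rid, name, "unmapped"))
            continue
        xid, typ = mapping[sid]
        status = f"{typ}:{xid}"
        if rid == 512 and typ != "ID_TYPE_BOTH":
            status += " (WARNING: Domain Admins is not ID_TYPE_BOTH; Sysvol ownership breaks)"
        report.append((rid, name, status))
    return report


def domain_sid_of(sid):
    """Strip the RID from a full SID; returns None if it is not a domain SID."""
    m = SID_RE.match(sid)
    return m.group(1) if m else None


if __name__ == "__main__":
    mapping = sid_map(parse_ldif(SAMPLE_LDIF))
    for rid, name, status in audit_domain("S-1-5-21-880456541-1649917288-23935232", mapping):
        print(f"RID {rid:<4} {name:<17} {status}")
```

Run against a real dump with `ldbsearch -H /var/lib/samba/private/idmap.ldb objectClass=sidMap` piped into a file and fed to `parse_ldif`; an "unmapped" line for 513 or 515 matches the WBC_ERR_DOMAIN_NOT_FOUND behaviour seen above, since winbind has nothing in idmap.ldb to hand back.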


