[Samba] Samba randomly fail to convert SID to GID
Bastien HERMITTE
bhermitte at b2pweb.com
Tue May 21 13:06:08 UTC 2024
Hello,
We have a Samba file server configured to authenticate on Samba AD.
Permissions on share are set through ACL, and mapped drives are mounted
by a GPO with condition (ex: if user is member of group 'share1' then
share 'share1' is mounted automatically at session opening).
Everything seems to be working, but some users complain about some
mapped drives not being reachable, randomly (mounted but with a red cross, and
an error message when opening). I've experienced this problem on my
workstation too.
When the user reboots or closes/reopens the session, the problem is
gone.
When restarting smb/nmb on the file server, the problem is gone too.
After enabling debug logs and digging, I've found this message when the
problem occurs:
[2024/05/21 10:03:10.664800, 10, pid=2420748, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:629(create_local_token)
  Could not convert SID S-1-5-21-1429651927-1816029351-2509125846-1333 to gid, ignoring it
Here there is only one group with SID
S-1-5-21-1429651927-1816029351-2509125846-1333, but sometimes there are
several groups concerned.
The conversion is OK when launched manually with the wbinfo command, and
reports the correct GID:
[root at mysrv ~]# wbinfo -Y S-1-5-21-1429651927-1816029351-2509125846-1333
10008
The samlogon cache seems OK :
[root at mysrv ~]# net cache samlogon show
S-1-5-21-1429651927-1816029351-2509125846-1238
Name: SAMDOM\myuser
SID 0: S-1-5-21-1429651927-1816029351-2509125846-1238
SID 1: S-1-5-21-1429651927-1816029351-2509125846-513
SID 2: S-1-5-21-1429651927-1816029351-2509125846-1333
SID 3: S-1-5-21-1429651927-1816029351-2509125846-1337
SID 4: S-1-5-21-1429651927-1816029351-2509125846-1345
SID 5: S-1-5-21-1429651927-1816029351-2509125846-1339
SID 6: S-1-5-21-1429651927-1816029351-2509125846-2109
SID 7: S-1-5-21-1429651927-1816029351-2509125846-1340
SID 8: S-1-5-21-1429651927-1816029351-2509125846-2107
SID 9: S-1-5-21-1429651927-1816029351-2509125846-2776
SID 10: S-1-5-21-0-0-0-497
The list of groups from wbinfo is correct too:
[root at mysrv ~]# wbinfo -r SAMDOM\\myuser
10000
10008
10009
10020
10004
10038
10005
10033
10050
3001
When the problem occurs, I can see in syslog:
May 21 12:33:00 mysrv smbd_audit[2420748]: chdir_current_service: vfs_ChDir(/home/events) failed: Permission denied. Current token: uid=10054, gid=10000, 12 groups: 10000 10009 10020 10004 10038 10005 10033 10050 3003 3004 3005 3001
So the group with ID 10008 is missing because it failed to convert,
and so the user can't access the share.
I can't figure out why the conversion fails randomly.
File server is Rocky Linux 8.9 (up to date), with Samba 4.18.6 from
Rocky Linux default repository.
Below is my smb.conf:
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.MYDOMAIN.COM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999
idmap config SAMDOM:unix_nss_info = no
template shell = /sbin/nologin
template homedir = /home/users/%U
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
username map = /etc/samba/user.map
server string = //MYDOMAIN //Samba File Server
netbios name = SHARE
log file = /var/log/samba/%m.log
log level = 10 auth_audit:6 auth_json_audit:6
max log size = 0
min protocol = SMB2
# Disable printing
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
# Workaround for regression caused by fix for CVE-2020-25717
# See: https://lists.samba.org/archive/samba/2021-November/238521.html
min domain uid = 0
vfs objects = full_audit recycle acl_xattr fruit streams_xattr
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:success = mkdirat renameat unlinkat pwrite
full_audit:failure = none
full_audit:facility = LOCAL5
full_audit:priority = NOTICE
recycle:repository = /home/corbeille/%S
recycle:directory_mode = 0775
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:touch_mtime = yes
recycle:maxsize = 500000000
recycle:exclude = *.tmp ~$* *.~?? ._* *.DS_Store .~*
map acl inherit = yes
store dos attributes = yes
dos filemode = yes
dos filetimes = yes
# fruit parameters :
fruit:metadata = stream
fruit:model = MacSamba
fruit:posix_rename = yes
fruit:veto_appledouble = no
fruit:nfs_aces = no
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
[users]
path = /home/users
read only = no
[share1]
path = /home///share1/
read only = no
[share2]
path = /home///share2/
read only = no
...
After hours of research I've run out of ideas...
Can someone help me?
I can provide more information if needed.
Thanks in advance.
Regards,
Bastien
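The post ties the dropped SID to the access denial by eye: the debug line from create_local_token names the SID that failed to convert, the smbd_audit line shows the token that smbd actually used, and `wbinfo -Y` / `wbinfo -r` give the GID set the token should have carried. The script below, added here as an illustration and not code from the post or from Samba, automates that cross-check over log text so it can be run against a log file without waiting for a user to complain. The sample log lines and the GID set are copied from the post and embedded as constructed input; the SID-to-GID map only contains the one value the post shows (`wbinfo -Y ... -1333` returning 10008), so any other SID looked up in it would be an assumption. The function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the lines quoted in the post.
# The pid, SID and token values are copied from it; this is not a live
# capture, and the wbinfo output is embedded rather than executed.
SMBD_LOG = (
    "[2024/05/21 10:03:10.664800, 10, pid=2420748, effective(0, 0), real(0, 0), "
    "class=auth] ../../source3/auth/auth_util.c:629(create_local_token)\n"
    "  Could not convert SID S-1-5-21-1429651927-1816029351-2509125846-1333 "
    "to gid, ignoring it\n"
)
SYSLOG = (
    "May 21 12:33:00 mysrv smbd_audit[2420748]: chdir_current_service: "
    "vfs_ChDir(/home/events) failed: Permission denied. Current token: "
    "uid=10054, gid=10000, 12 groups: 10000 10009 10020 10004 10038 10005 "
    "10033 10050 3003 3004 3005 3001\n"
)
# What `wbinfo -Y <SID>` returned for the failing SID in the post.
# Any other SID looked up here is an assumption (hypothetical map).
SID_TO_GID = {"S-1-5-21-1429651927-1816029351-2509125846-1333": 10008}
# What `wbinfo -r SAMDOM\\myuser` printed in the post: the GIDs the token
# should carry when every group SID converts.
EXPECTED_GIDS = {10000, 10008, 10009, 10020, 10004, 10038, 10005, 10033, 10050, 3001}

PID_RE = re.compile(r"\bpid=(\d+)")
SID_FAIL_RE = re.compile(r"Could not convert SID (S-1-5-21-[\d-]+) to gid")
TOKEN_RE = re.compile(
    r"smbd_audit\[(?P<pid>\d+)\]: chdir_current_service: "
    r"vfs_ChDir\((?P<path>[^)]+)\) failed: Permission denied\. "
    r"Current token: uid=(?P<uid>\d+), gid=(?P<gid>\d+), "
    r"(?P<n>\d+) groups: (?P<groups>[\d ]+)"
)


def parse_failed_sids(log_text):
    """Map smbd pid -> SIDs that create_local_token dropped.

    In the level-10 log the pid sits on the header line and the message on
    the following line, so the last header's pid is attached to the message.
    """
    failed = defaultdict(list)
    pid = None
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if m:
            pid = int(m.group(1))
        m = SID_FAIL_RE.search(line)
        if m and pid is not None:
            failed[pid].append(m.group(1))
    return dict(failed)


def parse_denied_tokens(syslog_text):
    """Extract the token smbd_audit logged with each failed vfs_ChDir."""
    tokens = []
    for line in syslog_text.splitlines():
        m = TOKEN_RE.search(line)
        if not m:
            continue
        groups = [int(g) for g in m.group("groups").split()]
        tokens.append({
            "pid": int(m.group("pid")),
            "path": m.group("path"),
            "uid": int(m.group("uid")),
            "gid": int(m.group("gid")),
            "groups": set(groups),
            # smbd's own "N groups" count disagreeing with the list printed
            # after it would mean the syslog line was truncated.
            "count_ok": len(groups) == int(m.group("n")),
        })
    return tokens


def diagnose(smbd_log, syslog_text, sid_to_gid, expected_gids):
    """For each denied chdir: which expected GIDs the token lacks, which
    GIDs it carries beyond the expected set, and which dropped SIDs from
    the same smbd pid account for the missing GIDs."""
    failed = parse_failed_sids(smbd_log)
    report = []
    for tok in parse_denied_tokens(syslog_text):
        missing = expected_gids - tok["groups"]
        extra = tok["groups"] - expected_gids
        explained = {sid: sid_to_gid.get(sid)
                     for sid in failed.get(tok["pid"], [])
                     if sid_to_gid.get(sid) in missing}
        report.append({"pid": tok["pid"], "path": tok["path"], "uid": tok["uid"],
                       "missing": missing, "extra": extra,
                       "explained_by": explained, "count_ok": tok["count_ok"]})
    return report


if __name__ == "__main__":
    for entry in diagnose(SMBD_LOG, SYSLOG, SID_TO_GID, EXPECTED_GIDS):
        print(entry)
```

On the post's data this reports GID 10008 missing from pid 2420748's token and attributes it to SID ...-1333, matching the manual analysis. The "extra" GIDs 3003, 3004 and 3005 fall inside the `idmap config * : range = 3000-7999` tdb range in the posted smb.conf rather than the SAMDOM range, so they are not domain groups and are not what `wbinfo -r` lists; the script separates them out so they are not mistaken for the fault. Correlating by pid matters because the debug log and syslog come from different files and a busy server will have many smbd children.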