[Samba] Samba randomly fail to convert SID to GID

Rowland Penny rpenny at samba.org
Wed May 22 14:43:36 UTC 2024


On Tue, 21 May 2024 15:06:08 +0200
Bastien HERMITTE via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> We have a Samba file server configured to authenticate on Samba AD.
> 
> Permissions on share are set through ACL, and mapped drives are
> mounted by a GPO with condition (ex: if user is member of group
> 'share1' then share 'share1' is mounted automatically at session
> opening).
> 
> Everything seems to be working, but some users complain about some
> mapped drives not being reachable, randomly (mounted but with a red
> cross, and an error message when opening). I've experienced this
> problem on my workstation too.
> 
> When the user reboots or closes/reopens the session, the problem is
> gone.
> When restarting smb/nmb on the file server, the problem is gone too.
> 
> After enabling debug logs and digging, I've found this message when
> the problem occurs:
> [2024/05/21 10:03:10.664800, 10, pid=2420748, effective(0, 0),
> real(0, 0), class=auth]
> ../../source3/auth/auth_util.c:629(create_local_token) Could not
> convert SID S-1-5-21-1429651927-1816029351-2509125846-1333 to gid,
> ignoring it
> 
> Here there is only the group with SID
> S-1-5-21-1429651927-1816029351-2509125846-1333, but sometimes several
> groups are concerned.
> 
> The conversion is OK when launched manually with the wbinfo command,
> and reports the correct GID:
> [root at mysrv ~]# wbinfo -Y
> S-1-5-21-1429651927-1816029351-2509125846-1333 10008
> 
> The samlogon cache seems OK :
> [root at mysrv ~]# net cache samlogon show 
> S-1-5-21-1429651927-1816029351-2509125846-1238
> Name: SAMDOM\myuser
> SID  0: S-1-5-21-1429651927-1816029351-2509125846-1238
> SID  1: S-1-5-21-1429651927-1816029351-2509125846-513
> SID  2: S-1-5-21-1429651927-1816029351-2509125846-1333
> SID  3: S-1-5-21-1429651927-1816029351-2509125846-1337
> SID  4: S-1-5-21-1429651927-1816029351-2509125846-1345
> SID  5: S-1-5-21-1429651927-1816029351-2509125846-1339
> SID  6: S-1-5-21-1429651927-1816029351-2509125846-2109
> SID  7: S-1-5-21-1429651927-1816029351-2509125846-1340
> SID  8: S-1-5-21-1429651927-1816029351-2509125846-2107
> SID  9: S-1-5-21-1429651927-1816029351-2509125846-2776
> SID 10: S-1-5-21-0-0-0-497
> 
> The list of groups from wbinfo is correct too:
> [root at mysrv ~]# wbinfo -r SAMDOM\\myuser
> 10000
> 10008
> 10009
> 10020
> 10004
> 10038
> 10005
> 10033
> 10050
> 3001
> 
> When the problem occurs, I can see in syslog:
> May 21 12:33:00 mysrv smbd_audit[2420748]:  chdir_current_service: 
> vfs_ChDir(/home/events) failed: Permission denied. Current token: 
> uid=10054, gid=10000, 12 groups: 10000 10009 10020 10004 10038 10005 
> 10033 10050 3003 3004 3005 3001
> 
> So the group with ID 10008 is missing because it failed to convert,
> and so the user can't access the share.
> 
> I can't figure out why the conversion fails randomly.
> 
> The file server is Rocky Linux 8.9 (up to date), with Samba 4.18.6 from
> the Rocky Linux default repository.
> Below is my smb.conf:
> [global]
>          security = ADS
>          workgroup = SAMDOM
>          realm = SAMDOM.MYDOMAIN.COM
> 
>          idmap config * : backend = tdb
>          idmap config * : range = 3000-7999
>          idmap config SAMDOM:backend = ad
>          idmap config SAMDOM:schema_mode = rfc2307
>          idmap config SAMDOM:range = 10000-999999
>          idmap config SAMDOM:unix_nss_info = no
> 
>          template shell = /sbin/nologin
>          template homedir = /home/users/%U
> 
>          winbind enum users = yes
>          winbind enum groups = yes
>          winbind use default domain = no
> 
>          username map = /etc/samba/user.map
> 
>          server string = //MYDOMAIN //Samba File Server
>          netbios name = SHARE
> 
>          log file = /var/log/samba/%m.log
>          log level = 10 auth_audit:6 auth_json_audit:6
>          max log size = 0
> 
>          min protocol = SMB2
> 
>          # Disable printing
>          printcap name = /dev/null
>          load printers = no
>          disable spoolss = yes
>          printing = bsd
> 
>          # Workaround for regression caused by fix for CVE-2020-25717
>          # See: 
> https://lists.samba.org/archive/samba/2021-November/238521.html
>          min domain uid = 0
> 
>          vfs objects = full_audit recycle acl_xattr fruit
> streams_xattr
> 
>          full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
>          full_audit:success = mkdirat renameat unlinkat pwrite
>          full_audit:failure = none
>          full_audit:facility = LOCAL5
>          full_audit:priority = NOTICE
> 
>          recycle:repository = /home/corbeille/%S
>          recycle:directory_mode = 0775
>          recycle:keeptree = yes
>          recycle:versions = yes
>          recycle:touch = yes
>          recycle:touch_mtime = yes
>          recycle:maxsize = 500000000
>          recycle:exclude = *.tmp ~$* *.~?? ._* *.DS_Store .~*
> 
>          map acl inherit = yes
>          store dos attributes = yes
>          dos filemode = yes
>          dos filetimes = yes
> 
>          # fruit parameters :
>          fruit:metadata = stream
>          fruit:model = MacSamba
>          fruit:posix_rename = yes
>          fruit:veto_appledouble = no
>          fruit:nfs_aces = no
>          fruit:wipe_intentionally_left_blank_rfork = yes
>          fruit:delete_empty_adfiles = yes
> 
> [users]
>          path = /home/users
>          read only = no
> [share1]
>          path = /home///share1/
>          read only = no
> [share2]
>          path = /home///share2/
>          read only = no
> ...
> 
> 
> After hours of research I've run out of ideas...
> Can someone help me?
> 
> I can provide more information if needed.
> 
> Thanks in advance.
> 
> Regards,
> Bastien
> 

OK, I am nowhere near being an expert in 'C', but it appears that
the 'Could not convert SID' message is only printed at log level 10
and if the Unix ID isn't an ID_TYPE_GID or an ID_TYPE_BOTH, so what
actually is RID 1333: not its number, its name?

Rowland
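The comparison the original poster did by hand (the GID list from `wbinfo -r` against the `Current token:` group list in the vfs_ChDir syslog line, plus the dropped SID from the level-10 `create_local_token` message) can be scripted so it runs over every failure instead of one. The following is an added example, not code from the thread or from Samba; the three inputs are constructed copies of the lines posted above, and the `diff_token` function assumes the `idmap config * : range = 3000-7999` from the posted smb.conf when it sets aside GIDs that come from the default tdb domain.

```python
import re

# Constructed sample input modelled on the thread (not a capture from the
# poster's server): the GID list `wbinfo -r SAMDOM\\myuser` returned, the
# level-10 create_local_token debug line, and the vfs_ChDir syslog line
# that shows the token smbd actually built for the session.
WBINFO_R_OUTPUT = """\
10000
10008
10009
10020
10004
10038
10005
10033
10050
3001
"""

AUTH_DEBUG_LOG = (
    "[2024/05/21 10:03:10.664800, 10, pid=2420748, effective(0, 0), "
    "real(0, 0), class=auth]\n"
    "../../source3/auth/auth_util.c:629(create_local_token) Could not "
    "convert SID S-1-5-21-1429651927-1816029351-2509125846-1333 to gid, "
    "ignoring it\n"
)

SYSLOG_LINE = (
    "May 21 12:33:00 mysrv smbd_audit[2420748]:  chdir_current_service: "
    "vfs_ChDir(/home/events) failed: Permission denied. Current token: "
    "uid=10054, gid=10000, 12 groups: 10000 10009 10020 10004 10038 10005 "
    "10033 10050 3003 3004 3005 3001"
)

UNCONVERTED_RE = re.compile(r"Could not convert SID (S-1-\d+(?:-\d+)+) to gid")
TOKEN_RE = re.compile(
    r"Current token: uid=(\d+), gid=(\d+), (\d+) groups: ((?:\d+\s*)+)"
)


def parse_wbinfo_gids(text):
    """GIDs from `wbinfo -r`: the groups winbind says the user is in."""
    return {int(tok) for tok in text.split()}


def parse_unconverted_sids(log_text):
    """SIDs that create_local_token dropped (only logged at level 10)."""
    return UNCONVERTED_RE.findall(log_text)


def parse_token(line):
    """Return (uid, gid, groups) from a vfs_ChDir 'Current token' line.

    The line states how many groups follow; a mismatch means the line was
    truncated or mangled, so fail loudly instead of trusting it.
    """
    m = TOKEN_RE.search(line)
    if not m:
        raise ValueError("no 'Current token' in line")
    uid, gid, count = int(m.group(1)), int(m.group(2)), int(m.group(3))
    groups = [int(tok) for tok in m.group(4).split()]
    if len(groups) != count:
        raise ValueError(f"token claims {count} groups, found {len(groups)}")
    return uid, gid, groups


def diff_token(expected_gids, token_groups, default_range=(3000, 7999)):
    """Compare winbind's group list with the token smbd actually built.

    'missing' is the symptom from the thread: GIDs winbind lists that the
    token lacks.  GIDs inside default_range (assumption: the `*` tdb range
    from the posted smb.conf) are allocated for non-domain SIDs and are
    reported separately rather than treated as a mapping failure.
    """
    token = set(token_groups)
    lo, hi = default_range
    extra = sorted(token - expected_gids)
    return {
        "missing": sorted(expected_gids - token),
        "extra_default_domain": [g for g in extra if lo <= g <= hi],
        "extra": [g for g in extra if not lo <= g <= hi],
    }


def report(wbinfo_text=WBINFO_R_OUTPUT, auth_log=AUTH_DEBUG_LOG,
           syslog=SYSLOG_LINE):
    """Bundle the three checks into one dict for the session in question."""
    uid, gid, groups = parse_token(syslog)
    result = diff_token(parse_wbinfo_gids(wbinfo_text), groups)
    result["uid"] = uid
    result["primary_gid"] = gid
    result["dropped_sids"] = parse_unconverted_sids(auth_log)
    return result


if __name__ == "__main__":
    r = report()
    print(f"uid={r['uid']} primary gid={r['primary_gid']}")
    print("GIDs winbind lists but token lacks:", r["missing"])
    print("SIDs create_local_token dropped:", r["dropped_sids"])
    print("extra GIDs from default idmap range:", r["extra_default_domain"])
```

The script only tells you which GID disappeared and which SID was dropped; it does not say why. To answer the question Rowland asks (what winbind thinks that SID is), run `wbinfo -s SID` for the name and `wbinfo --sids-to-unix-ids=SID` for the type and ID winbind assigns, at the moment a failure is logged, since the poster's `wbinfo -Y` succeeded afterwards.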


