[Samba] Samba randomly fail to convert SID to GID
Bastien HERMITTE
bhermitte at b2pweb.com
Wed May 22 16:46:11 UTC 2024
Hello, and thank you for your help!
SID S-1-5-21-1429651927-1816029351-2509125846-1333 (GID 10008) is a
security group:
[root at mysrv ~]# wbinfo --gid-info=10008
SAMDOM\lr_events:x:10008:
Regards,
Bastien
On 22/05/2024 at 16:43, Rowland Penny via samba wrote:
> On Tue, 21 May 2024 15:06:08 +0200
> Bastien HERMITTE via samba<samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> We have a Samba file server configured to authenticate on Samba AD.
>>
>> Permissions on share are set through ACL, and mapped drives are
>> mounted by a GPO with condition (ex: if user is member of group
>> 'share1' then share 'share1' is mounted automatically at session
>> opening).
>>
>> Everything seems to be working, but some users complain about some
>> mapped drives not being reachable, randomly (mounted but with a red cross,
>> and an error message when opening). I've experienced this problem on my
>> workstation too.
>>
>> When the user reboots or closes/reopens the session, the problem is
>> gone.
>> When restarting smb/nmb on the file server, the problem is gone too.
>>
>> After enabling debug logs and digging, I've found this message when the
>> problem occurs:
>> [2024/05/21 10:03:10.664800, 10, pid=2420748, effective(0, 0),
>> real(0, 0), class=auth]
>> ../../source3/auth/auth_util.c:629(create_local_token) Could not
>> convert SID S-1-5-21-1429651927-1816029351-2509125846-1333 to gid,
>> ignoring it
>>
>> Here there is only the group with SID
>> S-1-5-21-1429651927-1816029351-2509125846-1333, but sometimes there are
>> several groups concerned.
>>
>> The conversion is OK when launched manually with the wbinfo command, and
>> reports the correct GID:
>> [root at mysrv ~]# wbinfo -Y
>> S-1-5-21-1429651927-1816029351-2509125846-1333 10008
>>
>> The samlogon cache seems OK:
>> [root at mysrv ~]# net cache samlogon show
>> S-1-5-21-1429651927-1816029351-2509125846-1238
>> Name: SAMDOM\myuser
>> SID 0: S-1-5-21-1429651927-1816029351-2509125846-1238
>> SID 1: S-1-5-21-1429651927-1816029351-2509125846-513
>> SID 2: S-1-5-21-1429651927-1816029351-2509125846-1333
>> SID 3: S-1-5-21-1429651927-1816029351-2509125846-1337
>> SID 4: S-1-5-21-1429651927-1816029351-2509125846-1345
>> SID 5: S-1-5-21-1429651927-1816029351-2509125846-1339
>> SID 6: S-1-5-21-1429651927-1816029351-2509125846-2109
>> SID 7: S-1-5-21-1429651927-1816029351-2509125846-1340
>> SID 8: S-1-5-21-1429651927-1816029351-2509125846-2107
>> SID 9: S-1-5-21-1429651927-1816029351-2509125846-2776
>> SID 10: S-1-5-21-0-0-0-497
>>
>> The list of groups from wbinfo is correct too:
>> [root at mysrv ~]# wbinfo -r SAMDOM\\myuser
>> 10000
>> 10008
>> 10009
>> 10020
>> 10004
>> 10038
>> 10005
>> 10033
>> 10050
>> 3001
>>
>> When the problem occurs, I can see in syslog:
>> May 21 12:33:00 mysrv smbd_audit[2420748]: chdir_current_service:
>> vfs_ChDir(/home/events) failed: Permission denied. Current token:
>> uid=10054, gid=10000, 12 groups: 10000 10009 10020 10004 10038 10005
>> 10033 10050 3003 3004 3005 3001
>>
>> So the group with ID 10008 is missing because it failed to convert, and
>> so the user can't access the share.
>>
>> I can't figure out why the conversion fails randomly.
>>
>> The file server is Rocky Linux 8.9 (up to date), with Samba 4.18.6 from
>> the Rocky Linux default repository.
>> Below is my smb.conf:
>> [global]
>> security = ADS
>> workgroup = SAMDOM
>> realm = SAMDOM.MYDOMAIN.COM
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config SAMDOM:backend = ad
>> idmap config SAMDOM:schema_mode = rfc2307
>> idmap config SAMDOM:range = 10000-999999
>> idmap config SAMDOM:unix_nss_info = no
>>
>> template shell = /sbin/nologin
>> template homedir = /home/users/%U
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = no
>>
>> username map = /etc/samba/user.map
>>
>> server string = //MYDOMAIN //Samba File Server
>> netbios name = SHARE
>>
>> log file = /var/log/samba/%m.log
>> log level = 10 auth_audit:6 auth_json_audit:6
>> max log size = 0
>>
>> min protocol = SMB2
>>
>> # Disable printing
>> printcap name = /dev/null
>> load printers = no
>> disable spoolss = yes
>> printing = bsd
>>
>> # Workaround for regression caused by fix for CVE-2020-25717
>> # See:
>> https://lists.samba.org/archive/samba/2021-November/238521.html
>> min domain uid = 0
>>
>> vfs objects = full_audit recycle acl_xattr fruit streams_xattr
>>
>> full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
>> full_audit:success = mkdirat renameat unlinkat pwrite
>> full_audit:failure = none
>> full_audit:facility = LOCAL5
>> full_audit:priority = NOTICE
>>
>> recycle:repository = /home/corbeille/%S
>> recycle:directory_mode = 0775
>> recycle:keeptree = yes
>> recycle:versions = yes
>> recycle:touch = yes
>> recycle:touch_mtime = yes
>> recycle:maxsize = 500000000
>> recycle:exclude = *.tmp ~$* *.~?? ._* *.DS_Store .~*
>>
>> map acl inherit = yes
>> store dos attributes = yes
>> dos filemode = yes
>> dos filetimes = yes
>>
>> # fruit parameters:
>> fruit:metadata = stream
>> fruit:model = MacSamba
>> fruit:posix_rename = yes
>> fruit:veto_appledouble = no
>> fruit:nfs_aces = no
>> fruit:wipe_intentionally_left_blank_rfork = yes
>> fruit:delete_empty_adfiles = yes
>>
>> [users]
>> path = /home/users
>> read only = no
>> [share1]
>> path = /home///share1/
>> read only = no
>> [share2]
>> path = /home///share2/
>> read only = no
>> ...
>>
>>
>> After hours of research I've run out of ideas...
>> Can someone help me?
>>
>> I can provide more information if needed.
>>
>> Thanks in advance.
>>
>> Regards,
>> Bastien
>>
> OK, I am nowhere near to being an expert in 'C', but it appears that
> the 'Could not convert SID' message is only printed at log level 10
> and if the Unix ID isn't an ID_TYPE_GID and ID_TYPE_BOTH, so what
> actually is the RID 1333? Not its number, its name?
>
> Rowland
>
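A cross-check a practitioner can run over the three artifacts quoted in this thread (the level-10 "Could not convert SID" debug line, the full_audit "Current token" syslog line, and the `wbinfo -r` group list) to see which expected GIDs are absent from the user's token and whether the debug log accounts for each one. This is an added example, not Samba tooling and not the poster's code; the sample log lines are constructed from the ones quoted above, the SID-to-GID table holds only the single pair the thread shows, and the idmap ranges are copied from the posted smb.conf.

```python
"""Cross-check an smbd token against the groups winbind reports for a user.

Added example, not part of Samba. Sample input is constructed from the
lines quoted in the thread; regexes are assumptions about those line shapes.
"""
import re

# Constructed sample input modelled on the lines quoted in the thread.
DEBUG_LOG = """\
[2024/05/21 10:03:10.664800, 10, pid=2420748, effective(0, 0), real(0, 0), class=auth]
  ../../source3/auth/auth_util.c:629(create_local_token) Could not convert SID S-1-5-21-1429651927-1816029351-2509125846-1333 to gid, ignoring it
"""

AUDIT_LINE = (
    "May 21 12:33:00 mysrv smbd_audit[2420748]: chdir_current_service: "
    "vfs_ChDir(/home/events) failed: Permission denied. Current token: "
    "uid=10054, gid=10000, 12 groups: 10000 10009 10020 10004 10038 10005 "
    "10033 10050 3003 3004 3005 3001"
)

# `wbinfo -r SAMDOM\\myuser` output as quoted in the thread.
WBINFO_R = "10000\n10008\n10009\n10020\n10004\n10038\n10005\n10033\n10050\n3001\n"

# SID -> GID as `wbinfo -Y` reports it. Only the one pair shown in the thread
# is listed; on a real server fill this from the samlogon cache SIDs.
SID_TO_GID = {"S-1-5-21-1429651927-1816029351-2509125846-1333": 10008}

# idmap ranges copied from the smb.conf in the thread: the '*' tdb backend
# owns 3000-7999, the SAMDOM ad backend owns 10000-999999.
IDMAP_RANGES = {"*": (3000, 7999), "SAMDOM": (10000, 999999)}

FAILED_SID_RE = re.compile(r"Could not convert SID (S-1-\d+(?:-\d+)+) to gid")
TOKEN_RE = re.compile(r"Current token: uid=(\d+), gid=(\d+), (\d+) groups: ([\d ]+)")


def failed_sids(log_text):
    """Return the set of SIDs the auth code logged as unconvertible."""
    return set(FAILED_SID_RE.findall(log_text))


def parse_token(audit_line):
    """Extract uid, primary gid and supplementary GIDs from a full_audit line."""
    m = TOKEN_RE.search(audit_line)
    if m is None:
        raise ValueError("no 'Current token' in line")
    uid, gid, count, groups = m.groups()
    gids = [int(g) for g in groups.split()]
    if len(gids) != int(count):
        raise ValueError(f"token claims {count} groups, found {len(gids)}")
    return {"uid": int(uid), "gid": int(gid), "groups": gids}


def parse_wbinfo_r(text):
    """Parse `wbinfo -r` output (one GID per line) into a set of ints."""
    return {int(line) for line in text.split()}


def idmap_domain(gid):
    """Name the idmap domain whose configured range contains this GID."""
    for domain, (low, high) in IDMAP_RANGES.items():
        if low <= gid <= high:
            return domain
    return None


def diagnose(log_text, audit_line, wbinfo_r_text, sid_to_gid):
    """Compare the token's GIDs with winbind's list and explain the gaps."""
    token = parse_token(audit_line)
    have = set(token["groups"])
    expected = parse_wbinfo_r(wbinfo_r_text)
    missing = expected - have
    extra = have - expected
    explained = {sid_to_gid[s] for s in failed_sids(log_text) if s in sid_to_gid}
    return {
        "missing": sorted(missing),
        "explained_by_debug_log": sorted(missing & explained),
        "unexplained": sorted(missing - explained),
        # GIDs present in the token that wbinfo -r did not list, tagged with
        # the idmap domain whose range they fall in.
        "extra": {g: idmap_domain(g) for g in sorted(extra)},
    }


if __name__ == "__main__":
    print(diagnose(DEBUG_LOG, AUDIT_LINE, WBINFO_R, SID_TO_GID))
```

On the thread's data this reports 10008 as the one GID missing from the token and matches it to the SID in the debug line, which is the same conclusion the poster reached by hand; the 3003-3005 GIDs that appear in the token but not in `wbinfo -r` fall in the `*` range, i.e. they were allocated by the tdb backend rather than by the SAMDOM ad backend, so they are not the ones to chase. On a live server, feed it the level-10 smbd log, the smbd_audit line from syslog, and fresh `wbinfo -r` and `wbinfo -Y` output taken while the failure is occurring, since the thread shows the manual lookups succeeding afterwards.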