Benedikt Schindler
2012-Mar-02 11:39 UTC
[Samba] Domain users are loosing there groups after some time.
Samba version : 3.6.3
Filesystem : BTRFS
Clients : XP, Win7
Log Level : 5

When we start our samba server everything works fine.
After a few days, some of our users are not allowed to connect to shares
anymore. When we restart the clients they can connect for a short time
and then say have the same problem again.

When we restart the server everything works fine for a few days again.
We set the "winbind offline logon = yes" and it slowed down the process,
but didn't stop it.

After a long search I think I found the problem.

The user has "401217" as mapped ID,
and should be in the groups
400513
401612
401609
401611

But samba just put him into
400513
401612
401611

So samba lost one group. And that's the reason the user is not allowed to
connect to the share, because only the group 401609 has a read permission.

Any ideas how that could happen?

Here is a log of a "failed" login:

[2012/03/02 11:37:52.842978, 5] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (15):
    SID[ 0]: S-1-5-21-1004336348-920026266-682003330-1217
    SID[ 1]: S-1-5-21-1004336348-920026266-682003330-513
    SID[ 2]: S-1-5-21-1004336348-920026266-682003330-1612
    SID[ 3]: S-1-5-21-1004336348-920026266-682003330-1609
    SID[ 4]: S-1-5-21-1004336348-920026266-682003330-1611
    SID[ 5]: S-1-1-0
    SID[ 6]: S-1-5-2
    SID[ 7]: S-1-5-11
    SID[ 8]: S-1-22-1-401217
    SID[ 9]: S-1-22-2-400513
    SID[ 10]: S-1-22-2-401612
    SID[ 11]: S-1-22-2-401611
    SID[ 12]: S-1-22-2-70000
    SID[ 13]: S-1-22-2-70002
    SID[ 14]: S-1-22-2-70011
  Privileges (0x 0):
  Rights (0x 0):
[2012/03/02 11:37:52.843247, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 401217
  Primary group is 400513 and contains 6 supplementary groups
  Group[ 0]: 400513
  Group[ 1]: 401612
  Group[ 2]: 401611
  Group[ 3]: 70000
  Group[ 4]: 70002
  Group[ 5]: 70011
[2012/03/02 11:37:52.843372, 5] smbd/uid.c:317(change_to_user_internal)
  Impersonated user: uid=(0,401217), gid=(0,400513)
[2012/03/02 11:37:52.843408, 4] smbd/vfs.c:780(vfs_ChDir)
  vfs_ChDir to /home/data
[2012/03/02 11:37:52.843443, 4] smbd/vfs.c:780(vfs_ChDir)
  vfs_ChDir to /home/data
[2012/03/02 11:37:52.843476, 3] smbd/service.c:190(set_current_service)
  chdir (/home/data) failed, reason: Keine Berechtigung
[2012/03/02 11:37:52.843509, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/process.c(1558) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED

Configuration parts that are maybe interesting:
smb.conf:

security = ADS

socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
nt acl support = yes
vfs objects = acl_xattr

winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes
allow trusted domains = yes

idmap config * : backend = rid
idmap config * : range = 70000-99999
idmap config * : base_rid = 0

idmap config A : backend = rid
idmap config A : range = 400000-499999
idmap config A : base_rid = 0

idmap config B : backend = rid
idmap config B : range = 300000-399999
idmap config B : base_rid = 0
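
The comparison made by hand in the post above (domain SIDs in the security token versus the Unix IDs that ended up in it) can be automated over a level-5 log. This is an added example, not part of the original post and not Samba code. The function names are hypothetical, and it assumes the domain SID in the log belongs to domain "A" (range 400000-499999, base_rid 0), which matches the user's mapped ID 401217.

```python
import re

# SID lines copied from the failed-login token dump in the post (log level 5).
SAMPLE_LOG = """\
SID[ 0]: S-1-5-21-1004336348-920026266-682003330-1217
SID[ 1]: S-1-5-21-1004336348-920026266-682003330-513
SID[ 2]: S-1-5-21-1004336348-920026266-682003330-1612
SID[ 3]: S-1-5-21-1004336348-920026266-682003330-1609
SID[ 4]: S-1-5-21-1004336348-920026266-682003330-1611
SID[ 5]: S-1-1-0
SID[ 6]: S-1-5-2
SID[ 7]: S-1-5-11
SID[ 8]: S-1-22-1-401217
SID[ 9]: S-1-22-2-400513
SID[ 10]: S-1-22-2-401612
SID[ 11]: S-1-22-2-401611
SID[ 12]: S-1-22-2-70000
SID[ 13]: S-1-22-2-70002
SID[ 14]: S-1-22-2-70011
"""
# Domain SID seen in the log; assumed to be domain "A" (range 400000-499999).
DOMAIN_SID = "S-1-5-21-1004336348-920026266-682003330"

def expected_unix_id(rid, range_low, base_rid=0):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID."""
    return rid - base_rid + range_low

def missing_mappings(log_text, domain_sid, range_low, range_high, base_rid=0):
    """Return (sid, expected_id) for domain SIDs with no S-1-22-x entry in the token."""
    sids = re.findall(r"SID\[\s*\d+\]:\s*(S-\d+(?:-\d+)+)", log_text)
    # S-1-22-1-<uid> and S-1-22-2-<gid> are the Unix IDs smbd put into the token.
    unix_ids = {int(s.rsplit("-", 1)[1]) for s in sids if s.startswith("S-1-22-")}
    missing = []
    for sid in sids:
        prefix, _, rid = sid.rpartition("-")
        if prefix != domain_sid:
            continue
        want = expected_unix_id(int(rid), range_low, base_rid)
        # The log does not say whether a SID is a user or a group, so accept either.
        if range_low <= want <= range_high and want not in unix_ids:
            missing.append((sid, want))
    return missing

if __name__ == "__main__":
    for sid, want in missing_mappings(SAMPLE_LOG, DOMAIN_SID, 400000, 499999):
        print(f"{sid}: expected Unix ID {want} is absent from the token")
```

Run against the log above, it reports only the SID ending in -1609 (expected ID 401609), the group the post identifies as lost.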
Benedikt Schindler
2012-Mar-02 11:57 UTC
[Samba] Domain users are loosing there groups after some time.
and of course

> When we restart the clients they can connect for a short time
> and then say have the same problem again.

should be

> When we restart the clients they can connect for a short time,
> and then they have the same problem again.
Dale Schroeder
2012-Mar-02 18:59 UTC
[Samba] Domain users are loosing there groups after some time.
On 03/02/2012 5:39 AM, Benedikt Schindler wrote:
> Samba version : 3.6.3
> Filesystem : BTRFS
> Clients : XP, Win7
> Log Level : 5
>
> When we start our samba server everything works fine.
> After a few days, some of our users are not allowed to connect to shares
> anymore. When we restart the clients they can connect for a short time
> and then say have the same problem again.
>
> When we restart the server everything works fine for a few days again.
> We set the "winbind offline logon = yes" and it slowed down the process,
> but didn't stop it.
>
> After a long search I think I found the problem.
>
> The user has "401217" as mapped ID,
> and should be in the groups
> 400513
> 401612
> 401609
> 401611
>
> But samba just put him into
> 400513
> 401612
> 401611
>
> So samba lost one group. And that's the reason the user is not allowed to
> connect to the share, because only the group 401609 has a read permission.
>
> Any ideas how that could happen?
>
> Here is a log of a "failed" login:
>
> [2012/03/02 11:37:52.842978, 5] ../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (15):
>     SID[ 0]: S-1-5-21-1004336348-920026266-682003330-1217
>     SID[ 1]: S-1-5-21-1004336348-920026266-682003330-513
>     SID[ 2]: S-1-5-21-1004336348-920026266-682003330-1612
>     SID[ 3]: S-1-5-21-1004336348-920026266-682003330-1609
>     SID[ 4]: S-1-5-21-1004336348-920026266-682003330-1611
>     SID[ 5]: S-1-1-0
>     SID[ 6]: S-1-5-2
>     SID[ 7]: S-1-5-11
>     SID[ 8]: S-1-22-1-401217
>     SID[ 9]: S-1-22-2-400513
>     SID[ 10]: S-1-22-2-401612
>     SID[ 11]: S-1-22-2-401611
>     SID[ 12]: S-1-22-2-70000
>     SID[ 13]: S-1-22-2-70002
>     SID[ 14]: S-1-22-2-70011
>   Privileges (0x 0):
>   Rights (0x 0):
> [2012/03/02 11:37:52.843247, 5] auth/token_util.c:527(debug_unix_user_token)
>   UNIX token of user 401217
>   Primary group is 400513 and contains 6 supplementary groups
>   Group[ 0]: 400513
>   Group[ 1]: 401612
>   Group[ 2]: 401611
>   Group[ 3]: 70000
>   Group[ 4]: 70002
>   Group[ 5]: 70011
> [2012/03/02 11:37:52.843372, 5] smbd/uid.c:317(change_to_user_internal)
>   Impersonated user: uid=(0,401217), gid=(0,400513)
> [2012/03/02 11:37:52.843408, 4] smbd/vfs.c:780(vfs_ChDir)
>   vfs_ChDir to /home/data
> [2012/03/02 11:37:52.843443, 4] smbd/vfs.c:780(vfs_ChDir)
>   vfs_ChDir to /home/data
> [2012/03/02 11:37:52.843476, 3] smbd/service.c:190(set_current_service)
>   chdir (/home/data) failed, reason: Keine Berechtigung
> [2012/03/02 11:37:52.843509, 3] smbd/error.c:81(error_packet_set)
>   error packet at smbd/process.c(1558) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
>
> Configuration parts that are maybe interesting:
> smb.conf:
>
> security = ADS
>
> socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
> nt acl support = yes
> vfs objects = acl_xattr
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind offline logon = yes
> allow trusted domains = yes
>
> idmap config * : backend = rid
> idmap config * : range = 70000-99999
> idmap config * : base_rid = 0
>
> idmap config A : backend = rid
> idmap config A : range = 400000-499999
> idmap config A : base_rid = 0
>
> idmap config B : backend = rid
> idmap config B : range = 300000-399999
> idmap config B : base_rid = 0

Benedikt,

Check this bug - https://bugzilla.samba.org/show_bug.cgi?id=8676 - to see
if any of these symptoms match those of your systems when the group loss
happens.

Dale
Mayamurugan M
2012-Mar-05 12:55 UTC
[Samba] Domain users are loosing there groups after some time.
Dear all,

I want to install a Solaris 8 Samba server. Kindly guide me on the basic
download version and the basic installation setup.
Example: pkg add and patchadd and download Samba server.

On 3/2/12, Benedikt Schindler <BeniSchindler at gmx.de> wrote:
> Samba version : 3.6.3
> Filesystem : BTRFS
> Clients : XP, Win7
> Log Level : 5
>
> When we start our samba server everything works fine.
> After a few days, some of our users are not allowed to connect to shares
> anymore. When we restart the clients they can connect for a short time
> and then say have the same problem again.
>
> When we restart the server everything works fine for a few days again.
> We set the "winbind offline logon = yes" and it slowed down the process,
> but didn't stop it.
>
> After a long search I think I found the problem.
>
> The user has "401217" as mapped ID,
> and should be in the groups
> 400513
> 401612
> 401609
> 401611
>
> But samba just put him into
> 400513
> 401612
> 401611
>
> So samba lost one group. And that's the reason the user is not allowed to
> connect to the share, because only the group 401609 has a read permission.
>
> Any ideas how that could happen?
>
> Here is a log of a "failed" login:
>
> [2012/03/02 11:37:52.842978, 5] ../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (15):
>     SID[ 0]: S-1-5-21-1004336348-920026266-682003330-1217
>     SID[ 1]: S-1-5-21-1004336348-920026266-682003330-513
>     SID[ 2]: S-1-5-21-1004336348-920026266-682003330-1612
>     SID[ 3]: S-1-5-21-1004336348-920026266-682003330-1609
>     SID[ 4]: S-1-5-21-1004336348-920026266-682003330-1611
>     SID[ 5]: S-1-1-0
>     SID[ 6]: S-1-5-2
>     SID[ 7]: S-1-5-11
>     SID[ 8]: S-1-22-1-401217
>     SID[ 9]: S-1-22-2-400513
>     SID[ 10]: S-1-22-2-401612
>     SID[ 11]: S-1-22-2-401611
>     SID[ 12]: S-1-22-2-70000
>     SID[ 13]: S-1-22-2-70002
>     SID[ 14]: S-1-22-2-70011
>   Privileges (0x 0):
>   Rights (0x 0):
> [2012/03/02 11:37:52.843247, 5] auth/token_util.c:527(debug_unix_user_token)
>   UNIX token of user 401217
>   Primary group is 400513 and contains 6 supplementary groups
>   Group[ 0]: 400513
>   Group[ 1]: 401612
>   Group[ 2]: 401611
>   Group[ 3]: 70000
>   Group[ 4]: 70002
>   Group[ 5]: 70011
> [2012/03/02 11:37:52.843372, 5] smbd/uid.c:317(change_to_user_internal)
>   Impersonated user: uid=(0,401217), gid=(0,400513)
> [2012/03/02 11:37:52.843408, 4] smbd/vfs.c:780(vfs_ChDir)
>   vfs_ChDir to /home/data
> [2012/03/02 11:37:52.843443, 4] smbd/vfs.c:780(vfs_ChDir)
>   vfs_ChDir to /home/data
> [2012/03/02 11:37:52.843476, 3] smbd/service.c:190(set_current_service)
>   chdir (/home/data) failed, reason: Keine Berechtigung
> [2012/03/02 11:37:52.843509, 3] smbd/error.c:81(error_packet_set)
>   error packet at smbd/process.c(1558) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
>
> Configuration parts that are maybe interesting:
> smb.conf:
>
> security = ADS
>
> socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
> nt acl support = yes
> vfs objects = acl_xattr
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind offline logon = yes
> allow trusted domains = yes
>
> idmap config * : backend = rid
> idmap config * : range = 70000-99999
> idmap config * : base_rid = 0
>
> idmap config A : backend = rid
> idmap config A : range = 400000-499999
> idmap config A : base_rid = 0
>
> idmap config B : backend = rid
> idmap config B : range = 300000-399999
> idmap config B : base_rid = 0
Голостенов Михаил
2012-Mar-13 12:39 UTC
[Samba] Domain users are loosing there groups after some time.
Hello.

I have the same problem with Samba 3.6.3.
How did you solve it?

Thanks.
Micha Lenk
2012-Mar-16 10:55 UTC
[Samba] Domain users are loosing there groups after some time.
Hi Benedikt,

On 03/02/2012 12:39 PM CEST +02:00, Benedikt Schindler wrote:
> Any ideas how that could happen?

We had a similar problem using Samba 3.5.8 and found out that it only
happens for SIDs of domain-local groups (SID_ALIAS type 4). We also tried
with the current Samba (version 3.6.0 at that time), but the issue was
present in that version too.

I reported that bug and the patch that fixes the issue for us here
https://bugzilla.samba.org/show_bug.cgi?id=8523

Regards,
Micha
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-3.5.8-fix-local-group-lookup.diff
Type: text/x-patch
Size: 633 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20120316/a5025ff0/attachment.bin>