Hi,
I have a ClearOS 7.8 system which is running
samba-4.10.4-11.el7_8.x86_64, and it upgraded to this just over a week
ago (probably not relevant). A couple of days ago all the group shares
failed. I discovered that if I switched them to the built-in group
"allusers" the share worked fine. It fails for any user-defined group
but it used to work. Samba is running as a PDC and the configs,
including one share are:

[root@server ~]# testparm -s
Load smb config files from /etc/samba/smb.conf
NOTE: Service profiles is flagged unavailable.
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_PDC

# Global parameters
[global]
        add machine script = /usr/sbin/samba-add-machine "%u"
        domain logons = Yes
        domain master = Yes
        guest account = guest
        interfaces = lo enp8s0f0
        ldap admin dn = cn=manager,ou=Internal,dc=sha,dc=lan
        ldap connection timeout = 8
        ldap group suffix = ou=Groups,ou=Accounts
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Computers,ou=Accounts
        ldap ssl = no
        ldap suffix = dc=sha,dc=lan
        ldap user suffix = ou=Users,ou=Accounts
        log file = /var/log/samba/%L-%m
        logon drive = H:
        logon home = \\%L\%U
        logon path =
        logon script = logon.cmd
        max log size = 0
        ntlm auth = ntlmv1-permitted
        passdb backend = ldapsam:ldap://127.0.0.1
        passwd chat = *password:* %n\n *password:* %n\n *successfully.*
        passwd chat timeout = 10
        passwd program = /usr/sbin/userpasswd %u
        preferred master = Yes
        printcap name = /etc/printcap
        security = USER
        server string = ClearOS Server
        template homedir = /home/%U
        template shell = /sbin/nologin
        unix password sync = Yes
        username map = /etc/samba/smbusers
        utmp = Yes
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind expand groups = 1
        winbind separator = +
        winbind use default domain = Yes
        wins support = Yes
        workgroup = SHA
        idmap config * : ldap_user_dn = cn=manager,ou=Internal,dc=sha,dc=lan
        idmap config * : ldap_base_dn = ou=Idmap,dc=sha,dc=lan
        idmap config * : ldap_url = ldap://127.0.0.1
        idmap config * : range = 20000000-29999999
        idmap config * : backend = ldap
        include = /etc/samba/flexshare.conf

[test]
        comment = test
        create mask = 0664
        directory mask = 0775
        path = /var/flexshare/shares/test
        read only = No
        valid users = @%D\admin @admin
        veto files = /.flexshare*/

If I try using smbclient I get:

[root@server shares]# smbclient //localhost/test -c 'ls' -U clearcenter
Enter SHA\clearcenter's password:
tree connect failed: NT_STATUS_ACCESS_DENIED

If I change the valid users to the "allusers" group and change the
folder permissions, it works fine.
I get:

[root@server ~]# wbinfo --group-info='staff'
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group staff
[root@server ~]# wbinfo --group-info='allusers'
allusers:x:63000:flexshare,clearcenter,zschladen,fferri,myantzi,echarron,kjohnson,printer,debacker,mmcleod,dseydoux,shiggins,email-archive,guest
[root@server shares]# net groupmap list
allusers (S-1-5-21-1661951805-1908507638-2940817366-63000) -> allusers
Guests (S-1-5-32-546) -> guests
dropbox_plugin (S-1-5-21-1661951805-1908507638-2940817366-60000) -> dropbox_plugin
imap_plugin (S-1-5-21-1661951805-1908507638-2940817366-60001) -> imap_plugin
openvpn_plugin (S-1-5-21-1661951805-1908507638-2940817366-60002) -> openvpn_plugin
print_server_plugin (S-1-5-21-1661951805-1908507638-2940817366-60003) -> print_server_plugin
smtp_plugin (S-1-5-21-1661951805-1908507638-2940817366-60004) -> smtp_plugin
user_certificates_plugin (S-1-5-21-1661951805-1908507638-2940817366-60005) -> user_certificates_plugin
Domain Admins (S-1-5-21-1661951805-1908507638-2940817366-512) -> domain_admins
Domain Users (S-1-5-21-1661951805-1908507638-2940817366-513) -> domain_users
Domain Guests (S-1-5-21-1661951805-1908507638-2940817366-514) -> domain_guests
Domain Computers (S-1-5-21-1661951805-1908507638-2940817366-515) -> domain_computers
Administrators (S-1-5-32-544) -> administrators
Users (S-1-5-32-545) -> users
Power Users (S-1-5-32-547) -> power_users
Account Operators (S-1-5-32-548) -> account_operators
Server Operators (S-1-5-32-549) -> server_operators
Print Operators (S-1-5-32-550) -> print_operators
Backup Operators (S-1-5-32-551) -> backup_operators
executive (S-1-5-21-1661951805-1908507638-2940817366-60006) -> executive
staff (S-1-5-21-1661951805-1908507638-2940817366-60007) -> staff
visitors (S-1-5-21-1661951805-1908507638-2940817366-60008) -> visitors
admin (S-1-5-21-1661951805-1908507638-2940817366-60009) -> admin

One of the Samba logs goes:

[2020/07/16 05:29:48.583319,  1] ../../source3/smbd/service.c:359(create_connection_session_info)
  create_connection_session_info: user 'clearcenter' (from session setup) not permitted to access this share (test)

I notice the messages log gives:

Jul 16 04:34:28 server winbindd[21471]: [2020/07/16 04:34:28.069299,  0] ../../source3/winbindd/idmap_ldap.c:85(get_credentials)
Jul 16 04:34:28 server winbindd[21471]:   get_credentials: Unable to fetch auth credentials for cn=manager,ou=Internal,dc=sha,dc=lan in *

I have tried clearing the winbindd_cache.tdb and gencache.tdb but am
wary of clearing anything else without instruction.
Please can you help me?
Thanks,
Nick
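
The by-hand comparison in the message above (a group that appears in `net groupmap list` but fails `wbinfo --group-info`) can be repeated for every mapped group. This is an added example, not part of the original post; the function names parse_groupmap, resolve_group and unresolved_groups are hypothetical, and only the two commands shown in the post are called.

```shell
#!/bin/sh
# Added example: report every group mapping that winbind cannot resolve.

# parse_groupmap: read `net groupmap list` output on stdin and print
# "SID<TAB>unixgroup" per mapping. Input is joined into one string first,
# so entries wrapped across lines (as in a mailed paste) still parse.
parse_groupmap() {
    awk '{ buf = buf " " $0 }
    END {
        while (match(buf, /\(S-[0-9-]+\) +-> +[^ ]+/)) {
            entry = substr(buf, RSTART, RLENGTH)
            buf = substr(buf, RSTART + RLENGTH)
            sid = entry; sub(/^\(/, "", sid); sub(/\).*$/, "", sid)
            grp = entry; sub(/^.*-> +/, "", grp)
            print sid "\t" grp
        }
    }'
}

# resolve_group: succeed if winbind can return group info for $1.
# Same lookup as the wbinfo calls in the post.
resolve_group() {
    wbinfo --group-info="$1" >/dev/null 2>&1
}

# unresolved_groups: read groupmap output on stdin and print
# "unixgroup<TAB>SID<TAB>kind" for each mapping that fails to resolve.
# kind is "builtin" for S-1-5-32-* aliases and "domain" for everything else.
unresolved_groups() {
    parse_groupmap | while IFS="$(printf '\t')" read -r sid grp; do
        case "$sid" in
            S-1-5-32-*) kind=builtin ;;
            *)          kind=domain ;;
        esac
        resolve_group "$grp" || printf '%s\t%s\t%s\n' "$grp" "$sid" "$kind"
    done
}

# Run the check only where the Samba tools are installed.
if command -v net >/dev/null 2>&1 && command -v wbinfo >/dev/null 2>&1; then
    net groupmap list | unresolved_groups
fi
```

An empty result means every mapped group resolves; any line printed names a group that `valid users = @group` cannot match through winbind.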