Michael Tokarev
2022-Nov-19 14:16 UTC
[Samba] samba crashes windows explorer (while trying to view file permissions)
...

So, this boils down to, so far:

This (problematic, fresh) domain:

# wbinfo -s S-1-5-21-880456541-1649917288-23935232-513
PZ\Domain Users 2
# wbinfo -Y S-1-5-21-880456541-1649917288-23935232-513
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-880456541-1649917288-23935232-513 to gid

On another, working, domain:

# wbinfo -s S-1-5-21-411424318-379842365-2075518510-513
TLS\Domain Users 2
# wbinfo -Y S-1-5-21-411424318-379842365-2075518510-513
100

idmap.ldb seems to be having similar information (besides
the domain sid of course)

and now.. after quite some time, without me doing anything,
it shows (on the bad domain):

# wbinfo -Y S-1-5-21-880456541-1649917288-23935232-513
3004

I think this comes from my attempts to add something in
there:

# idmap config * : backend = tdb
# idmap config * : range = 3000-3099

which I commented out quite some time ago. Or not - I recreated
the domain with these commented out, so it is again unclear
where it got the 3000 number from.

But still (different id, 512 instead of 513):

# wbinfo -Y S-1-5-21-880456541-1649917288-23935232-512
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-880456541-1649917288-23935232-512 to gid

What Is Going On?

Does anyone know if this beast *ever* work? This is a
*fresh* domain, just created...

/mjt
Rowland Penny
2022-Nov-19 15:35 UTC
[Samba] samba crashes windows explorer (while trying to view file permissions)
On 19/11/2022 14:16, Michael Tokarev via samba wrote:
> ...
>
> So, this boils down to, so far:
>
> This (problematic, fresh) domain:
>
> # wbinfo -s S-1-5-21-880456541-1649917288-23935232-513
> PZ\Domain Users 2
> # wbinfo -Y S-1-5-21-880456541-1649917288-23935232-513
> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-880456541-1649917288-23935232-513 to gid
>
> On another, working, domain:
>
> # wbinfo -s S-1-5-21-411424318-379842365-2075518510-513
> TLS\Domain Users 2
> # wbinfo -Y S-1-5-21-411424318-379842365-2075518510-513
> 100
>
> idmap.ldb seems to be having similar information (besides
> the domain sid of course)
>
>
> and now.. after quite some time, without me doing anything,
> it shows (on the bad domain):
>
> # wbinfo -Y S-1-5-21-880456541-1649917288-23935232-513
> 3004
>
> I think this comes from my attempts to add something in
> there:
>
> # idmap config * : backend = tdb
> # idmap config * : range = 3000-3099
>
> which I commented out quite some time ago. Or not - I recreated
> the domain with these commented out, so it is again unclear
> where it got the 3000 number from.

Neither have I, the 'idmap config' lines, up until now, have never worked on a DC, but something could have changed and I suppose they could have started working, but if they have, it will be a bug.

>
> But still (different id, 512 instead of 513):
>
> # wbinfo -Y S-1-5-21-880456541-1649917288-23935232-512
> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-880456541-1649917288-23935232-512 to gid

Ah, '512' is Domain Admins and you definitely do not want that group to have a 'GID'. It needs to 'own' things in Sysvol and to do this, it is mapped to 'ID_TYPE_BOTH' in idmap.ldb (that is, it is both a group and a user) and if you give it a gidNumber attribute, it becomes just a group and you break Sysvol.

>
> What Is Going On?
>
> Does anyone know if this beast *ever* work? This is a
> *fresh* domain, just created...
>
> /mjt
>

I do not know if your 'beast' has ever worked correctly, but it should do. I suggest you compare your working DC with your non working DC and see if something is different.

Rowland
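
A check for the condition described in the reply above (Domain Admins, RID 512, carrying a gidNumber attribute), as an added example that is not part of the original thread. It assumes the group objects have been exported to LDIF text with objectSid shown as an S-1-... string; the function names and the sample records are constructed for illustration.

```python
import base64

DOMAIN_ADMINS_RID = 512  # RID named in the thread; the reply says it must not get a gidNumber


def parse_ldif(text):
    """Yield one dict per LDIF record: lower-cased attribute -> list of values."""
    # Unfold continuation lines (a line starting with one space continues the previous one).
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    record = {}
    for line in lines + [""]:          # the trailing "" flushes the last record
        if not line.strip():
            if record:
                yield record
            record = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):      # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        record.setdefault(attr.strip().lower(), []).append(value.strip())


def groups_with_unwanted_gid(text, rid=DOMAIN_ADMINS_RID):
    """Return DNs of records whose objectSid ends in -<rid> and that carry gidNumber."""
    hits = []
    for rec in parse_ldif(text):
        sid = rec.get("objectsid", [""])[0]
        if sid.rsplit("-", 1)[-1] == str(rid) and "gidnumber" in rec:
            hits.append(rec.get("dn", ["<no dn>"])[0])
    return hits


# Constructed sample input (placeholder domain and SID, not the thread's domains).
SAMPLE = """\
dn: CN=Domain Admins,CN=Users,DC=example,DC=test
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
gidNumber: 10512

dn: CN=Domain Users,CN=Users,DC=example,DC=test
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10513
"""

if __name__ == "__main__":
    for dn in groups_with_unwanted_gid(SAMPLE):
        print("gidNumber set on Domain Admins:", dn)
```

Running the same function over exports from the working and the non-working DC gives a quick first difference to look at when comparing the two.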