Joseph Dickson
2016-Apr-12 14:17 UTC
[Samba] failed to find NT AUTHORITY domain log message during backup windows
On Mon, Apr 11, 2016 at 6:10 PM, Jonathan Hunter <jmhunter1 at gmail.com> wrote:

> It sounds as though there are files on your servers owned by a UID or GID
> (most probably a GID) that is not in /etc/group, and is being looked up and
> "reverse resolved" to 'NT AUTHORITY\Authenticated Users', but this somehow
> doesn't map back the other way, i.e. from a name to a GID.
>
> Can you narrow it down and perhaps use the 'find' command to see what
> UID/GID this is?

On a hunch, I tried a getfacl on a directory and triggered the error that way. Here is the result of the getfacl:

# getfacl .
# file: .
# owner: root
# group: EVOLVETSI\134domain\040users
user::rwx
user:root:rwx
user:EVOLVETSI\134domain\040admins:rwx
group::---
group:5004:r-x
group:EVOLVETSI\134domain\040admins:rwx
group:EVOLVETSI\134domain\040users:---
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:EVOLVETSI\134domain\040admins:rwx
default:group::---
default:group:EVOLVETSI\134domain\040admins:rwx
default:group:EVOLVETSI\134domain\040users:---
default:mask::rwx
default:other::---

It looks like the group:5004:r-x permission is the one causing the issue..

Some more getent digging:

# getent group 5001
BUILTIN\users:x:5001:
# getent group 5002
# getent group 5003
# getent group 5004
# getent group 5005

and the relevant idmap lines from my config:

idmap config * : backend = tdb
idmap config * : range = 5000-25000
idmap config EVOLVETSI : backend = rid
idmap config EVOLVETSI : range = 1000000 - 1999999

Any idea where I should look next?

Thank you!

--
*Joseph Dickson*
Jonathan Hunter
2016-Apr-13 22:58 UTC
[Samba] failed to find NT AUTHORITY domain log message during backup windows
Hi Joseph,

Some good digging here :)

On 12 April 2016 at 15:17, Joseph Dickson <jdickson at evolvetsi.com> wrote:

> On a hunch, I tried a getfacl on a directory and triggered the error that
> way. Here is the result of the getfacl:
> [...]
> It looks like the group:5004:r-x permission is the one causing the issue..
>
> Some more getent digging:
>
> # getent group 5001
> BUILTIN\users:x:5001:
> # getent group 5002
> # getent group 5003
> # getent group 5004
> # getent group 5005
>
> [...]
> Any idea where I should look next?

I would personally look into the 'net cache list' command, and see what that contains for group 5004. Perhaps that, plus some combination of that and 'wbinfo --uid-info=5004' might shed some more light..?

Cheers

Jonathan
Joseph Dickson
2016-Apr-13 23:17 UTC
[Samba] failed to find NT AUTHORITY domain log message during backup windows
Jonathan,

> I would personally look into the 'net cache list' command, and see what
> that contains for group 5004. Perhaps that, plus some combination of that
> and 'wbinfo --uid-info=5004' might shed some more light..?

Output below.. I'm not really sure what I'm looking at, other than I know S-1-5-11 is the well known SID for Authenticated Users...

root@smbfs1:~# net cache list | grep 5004
Key: IDMAP/GID2SID/5004 Timeout: Wed Apr 20 15:47:50 2016 Value: S-1-5-11
Key: IDMAP/SID2XID/S-1-5-11 Timeout: Wed Apr 20 15:47:50 2016 Value: 5004:G
root@smbfs1:~# wbinfo --uid-info=5004
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 5004
root@smbfs1:~# wbinfo --gid-info=5004
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 5004

Any thoughts on what this could mean?

--
*Joseph Dickson*
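
An added example, not part of the thread and not Samba code: a small Python parser for getfacl output that flags ACL entries shown with a bare numeric ID (like group:5004 above) and reports which idmap range that ID falls in. The sample text and range table are constructed from the values quoted in the messages; the function names are hypothetical.

```python
import re

# Constructed sample input: getfacl lines and idmap ranges as quoted in the thread.
GETFACL = r"""# file: .
# owner: root
# group: EVOLVETSI\134domain\040users
user::rwx
user:root:rwx
user:EVOLVETSI\134domain\040admins:rwx
group::---
group:5004:r-x
group:EVOLVETSI\134domain\040admins:rwx
mask::rwx
other::---
default:group:EVOLVETSI\134domain\040users:---
"""
IDMAP_RANGES = {"*": (5000, 25000), "EVOLVETSI": (1000000, 1999999)}

def unescape(name):
    """Decode getfacl octal escapes: \\134 is a backslash, \\040 a space."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def idmap_domain(xid, ranges=IDMAP_RANGES):
    """Name of the idmap config whose range contains xid, else None."""
    return next((d for d, (lo, hi) in ranges.items() if lo <= xid <= hi), None)

def parse_acl(text):
    """Yield (scope, tag, qualifier, perms) for each ACL entry line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop header and #effective comments
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, rest = line.split(":", 1)
        qualifier, perms = rest.rsplit(":", 1)
        yield scope, tag, unescape(qualifier), perms

def unresolved_entries(text, ranges=IDMAP_RANGES):
    """Entries whose qualifier is a bare number: the ID did not map back to a name."""
    return [(scope, tag, int(q), idmap_domain(int(q), ranges), perms)
            for scope, tag, q, perms in parse_acl(text) if q.isdecimal()]

if __name__ == "__main__":
    for entry in unresolved_entries(GETFACL):
        print(entry)
```

On the sample it reports the single entry for GID 5004, which lies in the default ("*") tdb range rather than the EVOLVETSI rid range.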