On Tue, 21 May 2024 15:06:08 +0200
Bastien HERMITTE via samba <samba at lists.samba.org> wrote:
> Hello,
>
> We have a Samba file server configured to authenticate on Samba AD.
>
> Permissions on share are set through ACL, and mapped drives are
> mounted by a GPO with condition (ex: if user is member of group
> 'share1' then share 'share1' is mounted automatically at
session
> opening).
>
> Everything seems to be working, but some users complain about some
> mapped drives not being reachable, randomly (mounted but with a red
> cross, and an error message when opening). I've experienced this
> problem on my workstation too.
>
> When the user reboots or closes/reopens the session, the problem is
> gone.
> When restarting smb/nmb on the file server, the problem is gone too.
>
> After enabling debug logs and digging, I've found this message when
> the problem occurs:
> [2024/05/21 10:03:10.664800, 10, pid=2420748, effective(0, 0),
> real(0, 0), class=auth]
> ../../source3/auth/auth_util.c:629(create_local_token) Could not
> convert SID S-1-5-21-1429651927-1816029351-2509125846-1333 to gid,
> ignoring it
>
> Here there is only the group with SID
> S-1-5-21-1429651927-1816029351-2509125846-1333, but sometimes
> several groups are concerned.
>
> The conversion is OK when launched manually with the wbinfo command, and
> reports the correct GID:
> [root at mysrv ~]# wbinfo -Y
> S-1-5-21-1429651927-1816029351-2509125846-1333 10008
>
> The samlogon cache seems OK:
> [root at mysrv ~]# net cache samlogon show
> S-1-5-21-1429651927-1816029351-2509125846-1238
> Name: SAMDOM\myuser
> SID  0: S-1-5-21-1429651927-1816029351-2509125846-1238
> SID  1: S-1-5-21-1429651927-1816029351-2509125846-513
> SID  2: S-1-5-21-1429651927-1816029351-2509125846-1333
> SID  3: S-1-5-21-1429651927-1816029351-2509125846-1337
> SID  4: S-1-5-21-1429651927-1816029351-2509125846-1345
> SID  5: S-1-5-21-1429651927-1816029351-2509125846-1339
> SID  6: S-1-5-21-1429651927-1816029351-2509125846-2109
> SID  7: S-1-5-21-1429651927-1816029351-2509125846-1340
> SID  8: S-1-5-21-1429651927-1816029351-2509125846-2107
> SID  9: S-1-5-21-1429651927-1816029351-2509125846-2776
> SID 10: S-1-5-21-0-0-0-497
>
> The list of groups from wbinfo is correct too:
> [root at mysrv ~]# wbinfo -r SAMDOM\\myuser
> 10000
> 10008
> 10009
> 10020
> 10004
> 10038
> 10005
> 10033
> 10050
> 3001
>
> When the problem occurs, I can see in syslog:
> May 21 12:33:00 mysrv smbd_audit[2420748]: chdir_current_service:
> vfs_ChDir(/home/events) failed: Permission denied. Current token:
> uid=10054, gid=10000, 12 groups: 10000 10009 10020 10004 10038 10005
> 10033 10050 3003 3004 3005 3001
>
> So the group with ID 10008 is missing because it has failed to
> convert, and so the user can't access the share.
>
> I can't figure out why the conversion fails randomly.
>
> The file server is Rocky Linux 8.9 (up to date), with Samba 4.18.6 from
> the Rocky Linux default repository.
> Below is my smb.conf:
> [global]
>         security = ADS
>         workgroup = SAMDOM
>         realm = SAMDOM.MYDOMAIN.COM
>
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>         idmap config SAMDOM:backend = ad
>         idmap config SAMDOM:schema_mode = rfc2307
>         idmap config SAMDOM:range = 10000-999999
>         idmap config SAMDOM:unix_nss_info = no
>
>         template shell = /sbin/nologin
>         template homedir = /home/users/%U
>
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind use default domain = no
>
>         username map = /etc/samba/user.map
>
>         server string = //MYDOMAIN //Samba File Server
>         netbios name = SHARE
>
>         log file = /var/log/samba/%m.log
>         log level = 10 auth_audit:6 auth_json_audit:6
>         max log size = 0
>
>         min protocol = SMB2
>
>         # Disable printing
>         printcap name = /dev/null
>         load printers = no
>         disable spoolss = yes
>         printing = bsd
>
>         # Workaround for regression caused by fix for CVE-2020-25717
>         # See: https://lists.samba.org/archive/samba/2021-November/238521.html
>         min domain uid = 0
>
>         vfs objects = full_audit recycle acl_xattr fruit streams_xattr
>
>         full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
>         full_audit:success = mkdirat renameat unlinkat pwrite
>         full_audit:failure = none
>         full_audit:facility = LOCAL5
>         full_audit:priority = NOTICE
>
>         recycle:repository = /home/corbeille/%S
>         recycle:directory_mode = 0775
>         recycle:keeptree = yes
>         recycle:versions = yes
>         recycle:touch = yes
>         recycle:touch_mtime = yes
>         recycle:maxsize = 500000000
>         recycle:exclude = *.tmp ~$* *.~?? ._* *.DS_Store .~*
>
>         map acl inherit = yes
>         store dos attributes = yes
>         dos filemode = yes
>         dos filetimes = yes
>
>         # fruit parameters :
>         fruit:metadata = stream
>         fruit:model = MacSamba
>         fruit:posix_rename = yes
>         fruit:veto_appledouble = no
>         fruit:nfs_aces = no
>         fruit:wipe_intentionally_left_blank_rfork = yes
>         fruit:delete_empty_adfiles = yes
>
> [users]
>         path = /home/users
>         read only = no
> [share1]
>         path= /home///share1/
>         read only = no
> [share2]
>         path = /home///share2/
>         read only = no
> ...
>
>
> After hours of research I've run out of ideas...
> Can someone help me?
>
> I can provide more information if needed.
>
> Thanks in advance.
>
> Regards,
> Bastien
>
OK, I am nowhere near to being an expert on 'C', but it appears that
the 'Could not convert SID' message is only printed at a level 10 log
and if the Unix ID isn't an ID_TYPE_GID and ID_TYPE_BOTH, so what
actually is the RID 1333, not its number, its name?
Rowland
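To spot this failure without reading level-10 logs by hand, the following added script (not from the thread or the Samba project) correlates the 'Could not convert SID' debug line with the smbd_audit token line for the same smbd pid and reports which expected GIDs are missing from the token. The log lines and the expected GID set are constructed to mirror the ones quoted above.

```python
import re

# Constructed sample, modelled on the lines quoted in the thread (level-10 smbd
# debug header + message, followed by the smbd_audit syslog line); not the real log.
SAMPLE_LOG = """\
[2024/05/21 10:03:10.664800, 10, pid=2420748, effective(0, 0), real(0, 0), class=auth]
  ../../source3/auth/auth_util.c:629(create_local_token) Could not convert SID S-1-5-21-1429651927-1816029351-2509125846-1333 to gid, ignoring it
May 21 12:33:00 mysrv smbd_audit[2420748]: chdir_current_service: vfs_ChDir(/home/events) failed: Permission denied. Current token: uid=10054, gid=10000, 12 groups: 10000 10009 10020 10004 10038 10005 10033 10050 3003 3004 3005 3001
"""

# GIDs that 'wbinfo -r SAMDOM\\myuser' reports for the user (constructed to match the thread).
EXPECTED_GIDS = {10000, 10008, 10009, 10020, 10004, 10038, 10005, 10033, 10050, 3001}

# Samba prints the debug header "[..., pid=N, ...]" on one line and the message on the next.
SID_FAIL_RE = re.compile(
    r"\[[^\]]*\bpid=(\d+)[^\]]*\]\s*\S*create_local_token\)\s*"
    r"Could not convert SID (S-1-5-\S+) to gid")
# The audit line carries the Unix token smbd ended up with for that process.
TOKEN_RE = re.compile(
    r"smbd_audit\[(\d+)\]:.*?Current token: uid=(\d+), gid=(\d+), (\d+) groups: ([\d ]+)")

def find_unconverted_sids(log):
    """Map smbd pid -> set of SIDs that create_local_token dropped from the token."""
    found = {}
    for pid, sid in SID_FAIL_RE.findall(log):
        found.setdefault(int(pid), set()).add(sid)
    return found

def parse_tokens(log):
    """Extract the Unix token smbd_audit logged on each failed chdir."""
    tokens = []
    for pid, uid, gid, count, groups in TOKEN_RE.findall(log):
        gids = {int(g) for g in groups.split()}
        tokens.append({"pid": int(pid), "uid": int(uid), "gid": int(gid),
                       "groups": gids, "count_ok": int(count) == len(gids)})
    return tokens

def analyse(log, expected_gids):
    """Per smbd process: expected GIDs absent from the token plus the SIDs it dropped."""
    failed = find_unconverted_sids(log)
    report = []
    for tok in parse_tokens(log):
        report.append({"pid": tok["pid"], "uid": tok["uid"],
                       "missing_gids": expected_gids - tok["groups"],
                       "dropped_sids": failed.get(tok["pid"], set())})
    return report

if __name__ == "__main__":
    for entry in analyse(SAMPLE_LOG, EXPECTED_GIDS):
        print(entry)
```

On a real server, feed it the smbd log for the affected client and the output of wbinfo -r for the user; a non-empty missing_gids set paired with a dropped SID for the same pid is the signature described in the thread.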