Problem: Some of Your Users Do Not Get Access to Files Even Though the ACL and Permissions Are Correct

Problem

Some of your users do not get access to files or folders even though the ACLs and permissions are correct. They can map the share, but when they enter a folder they get “permission denied”.

Environment

Not all users and not all folders are affected.
Additionally, in the permission dialog (on Windows) you will notice entries like »Unix-Group 5001« or »Unix-User 506« instead of the assigned domain names. Samba shows these names when the owner or group of a file carries a SID from its S-1-22 pseudo-domain (S-1-22-1-<uid> for Unix users, S-1-22-2-<gid> for Unix groups) instead of a real domain SID.

Listing the folder's content with smbclient fails, too (here authenticating as the affected user with a keytab exported from the domain):

root@ucs1:~$ samba-tool domain exportkeytab --principal=USER@$(ucr get kerberos/realm) test.keytab
Export one principal to test.keytab
root@ucs1:~$ kinit -t test.keytab USER@$(ucr get kerberos/realm)
root@ucs1:~$ smbclient -k "//$(hostname -f)/SHARE"
Try "help" to get a list of possible commands.
smb: \> cd FOLDER
smb: \FOLDER\> ls
NT_STATUS_ACCESS_DENIED listing \FOLDER\*

Solution

Flush the Samba caches and restart winbind on the UCS host:

root@ucs:$ net cache flush
root@ucs:$ systemctl restart winbind

Investigation

Check the ACL of the folder in question. Note the “group_sid” of “S-1-22-2-5001”: S-1-22-2-<gid> is the fallback SID Samba synthesizes for a Unix group that winbind cannot map to a domain SID, so it indicates that the Linux-to-Windows ID mapping has failed.

root@ucs1:~$ samba-tool ntacl get FOLDER
   security_descriptor: struct security_descriptor
        revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
        type                     : 0x9004 (36868)
               0: SEC_DESC_OWNER_DEFAULTED
[...]
               1: SEC_DESC_SELF_RELATIVE
        owner_sid                : *
            owner_sid                : S-1-5-21-3077948595-2234059106-450932641-1772
        group_sid                : *
            group_sid                : S-1-22-2-5001
[...]

Resolving the gid to a SID fails as well: instead of the domain SID, winbind returns only the S-1-22-2-<gid> fallback SID, which confirms that the mapping is broken.

root@ucs1:~$ wbinfo --gid-to-sid 5001
S-1-22-2-5001

Looking up the correct SID of the group by name still works:

root@data1:~$ wbinfo --name-to-sid "Domain Users"
S-1-5-21-3077948595-2424059106-765932641-523 SID_DOM_GROUP (2)

But mapping this SID back to a Linux gid results in an error:

root@data1:~$ wbinfo --sid-to-gid S-1-5-21-3077948595-2424059106-765932641-523
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND

Restarting winbind as noted above (after flushing the cache) fixes the issue; afterwards wbinfo --sid-to-gid resolves the SID again and samba-tool ntacl get shows the domain SID instead of S-1-22-2-5001.
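The checks from the Investigation section can be automated so that a share can be tested before and after the winbind restart. The following script is an added example and is not part of the Univention article or of Samba itself: it parses the output of samba-tool ntacl get, classifies every owner, group and trustee SID, and reports any SID from the S-1-22 pseudo-domain. The function names, the diagnose_path wrapper and the two embedded sample ACL dumps (modelled on the output above, with RID 513 as the well-known Domain Users RID) are constructed for this example; only the helper that calls samba-tool needs to run on the UCS host itself.

```shell
#!/bin/sh
# Added example, not from the Univention article or from Samba: detect the
# S-1-22-* "Unix User/Unix Group" fallback SIDs that winbind hands out when
# idmap cannot map a uid/gid to a domain SID. All names below are constructed.

# Classify one SID. Prints "unix-user UID", "unix-group GID", "domain RID",
# "builtin RID" or "other".
sid_kind() {
    case "$1" in
        S-1-22-1-[0-9]*)      echo "unix-user ${1#S-1-22-1-}" ;;
        S-1-22-2-[0-9]*)      echo "unix-group ${1#S-1-22-2-}" ;;
        S-1-5-21-*-*-*-[0-9]*) echo "domain ${1##*-}" ;;
        S-1-5-32-[0-9]*)      echo "builtin ${1#S-1-5-32-}" ;;
        *)                    echo "other" ;;
    esac
}

# Read `samba-tool ntacl get` output on stdin and print every owner_sid,
# group_sid or trustee that is an S-1-22-* fallback SID, one per line.
# Returns 0 when every SID is a domain/builtin SID and 1 when at least one
# unmapped SID was found (the article's symptom).
find_unmapped_sids() {
    found=0
    while read -r field colon sid rest; do
        case "$field" in owner_sid|group_sid|trustee) ;; *) continue ;; esac
        [ "$colon" = ":" ] && [ "$sid" != "*" ] || continue   # "*" lines carry no value
        kind=$(sid_kind "$sid")
        case "$kind" in
            unix-*) printf '%s %s (%s)\n' "$field" "$sid" "$kind"; found=1 ;;
        esac
    done
    return "$found"
}

# On the UCS/Samba host itself: dump the ACL of PATH and check it. samba-tool
# only exists there, so this function is not exercised offline.
diagnose_path() {
    command -v samba-tool >/dev/null 2>&1 || { echo "samba-tool not found" >&2; return 2; }
    if samba-tool ntacl get "$1" | find_unmapped_sids; then
        echo "all SIDs on $1 are mapped"
        return 0
    fi
    echo "-> unmapped S-1-22-* SIDs on $1: run 'net cache flush' and 'systemctl restart winbind', then re-check"
    return 1
}

# Constructed sample dumps, modelled on the article's samba-tool output.
SAMPLE_BROKEN_ACL='    security_descriptor: struct security_descriptor
        revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
        owner_sid                : *
            owner_sid                : S-1-5-21-3077948595-2234059106-450932641-1772
        group_sid                : *
            group_sid                : S-1-22-2-5001'

SAMPLE_OK_ACL='    security_descriptor: struct security_descriptor
        revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
        owner_sid                : *
            owner_sid                : S-1-5-21-3077948595-2234059106-450932641-1772
        group_sid                : *
            group_sid                : S-1-5-21-3077948595-2234059106-450932641-513'

if [ $# -gt 0 ]; then
    diagnose_path "$1"
else
    # No path given: show the check on the constructed broken sample.
    printf '%s\n' "$SAMPLE_BROKEN_ACL" | find_unmapped_sids ||
        echo "-> unmapped SIDs found: flush the cache and restart winbind"
fi
```

Run it as ./check-ntacl.sh /path/to/FOLDER on the UCS host to test a real folder; without an argument it only runs against the embedded sample. A non-zero exit from diagnose_path after the restart means the idmap backend itself, not just a stale winbind, needs attention, and the wbinfo --gid-to-sid / --sid-to-gid calls from the Investigation section are the next thing to look at for the gids it printed.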
