Problem
Some of your users cannot access files or folders even though the ACLs and permissions are correct. They can map the share, but when they open a folder they get a “permission denied” error.
Environment
Not all users and not all folders are affected.
Additionally, the permission dialog on Windows shows entries like »Unix-Group 5001« or »Unix-User 506« instead of the domain user and group names that were assigned.
Listing the folder's contents with smbclient fails, too:
root@ucs1:~$ samba-tool domain exportkeytab --principal=USER@$(ucr get kerberos/realm) test.keytab
Export one principal to test.keytab
root@ucs1:~$ kinit -t test.keytab USER@$(ucr get kerberos/realm)
root@ucs1:~$ smbclient -k "//$(hostname -f)/SHARE"
Try "help" to get a list of possible commands.
smb: \> cd FOLDER
smb: \FOLDER\> ls
NT_STATUS_ACCESS_DENIED listing \FOLDER\*
Solution
Flush the winbind cache and restart winbind on the UCS host:
root@ucs:$ net cache flush
root@ucs:$ systemctl restart winbind
Investigation
Check the ACLs of the folder in question. Note the “group_sid” of “S-1-22-2-5001”: the S-1-22-2 prefix is Samba's generic “Unix Group” namespace, so the group was not mapped to its domain SID and the Linux-to-Windows ID mapping is broken.
</gre_replace>
<gr_replace lines="33" cat="clarify" orig="The gid to SID mapping">
The GID-to-SID mapping fails: wbinfo returns only the generic Unix-group SID instead of the domain group's SID, which indicates that winbind cannot resolve the group.
root@ucs1:~$ samba-tool ntacl get FOLDER
security_descriptor: struct security_descriptor
revision : SECURITY_DESCRIPTOR_REVISION_1 (1)
type : 0x9004 (36868)
0: SEC_DESC_OWNER_DEFAULTED
[...]
1: SEC_DESC_SELF_RELATIVE
owner_sid : *
owner_sid : S-1-5-21-3077948595-2234059106-450932641-1772
group_sid : *
group_sid : S-1-22-2-5001
[...]
The gid to SID mapping fails and only shows a short SID which indicates something is wrong.
root@ucs1:~$ wbinfo --gid-to-sid 5001
S-1-22-2-5001
Getting the correct SID:
root@data1:~$ wbinfo --name-to-sid "Domain Users"
S-1-5-21-3077948595-2424059106-765932641-523 SID_DOM_GROUP (2)
Trying to map this SID back to a Linux GID fails with an error:
root@data1:~$ wbinfo --sid-to-gid S-1-5-21-3077948595-2424059106-765932641-523
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Restarting winbind as noted above fixes the issue.
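As an added illustration (not part of the original article), the following POSIX shell script turns the wbinfo check from the investigation into a reusable health check: it classifies the SID that winbind returns for a GID and reports a generic S-1-22-2 "Unix Group" SID as a broken mapping. The fake_wbinfo function and the domain SID for gid 5002 are constructed stand-ins so the script runs on a machine without Samba; on a UCS host, check_gid_mapping defaults to the real wbinfo command.

```shell
#!/bin/sh
# Added example, not part of the original article: classify SIDs returned by
# wbinfo so a troubleshooting or monitoring script can spot broken ID mapping.
# S-1-22-1-<uid> and S-1-22-2-<gid> are Samba's generic "Unix User"/"Unix Group"
# pseudo-SIDs; a healthy domain mapping returns S-1-5-21-<domain>-<rid>.

# classify_sid SID -> prints one of: unix-user, unix-group, domain, other, invalid
classify_sid() {
    case "$1" in
        S-1-22-1-[0-9]*) echo unix-user ;;
        S-1-22-2-[0-9]*) echo unix-group ;;
        S-1-5-21-*-*-*-[0-9]*) echo domain ;;
        S-1-*) echo other ;;
        *) echo invalid ;;
    esac
}

# check_gid_mapping GID [RESOLVER]
# RESOLVER is a command that prints the SID for a GID; it defaults to
# "wbinfo --gid-to-sid". Exit status: 0 = healthy domain mapping,
# 1 = generic Unix pseudo-SID (winbind cannot resolve the group; flush the
# cache and restart winbind as described in the Solution), 2 = lookup error.
check_gid_mapping() {
    gid=$1
    resolver=${2:-"wbinfo --gid-to-sid"}
    sid=$($resolver "$gid" 2>/dev/null) || { echo "lookup failed for gid $gid"; return 2; }
    case "$(classify_sid "$sid")" in
        domain)     echo "gid $gid -> $sid (ok)"; return 0 ;;
        unix-group) echo "gid $gid -> $sid (generic Unix SID: idmap broken)"; return 1 ;;
        *)          echo "gid $gid -> $sid (unexpected)"; return 2 ;;
    esac
}

# Constructed stand-in for wbinfo so the example runs without Samba:
# gid 5001 is broken (as in the article), gid 5002 maps to a constructed
# domain SID (the article's domain prefix with RID 513), gid 9999 is unknown.
fake_wbinfo() {
    case "$1" in
        5001) echo S-1-22-2-5001 ;;
        5002) echo S-1-5-21-3077948595-2234059106-450932641-513 ;;
        *) return 1 ;;
    esac
}

# Run with --demo to see the three outcomes using the fake resolver.
if [ "${1:-}" = "--demo" ]; then
    check_gid_mapping 5001 fake_wbinfo
    check_gid_mapping 5002 fake_wbinfo
    check_gid_mapping 9999 fake_wbinfo
fi
```

On a UCS host, `check_gid_mapping 5001` (no second argument) queries the real winbind; an exit status of 1 for a GID that should belong to a domain group is the condition this article describes and a good trigger for the winbind restart.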