Bug 11820 - group with id 4294967295 randomly allocated to AD users
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Hardware: x64 Linux
Importance: P5 normal
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2016-04-01 11:12 UTC by Pancho
Modified: 2016-04-04 21:03 UTC (History)

Description Pancho 2016-04-01 11:12:52 UTC
We run Samba (4.3.5) on CentOS 7x64 as an AD domain controller, and we have another CentOS 6x64 server that has been joined to the domain which provides a Samba (also 4.3.5) share to our AD users.

Fairly frequently (nearly every day), and with no clear reason I can ascertain, a random business user will complain: "I cannot access the shared drive"

On investigation I reliably find that, on the Linux server hosting the share, the following is the case:

# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
domain admins
domain guests
schema admins
domain users

# id problemusername
uid=10010 gid=10001(osdirector) groups=4294967295,10001(osdirector),10013(domain admins),10000(osdevelopment),10004(ossecurity),10005(osvpn),10014(domain users),2000(BUILTIN\administrators),2001(BUILTIN\users)

The groups obviously vary depending on problemusername, but in every case the first group in the list shows up as a non-existent group id of 4294967295.

To correct the problem is simple, on the server hosting the share I simply type:

# net cache flush

Immediately re-running

# id problemusername
uid=10010 gid=10001(osdirector) groups=10001(osdirector),10013(domain admins),10000(osdevelopment),10004(ossecurity),10005(osvpn),10014(domain users),2000(BUILTIN\administrators),2001(BUILTIN\users)

i.e., the identical list BUT WITHOUT the 4294967295 group, and hey presto problemusername is again able to access the shared drive.

And so all is fine... until another random user contacts me and says "I cannot access the shared drive"

Just for interest, 4294967295 is not a random number, as searching returns the following Wikipedia entry: https://en.wikipedia.org/wiki/4294967295
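
A check for the symptom described in this report, added here as an example and not part of the original report or of Samba: it scans `id` output for the group id 4294967295 (2^32 - 1, the value -1 takes when stored as a 32-bit unsigned gid) so affected accounts can be found before users report lost access. The function names `bad_gid_in_id_line` and `check_users` are hypothetical.

```shell
#!/bin/sh
# Added example: detect group id 4294967295 in the groups= list printed by `id`.
# 4294967295 == 2^32 - 1, i.e. -1 stored as a 32-bit unsigned gid.

BAD_GID=4294967295

# bad_gid_in_id_line LINE
# Return 0 if the groups= list of one line of `id` output contains BAD_GID,
# either bare ("4294967295") or with a name ("4294967295(name)").
bad_gid_in_id_line() {
    groups=${1##*groups=}                 # text after "groups="
    [ "$groups" != "$1" ] || return 1     # line has no groups= field
    groups=${groups%% context=*}          # drop an SELinux context suffix, if any
    # Anchor on the separators so 14294967295 or 42949672950 do not match.
    case ",$groups," in
        *",$BAD_GID,"*|*",$BAD_GID("*) return 0 ;;
    esac
    return 1
}

# check_users USER...
# Print each user whose supplementary groups include BAD_GID.
# Returns 1 if at least one affected user was found, 0 otherwise.
check_users() {
    rc=0
    for u in "$@"; do
        line=$(id "$u" 2>/dev/null) || continue   # skip unknown users
        if bad_gid_in_id_line "$line"; then
            echo "$u"
            rc=1
        fi
    done
    return $rc
}
```

Running `check_users` from cron over the accounts that use the share gives an early signal that the cache on the member server holds the bad entry; the report's workaround for that state is `net cache flush`.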