I have a share with hide unreadable = yes. On this share I have project directories, which are visible according to the users group memberships. ~# ./failsmb Domain=[ANDOLAN] OS=[Unix] Server=[Samba 3.6.1] . D 0 Tue Dec 13 11:58:00 2011 .. D 0 Mon Jan 16 11:54:54 2012 Design Studies D 0 Mon Oct 17 22:48:32 2011 >-snip-< scans D 0 Tue Jan 31 14:33:08 2012 51637 blocks of size 33553920. 23513 blocks available ~# ./failsmb Domain=[ANDOLAN] OS=[Unix] Server=[Samba 3.6.1] NT_STATUS_ACCESS_DENIED listing \SB IT\* ~# cat failsmb (printf 'cd \"SB IT\"\n';printf 'ls\n')|smbclient //server/overzicht -U 'ecopy%password' Seems like the group memberships are not cached properly, because I can still see the initial directory list in the root directory. I'll do some more debugging tonight
Okay, apparently the critical time is exactly 120 seconds. So need to look for something that times out in exactly 120 seconds.
Damn, problem is not as easily reproducible anymore after a samba restart. At least I now have debugging symbols on this server. It seems that the unix user token gets corrupted.. When good: [2012/02/02 01:12:39.038017, 10] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 10202 Primary group is 10023 and contains 11 supplementary groups Group[ 0]: 4294967295 Group[ 1]: 10003 Group[ 2]: 10064 Group[ 3]: 10065 Group[ 4]: 10067 Group[ 5]: 10068 Group[ 6]: 10070 Group[ 7]: 10071 Group[ 8]: 10072 Group[ 9]: 10073 Group[ 10]: 10111 When bad: [2012/02/02 01:07:54.515313, 10] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 10202 Primary group is 10023 and contains 2 supplementary groups Group[ 0]: 4294967295 Group[ 1]: 10111 I'm just not sure what triggers it. I just know that it resets every 120 seconds and it seems to jump between various users (although consistent when not restarting samba).
I've also noticed that if samba 3.6.1 runs for a while, it starts rejecting authentications from workstation accounts.. a restart fixes that as well.. Looks like these problems may well be related. Server has debugging symbols now and as soon the problems come back and I get it reproducible again I will attach gdb..
Created attachment 7295 [details] log file for good access to directory
Created attachment 7296 [details] log file for bad access to directory
I can't still reproduce this for now.. these accounts seem to be working now. Can anyone look at the log files to see what I've missed? I already tried disabling the stat cache, that did not help.
Group[ 0]: 4294967295 This should be group 10000, "Domain users" -> rid 513. Wrong in both cases apparently.
Looks like the 2^32-1 group issue is not samba related, but related to corrupt indexes in openldap. Doesn't fully explain the 120 seconds though. I'll keep this bug updated.
Apparently, this was a LDAP index issue. It has not occured again.