Bug 8937 - The "Authenticated Users" SID sometimes fails to map to a GID
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: User & Group Accounts
Version: 3.6.4
Hardware: x86 All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2012-05-11 18:24 UTC by John Mulligan (dead mail address)
Modified: 2014-07-22 20:40 UTC

Attachments
level 10 logs (slightly anonymized) (155.20 KB, application/zip)
2012-05-11 18:24 UTC, John Mulligan (dead mail address)

Description John Mulligan (dead mail address) 2012-05-11 18:24:22 UTC
Created attachment 7556
level 10 logs (slightly anonymized)

I have many users accessing shares that are readable to the "Authenticated Users" builtin SID.
Sometimes the users fail to get access to the share, and after some investigation we have determined that the users are failing to be added to a supplementary group corresponding to that SID. It is mostly reproducible after we join our Samba server to the Active Directory and try to connect to the share through Windows. The first connection attempt often fails but subsequent attempts from a different Windows server succeed. In the logs we see the following:

[2012/05/07 10:09:44.814857, 10] auth/auth_util.c:505(create_local_token)
  Could not convert SID S-1-5-11 to gid, ignoring it
[2012/05/07 10:09:44.814940, 10] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (13):
    SID[  0]: S-1-5-21-1405700021-3363460546-1698178416-29112
    SID[  1]: S-1-5-21-1405700021-3363460546-1698178416-513
    SID[  2]: S-1-5-21-1405700021-3363460546-1698178416-11162
    SID[  3]: S-1-1-0
    SID[  4]: S-1-5-2
    SID[  5]: S-1-5-11
    SID[  6]: S-1-5-32-545
    SID[  7]: S-1-22-1-429112
    SID[  8]: S-1-22-2-400513
    SID[  9]: S-1-22-2-411162
    SID[ 10]: S-1-22-2-200002
    SID[ 11]: S-1-22-2-200003
    SID[ 12]: S-1-22-2-200001
   Privileges (0x               0):
   Rights (0x               0):
[2012/05/07 10:09:44.815313, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 429112
  Primary group is 411162 and contains 5 supplementary groups
  Group[  0]: 400513
  Group[  1]: 411162
  Group[  2]: 200002
  Group[  3]: 200003
  Group[  4]: 200001

I was able to connect a gdb session to samba and reproduce the issue. It appears that when the sids_to_unix_ids function runs it maps SID S-1-5-11 to a UID with an invalid value instead of a GID! I dumped the "ids" array after sids_to_unix_ids returns and saw the following:

$17 = {
  {type = WBC_ID_TYPE_UID, id = {uid = 411185, gid = 411185}},
  {type = WBC_ID_TYPE_GID, id = {uid = 400513, gid = 400513}},
  {type = WBC_ID_TYPE_GID, id = {uid = 400512, gid = 400512}},
  {type = WBC_ID_TYPE_GID, id = {uid = 411165, gid = 411165}},
  {type = WBC_ID_TYPE_GID, id = {uid = 411162, gid = 411162}},
  {type = WBC_ID_TYPE_GID, id = {uid = 400572, gid = 400572}},
  {type = WBC_ID_TYPE_GID, id = {uid = 200002, gid = 200002}},
  {type = WBC_ID_TYPE_GID, id = {uid = 200003, gid = 200003}},
  {type = WBC_ID_TYPE_UID, id = {uid = 4294967295, gid = 4294967295}}, 
  {type = WBC_ID_TYPE_GID, id = {uid = 200001, gid = 200001}},
  {type = WBC_ID_TYPE_GID, id = {uid = 200000, gid = 200000}}
}

I reran the test with GDB and traced the execution of sids_to_unix_ids and saw that idmap_cache_find_sid2uid returned true for that SID with the values I posted above. I am attaching level 10 logs captured while we encountered the problem. Please let me know if there is any other information I can provide.
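
A triage check for the log pattern quoted in the description, added here as an example and not part of the bug report or of Samba: it scans smbd level 10 output for SIDs that create_local_token ignored although they are in the security token, and checks that every S-1-22-2-<gid> SID has its gid in the UNIX token. The function name audit and the abridged sample log are assumptions made for the example.

```python
import re

# Constructed sample: abridged from the level 10 log quoted in the report
# (header lines and some SID[...] / Group[...] lines omitted).
SAMPLE_LOG = """\
[2012/05/07 10:09:44.814857, 10] auth/auth_util.c:505(create_local_token)
  Could not convert SID S-1-5-11 to gid, ignoring it
[2012/05/07 10:09:44.814940, 10] ../libcli/security/security_token.c:63(security_token_debug)
    SID[  0]: S-1-5-21-1405700021-3363460546-1698178416-29112
    SID[  5]: S-1-5-11
    SID[ 10]: S-1-22-2-200002
[2012/05/07 10:09:44.815313, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 429112
  Group[  0]: 400513
  Group[  1]: 200002
"""

IGNORED = re.compile(r"Could not convert SID (S-[\d-]+) to gid, ignoring it")
TOKEN_SID = re.compile(r"SID\[\s*\d+\]: (S-[\d-]+)")
UNIX_USER = re.compile(r"UNIX token of user (\d+)")
UNIX_GROUP = re.compile(r"Group\[\s*\d+\]: (\d+)")
UNIX_GROUP_SID = "S-1-22-2-"  # prefix of the Unix-group SIDs seen in the log


def audit(log_text):
    """Return one finding per UNIX token dump found in the log."""
    findings, ignored, sids, cur = [], [], [], None
    for line in log_text.splitlines():
        if m := IGNORED.search(line):
            ignored.append(m.group(1))
        elif m := TOKEN_SID.search(line):
            sids.append(m.group(1))
        elif m := UNIX_USER.search(line):
            # A UNIX token dump closes the record for one logon.
            cur = {"uid": int(m.group(1)), "gids": set(),
                   "dropped": [s for s in ignored if s in sids],
                   "unix_sids": [s for s in sids if s.startswith(UNIX_GROUP_SID)]}
            findings.append(cur)
            ignored, sids = [], []
        elif cur and (m := UNIX_GROUP.search(line)):
            cur["gids"].add(int(m.group(1)))
    for f in findings:
        # Every Unix-group SID in the NT token should have its gid in the UNIX token.
        f["missing_gids"] = sorted(
            int(s[len(UNIX_GROUP_SID):]) for s in f.pop("unix_sids")
            if int(s[len(UNIX_GROUP_SID):]) not in f["gids"])
    return findings
```

A non-empty "dropped" list for a logon means the user's UNIX token lacks a group the share ACL may depend on, which matches the intermittent access failures described above.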
Comment 1 John Mulligan (dead mail address) 2014-07-22 20:40:40 UTC
Going through old bugs I filed: This appears to have been working as desired since about samba 3.6.10. Sorry for not updating sooner.