Created attachment 7556: level 10 logs (slightly anonymized)

I have many users accessing shares that are readable to the "Authenticated Users" builtin SID. Sometimes the users fail to get access to the share, and after some investigation we have determined that the users are failing to be added to a supplementary group corresponding to that SID.

It is mostly reproducible after we join our Samba server to the Active Directory and try to connect to the share through Windows. The first connection attempt often fails but subsequent attempts from a different Windows server succeed.

In the logs we see the following:

    [2012/05/07 10:09:44.814857, 10] auth/auth_util.c:505(create_local_token)
      Could not convert SID S-1-5-11 to gid, ignoring it
    [2012/05/07 10:09:44.814940, 10] ../libcli/security/security_token.c:63(security_token_debug)
      Security token SIDs (13):
        SID[ 0]: S-1-5-21-1405700021-3363460546-1698178416-29112
        SID[ 1]: S-1-5-21-1405700021-3363460546-1698178416-513
        SID[ 2]: S-1-5-21-1405700021-3363460546-1698178416-11162
        SID[ 3]: S-1-1-0
        SID[ 4]: S-1-5-2
        SID[ 5]: S-1-5-11
        SID[ 6]: S-1-5-32-545
        SID[ 7]: S-1-22-1-429112
        SID[ 8]: S-1-22-2-400513
        SID[ 9]: S-1-22-2-411162
        SID[ 10]: S-1-22-2-200002
        SID[ 11]: S-1-22-2-200003
        SID[ 12]: S-1-22-2-200001
       Privileges (0x 0):
       Rights (0x 0):
    [2012/05/07 10:09:44.815313, 10] auth/token_util.c:527(debug_unix_user_token)
      UNIX token of user 429112
      Primary group is 411162 and contains 5 supplementary groups
      Group[ 0]: 400513
      Group[ 1]: 411162
      Group[ 2]: 200002
      Group[ 3]: 200003
      Group[ 4]: 200001

I was able to connect a gdb session to Samba and reproduce the issue. It appears that when the sids_to_unix_ids function runs it maps SID S-1-5-11 to a UID with an invalid value instead of a GID!
I dumped the "ids" array after sids_to_unix_ids returns and saw the following:

    $17 = {
      {type = WBC_ID_TYPE_UID, id = {uid = 411185, gid = 411185}},
      {type = WBC_ID_TYPE_GID, id = {uid = 400513, gid = 400513}},
      {type = WBC_ID_TYPE_GID, id = {uid = 400512, gid = 400512}},
      {type = WBC_ID_TYPE_GID, id = {uid = 411165, gid = 411165}},
      {type = WBC_ID_TYPE_GID, id = {uid = 411162, gid = 411162}},
      {type = WBC_ID_TYPE_GID, id = {uid = 400572, gid = 400572}},
      {type = WBC_ID_TYPE_GID, id = {uid = 200002, gid = 200002}},
      {type = WBC_ID_TYPE_GID, id = {uid = 200003, gid = 200003}},
      {type = WBC_ID_TYPE_UID, id = {uid = 4294967295, gid = 4294967295}},
      {type = WBC_ID_TYPE_GID, id = {uid = 200001, gid = 200001}},
      {type = WBC_ID_TYPE_GID, id = {uid = 200000, gid = 200000}}
    }

I re-ran the test with GDB and traced the execution of sids_to_unix_ids and saw that idmap_cache_find_sid2uid returned true for that SID with the values I posted above.

I am attaching level 10 logs captured while we encountered the problem. Please let me know if there is any other information I can provide.
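An added example, not part of the original report and not Samba code: a small Python check that scans level 10 smbd logs for the "Could not convert SID" message and pairs it with the UNIX token printed next, so sessions that lost a well-known group SID such as S-1-5-11 stand out. The sample log is constructed from the excerpt in the report; its line layout and the function name find_dropped_sids are assumptions.

```python
import re

# Well-known SIDs that appear in the report's security token dump.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-2": "Network",
              "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "BUILTIN\\Users"}
DROPPED = re.compile(r"Could not convert SID (S-[\d-]+) to gid, ignoring it")
UNIX_USER = re.compile(r"UNIX token of user (\d+)")
GROUP = re.compile(r"Group\[\s*\d+\]:\s*(\d+)")

# Constructed sample: abridged from the excerpt in the report; the line
# breaks and indentation are assumed, since the page shows the log flattened.
SAMPLE_LOG = """\
[2012/05/07 10:09:44.814857, 10] auth/auth_util.c:505(create_local_token)
  Could not convert SID S-1-5-11 to gid, ignoring it
[2012/05/07 10:09:44.815313, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 429112
  Primary group is 411162 and contains 5 supplementary groups
  Group[  0]: 400513
  Group[  1]: 411162
  Group[  2]: 200002
  Group[  3]: 200003
  Group[  4]: 200001
"""

def find_dropped_sids(log_text):
    """Pair each 'Could not convert SID' message with the UNIX token that follows it."""
    findings, pending, current = [], [], None
    for line in log_text.splitlines():
        if m := DROPPED.search(line):
            pending.append(m.group(1))
        elif m := UNIX_USER.search(line):
            current = {"uid": int(m.group(1)), "gids": [], "dropped": pending}
            if pending:  # only sessions that lost a SID are reported
                findings.append(current)
            pending = []
        elif (m := GROUP.search(line)) and current is not None:
            current["gids"].append(int(m.group(1)))
    if pending:  # log ended before the UNIX token was printed
        findings.append({"uid": None, "gids": [], "dropped": pending})
    for f in findings:
        f["well_known"] = [WELL_KNOWN[s] for s in f["dropped"] if s in WELL_KNOWN]
    return findings

if __name__ == "__main__":
    for f in find_dropped_sids(SAMPLE_LOG):
        print(f"uid {f['uid']}: dropped {f['dropped']} {f['well_known']}, gids {f['gids']}")
```

On a busy server the messages of different smbd processes interleave in one log file, so split the log per process before pairing messages this way.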
Going through old bugs I filed: This appears to have been working as desired since about Samba 3.6.10. Sorry for not updating sooner.