net usersidlist command did not show new user

jasonca

Dabbler
Joined
Dec 2, 2021
Messages
19
Today I found that the new user could not access the shared folder. I checked with "net usersidlist" and found no new user in the list.


the logfile auth_audit.log

{"timestamp": "2021-12-02T15:09:59.274993-0800", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.3.99:445", "remoteAddress": "ipv4:192.168.3.106:50017", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "DESKTOP-F7B2KJ4", "clientAccount": "Laura", "workstation": "DESKTOP-F7B2KJ4", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "Laura", "mappedDomain": "DESKTOP-F7B2KJ4", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 1710}}


All other old users are working.
 

jasonca

I fixed it.

1) service samba_server stop
2) mv /var/db/system/samba4/account_policy.tdb /var/db/system/samba4/account_policy.tdb.bak
3) service samba_server start
4) delete the account Laura, and create new account laura
5) check "net usersidlist", find the account laura
6) check share folder from Windows. It is working.
 

jasonca

It is very strange. I created a new account, test, and then checked net usersidlist, but there is still no test account.
 

jasonca

I added one more user, test1, and then checked net usersidlist; it shows the test and test1 accounts.

truenas-1.png
 

jasonca

I created test3 and test4, but net usersidlist did not show test3 and test4.

truenas-2.jpg
 

jasonca

pdebit -L
command not found: pdebit
 

jasonca

I found the command.

pdbedit -L -v
 

jasonca

pdbedit -L |grep test
test:1033:test
test1:1034:test1
test2:1035:test2
 

jasonca

cat /etc/passwd |grep test
test:*:1033:1026:test:/nonexistent:/bin/sh
test1:*:1034:1027:test1:/nonexistent:/bin/sh
test2:*:1035:1028:test2:/nonexistent:/bin/sh
test3:*:1036:1005:test3:/nonexistent:/bin/sh
test4:*:1037:1029:test4:/nonexistent:/bin/sh
 

jasonca

User test4



truenas-3.png
 

jasonca

Thanks to anodos's help, the following command solved my problem.


rm /var/db/system/samba4/private/passdb.tdb
midclt call smb.synchronize_passdb -job
 

conghuayu

Cadet
Joined
Sep 30, 2021
Messages
2
> As I mentioned in your ticket, net usersidlist output is not a correct heuristic in this case.

Thanks for replying.

Also works for me.
But after running:
rm /var/db/system/samba4/private/passdb.tdb
midclt call smb.synchronize_passdb -job
The SIDs of users will be updated while the "share ACL" is not updated at the same time.
Running sharesec --view-all will only get old SIDs.
It would be great if there were a way to synchronize them.
Do you have such problems?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Thanks for replying.
>
> Also works for me.
> But after running:
>
> The SIDs of users will be updated while the "share ACL" is not updated at the same time.
> Running sharesec --view-all will only get old SIDs.
> It would be great if there were a way to synchronize them.
> Do you have such problems?

share_info.tdb is a key-value store based on SID values. In master / 13-stable I've reworked so that we base RID value on our user database entry id (freenas-v1.db), but this doesn't magically clean up if you choose to change netbios name. I think at a fundamental level if you have _large_ numbers of local users and groups on the NAS, you probably should look into using a directory service (i.e. MS or Samba AD).
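
The stale-SID situation discussed above can be checked for with a short script. This is an added example, not part of the original thread or of TrueNAS/Samba: it compares the SIDs in share ACLs with the user SIDs in passdb and lists entries that no longer match any user. The sample text is constructed, and the layouts of `sharesec --view-all` and `pdbedit -L -v` output are assumptions.

```python
import re

# Constructed sample data. Layouts are assumed to match `sharesec --view-all`
# and `pdbedit -L -v`; every SID below is made up.
SHARESEC_OUT = """\
[media]
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-5-21-1111111111-2222222222-3333333333-20033:ALLOWED/0x0/FULL
ACL:S-1-5-21-1111111111-2222222222-3333333333-20034:ALLOWED/0x0/READ

[backup]
REVISION:1
ACL:S-1-1-0:ALLOWED/0x0/READ
ACL:S-1-5-21-4444444444-5555555555-6666666666-1001:ALLOWED/0x0/CHANGE
"""
PDBEDIT_OUT = """\
Unix username:        test
User SID:             S-1-5-21-1111111111-2222222222-3333333333-20033
Unix username:        test1
User SID:             S-1-5-21-1111111111-2222222222-3333333333-20035
"""
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

def passdb_user_sids(pdbedit_text):
    """Map each 'User SID' in the pdbedit listing to its Unix username."""
    sids, user = {}, None
    for line in pdbedit_text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Unix username":
            user = value
        elif key == "User SID" and SID_RE.fullmatch(value):
            sids[value] = user
    return sids

def stale_share_aces(sharesec_text, pdbedit_text):
    """Return (share, sid, access) for machine-SID ACEs with no passdb user.
    Group SIDs are not in passdb, so a hit may be a group: review by hand."""
    known, share, stale = passdb_user_sids(pdbedit_text), None, []
    for line in (raw.strip() for raw in sharesec_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            share = line[1:-1]
        elif line.startswith("ACL:") and share:
            sid, _, access = line[4:].partition(":")
            # Skip well-known SIDs such as S-1-1-0 (Everyone).
            if sid.startswith("S-1-5-21-") and sid not in known:
                stale.append((share, sid, access))
    return stale

if __name__ == "__main__":
    for share, sid, access in stale_share_aces(SHARESEC_OUT, PDBEDIT_OUT):
        print(f"{share}: {sid} ({access}) has no matching passdb user")
```

Each reported entry is a share permission that still refers to a SID from before the passdb rebuild (or to a group) and needs to be re-granted to the current SID.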
 