zenon1823
Hello all, been lurking around the shadows for a while now and have been able to get all my answers thus far by way of searching and YouTube, but I'm out of ideas on this one. I saw a similar post that curiously fixed itself, but mine has not. I have included a bunch of the information that was requested in that post. I have provided samples from one share, but it's happening across multiple shares and pools. As this has been a test build, I was doing a lot of various configuration, learning the ins and outs of how to set up volumes, shares, permissions, etc. This included the creating and deleting of users, and it seems the issues started after I deleted some test users and created some real users.
When I right-click any of the shares/files and look at the Windows security properties, the owner user is properly enumerated but the owner group isn't ... it's showing Account Unknown and the SID. The owner user is the same as what I was logged on as in Windows when creating those files.
FreeNAS version is: FreeNAS-11.1-U6

Code:
    [root@freenas /mnt/PriData]# getfacl /mnt/PriData/Temp
    # file: /mnt/PriData/Temp
    # owner: nobody
    # group: Husers
    group@:rwxpDdaARWcCo-:fd-----:allow
    everyone@:r-x---a-R-c---:fd-----:allow
    owner@:rwxpDdaARWcCo-:fd-----:allow

    [root@freenas ~]# net getlocalsid
    Environment LOGNAME is not defined. Trying anonymous access.
    SID for domain FREENAS is: S-1-5-21-840822762-2033700010-180462736

    [root@freenas ~]# net groupmap list
    Environment LOGNAME is not defined. Trying anonymous access.
    Zgroup (S-1-5-21-840822762-2033700010-1804627366-1005) -> Zusers
    Husers (S-1-5-21-840822762-2033700010-1804627366-1004) -> Husers

    [root@freenas ~]# net usersidlist
    Environment LOGNAME is not defined. Trying anonymous access.
    FREENAS\zenon
     S-1-5-21-840822762-2033700010-1804627366-1006
     S-1-1-0
     S-1-5-2
     S-1-5-11
    FREENAS\tanya
     S-1-5-21-840822762-2033700010-1804627366-1008
     S-1-1-0
     S-1-5-2
     S-1-5-11
smb4.conf:
Code:
    [global]
    server min protocol = SMB2
    server max protocol = SMB3
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 470729
    logging = file
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    ntlm auth = no
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    hostname lookups = yes
    unix extensions = no
    time server = yes
    acl allow execute always = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    local master = yes
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = standalone
    netbios name = FREENAS
    workgroup = ZENARC
    security = user
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1

    [Backup_Client]
    path = "/mnt/BckData/Backup_Client"
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    access based share enum = no
    vfs objects = zfs_space zfsacl streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare

    [Backup_Local]
    path = "/mnt/BckData/Backup_Local"
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    access based share enum = no
    vfs objects = zfs_space zfsacl streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare

    [Backup_Offsite]
    path = "/mnt/BckData/Backup_Offsite"
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    access based share enum = no
    vfs objects = zfs_space zfsacl streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare

    [Backup_Web]
    path = "/mnt/BckData/Backup_Web"
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    access based share enum = no
    vfs objects = zfs_space zfsacl streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare

    [Home]
    path = "/mnt/PriData/Home"
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    access based share enum = no
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare

    [Media]
    path = "/mnt/PriData/Media"
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    access based share enum = no
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl streams_xattr
    hide dot files = yes
    guest ok = yes
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare

    [Software]
    path = "/mnt/PriData/Software"
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    access based share enum = no
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl streams_xattr
    hide dot files = yes
    guest ok = yes
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare

    [Temp]
    path = "/mnt/PriData/Temp"
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    access based share enum = no
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl streams_xattr
    hide dot files = yes
    guest ok = yes
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
EDIT:
I don't know if it's related, but I just noticed that in the webui the userID and groupID numbers do not match up to the IDs I see when running the commands net groupmap list & get usersidlist as shown above. (see image below)
I'm not sure if that means anything or not; from the look of the SID in the Windows permissions it's saying it should be groupID 1002, but that's not a valid group ID in either the FreeNAS webgui or the groupmap output.
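An added example, not part of the original post: a small Python check that takes the `net groupmap list` and `net usersidlist` output quoted above and reports whether a SID seen in a Windows ACL still resolves to a group or user on the server. The SID ending in 1002 is constructed from the domain prefix in that output plus the number mentioned in the post, the sample text is an abridged re-typing of the output, and the function names are hypothetical.

```python
import re

# Constructed sample input: the command output quoted in the post, abridged and
# typed one entry per line (the indented usersidlist layout is an assumption).
GROUPMAP = """\
Zgroup (S-1-5-21-840822762-2033700010-1804627366-1005) -> Zusers
Husers (S-1-5-21-840822762-2033700010-1804627366-1004) -> Husers
"""
USERSIDLIST = """\
FREENAS\\zenon
 S-1-5-21-840822762-2033700010-1804627366-1006
 S-1-1-0
FREENAS\\tanya
 S-1-5-21-840822762-2033700010-1804627366-1008
 S-1-1-0
"""
DOMAIN = "S-1-5-21-840822762-2033700010-1804627366"
ORPHAN = DOMAIN + "-1002"  # constructed: prefix above + the number from the post

def parse_groupmap(text):
    """Return {sid: unix_group} from `net groupmap list` output."""
    pat = re.compile(r"^.+? \((S-1-[\d-]+)\) -> (.+)$")
    return {m.group(1): m.group(2).strip()
            for m in map(pat.match, text.splitlines()) if m}

def parse_usersidlist(text):
    """Return {sid: account}, taking only the first SID under each account."""
    owners, account = {}, None
    for line in text.splitlines():
        if line[:1].isspace():
            if account and re.fullmatch(r"S-1-[\d-]+", line.strip()):
                owners[line.strip()] = account
                account = None  # later SIDs are shared well-known groups
        elif line.strip():
            account = line.strip()
    return owners

def classify(sid, groups, users):
    """Say what a SID seen in a Windows ACL resolves to on the server."""
    domain, _, rid = sid.rpartition("-")
    if sid in groups:
        return ("group", groups[sid], int(rid))
    if sid in users:
        return ("user", users[sid], int(rid))
    return ("foreign-domain" if domain != DOMAIN else "unmapped", None, int(rid))

if __name__ == "__main__":
    groups, users = parse_groupmap(GROUPMAP), parse_usersidlist(USERSIDLIST)
    for sid in (ORPHAN, DOMAIN + "-1004", DOMAIN + "-1006"):
        print(sid, classify(sid, groups, users))
```

The last field of each result is the SID's final component (the RID), which the script compares only against the SIDs the two commands list, not against the numeric IDs shown in the web UI.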
