I have a Linux local group named "managers" which is synced to a Samba group also named "managers". I use this group to assign ACLs for our managers to allow access to a "managers" folder inside our main Samba file share while preventing access by normal users. Each time I add a user through Webmin's "Add User" module the managers can no longer access the shared folder until I delete and recreate the Samba "managers" group. I noticed that each time I delete and recreate the group it gets assigned a new SID. I'm not sure if that is normal or if the SID is somehow being changed for the Samba managers group each time a new user is added. I attached screenshots showing the managers group and SIDs before and after deleting and recreating the group.
I found that the actual cause of my issue was that the GID that was assigned by Webmin when I first created the "managers" group was the same as an existing user's UID. After deleting the group and creating a new one with a manually assigned GID above 1000 I no longer have issues. Maybe Webmin could be changed to automatically assign GIDs above 1000 when creating new groups or at least check for conflicts with existing UIDs.
UIDs and GIDs should be separate namespaces though, so having a group with the same ID as a user normally isn't a problem.
Or was the issue that the GID for managers was different in the Samba config than in the /etc/group file?
Jamie, thanks for taking the time to reply.
I had been having a problem with members of this group being able to access it since I first set up this server. Each time I created or deleted a user from the system the members of the managers group could no longer access the folders that I granted them permissions to using ACLs. I would have to keep deleting and recreating the managers group in Samba until it finally started working again.
Since re-creating the Linux managers group with a unique GID that did not match any UID I have been able to add or remove users without affecting the managers' access to their folders.
I also noticed that before making the change if I was looking at the folder's security properties from Windows Explorer it used to incorrectly show that rights were assigned to the user that had the same UID (501) as the old managers group GID (501). Since manually assigning a GID of 1002 to the managers group it now shows correctly when I check permissions from Windows Explorer.
This is where I got the idea to change the GID of my managers group. I know it mentions RID not GID but changing the GID is what seems to have been the fix.
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html
"Be aware that the RID parameter is an unsigned 32-bit integer that should normally start at 1000. However, this RID must not overlap with any RID assigned to a user. Verification for this is done differently depending on the passdb backend you are using. Future versions of the tools may perform the verification automatically, but for now the burden is on you."
Thanks for the info - in the next Webmin release, I will prevent a group's RID from being the same as an existing user.
Thank you for the fix and for a great product!
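
The collision discussed in this thread can be audited offline. The following is an added example, not part of the thread and not Webmin's code: it flags Samba-mapped groups whose GID equals a user's UID, and mapped groups whose SID is also a user's SID. All sample data is constructed, and the input layouts are assumed to match `/etc/passwd`, `/etc/group`, `net groupmap list` and `pdbedit -L -v`.

```python
import re

# Constructed sample inputs; on a real host they would come from /etc/passwd,
# /etc/group, `net groupmap list` and `pdbedit -L -v` (assumed layouts).
PASSWD = "root:x:0:0::/root:/bin/sh\njsmith:x:501:100::/home/jsmith:/bin/sh\n"
GROUP = "users:x:100:\nmanagers:x:501:jsmith\nstaff:x:1005:\n"
GROUPMAP = ("managers (S-1-5-21-1-2-3-2003) -> managers\n"
            "staff (S-1-5-21-1-2-3-3005) -> staff\n")
PDBEDIT = ("Unix username:        jsmith\n"
           "User SID:             S-1-5-21-1-2-3-2003\n")

def ids_by_name(text, field):
    """Map name -> numeric id from passwd/group style colon-separated text."""
    out = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) > field and parts[field].isdigit():
            out[parts[0]] = int(parts[field])
    return out

def mapped_groups(groupmap):
    """Parse group map lines of the form 'NT name (SID) -> unix group'."""
    pat = re.compile(r"^(.*) \((S-[\d-]+)\) -> (\S+)$")
    return {m.group(3): m.group(2)
            for m in map(pat.match, groupmap.splitlines()) if m}

def gid_uid_collisions(passwd, group, groupmap):
    """Samba-mapped groups whose GID equals some user's UID."""
    users = {uid: name for name, uid in ids_by_name(passwd, 2).items()}
    gids = ids_by_name(group, 2)
    return sorted((g, gids[g], users[gids[g]])
                  for g in mapped_groups(groupmap) if gids.get(g) in users)

def rid_collisions(groupmap, pdbedit):
    """Mapped groups whose SID (and so RID) is also an account's User SID."""
    user_sids = set(re.findall(r"^User SID:\s*(S-[\d-]+)", pdbedit, re.M))
    return sorted(g for g, sid in mapped_groups(groupmap).items()
                  if sid in user_sids)

if __name__ == "__main__":
    for g, gid, user in gid_uid_collisions(PASSWD, GROUP, GROUPMAP):
        print(f"group {g}: GID {gid} equals UID of user {user}")
    for g in rid_collisions(GROUPMAP, PDBEDIT):
        print(f"group {g}: SID/RID is also assigned to a user account")
```

Running such a check before and after adding users shows whether a mapped group like "managers" shares an identifier with a user account, which is the condition that made Windows Explorer attribute the ACL to the wrong principal.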