if standard guest account is added to a group, all Samba group information is broken after next Samba start

[Herwig Bauernfeind]

The first guest account gets a SID of 501, this is correct as can be seen from the Samba documentation.

As soon as you add this account with SID of 501 to any group, Samba (partly) forgets about its groups as soon as you stop the server and restart it.

The resulting list of a "net rpc group" command is always empty afterwards and you cannot add groups anymore.

You still can delete all groups except the one where the guest account was added to. When you try to delete this group you get a "dc lookup failed" error.

A "net groupmap" command still works. Unmapping the groups also works, with the exception of the group to which the guest account was added to.

It is impossible to get the group functionality back, integrity of some .tdb files (most notably group_mapping.tdb) is unrecoverably broken.

The above scenario is valid both for the smbpasswd backend and for the tdbsam backend.

The most easy way to reproduce is using my smbusers.exe which acts as a frontend for the net rpc user, net rpc group and net groupmap commands, however reproduction using the net rpc commands alone is also possible.

I can reproduce this 100% reliably on 3 machines.

This problem was present in all Samba builds so far, the reproduction scenario was developed and tested on both Samba 3.0.29 (private build) and Samba 3.0.30 (official build).

[Herwig Bauernfeind]

There must be a second trigger for the "broken group list" situation. More testing required.

[Silvan Scherrer]

is this still true in 3.3 tree?

[Herwig Bauernfeind]

This problem is gone in Samba 3.3.x