From: Lee, Andrien on
Hello to all,

I have recently upgraded to SAMBA 3.4.2 on Solaris 10, and reconfigured it to use domain authentication (security = domain). We slapped guest authentication on most shares, with an explicit "valid users = ...." on a small number of sensitive shares. Due to the number of users we were looking at, we set up two UNIX groups "payroll" and "payoff" and then set "valid users = +payoff +payroll" or some combination of the two.

The problem I am having is that when a user who is a member of these UNIX groups connects, they are rejected. I also tried using @payoff or @payroll, with the same results. Authentication works if the user's login is explicitly placed in the valid users line, but not if the same user is just a member of one of the +/@<group> entries.

I have included a level 3 log from log.smbd up to the first rejection, along with the relevant smb.conf info that I am aware of. The log is for a connection to a share with "valid users = @payoff", where bbancroft is a member of the payoff group.

Any assistance that you could provide would be extremely appreciated.

####################
# log.smbd extract #
####################

[2010/07/12 13:17:28, 3] libsmb/ntlmssp_sign.c:342(ntlmssp_sign_init)
NTLMSSP Sign/Seal - Initialising with flags:
[2010/07/12 13:17:28, 3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0xa2088205
[2010/07/12 13:17:28, 3] smbd/password.c:269(register_existing_vuid)
register_existing_vuid: User name: bbancroft Real name:
[2010/07/12 13:17:28, 3] smbd/password.c:279(register_existing_vuid)
register_existing_vuid: UNIX uid 60194 is UNIX user bbancroft, and will be vuid 100
[2010/07/12 13:17:28, 3] smbd/password.c:211(register_homes_share)
Adding homes service for user 'bbancroft' using home directory: '/dev/null'
[2010/07/12 13:17:28, 3] smbd/process.c:1459(process_smb)
Transaction 3 of length 102 (0 toread)
[2010/07/12 13:17:28, 3] smbd/process.c:1273(switch_message)
switch message SMBtconX (pid 8648) conn 0x0
[2010/07/12 13:17:28, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/12 13:17:28, 3] lib/util_sid.c:228(string_to_sid)
string_to_sid: Sid root does not start with 'S-'.
[2010/07/12 13:17:28, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28, 3] smbd/uid.c:428(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/12 13:17:28, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/12 13:17:28, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28, 3] smbd/uid.c:428(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/12 13:17:28, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/12 13:17:28, 3] lib/util_sid.c:228(string_to_sid)
string_to_sid: Sid @payoff does not start with 'S-'.
[2010/07/12 13:17:28, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28, 3] smbd/uid.c:428(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/12 13:17:28, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/12 13:17:28, 2] smbd/service.c:595(create_connection_server_info)
user 'bbancroft' (from session setup) not permitted to access this share (rl6pd_payoff)
[2010/07/12 13:17:28, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/07/12 13:17:28, 3] smbd/error.c:60(error_packet_set)
error packet at smbd/reply.c(684) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

####################
# smb.conf extract #
####################

[global]
workgroup = rail
update encrypted = Yes
ldap ssl = no
invalid users = root
encrypt passwords = yes
security = domain
password server = <--deleted-->
guest account = <--deleted-->
map to guest = bad user
create mask = 0664
log level = 3

[rl6pd_payoff]
comment = ellrl6pd payoffice
path = /samba/ellrl6pd/payoffice
read only = No
valid users = @payoff
browseable = no

###############
# /etc/passwd #
###############

bbancroft:x:60194:5003:SAMBA User:/dev/null:/bin/false

##############
# /etc/group #
##############

payoff::5003:bbancroft
Many thanks in advance!
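
As an added illustration, not part of the post and not Samba's own code, here is a small Python model of the valid users prefixes as smb.conf(5) documents them: @name tries a NIS netgroup and then a UNIX group, +name a UNIX group only, &name a netgroup only, and a bare name matches a user. Run against the /etc/passwd and /etc/group lines quoted above, it admits bbancroft for "@payoff", which is the expectation the question hinges on; the NETGROUPS table is a hypothetical placeholder standing in for NIS.

```python
# Constructed sample data copied from the extracts in the post.
PASSWD = "bbancroft:x:60194:5003:SAMBA User:/dev/null:/bin/false\n"
GROUP = "payoff::5003:bbancroft\npayroll::5004:\n"
NETGROUPS = {}  # hypothetical stand-in for NIS netgroups: name -> set of users


def parse_passwd(text):
    """Map user name -> primary GID from passwd(4)-style lines."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, _uid, gid, *_rest = line.split(":")
            users[name] = int(gid)
    return users


def parse_group(text):
    """Map group name -> (GID, set of supplementary members) from group(4) lines."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def in_unix_group(user, group, users, groups):
    """True if user is listed in the group or it is the user's primary group."""
    if group not in groups:
        return False
    gid, members = groups[group]
    return user in members or users.get(user) == gid


def in_netgroup(user, netgroup):
    return user in NETGROUPS.get(netgroup, set())


def user_allowed(user, valid_users, users, groups):
    """Evaluate a 'valid users' value using the smb.conf(5) prefix rules."""
    for entry in valid_users.split():
        if entry.startswith("@"):          # netgroup first, then UNIX group
            name = entry[1:]
            if in_netgroup(user, name) or in_unix_group(user, name, users, groups):
                return True
        elif entry.startswith("+"):        # UNIX group only
            if in_unix_group(user, entry[1:], users, groups):
                return True
        elif entry.startswith("&"):        # netgroup only
            if in_netgroup(user, entry[1:]):
                return True
        elif entry == user:                # plain user name
            return True
    return False
```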