From: Gerald (Jerry) Carter on 16 Apr 2008 08:50

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Leonid Zeitlin wrote:
> Hi all,
> I seem to be having a problem identical to this bug:
> https://bugzilla.samba.org/show_bug.cgi?id=3940 in Samba 3.0.28, however the
> bug is supposed to be fixed by now.
>
> I have a Fedora 7 box joined as a member to Windows 2003 domain. All my
> Windows users have accounts on the Samba machine, with the same user name in
> Windows and in Unix. I have a share with valid users = +group, where group
> is a Unix group. Yet, when a user who is a member of that Unix group
> connects, access is denied. The messages in the log are as follows:
>
> [2008/04/16 15:09:07, 5] smbd/service.c:make_connection(1205)
>   making a connection to 'normal' service www
> [2008/04/16 15:09:07, 3] lib/util_sid.c:string_to_sid(223)
>   string_to_sid: Sid +webdev does not start with 'S-'.
> [2008/04/16 15:09:07, 10] passdb/lookup_sid.c:lookup_name(64)
>   lookup_name: UNIXBOX\webdev => UNIXBOX (domain), webdev (name)

Is webdev in the local group mapping table?

> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2008/04/16 15:09:07, 3] smbd/uid.c:push_conn_ctx(358)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_nt_user_token(448)
>   NT user token: (NULL)
> [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_unix_user_token(474)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2008/04/16 15:09:07, 10] smbd/share_access.c:user_ok_token(211)
>   User lz not in 'valid users'
> [2008/04/16 15:09:07, 2] smbd/service.c:make_connection_snum(616)
>   user 'lz' (from session setup) not permitted to access this share (www)
>
> Interestingly, if I specify valid users = +DOMAIN\windows_group, it works.
>
> Maybe I need to configure something? Can I have valid users accept UNIX
> groups?

Yes. But there are some missing details in your original post.
Sounds like your server is configured as a domain member server.
Is the user logging in as a domain user? Or a local user?

The domain user will only get domain groups (and possibly
local nested groups from winbindd) unless you explicitly
map the domain\user account to a specific local Unix account.

cheers, jerry
- --
=====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIBfPuIR7qMdg1EfYRAhQyAJ4k+OEz7EaNr4P1K/L6E6GLg0TafgCeJubR
ETDDOlBflWi7oonxqQ2ptro=
=35qf
-----END PGP SIGNATURE-----
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
From: Leonid Zeitlin on 16 Apr 2008 10:10

Hi Jerry,

Thanks a lot for your quick reply. Please see below.

>> Hi all,
>> I seem to be having a problem identical to this bug:
>> https://bugzilla.samba.org/show_bug.cgi?id=3940 in Samba 3.0.28, however
>> the bug is supposed to be fixed by now.
>>
>> I have a Fedora 7 box joined as a member to Windows 2003 domain. All my
>> Windows users have accounts on the Samba machine, with the same user name
>> in Windows and in Unix. I have a share with valid users = +group, where
>> group is a Unix group. Yet, when a user who is a member of that Unix group
>> connects, access is denied. The messages in the log are as follows:
>>
>> [2008/04/16 15:09:07, 5] smbd/service.c:make_connection(1205)
>>   making a connection to 'normal' service www
>> [2008/04/16 15:09:07, 3] lib/util_sid.c:string_to_sid(223)
>>   string_to_sid: Sid +webdev does not start with 'S-'.
>> [2008/04/16 15:09:07, 10] passdb/lookup_sid.c:lookup_name(64)
>>   lookup_name: UNIXBOX\webdev => UNIXBOX (domain), webdev (name)
>
> Is webdev in the local group mapping table?

If I understand your question correctly, initially it wasn't. Then I did
"net sam mapunixgroup webdev", but this didn't seem to have any effect.

>> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
>>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>> [2008/04/16 15:09:07, 3] smbd/uid.c:push_conn_ctx(358)
>>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>> [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_nt_user_token(448)
>>   NT user token: (NULL)
>> [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_unix_user_token(474)
>>   UNIX token of user 0
>>   Primary group is 0 and contains 0 supplementary groups
>> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
>>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2008/04/16 15:09:07, 10] smbd/share_access.c:user_ok_token(211)
>>   User lz not in 'valid users'
>> [2008/04/16 15:09:07, 2] smbd/service.c:make_connection_snum(616)
>>   user 'lz' (from session setup) not permitted to access this share (www)
>>
>> Interestingly, if I specify valid users = +DOMAIN\windows_group, it
>> works.
>>
>> Maybe I need to configure something? Can I have valid users accept UNIX
>> groups?
>
> Yes. But there are some missing details in your original post.
> Sounds like your server is configured as a domain member server.
> Is the user logging in as a domain user? Or a local user?

I suppose as domain user. I am sitting at my Windows computer, logged in
to domain as DOMAIN\lz and connecting to a share at the Unix computer.
The user named "lz" also exists on the Unix computer. I was thinking
that Samba would map DOMAIN\lz the Windows user to lz the Unix user and
use this user's group membership.

> The domain user will only get domain groups (and possibly
> local nested groups from winbindd) unless you explicitly
> map the domain\user account to a specific local Unix account.

I guess I am getting confused here. Are "local nested groups from
winbindd" the Unix local groups? If yes, this is what I need, but I'm
failing to grasp how to make them work.

Thanks,
Leonid

> cheers, jerry
> - --
> =====================================================================
> Samba ------- http://www.samba.org
> Likewise Software --------- http://www.likewisesoftware.com
> "What man is a man who does not make the world better?" --Balian
From: Gerald (Jerry) Carter on 16 Apr 2008 18:00

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Leonid Zeitlin wrote:
>> Is webdev in the local group mapping table?
>
> If I understand your question correctly, initially it
> wasn't. Then I did "net sam mapunixgroup webdev", but
> this didn't seem to have any effect.

Correct. That was my question. In 3.0.23 and later
Samba converts the name to a SID internally and then
compares for that SID in the user's NT token.

See below for why this matters.

>>> Interestingly, if I specify valid users = +DOMAIN\windows_group, it
>>> works.
>>>
>>> Maybe I need to configure something? Can I have valid users accept UNIX
>>> groups?
>>
>> Yes. But there are some missing details in your original post.
>> Sounds like your server is configured as a domain member server.
>> Is the user logging in as a domain user? Or a local user?
>
> I suppose as domain user. I am sitting at my Windows computer, logged in
> to domain as DOMAIN\lz and connecting to a share at the Unix computer.
> The user named "lz" also exists on the Unix computer. I was thinking
> that Samba would map DOMAIN\lz the Windows user to lz the Unix user and
> use this user's group membership.

DOMAIN\lz has a different SID and token than the local
user "lz". Therefore the search for the local group SID
of "webdev" will not be found in the domain user's (DOMAIN\lz)
token. You can view the user's complete list of SIDs in the NT
token in a level 10 smbd debug log.

>> The domain user will only get domain groups (and possibly
>> local nested groups from winbindd) unless you explicitly
>> map the domain\user account to a specific local Unix account.
>
> I guess I am getting confused here. Are "local nested groups from
> winbindd" the Unix local groups? If yes, this is what I need, but I'm
> failing to grasp how to make them work.

No. See the "winbind nested groups" option for more details on
local nested groups. These are the equivalent of Windows NT
4.0 local machine groups.

cheers, jerry
- --
=====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIBnWoIR7qMdg1EfYRAqS6AKCePyOTvq3XmQm5IQIkZzw0y0dXcwCeJzxH
mXijoHfCBnyVvyomNsQyqBk=
=CCjy
-----END PGP SIGNATURE-----
From: Leonid Zeitlin on 17 Apr 2008 07:00

Hi Jerry,

Please see below.

> Leonid Zeitlin wrote:
>
>>> Is webdev in the local group mapping table?
>>
>> If I understand your question correctly, initially it
>> wasn't. Then I did "net sam mapunixgroup webdev", but
>> this didn't seem to have any effect.
>
> Correct. That was my question. In 3.0.23 and later
> Samba converts the name to a SID internally and then
> compares for that SID in the user's NT token.
>
> See below for why this matters.

Got you on this one, thanks.

>>>> Interestingly, if I specify valid users = +DOMAIN\windows_group, it
>>>> works.
>>>>
>>>> Maybe I need to configure something? Can I have valid users accept UNIX
>>>> groups?
>>>
>>> Yes. But there are some missing details in your original post.
>>> Sounds like your server is configured as a domain member server.
>>> Is the user logging in as a domain user? Or a local user?
>>
>> I suppose as domain user. I am sitting at my Windows computer, logged in
>> to domain as DOMAIN\lz and connecting to a share at the Unix computer.
>> The user named "lz" also exists on the Unix computer. I was thinking
>> that Samba would map DOMAIN\lz the Windows user to lz the Unix user and
>> use this user's group membership.
>
> DOMAIN\lz has a different SID and token than the local
> user "lz". Therefore the search for the local group SID
> of "webdev" will not be found in the domain user's (DOMAIN\lz)
> token. You can view the user's complete list of SIDs in the NT
> token in a level 10 smbd debug log.

I see. I observe an interesting picture here. If I specify
valid users = +DOMAIN\windows_group, then I am able to access the share,
and in this case I see the following in the log:

[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(454)
  NT user token of user S-1-5-21-800801294-1190493330-1361462980-1010 contains 19 SIDs
  SID[ 0]: S-1-5-21-800801294-1190493330-1361462980-1010
  (... 18 more SIDs follow ...)
  SE_PRIV 0x0 0x0 0x0 0x0
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 500
  Primary group is 500 and contains 0 supplementary groups
[2008/04/17 13:39:56, 5] smbd/uid.c:change_to_user(273)
  change_to_user uid=(500,500) gid=(0,500)

The list of SIDs actually includes the SID to which the local group webdev
was mapped with "net sam mapunixgroup"! The only thing that is somewhat
strange here is "contains 0 supplementary groups", since my user actually
has a number of supplementary groups; however, so far so good.

Now, if I specify valid users = +webdev, I cannot access the share, and
when I try, the log has something quite different:

[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2008/04/17 13:39:56, 5] smbd/uid.c:change_to_root_user(288)
  change_to_root_user: now uid=(0,0) gid=(0,0)

Maybe I'm off base here, and this is normal, but this looks strange:
apparently Samba knows my user is a member of the local webdev group, yet
it won't let me in based on this membership.

>>> The domain user will only get domain groups (and possibly
>>> local nested groups from winbindd) unless you explicitly
>>> map the domain\user account to a specific local Unix account.
>>
>> I guess I am getting confused here. Are "local nested groups from
>> winbindd" the Unix local groups? If yes, this is what I need, but I'm
>> failing to grasp how to make them work.
>
> No. See the "winbind nested groups" option for more details on
> local nested groups. These are the equivalent of Windows NT
> 4.0 local machine groups.

I see. But it appears to me (correct me if I'm wrong) that if a local Unix
group is mapped with "net sam mapunixgroup", then it becomes a local nested
group and Samba could use it in "valid users" - but apparently it doesn't,
which confuses me.

BTW, I didn't mention this before, maybe it is relevant: I am using NIS on
the Samba machine. So, local user lz and group webdev are not in the local
passwd and group files, but come from NIS. I don't expect it to make a
difference, but I'm mentioning this just in case.

Thanks a lot,
Leonid
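Jerry's explanation above (name converted to a SID via the group mapping table, then looked up in the user's NT token) and Leonid's two level 10 log excerpts describe a check that an administrator can reproduce offline from two artifacts: the group mapping table and the token dump in the smbd log. The script below is an added example, not code from the thread or from Samba: it parses mapping lines in the "ntname (SID) -> unixgroup" shape that `net groupmap list` prints (assumed format), pulls the `SID[ n]:` lines out of a token dump, and reports for each `+group` entry of `valid users` whether the mapped SID is actually present in the token. All group names, SIDs and log lines are constructed sample data.

```python
"""Offline check: does the SID a Unix group was mapped to appear in the
NT token that smbd logged for the connecting user?

Every input below is constructed for this example; none of it was captured
from the list poster's server."""
import re

# Constructed: mapping table lines in the "<ntname> (<sid>) -> <unixgroup>"
# layout assumed for "net groupmap list". The SIDs are made up.
GROUPMAP_LIST = """\
webdev (S-1-5-21-111111111-222222222-333333333-1005) -> webdev
admins (S-1-5-21-111111111-222222222-333333333-1007) -> wheel
"""

# Constructed: level 10 smbd token dump for a domain user whose token
# contains the mapped webdev SID (the "+DOMAIN\\group works" case).
TOKEN_LOG = """\
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(454)
  NT user token of user S-1-5-21-800801294-1190493330-1361462980-1010 contains 4 SIDs
  SID[  0]: S-1-5-21-800801294-1190493330-1361462980-1010
  SID[  1]: S-1-5-21-800801294-1190493330-1361462980-513
  SID[  2]: S-1-5-21-111111111-222222222-333333333-1005
  SID[  3]: S-1-1-0
  SE_PRIV 0x0 0x0 0x0 0x0
"""

# Constructed: the failing case from the thread, where no token was built.
NULL_TOKEN_LOG = """\
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
"""

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")
GROUPMAP_RE = re.compile(r"\s*(\S+)\s+\((S-1-[\d-]+)\)\s*->\s*(\S+)")
TOKEN_SID_RE = re.compile(r"\s*SID\[\s*\d+\]:\s*(S-1-[\d-]+)")


def parse_groupmap(text):
    """Return {unix_group: sid} from group-mapping lines."""
    mapping = {}
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line)
        if m:
            mapping[m.group(3)] = m.group(2)
    return mapping


def parse_token_sids(text):
    """Return the SIDs listed in a token dump; an empty list when the log
    shows "NT user token: (NULL)" or no SID[ n] lines at all."""
    return [m.group(1) for line in text.splitlines()
            if (m := TOKEN_SID_RE.match(line))]


def token_allows_group(entry, groupmap, token_sids):
    """Decide one '+group' entry of 'valid users' the way the thread
    describes: name -> SID via the mapping table, then SID in token.
    Only the '+' (Unix group) prefix used on the page is handled.
    Returns 'allowed', 'not-in-token' or 'unmapped'."""
    name = entry[1:] if entry.startswith("+") else entry
    if SID_RE.fullmatch(name):
        sid = name                      # a literal SID needs no mapping
    elif name in groupmap:
        sid = groupmap[name]
    else:
        return "unmapped"               # "net sam mapunixgroup" never ran
    return "allowed" if sid in token_sids else "not-in-token"


def diagnose(valid_users, groupmap_text, token_log_text):
    """Evaluate every entry of a 'valid users' value against one token
    dump and return {entry: verdict}."""
    groupmap = parse_groupmap(groupmap_text)
    token_sids = parse_token_sids(token_log_text)
    return {e: token_allows_group(e, groupmap, token_sids)
            for e in valid_users.split()}


if __name__ == "__main__":
    for entry, verdict in diagnose("+webdev +wheel +nosuch",
                                   GROUPMAP_LIST, TOKEN_LOG).items():
        print(f"{entry:10s} {verdict}")
    print("NULL token:", diagnose("+webdev", GROUPMAP_LIST, NULL_TOKEN_LOG))
```

Run against a real server, the two text inputs would be the output of `net groupmap list` and the `debug_nt_user_token` block from a level 10 `log.smbd` for the failing connection; a verdict of `unmapped` points at the mapping table, `not-in-token` at the token the user actually received (the domain account's token, not the local account's, as Jerry notes), and a `(NULL)` token yields `not-in-token` for every entry.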
From: Leonid Zeitlin on 17 Apr 2008 19:10

Hi Jerry,

Thanks a lot for your quick reply. Please see below.

>> Hi all,
>> I seem to be having a problem identical to this bug:
>> https://bugzilla.samba.org/show_bug.cgi?id=3940 in Samba 3.0.28, however
>> the bug is supposed to be fixed by now.
>>
>> I have a Fedora 7 box joined as a member to Windows 2003 domain. All my
>> Windows users have accounts on the Samba machine, with the same user name
>> in Windows and in Unix. I have a share with valid users = +group, where
>> group is a Unix group. Yet, when a user who is a member of that Unix group
>> connects, access is denied. The messages in the log are as follows:
>>
>> [2008/04/16 15:09:07, 5] smbd/service.c:make_connection(1205)
>>   making a connection to 'normal' service www
>> [2008/04/16 15:09:07, 3] lib/util_sid.c:string_to_sid(223)
>>   string_to_sid: Sid +webdev does not start with 'S-'.
>> [2008/04/16 15:09:07, 10] passdb/lookup_sid.c:lookup_name(64)
>>   lookup_name: UNIXBOX\webdev => UNIXBOX (domain), webdev (name)
>
> Is webdev in the local group mapping table?

If I understand your question correctly, initially it wasn't. Then I did
"net sam mapunixgroup webdev", but this didn't seem to have any effect.

>> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
>>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>> [2008/04/16 15:09:07, 3] smbd/uid.c:push_conn_ctx(358)
>>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>> [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_nt_user_token(448)
>>   NT user token: (NULL)
>> [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_unix_user_token(474)
>>   UNIX token of user 0
>>   Primary group is 0 and contains 0 supplementary groups
>> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
>>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2008/04/16 15:09:07, 10] smbd/share_access.c:user_ok_token(211)
>>   User lz not in 'valid users'
>> [2008/04/16 15:09:07, 2] smbd/service.c:make_connection_snum(616)
>>   user 'lz' (from session setup) not permitted to access this share (www)
>>
>> Interestingly, if I specify valid users = +DOMAIN\windows_group, it
>> works.
>>
>> Maybe I need to configure something? Can I have valid users accept UNIX
>> groups?
>
> Yes. But there are some missing details in your original post.
> Sounds like your server is configured as a domain member server.
> Is the user logging in as a domain user? Or a local user?

I suppose as domain user. I am sitting at my Windows computer, logged in
to domain as DOMAIN\lz and connecting to a share at the Unix computer.
The user named "lz" also exists on the Unix computer. I was thinking
that Samba would map DOMAIN\lz the Windows user to lz the Unix user and
use this user's group membership.

> The domain user will only get domain groups (and possibly
> local nested groups from winbindd) unless you explicitly
> map the domain\user account to a specific local Unix account.

I guess I am getting confused here. Are "local nested groups from
winbindd" the Unix local groups? If yes, this is what I need, but I'm
failing to grasp how to make them work.

Thanks,
Leonid

> cheers, jerry
> - --
> =====================================================================
> Samba ------- http://www.samba.org
> Likewise Software --------- http://www.likewisesoftware.com
> "What man is a man who does not make the world better?" --Balian