[Samba] valid users = +group doesn't work
Hi all, I seem to be having a problem identical to this bug: https://bugzilla.samba.org/show_bug.cgi?id=3940 in Samba 3.0.28, however the bug is supposed to be fixed by now. I have a Fedora 7 box joined as a member to Windows 2003 domain. All my Windows users have accounts on the Samba machine, with the same user name in Windows and in Unix. I have a share with valid users = +group, where group is a Unix group. Yet, when a user who is a member of that Unix group connects, access is denied. The messages in the log are as follows: [2008/04/16 15:09:07, 5] smbd/service.c:make_connection(1205) making a connection to 'normal' service www [2008/04/16 15:09:07, 3] lib/util_sid.c:string_to_sid(223) string_to_sid: Sid +webdev does not start with 'S-'. [2008/04/16 15:09:07, 10] passdb/lookup_sid.c:lookup_name(64) lookup_name: UNIXBOX\webdev => UNIXBOX (domain), webdev (name) [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:push_sec_ctx(208) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2008/04/16 15:09:07, 3] smbd/uid.c:push_conn_ctx(358) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_nt_user_token(448) NT user token: (NULL) [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_unix_user_token(474) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:pop_sec_ctx(356) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2008/04/16 15:09:07, 10] smbd/share_access.c:user_ok_token(211) User lz not in 'valid users' [2008/04/16 15:09:07, 2] smbd/service.c:make_connection_snum(616) user 'lz' (from session setup) not permitted to access this share (www) Interestingly, if I specify valid users = +DOMAIN\windows_group, it works. Maybe I need to configure something? Can I have valid users accept UNIX groups? Thanks, Leonid -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] valid users = +group doesn't work
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Leonid Zeitlin wrote: > Hi all, > I seem to be having a problem identical to this bug: > https://bugzilla.samba.org/show_bug.cgi?id=3940 in Samba 3.0.28, however the > bug is supposed to be fixed by now. > > I have a Fedora 7 box joined as a member to Windows 2003 domain. All my > Windows users have accounts on the Samba machine, with the same user name in > Windows and in Unix. I have a share with valid users = +group, where group > is a Unix group. Yet, when a user who is a member of that Unix group > connects, access is denied. The messages in the log are as follows: > > [2008/04/16 15:09:07, 5] smbd/service.c:make_connection(1205) > making a connection to 'normal' service www > [2008/04/16 15:09:07, 3] lib/util_sid.c:string_to_sid(223) > string_to_sid: Sid +webdev does not start with 'S-'. > [2008/04/16 15:09:07, 10] passdb/lookup_sid.c:lookup_name(64) > lookup_name: UNIXBOX\webdev => UNIXBOX (domain), webdev (name) Is webdev in the local gtroup mapping table ? > [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:push_sec_ctx(208) > push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 > [2008/04/16 15:09:07, 3] smbd/uid.c:push_conn_ctx(358) > push_conn_ctx(0) : conn_ctx_stack_ndx = 0 > [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:set_sec_ctx(241) > setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 > [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_nt_user_token(448) > NT user token: (NULL) > [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_unix_user_token(474) > UNIX token of user 0 > Primary group is 0 and contains 0 supplementary groups > [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:pop_sec_ctx(356) > pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 > [2008/04/16 15:09:07, 10] smbd/share_access.c:user_ok_token(211) > User lz not in 'valid users' > [2008/04/16 15:09:07, 2] smbd/service.c:make_connection_snum(616) > user 'lz' (from session setup) not permitted to access this share (www) > > Interestingly, if I specify valid users = +DOMAIN\windows_group, it works. > > Maybe I need to configure something? Can I have valid users accept UNIX > groups? yes. But there's some missing details in your original post. Sounds like your server is configured as a domain member server. is the user logging as a domain user ? Or a local user? The domain user will only get domain groups (and possible local nested groups from winbindd) unless you explicitly map the domain\user account to a specific local Unix account. cheers, jerry - -- = Samba--- http://www.samba.org Likewise Software - http://www.likewisesoftware.com "What man is a man who does not make the world better?" --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIBfPuIR7qMdg1EfYRAhQyAJ4k+OEz7EaNr4P1K/L6E6GLg0TafgCeJubR ETDDOlBflWi7oonxqQ2ptro= =35qf -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] valid users = +group doesn't work
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Leonid Zeitlin wrote: >> Is webdev in the local gtroup mapping table ? > > If I understand your question correctly, initally it > wasn't. Then I did "net sam mapunixgroup webdev", but > this didn't seem to have any effect. Correct. That was my question. In 3.0.23 and later Samba converts the name to a SID internally and then compares for that SID in the user's NT token. See below for why this matters. >>> Interestingly, if I specify valid users = +DOMAIN\windows_group, it >>> works. >>> >>> Maybe I need to configure something? Can I have valid users accept UNIX >>> groups? >> >> yes. But there's some missing details in your original post. >> Sounds like your server is configured as a domain member server. >> is the user logging as a domain user ? Or a local user? > > I suppose as domain user. I am sitting at my Windows computer, logged in > to domain as DOMAIN\lz and connecting to a share at the Unix computer. > The user named "lz" also exists on the Unix computer. I was thinking > that Samba would map DOMAIN\lz the Windows user to lz the Unix user and > use this user's group membership. DOMAIN\lz has a different SID and token than the local user "lz". Therefore the search for the local group SID of "webdev" will not be found in the domain user's (DOMAIN\lz) token. You can view the user's complete list of SIDs in the NT token in a level 10 smbd debug log. >> The domain user will only get domain groups (and possible >> local nested groups from winbindd) unless you explicitly >> map the domain\user account to a specific local Unix account. > > I guess I am getting confused here. Are "local nested groups from > winbindd" the Unix local groups? If yes, this is what I need, but I'm > failing to grasp how to make them work. No. See the "winbind nested groups" option for more details on local nested groups. These are the equivalent of Windows NT 4.0 local machine groups. cheers, jerry - -- = Samba--- http://www.samba.org Likewise Software - http://www.likewisesoftware.com "What man is a man who does not make the world better?" --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIBnWoIR7qMdg1EfYRAqS6AKCePyOTvq3XmQm5IQIkZzw0y0dXcwCeJzxH mXijoHfCBnyVvyomNsQyqBk= =CCjy -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] valid users = +group doesn't work
Hi Jerry, Please see below. -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Leonid Zeitlin wrote: Is webdev in the local gtroup mapping table ? If I understand your question correctly, initally it wasn't. Then I did "net sam mapunixgroup webdev", but this didn't seem to have any effect. Correct. That was my question. In 3.0.23 and later Samba converts the name to a SID internally and then compares for that SID in the user's NT token. See below for why this matters. Got you on this one, thanks. Interestingly, if I specify valid users = +DOMAIN\windows_group, it works. Maybe I need to configure something? Can I have valid users accept UNIX groups? yes. But there's some missing details in your original post. Sounds like your server is configured as a domain member server. is the user logging as a domain user ? Or a local user? I suppose as domain user. I am sitting at my Windows computer, logged in to domain as DOMAIN\lz and connecting to a share at the Unix computer. The user named "lz" also exists on the Unix computer. I was thinking that Samba would map DOMAIN\lz the Windows user to lz the Unix user and use this user's group membership. DOMAIN\lz has a different SID and token than the local user "lz". Therefore the search for the local group SID of "webdev" will not be found in the domain user's (DOMAIN\lz) token. You can view the user's complete list of SIDs in the NT token in a level 10 smbd debug log. I see. I observe an interesting picture here. If I specify valid users = +DOMAIN\windows_group, then I am able to access the share, and in this case I see the following in the log: [2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(454) NT user token of user S-1-5-21-800801294-1190493330-1361462980-1010 contains 19 SIDs SID[ 0]: S-1-5-21-800801294-1190493330-1361462980-1010 (... 18 more SIDs follow ... ) SE_PRIV 0x0 0x0 0x0 0x0 [2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474) UNIX token of user 500 Primary group is 500 and contains 0 supplementary groups [2008/04/17 13:39:56, 5] smbd/uid.c:change_to_user(273) change_to_user uid=(500,500) gid=(0,500) The list of SIDs actually includes the SID to which the local group webdev was mapped with "net sam mapunixgroup"! The only thing that is somewhat strange here is "contains 0 supplementary groups", since my user actually has a number of supplementary groups, however, so far so good. Now, if I specify valid users = +webdev, I cannot access the share and when I try the log has something quite different: [2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(448) NT user token: (NULL) [2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2008/04/17 13:39:56, 5] smbd/uid.c:change_to_root_user(288) change_to_root_user: now uid=(0,0) gid=(0,0) Maybe I'm off base here, and this is normal, but this looks strange: apparently Samba knows my user is a member of local webdev group, yet it won't let me in based on this membership. The domain user will only get domain groups (and possible local nested groups from winbindd) unless you explicitly map the domain\user account to a specific local Unix account. I guess I am getting confused here. Are "local nested groups from winbindd" the Unix local groups? If yes, this is what I need, but I'm failing to grasp how to make them work. No. See the "winbind nested groups" option for more details on local nested groups. These are the equivalent of Windows NT 4.0 local machine groups. I see. But it appears to me (correct me if I'm wrong) that if a local Unix group is mapped with "net sam mapunixgroup", then it becomes a local nested group and Samba could use it in "valid users" - but apparently it doesn't, which confuses me. BTW, I didn't mention this before, maybe it is relevant: I am using NIS on the Samba machine. So, local user lz and group webdev are not in local passwd and group files, but come from NIS. I don't expect it to make a difference, but mentioning this just in case. Thanks a lot, Leonid -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] valid users = +group doesn't work
Hi Jerry, Thanks a lot for your quick reply. Please see below. Hi all, I seem to be having a problem identical to this bug: https://bugzilla.samba.org/show_bug.cgi?id=3940 in Samba 3.0.28, however the bug is supposed to be fixed by now. I have a Fedora 7 box joined as a member to Windows 2003 domain. All my Windows users have accounts on the Samba machine, with the same user name in Windows and in Unix. I have a share with valid users = +group, where group is a Unix group. Yet, when a user who is a member of that Unix group connects, access is denied. The messages in the log are as follows: [2008/04/16 15:09:07, 5] smbd/service.c:make_connection(1205) making a connection to 'normal' service www [2008/04/16 15:09:07, 3] lib/util_sid.c:string_to_sid(223) string_to_sid: Sid +webdev does not start with 'S-'. [2008/04/16 15:09:07, 10] passdb/lookup_sid.c:lookup_name(64) lookup_name: UNIXBOX\webdev => UNIXBOX (domain), webdev (name) Is webdev in the local gtroup mapping table ? If I understand your question correctly, initally it wasn't. Then I did "net sam mapunixgroup webdev", but this didn't seem to have any effect. [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:push_sec_ctx(208) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2008/04/16 15:09:07, 3] smbd/uid.c:push_conn_ctx(358) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_nt_user_token(448) NT user token: (NULL) [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_unix_user_token(474) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:pop_sec_ctx(356) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2008/04/16 15:09:07, 10] smbd/share_access.c:user_ok_token(211) User lz not in 'valid users' [2008/04/16 15:09:07, 2] smbd/service.c:make_connection_snum(616) user 'lz' (from session setup) not permitted to access this share (www) Interestingly, if I specify valid users = +DOMAIN\windows_group, it works. Maybe I need to configure something? Can I have valid users accept UNIX groups? yes. But there's some missing details in your original post. Sounds like your server is configured as a domain member server. is the user logging as a domain user ? Or a local user? I suppose as domain user. I am sitting at my Windows computer, logged in to domain as DOMAIN\lz and connecting to a share at the Unix computer. The user named "lz" also exists on the Unix computer. I was thinking that Samba would map DOMAIN\lz the Windows user to lz the Unix user and use this user's group membership. The domain user will only get domain groups (and possible local nested groups from winbindd) unless you explicitly map the domain\user account to a specific local Unix account. I guess I am getting confused here. Are "local nested groups from winbindd" the Unix local groups? If yes, this is what I need, but I'm failing to grasp how to make them work. Thanks, Leonid cheers, jerry - -- = Samba--- http://www.samba.org Likewise Software - http://www.likewisesoftware.com "What man is a man who does not make the world better?" --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIBfPuIR7qMdg1EfYRAhQyAJ4k+OEz7EaNr4P1K/L6E6GLg0TafgCeJubR ETDDOlBflWi7oonxqQ2ptro= =35qf -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] valid users = +group doesn't work
Hi Jerry, Please see below. The supplementary groups are determined by mapping the Windows group to a gid. I'm having to remember what we already convered so apoligies fotr asking again. Are you running winbindd? or just manually mapping groups to SIDs ? Seems to be the former. Winbind is running, yes. I see. But it appears to me (correct me if I'm wrong) that if a local Unix group is mapped with "net sam mapunixgroup", then it becomes a local nested group and Samba could use it in "valid users" - but apparently it doesn't, which confuses me. No. The nested group functionality is only served by Winbind. I guess my question now boils down to the following: when I access a share as domain user DOMAIN\lz, is there a way to apply "valid users" check based on the Unix group membership of the Unix user "lz". From what you are saying I am getting the impression that the asnwer is no; is this really so? Thanks, Leonid cheers, jerry - -- = Samba--- http://www.samba.org Likewise Software - http://www.likewisesoftware.com "What man is a man who does not make the world better?" --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIDKAIIR7qMdg1EfYRAk+fAJ4zn2iWrkmyVMcfXv9O09rRGWAzPgCcDkA8 E1O1kHw1lM1LDcE2xRcJfWY= =ch5e -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] valid users = +group doesn't work
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Leonid Zeitlin wrote: >> DOMAIN\lz has a different SID and token than the local >> user "lz". Therefore the search for the local group SID >> of "webdev" will not be found in the domain user's (DOMAIN\lz) >> token. You can view the user's complete list of SIDs in the NT >> token in a level 10 smbd debug log. > > I see. I observe an interesting picture here. If I specify > valid users = +DOMAIN\windows_group, then I am able > to access the share, and in this case I see the following > in the log: > > [2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(454) > NT user token of user S-1-5-21-800801294-1190493330-1361462980-1010 > contains 19 SIDs > SID[ 0]: S-1-5-21-800801294-1190493330-1361462980-1010 > (... 18 more SIDs follow ... ) > SE_PRIV 0x0 0x0 0x0 0x0 > [2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474) > UNIX token of user 500 > Primary group is 500 and contains 0 supplementary groups > [2008/04/17 13:39:56, 5] smbd/uid.c:change_to_user(273) > change_to_user uid=(500,500) gid=(0,500) > > The list of SIDs actually includes the SID to which the local group > webdev was mapped with "net sam mapunixgroup"! The only thing that is > somewhat strange here is "contains 0 supplementary groups", since my > user actually has a number of supplementary groups, however, so far so > good. Now, if I specify valid users = +webdev, I cannot access the share > and when I try the log has something quite different: The supplementary groups are determined by mapping the Windows group to a gid. I'm having to remember what we already convered so apoligies fotr asking again. Are you running winbindd? or just manually mapping groups to SIDs ? Seems to be the former. If so, I think I remember we made a change that group mapping really only honored groups in the local SAM domain of the machine which would explain why mapping to the domain group didn't work. But I'm a little fuzzy on when (or if we really made that change). >>> I guess I am getting confused here. Are "local nested groups from >>> winbindd" the Unix local groups? If yes, this is what I need, but I'm >>> failing to grasp how to make them work. >> >> No. See the "winbind nested groups" option for more details on >> local nested groups. These are the equivalent of Windows NT >> 4.0 local machine groups. > > I see. But it appears to me (correct me if I'm wrong) that > if a local Unix group is mapped with "net sam mapunixgroup", then > it becomes a local nested group and Samba could use > it in "valid users" - but apparently it doesn't, which confuses me. No. The nested group functionality is only served by Winbind. > BTW, I didn't mention this before, maybe it is relevant: I > am using NIS on the Samba machine. So, local user lz > and group webdev are not inlocal passwd and group files, > but come from NIS. I don't expect it to make a difference, > but mentioning this just in case. No difference. "Local" in this discussion is in relation to who is authoriative for the account: e.g. either Samba (local machine) or the Domain controller. cheers, jerry - -- = Samba--- http://www.samba.org Likewise Software - http://www.likewisesoftware.com "What man is a man who does not make the world better?" --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIDKAIIR7qMdg1EfYRAk+fAJ4zn2iWrkmyVMcfXv9O09rRGWAzPgCcDkA8 E1O1kHw1lM1LDcE2xRcJfWY= =ch5e -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] valid users = +group doesn't work
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Leonid Zeitlin wrote: > I guess my question now boils down to the following: when I access a > share as domain user DOMAIN\lz, is there a way to apply "valid users" > check based on the Unix group membership of the Unix user "lz". From > what you are saying I am getting the impression that the asnwer is no; > is this really so? If you setup a "username map" and define "lz = DOMAIN\lz", then when you login as DOMAIN\lz you should only be assigned the groups belonging to the local user "lz". But you will not get the domain user's group membership. cheers, jerry - -- = Samba--- http://www.samba.org Likewise Software - http://www.likewisesoftware.com "What man is a man who does not make the world better?" --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIDdvAIR7qMdg1EfYRAsudAJ0QyxaRDc+lnJH6VdOtPNmPszKSgwCgzbE/ u8DONjtZc1zf+wXNTuCFHgM= =ti50 -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] valid users = +group doesn't work
Hi Jerry, I guess my question now boils down to the following: when I access a share as domain user DOMAIN\lz, is there a way to apply "valid users" check based on the Unix group membership of the Unix user "lz". From what you are saying I am getting the impression that the asnwer is no; is this really so? If you setup a "username map" and define "lz = DOMAIN\lz", then when you login as DOMAIN\lz you should only be assigned the groups belonging to the local user "lz". But you will not get the domain user's group membership. This doesn't seem to work. The log shows: [2008/04/22 15:51:38, 5] auth/auth_util.c:debug_nt_user_token(454) NT user token of user S-1-5-21-3395643079-1670520419-2869919353-501 contains 4 SIDs SID[ 0]: S-1-5-21-3395643079-1670520419-2869919353-501 SID[ 1]: S-1-1-0 SID[ 2]: S-1-5-2 SID[ 3]: S-1-5-32-546 SE_PRIV 0x0 0x0 0x0 0x0 [2008/04/22 15:51:38, 5] auth/auth_util.c:debug_unix_user_token(474) UNIX token of user 99 Primary group is 99 and contains 0 supplementary groups The SID and uid 99 correspond to user nobody. BTW, I am using idmap backend = nss. Actually, even if this works, it would be inconvenient to map every user that needs to access the share. I hoped Samba would treat local Unix group similar to how Windows treat local groups. I wouldn't mind if a Unix group needed some "blessing" before Samba uses it (i.e. a SID is somehow created for it). Is it not possible? Thanks, Leonid cheers, jerry - -- = Samba--- http://www.samba.org Likewise Software - http://www.likewisesoftware.com "What man is a man who does not make the world better?" --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIDdvAIR7qMdg1EfYRAsudAJ0QyxaRDc+lnJH6VdOtPNmPszKSgwCgzbE/ u8DONjtZc1zf+wXNTuCFHgM= =ti50 -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
