samba - Apr 2005 - weird problem with "access denied" on share

Hi folks,

I am having a weird problem that I just recently noticed on this 
particular server runnng Samba 3.0.10 on Fedora Core 3 and am hoping 
someone could shed some light on this.

We're using tdb for our backend database.

The user "nsu" is a member of unix group admin.
The unix group admin is mapped to "Domain Adminstrators".

This works OK, in that when logging in on a workstation, I have local 
administrative privelege on that workstation.

So far, so good. But here's the rub: when I attempt to, say, create a 
file within certain shares I have set up in smb.conf (see below), where 
I specifically set "write list = @admin" I receive a dialog from
Windows:

  "Unable to create the file foo.txt Access is denied."

Furthermore I notice some weird messages in /var/log/messages (last 
segment below). Of particular interest are the "transport endpoint is 
not connected" which we have seen before above, but more suspicious is 
the "get_alias_user_groups" errors which state that the gid does not 
exist for user nsu. I suspect this is somehow related, but I am not sure 
what this *really* means.

I did attetmpt to delete and recreate the user nsu. I deleted from 
/etc/passwd and then from the tdb manually using pdbedit. I then 
re-created this user, thiking somehow this might fix this gid problem 
somehow. Didn't fix the share permission issue, though I can still log 
in with local admin rights on the workstation.

This is really annoying!!! Can someone help???? Thanks!

Morgan Toal
Network Manager
City of Burlington, Iowa

--------------------------------------------------------------------------------------

Here is what net user info says about nsu:

  [root@pd1 xinetd.d]# net user info nsu
  root's password:
  [2005/04/14 10:21:13, 0] utils/net_ads.c:ads_startup(186)
    ads_connect: Transport endpoint is not connected
  Domain Admins

(as an aside, I don't know what the ads_connect error means or if it is 
related to my issue.)

--------------------------------------------------------------------------------------

Here is what net groupmap list says:

  [root@pd1 xinetd.d]#  net groupmap list
  System Operators (S-1-5-32-549) -> -1
  Replicators (S-1-5-32-552) -> -1
  Guests (S-1-5-32-546) -> -1
  seint (S-1-5-21-3505514775-834951346-1128776050-2157) -> seint
  Domain Users (S-1-5-21-3505514775-834951346-1128776050-513) -> -1
  Domain Admins (S-1-5-21-3505514775-834951346-1128776050-512) -> admin
  Domain Guests (S-1-5-21-3505514775-834951346-1128776050-514) -> -1
  Power Users (S-1-5-32-547) -> -1
  Print Operators (S-1-5-32-550) -> -1
  Administrators (S-1-5-32-544) -> -1
  Account Operators (S-1-5-32-548) -> -1
  chief (S-1-5-21-3505514775-834951346-1128776050-2005) -> chief
  cid (S-1-5-21-3505514775-834951346-1128776050-2045) -> cid
  Backup Operators (S-1-5-32-551) -> -1
  Users (S-1-5-32-545) -> -1

--------------------------------------------------------------------------------------

Here is what pdbedit -v -u nsu says:

  [root@pd1 xinetd.d]# pdbedit -v -u nsu
  Unix username:        nsu
  NT username:
  Account Flags:        [U          ]
  User SID:             S-1-5-21-3505514775-834951346-1128776050-2124
  Primary Group SID:    S-1-5-21-3505514775-834951346-1128776050-2127
  Full Name:            nsu account
  Home Directory:       \\pd1\nsu
  HomeDir Drive:        Z:
  Logon Script:         logon.bat
  Profile Path:         \\pd1\nsu\profile
  Domain:               PD
  Account desc:
  Workstations:
  Munged dial:
  Logon time:           0
  Logoff time:          Mon, 18 Jan 2038 21:14:07 GMT
  Kickoff time:         Mon, 18 Jan 2038 21:14:07 GMT
  Password last set:    Thu, 14 Apr 2005 08:58:29 GMT
  Password can change:  Thu, 14 Apr 2005 08:58:29 GMT
  Password must change: Mon, 18 Jan 2038 21:14:07 GMT
  Last bad password   : 0
  Bad password count  : 0
  Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

--------------------------------------------------------------------------------------

Here is what smb.conf says:

[root@pd1 xinetd.d]# more /etc/samba/smb.conf
[global]
log level = 1
workgroup = pd
netbios name = pd1
passdb backend = tdbsam
printcap name = cups
add user script = /usr/sbin/useradd -m %u
add group script = /usr/sbin/groupadd %g
delete user script = /usr/sbin/userdel -r %u
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
logon script = logon.bat
# logon path = \\%L\Profiles\%U
logon drive = Z:
logon home = \\%L\%U
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
printing = cups
wins support = no
wins server = 192.168.18.14
host msdfs = yes

################################################################
## Share Definitions
################################################################

[printers]
         comment = All Printers
         path = /var/spool/samba
         browseable = no
         guest ok = no
         writable = no
         printable = yes

[homes]
         comment = Home Directories
         browseable = no
         writable = yes

[netlogon]
         comment = Network Logon Service
         path = /home/samba/netlogon
         public = yes
         write list = @admin

[public]
         comment = Public Stuff
         path = /home/samba/public
         public = yes
         writeable = yes
         force create mode = 0777
         force directory mode = 0777

[system]
         comment = System Stuff
         path = /home/samba/system
         public = yes
         write list = @admin

[chief]
         comment = Police Administration
         path = /home/samba/chief
         public = no
         valid users = @admin, @chief
         write list = @admin, @chief
         force group = chief
         force create mode = 0770
         force directory mode = 0770

[seint]
         comment = Police Administration
         path = /home/samba/seint
         public = no
         valid users = @admin, @seint
         write list = @admin, @seint
         force group = seint
         force create mode = 0770
         force directory mode = 0770

[dfs]
     comment = DFS Root
     path = /home/samba/dfs
     msdfs root = yes

[tracs]
     comment = TRACS program data files
     path = /home/samba/tracs
     public = yes
     writeable = yes
     force group = nobody
     force create mode = 0777

[cid]
     comment = Criminal Investigation
     path = /home/samba/cid
     public = yes
     writeable = yes
     valid users = @admin, @cid
     write list = @admin, @cid
     force group = cid
     force create mode = 0770
     force directory mode = 0770

--------------------------------------------------------------------------------------

Here is some of the stuff I see in /var/log/messages:

[root@pd1 xinetd.d]# cat /var/log/messages | grep smb
...(snip)
Apr 14 09:13:27 pd1 smb: nmbd startup succeeded
Apr 14 09:13:27 pd1 smbd[1449]: [2005/04/14 09:13:27, 0] 
lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:13:27 pd1 smbd[1449]:   getpeername failed. Error was 
Transport endpoint is not connected
Apr 14 09:13:27 pd1 smbd[1449]: [2005/04/14 09:13:27, 0] 
lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:13:27 pd1 smbd[1449]:   getpeername failed. Error was 
Transport endpoint is not connected
Apr 14 09:13:28 pd1 smbd[1449]: [2005/04/14 09:13:28, 0] 
lib/util_sock.c:write_socket_data(430)
Apr 14 09:13:28 pd1 smbd[1449]:   write_socket_data: write failure. 
Error = Connection reset by peer
Apr 14 09:13:28 pd1 smbd[1449]: [2005/04/14 09:13:28, 0] 
lib/util_sock.c:write_socket(455)
Apr 14 09:13:28 pd1 smbd[1449]:   write_socket: Error writing 4 bytes to 
socket 22: ERRNO = Connection reset by peer
Apr 14 09:13:28 pd1 smbd[1449]: [2005/04/14 09:13:28, 0] 
lib/util_sock.c:send_smb(647)
Apr 14 09:13:28 pd1 smbd[1449]:   Error writing 4 bytes to client. -1. 
(Connection reset by peer)
Apr 14 09:13:46 pd1 smbd[1451]: [2005/04/14 09:13:46, 0] 
rpc_server/srv_util.c:get_alias_user_groups(206)
Apr 14 09:13:46 pd1 smbd[1451]:   get_alias_user_groups: gid of user 
mtoal doesn't exist. Check your /etc/passwd and /etc/group files
Apr 14 09:18:12 pd1 smbd[1479]: [2005/04/14 09:18:12, 0] 
lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:18:12 pd1 smbd[1479]:   getpeername failed. Error was 
Transport endpoint is not connected
Apr 14 09:18:12 pd1 smbd[1479]: [2005/04/14 09:18:12, 0] 
lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:18:12 pd1 smbd[1479]:   getpeername failed. Error was 
Transport endpoint is not connected
Apr 14 09:18:12 pd1 smbd[1479]: [2005/04/14 09:18:12, 0] 
lib/util_sock.c:write_socket_data(430)
Apr 14 09:18:12 pd1 smbd[1479]:   write_socket_data: write failure. 
Error = Connection reset by peer
Apr 14 09:18:12 pd1 smbd[1479]: [2005/04/14 09:18:12, 0] 
lib/util_sock.c:write_socket(455)
Apr 14 09:18:12 pd1 smbd[1479]:   write_socket: Error writing 4 bytes to 
socket 5: ERRNO = Connection reset by peer
Apr 14 09:18:12 pd1 smbd[1479]: [2005/04/14 09:18:12, 0] 
lib/util_sock.c:send_smb(647)
Apr 14 09:18:12 pd1 smbd[1479]:   Error writing 4 bytes to client. -1. 
(Connection reset by peer)
Apr 14 09:25:14 pd1 smbd[1456]: [2005/04/14 09:25:14, 0] 
rpc_server/srv_util.c:get_alias_user_groups(206)
Apr 14 09:25:14 pd1 smbd[1456]:   get_alias_user_groups: gid of user nsu 
doesn't exist. Check your /etc/passwd and /etc/group files
Apr 14 09:52:59 pd1 smbd[1724]: [2005/04/14 09:52:59, 0] 
lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:52:59 pd1 smbd[1724]:   getpeername failed. Error was 
Transport endpoint is not connected
Apr 14 09:52:59 pd1 smbd[1724]: [2005/04/14 09:52:59, 0] 
lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:52:59 pd1 smbd[1724]:   getpeername failed. Error was 
Transport endpoint is not connected
Apr 14 09:52:59 pd1 smbd[1724]: [2005/04/14 09:52:59, 0] 
lib/util_sock.c:write_socket_data(430)
Apr 14 09:52:59 pd1 smbd[1724]:   write_socket_data: write failure. 
Error = Connection reset by peer
Apr 14 09:52:59 pd1 smbd[1724]: [2005/04/14 09:52:59, 0] 
lib/util_sock.c:write_socket(455)
Apr 14 09:52:59 pd1 smbd[1724]:   write_socket: Error writing 4 bytes to 
socket 22: ERRNO = Connection reset by peer
Apr 14 09:52:59 pd1 smbd[1724]: [2005/04/14 09:52:59, 0] 
lib/util_sock.c:send_smb(647)
Apr 14 09:52:59 pd1 smbd[1724]:   Error writing 4 bytes to client. -1. 
(Connection reset by peer)

morgan toal wrote:
> So far, so good. But here's the rub: when I attempt to, say, create a 
> file within certain shares I have set up in smb.conf (see below), where 
> I specifically set "write list = @admin" I receive a dialog from
Windows:
> 
>  "Unable to create the file foo.txt Access is denied."
Silly me.

The files on the share in question were owned by root and were mode 770.

I was so busy looking for the exotic, I never noticed the obvious...

Everything works now as it should. Sorry to waste folks' time here.
> Furthermore I notice some weird messages in /var/log/messages (last 
> segment below). Of particular interest are the "transport endpoint is 
> not connected" which we have seen before above, but more suspicious is
> the "get_alias_user_groups" errors which state that the gid does
not
> exist for user nsu. I suspect this is somehow related, but I am not sure 
> what this *really* means.
Though I would appreciate any comment folks might have on this point.

Should I be concerned about these messgaes in the log?

Thanks.

mtoal