Summarization of the bug in Samba 3.0.2pre1:
It seems that an ADS group is not valid or detected anymore to access a
Samba share, in case only an ADS group is used as a valid user on a Samba
share, because Kerberos is reporting: Username (null) is invalid on this
system.
Besides that, connecting to a share (service) reports with Samba 3.0.0-2
REALM\username (NH-TEST.NL\fo6), but with Samba 3.0.2pre1 connecting to
a share (service) reports only username (fo6).
Downgrading to Samba 3.0.0-2 solves this problem!
Subjoined the steps to reproduce the bug:
Windows 2003 native mode
Realm: NH-TEST.NL
Red Hat Linux release 9 (Shrike)
Kernel 2.4.20-8 on an i686
Linux (server) newly installed on clean system.
Directly after Linux installation:
rpmbuild --rebuild krb5-1.3.1-7.src.rpm
Installed the resulting Kerberos packages. (rpm -Uhv --force --nodeps krb5*)
rpmbuild --rebuild samba-3.0.1-2.src.rpm
Installed the resulting Samba package.
Samba configured for the use of winbind.
Joined NH-TEST.NL realm.
wbinfo -u, wbinfo -g, getent passwd, getent group, wbinfo -I ip_address,
wbinfo -N netbios_name are working.
Samba share "grp"
# Group Directory
[grp]
writeable = yes
inherit permissions = yes
path = /data/grp
comment = Group Directory
valid users = @NH-TEST.NL\FO_GRP
browsable = yes
getent group
FO_GRP:x:10014:fo7,fo6
chown root:FO_GRP /data/grp/fog
[root@linuxalex data]# ls -l grp
drwxrws--- 5 root FO_GRP 4096 Jan 16 17:34 fog
Output log.smbd
[2004/01/15 11:58:27, 0] smbd/server.c:main(747)
smbd version 3.0.1 started.
Copyright Andrew Tridgell and the Samba Team 1992-2003
On a Win2k workstation logged in on the domain as user fo6 accessing the
"grp" share results in 10.15.69.101.log:
[2004/01/15 12:06:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
Failed to verify incoming ticket!
Left the NH-TEST.NL realm
rpmbuild --rebuild samba-3.0.2pre1-1.src.rpm
rpmbuild --rebuild samba-3.0.0-2.src.rpm
Installed the resulting Samba package: samba-3.0.2pre1-1.i386.rpm
Joined NH-TEST.NL realm.
wbinfo -u, wbinfo -g, getent passwd, getent group, wbinfo -I ip_address,
wbinfo -N netbios_name are working.
Output log.smbd
[2004/01/16 14:50:24, 0] smbd/server.c:main(747)
smbd version 3.0.2pre1 started.
On a Win2k workstation logged in on the domain as user fo6 accessing the
"grp" share results in 10.15.69.101.log:
[2004/01/16 15:02:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username (null) is invalid on this system
And NO access to the "grp" share!!!
Changed on the "grp" share in smb.conf
valid users = fo6
(user fo6 is only available as ADS user and not as local Linux user!)
On a Win2k workstation logged in on the domain as user fo6 accessing the
"grp" share results in 10.15.69.101.log:
[2004/01/16 15:13:15, 1] smbd/service.c:make_connection_snum(705)
10.15.69.101 (10.15.69.101) connect to service public initially as
user fo6 (uid=10004, gid=10000) (pid 1161)
(getent group: Domain Users:x:10000:)
(getent passwd: fo6:x:10004:10000:fo6:/data/hom/fo6:/bin/bash)
and access to the "grp" share!!! However, no access to the "fog" directory!!!
[root@linuxalex data]# ls -l grp
drwxrws--- 5 root FO_GRP 4096 Jan 16 17:34 fog
chown fo6:FO_GRP /data/grp/fog
[root@linuxalex data]# ls -l grp
drwxrws--- 5 fo6 FO_GRP 4096 Jan 16 17:34 fog
Now access to the "fog" directory!
Left the NH-TEST.NL realm
Installed the Samba package: samba-3.0.0-2.i386.rpm
Joined NH-TEST.NL realm.
wbinfo -u, wbinfo -g, getent passwd, getent group, wbinfo -I ip_address,
wbinfo -N netbios_name are working.
Output log.smbd
[2004/01/16 16:08:49, 0] smbd/server.c:main(747)
smbd version 3.0.0 started.
Copyright Andrew Tridgell and the Samba Team 1992-2003
Changed on the "grp" share in smb.conf
valid users = @NH-TEST.NL\FO_GRP
chown root:FO_GRP /data/grp/fog
[root@linuxalex data]# ls -l grp
drwxrws--- 5 root FO_GRP 4096 Jan 16 17:34 fog
On a Win2k workstation logged in on the domain as user fo6 accessing the
"grp" share results in 10.15.69.101.log:
[2004/01/16 16:11:22, 1] smbd/service.c:make_connection_snum(698)
10.15.69.101 (10.15.69.101) connect to service grp initially as user
NH-TEST.NL\fo6 (uid=10004, gid=10000) (pid 1102)
Now I can access the "grp" share as user fo6 and I can access the "fog"
directory, and this is possible when the user fo6 is given access to the
"grp" share only through membership of the ADS group FO_GRP!
smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
log file = /var/log/samba/%m.log
smb passwd file = /etc/samba/smbpasswd
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#"domain master = yes" can't be set in ADS
domain master = no
encrypt passwords = yes
passwd program = /usr/bin/passwd %u
dns proxy = no
#netbios name changed for Samba in ADS
netbios name = LINUX
level2 oplocks = no
oplocks = no
server string = %h server (Samba %v)
unix password sync = yes
#Workgroup changed for Samba in ADS
workgroup = NH-TEST
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
#Security changed to "ADS" for Samba in ADS
security = ADS
max log size = 0
#domain logons set to "No" for ADS domain membership
domain logons = no
#Below added for Samba in ADS
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /data/hom/%U
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
#"realm =" added for Samba in ADS
realm = NH-TEST.NL
#"password server =" added for Samba in ADS
password server = tstsrvr01.nh-test.nl
#"client use spnego = yes" set for Windows 2003. Wk3 requires SMB signing.
client use spnego = yes
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
# default home share settings
[homes]
comment = Home Directories
browseable = no
writable = yes
## valid users = %S
create mode = 0660
directory mode = 0770
# Group Directory
[grp]
writeable = yes
inherit permissions = yes
path = /data/grp
comment = Group Directory
valid users = @NH-TEST.NL\FO_GRP,@NH-TEST.NL\SALES_GRP
browsable = yes
# Public Files
[pub]
path = /data/public
comment = Public files
guest ok = yes
writable = no
browsable = yes
write list = @NH-TEST.NL\SALES_GRP
# Root data Directory
[root]
writeable = yes
inherit permissions = yes
path = /data
comment = Root data Directory
valid users = @NH-TEST.NL\"Domain Admins"
browsable = yes
krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = NH-TEST.NL
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
proxiable = true
[realms]
NH-TEST.NL = {
kdc = tstsrvr01.nh-test.nl:88
admin_server = tstsrvr01.nh-test.nl:749
default_domain = nh-test.nl
}
[domain_realm]
.nh-test.nl = NH-TEST.NL
nh-test.nl = NH-TEST.NL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
pam.d\login
#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nodelay use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind
hosts: files winbind dns
--
Regards,
Alex de Vaal.
John Schmerold
2004-Jan-20 00:56 UTC
[Samba] Samba 3.0.2rc1 / LDAP login fails, pdbedit shows user
I'm running 3.0.2rc1. User authentication was working, until I got
the bright idea to change ntgroup _users_ to users.
Now no one can log in; any ideas how to fix?
I've tried deleting the tree & starting over from scratch, no joy:
[root@chs root]# smbclient //chs/tmp -U doj
Password:
tree connect failed: Call returned zero bytes (EOF)
[root@chs root]#
When I run pdbedit -v, the user is listed.
I can browse the LDAP tree with Jarek Gawor's LDAP Browser\Editor.
smb.conf is as follows:
[global]
force user = root
hosts allow = 192.168.10. 192.168.20.
hosts deny = all
interfaces = eth0 eth1
passdb backend = ldapsam
ldap suffix = dc=hbclp,dc=com
#ldap machine suffix = ou=_COMPUTERS_
#ldap user suffix = ou=_USERS_
#ldap group suffix = ou=_GROUPS_
ldap machine suffix = ou=computers
ldap group suffix = ou=groups
ldap user suffix = ou=users
ldap admin dn = "cn=root,dc=hbclp,dc=com"
#not using ssl because this is all happening on the localhost
ldap ssl = no
#ldap ssl = Yes
#ldap ssl = start tls
idmap backend = ldap:ldap://127.0.0.1
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
wins support = yes
idmap gid = 10000-20000
idmap uid = 10000-20000
passwd chat debug = Yes
passwd program =/usr/bin/smbldap-passwd.pl -o %u
passwd chat = *new*password* %n\n *new*password:* %n\n *successfully*
#mentioned that these options improve performance
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add machine script = /usr/bin/smbldap-useradd.pl -w %ms
add user script = /usr/bin/smbldap-useradd.pl -a %u
delete user script = /usr/bin/smbldap-userdel.pl %u
add group script = /usr/bin/smbldap-groupadd.pl %g
delete group script = /usr/bin/smbldap-groupdel.pl %g
add user to group script = /usr/bin/smbldap-groupmod.pl -m %u %g
delete user from group script = /usr/bin/smbldap-groupmod.pl -x %u %g
set primary group script = /usr/bin/smbldap-usermod.pl -G %g %u
workgroup = workgroup
netbios name = chs
comment = Chesterfield Server
server string = Chesterfield Server
security = user
null passwords = yes
encrypt passwords = yes
logon script=logon.bat
### These left blank will force local profiles but will not override LDAP config;
### if set, LDAP takes precedence.
logon drive =
logon path =
domain master = yes
domain logons = yes
preferred master = yes
os level = 33
wins support = no
wins proxy = no
log file = /var/log/samba/%m.log
public = No
browseable = yes
writable = No
; necessary share for domain controller
[netlogon]
path = /netlogon
locking = no
read only = yes
write list = ntadmin
;test share
[tmp]
writeable = yes
public = yes
path = /tmp
[profiles]
path = /profiles
read only = no
writeable = yes
create mask = 0600
directory mask = 0700
[sys]
public=yes
path = /home/sys
read only = No
[vol1]
public=yes
path = /home/vol1
read only = No
[cdroms]
public=yes
path = /home/cdroms
read only = No
Alex de Vaal wrote:
> Summarization of the bug in Samba 3.0.2pre1:
> It seems that an ADS group is not valid or detected anymore to access a
> samba share, in case only an ADS group is used a valid user on a Samba
> share, because Kerberos is reporting: Username (null) is invalid on this
> system.
> Besides that, connecting to a share (service) reports with Samba 3.0.0-2
> REALM\username (NH-TEST.NL\fo6), but with Samba 3.0.2pre1 connecting to
> a share (service) reports only username (fo6)
> Downgrading to Samba 3.0.0-2 solves this problem!

Please read the release notes (WHATSNEW).

> winbind use default domain = yes

Disable this parameter and you will get your desired behavior.

--
cheers, jerry
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)
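The reply above points at the combination that broke Alex's setup: "winbind use default domain = yes" in [global] together with domain-qualified group entries such as @NH-TEST.NL\FO_GRP in a share's "valid users" or "write list". As an added example (not code from the thread or from the Samba project), here is a small smb.conf lint that flags exactly that combination; the embedded sample config is constructed for the example and modelled on the one posted above, and the parser only understands the plain "key = value" layout seen there.

```python
# Constructed sample, modelled on the smb.conf posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = NH-TEST
   realm = NH-TEST.NL
   security = ADS
   winbind use default domain = yes
# Group Directory
[grp]
   path = /data/grp
   valid users = @NH-TEST.NL\\FO_GRP,@NH-TEST.NL\\SALES_GRP
[pub]
   path = /data/public
   write list = @NH-TEST.NL\\SALES_GRP
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}; '#' and ';' start comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
            continue
        key, sep, value = line.partition("=")
        if section is not None and sep:
            conf[section][key.strip().lower()] = value.strip()
    return conf

def check_default_domain_conflict(text):
    """Return (share, option, entry) for every @DOMAIN\\group entry in a share's
    access lists when 'winbind use default domain = yes' is set in [global]."""
    conf = parse_smb_conf(text)
    flag = conf.get("global", {}).get("winbind use default domain", "no").lower()
    if flag not in ("yes", "true", "1"):
        return []          # domain prefix is kept; nothing to flag
    hits = []
    for share, opts in conf.items():
        for opt in ("valid users", "write list"):
            for entry in opts.get(opt, "").split(","):
                entry = entry.strip()
                if entry.startswith("@") and "\\" in entry:
                    hits.append((share, opt, entry))
    return hits

# Usage: for hit in check_default_domain_conflict(open("/etc/samba/smb.conf").read()): print(hit)
```

Each hit names a share whose group entry carries a domain prefix that the configured winbind setting strips from incoming usernames; either drop the parameter, as jerry suggests, or keep the two consistent.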