samba - Aug 2006 - 3.0.20 -> 3.0.23 SID/group error?? Won't connect.

Gerry, all:

    HELP! On mandriva, I compiled samba from source and got it running, but 
I cannot connect from windows. (see my post from earlier "[Samba] Compiling
and Configuring Samba for Mandrival")

    I think this relates to the group/SID changes discussed in the release 
notes. However, I'm not smart enough to figure it out. The tarball compiled 
and installed fine. It appears to run fine, it just wont take the 
lookup_name: Unix Group\ochiltree => Unix Group (domain), ochiltree (name) 
handshake for some reason. The samba tests work fine until:

querying __SAMBA__ on 192.168.7.15
192.168.7.15 __SAMBA__<00>
david@rankin-xp:~> nmblookup -B rankin-p35 '*'
querying * on 192.168.7.98
name_query failed to find name *

david@rankin-xp:~> nmblookup -d 2 '*'
added interface ip=192.168.7.90 bcast=192.168.7.255 nmask=255.255.255.0
querying * on 192.168.7.255
Got a positive name query response from 192.168.7.15 ( 192.168.7.15 )
192.168.7.15 *<00>

david@rankin-xp:~> smbclient //bonza/office
Password:
Domain=[RB_LAW] OS=[Unix] Server=[Samba 3.0.23b]
tree connect failed: NT_STATUS_ACCESS_DENIED

    I have attached a level 10 debug if that will help. This is a standalone 
server.

    Right now I am running on 3.0.20 after saving myself with a "make 
revert" Gotta love it...

    What should I do/check/read to find out how to get 3.0.23 to allow my 
clients to connect??? Any help is appreciated..

I think the problems come in at this point:

[2006/08/10 10:11:26, 5] auth/auth.c:check_ntlm_password(296)
  check_ntlm_password:  PAM Account for user [david] succeeded
[2006/08/10 10:11:26, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [david] -> [david] -> 
[david] succeeded
[2006/08/10 10:11:26, 5] auth/auth_util.c:free_user_info(1816)
  attempting to free (and zero) a user_info structure
[2006/08/10 10:11:26, 10] auth/auth_util.c:free_user_info(1820)
  structure was created for david
[2006/08/10 10:11:26, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID 
[S-1-5-21-3406342033-1696486390-100470924-2002]
[2006/08/10 10:11:26, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID 
[S-1-5-21-3406342033-1696486390-100470924-2003]
[2006/08/10 10:11:26, 5] lib/privileges.c:get_privileges_for_sids(459)
  get_privileges_for_sids: sid = S-1-1-0
  Privilege set:
  SE_PRIV  0x0 0x0 0x0 0x0


(snip)



[2006/08/10 10:11:26, 10] passdb/lookup_sid.c:lookup_name(65)
  lookup_name: Unix Group\ochiltree => Unix Group (domain), ochiltree (name)
[2006/08/10 10:11:26, 10] smbd/share_access.c:user_ok_token(208)
  User david not in 'valid users'
[2006/08/10 10:11:26, 2] smbd/service.c:make_connection_snum(571)
  user 'david' (from session setup) not permitted to access this share 
(office)
[2006/08/10 10:11:26, 3] smbd/error.c:error_packet(146)
  error packet at smbd/reply.c(676) cmd=117 (SMBtconX) 
NT_STATUS_ACCESS_DENIED


I am certainly a member of group 'ochiltree', so I'm not sure where
to go
from here. Help?

--
David C. Rankin, J.D., P.E.
RANKIN LAW FIRM, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
(936) 715-9339 fax
www.rankinlawfirm.com
--

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

david,
>    HELP! On mandriva, I compiled samba from source 
> and got it running, but I cannot connect from windows.
> (see my post from earlier "[Samba] Compiling and
> Configuring Samba for Mandrival")
> david@rankin-xp:~> smbclient //bonza/office
> Password:
> Domain=[RB_LAW] OS=[Unix] Server=[Samba 3.0.23b]
> tree connect failed: NT_STATUS_ACCESS_DENIED
...
>    I have attached a level 10 debug if that will help. 
> This is a standalone server.
Attachments get stripped from the list.  I need
your smb.conf, a level 10 debug log from smbd,
and output from the following tow commands

* pdbedit -L -w | cut -d: -f1
* net groupmap list | cut -d\( -f1






cheers, jerry
====================================================================Samba       
------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE27a4IR7qMdg1EfYRAu97AKDeKIT8n0t/7Z9gRxzIXMfjjVnz6QCglGzx
G/dFUy92rL2FdHw3eJ0z104=wDgQ
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Franz Sirl wrote:
> I have the same problem with a simple security = user, 
> non-LDAP, non-windbindd etc. setup. I can workaround
> this for gid=100/groupname=users with:
> 
>        valid users = S-1-5-21-1540046517-542637695-1028676802-1201
> 
> My net getlocalsid:
>  SID for domain HOSTNAME is: S-1-5-21-1540046517-542637695-1028676802
> 
> These didn't work:
> 
>        valid users = +users
>        valid users = +HOSTNAME\users
>        valid users = +BUILTIN\users
>        valid users = +"Unix Group\users"
>        valid users = S-1-22-2-100
ok.  Found the problem.  It's smbpasswd.  If you use tdbsam
everything is fine.  Patch forthcoming shortly.  Sorry.





cheers, jerry
====================================================================Samba       
------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE3H5VIR7qMdg1EfYRAlqTAJ0ZcnKBwL4cTSqjcjq5rHpITHoG7ACg633E
fiP3Ihqaeu+zHUfltU8CbJE=YTCJ
-----END PGP SIGNATURE-----

I had the same problem on AIX with Samba 3.0.23b upgrading Samba
3.0.23a.  The solution I found was to change all "valid users" to
"users".  The documents still say "valid users" is
acceptable; but it
would not work once I went to 3.0.23b.

Lamar

-----Original Message-----
From: Franz Sirl [mailto:Franz.Sirl-kernel@lauterbach.com]
Sent: Friday, August 11, 2006 4:20 AM
To: Gerald (Jerry) Carter
Cc: samba
Subject: Re: [Samba] 3.0.20 -> 3.0.23 SID/group error?? Won't connect.

At 00:44 11.08.2006, Gerald (Jerry) Carter wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>david,
>
> >    HELP! On mandriva, I compiled samba from source
> > and got it running, but I cannot connect from windows.
> > (see my post from earlier "[Samba] Compiling and
> > Configuring Samba for Mandrival")
>
> > david@rankin-xp:~> smbclient //bonza/office
> > Password:
> > Domain=[RB_LAW] OS=[Unix] Server=[Samba 3.0.23b]
> > tree connect failed: NT_STATUS_ACCESS_DENIED
>...
> >    I have attached a level 10 debug if that will help.
> > This is a standalone server.
>
>Attachments get stripped from the list.  I need
>your smb.conf, a level 10 debug log from smbd,
>and output from the following tow commands
>
>* pdbedit -L -w | cut -d: -f1
>* net groupmap list | cut -d\( -f1
Hi,

I have the same problem with a simple security = user, non-LDAP,
non-windbindd etc. setup. I can workaround this for
gid=100/groupname=users with:

        valid users = S-1-5-21-1540046517-542637695-1028676802-1201

My net getlocalsid:
  SID for domain HOSTNAME is: S-1-5-21-1540046517-542637695-1028676802

These didn't work:

        valid users = +users
        valid users = +HOSTNAME\users
        valid users = +BUILTIN\users
        valid users = +"Unix Group\users"
        valid users = S-1-22-2-100

This seems also to be related on which versions of samba were working
before on a machine (seems to depend on the contents of the .tdb),
but so far I could always reproduce it when I delete most of the
.tdb's except printer related and secrets.tdb.
Maybe some "net groupmap" statements are now necessary for simple
setups as well?

bye,
Franz.




Privileged and Confidential.  This e-mail, and any attachments there to, is
intended only for use by the addressee(s) named herein and may contain
privileged or confidential information.  If you have received this e-mail in
error, please notify me immediately by a return e-mail and delete this e-mail. 
You are hereby notified that any dissemination, distribution or copying of this
e-mail and/or any attachments thereto, is strictly prohibited.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Rankin wrote:
>> From: "Gerald (Jerry) Carter" <jerry@samba.org>
>>
>> ok.  Found the problem.  It's smbpasswd.  If you use tdbsam
>> everything is fine.  Patch forthcoming shortly.  Sorry.
>>
> 
> Aahah!
> 
>     I knew the coffee would help ; - )
Hey folks,

Please try the attached patch (samba-3.0.23b-lookup_name_smbconf_v1.patch).
It passes very basic testing for standalone servers
using smbpasswd.  And still has some discussion
to go through before it will go into the tree for
3.0.23c.

Also available at http://www.samba.org/~jerry/patches/
if the attachment gets messed up.



cheers, jerry
====================================================================Samba       
------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE3J18IR7qMdg1EfYRAjK4AJ9bRS+cXFU0L3nMm9g+Hi+ExeXNxgCfb2/x
Omcesq0DAeSWNOv0SGj5q6I=LfCs
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Franz Sirl wrote:
> the patch fixes the valid users problem for me. Or, to 
> come back to the list of different syntaxes, these work:
> 
>        valid users = +users
>        valid users = S-1-5-21-1540046517-542637695-1028676802-1201
> 
> These didn't work:
> 
>        valid users = +"Unix Group\users"
>        valid users = +HOSTNAME\users
>        valid users = +BUILTIN\users
>        valid users = S-1-22-2-100
> 
> Thanks for the patch!
I understand why now these don't work now.  Second round of
patches on the way.
> On a side note, 3.0.23 series fixed the "long delay/hang 
> when accessing a samba share in explorer after a long
> pause" nuisance for me, thanks for this as well!
Good news :-)  Thanks.




cheers, jerry
====================================================================Samba       
------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE3M4BIR7qMdg1EfYRAks4AJ9V0AWVUzuGwmGaPsWVo8QjIGTXJQCeLu+D
51IPyqOeK1dQIkUJqTVIf4k=IhPQ
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Franz Sirl wrote:
> the patch fixes the valid users problem for me. Or, 
> to come back to the list of different syntaxes,
> these work:
> 
>        valid users = +users
>        valid users = S-1-5-21-1540046517-542637695-1028676802-1201
> 
> These didn't work:
> 
>        valid users = +"Unix Group\users"
>        valid users = +HOSTNAME\users
>        valid users = +BUILTIN\users
>        valid users = S-1-22-2-100
Please test the patch.  Supersedes the previous one.
Also available from http://www.samba.org/~jerry/patches/
It's semi-ok that syntax you list doesn't work.  You
should really only worry about +users for local group names.





cheers, jerry
====================================================================Samba       
------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE3NHbIR7qMdg1EfYRAj3nAJ4wtGGV5gZdfPex6VoqV0oR56U5jQCfenpt
nngKKBmiJcVOXVi60MoQk4w=e+/6
-----END PGP SIGNATURE-----
-------------- next part --------------
Index: groupdb/mapping.c
==================================================================---
groupdb/mapping.c	(revision 17493)
+++ groupdb/mapping.c	(working copy)
@@ -195,7 +195,7 @@
 	fstrcpy(map.nt_name, grpname);
 
 	if (pdb_rid_algorithm()) {
-		rid = pdb_gid_to_group_rid( grp->gr_gid );
+		rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
 	} else {
 		if (!pdb_new_rid(&rid)) {
 			DEBUG(3, ("Could not get a new RID for %s\n",
Index: passdb/util_unixsids.c
==================================================================---
passdb/util_unixsids.c	(revision 17493)
+++ passdb/util_unixsids.c	(working copy)
@@ -42,6 +42,12 @@
 	return sid_append_rid(sid, uid);
 }
 
+BOOL uid_to_unix_groups_sid(gid_t gid, DOM_SID *sid)
+{
+	sid_copy(sid, &global_sid_Unix_Groups);
+	return sid_append_rid(sid, gid);
+}
+
 const char *unix_users_domain_name(void)
 {
 	return "Unix User";
Index: passdb/lookup_sid.c
==================================================================---
passdb/lookup_sid.c	(revision 17493)
+++ passdb/lookup_sid.c	(working copy)
@@ -43,7 +43,6 @@
 	DOM_SID sid;
 	enum SID_NAME_USE type;
 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
-	struct group *grp;
 
 	if (tmp_ctx == NULL) {
 		DEBUG(0, ("talloc_new failed\n"));
@@ -120,63 +119,6 @@
 		goto failed;
 	}
 
-	/*
-	 * Nasty hack necessary for too common scenarios:
-	 *
-	 * For 'valid users = +users' we know "users" is most
probably not
-	 * BUILTIN\users but the unix group users. This hack requires the
-	 * admin to explicitly qualify BUILTIN if BUILTIN\users is meant.
-	 *
-	 * Please note that LOOKUP_NAME_GROUP can not be requested via for
-	 * example lsa_lookupnames, it only comes into this routine via
-	 * the expansion of group names coming in from smb.conf
-	 */
-
-	if ((flags & LOOKUP_NAME_GROUP) && ((grp = getgrnam(name)) !=
NULL)) {
-
-		GROUP_MAP map;
-
-		if (pdb_getgrgid(&map, grp->gr_gid)) {
-			/* The hack gets worse. Handle the case where we have
-			 * 'force group = +unixgroup' but "unixgroup" has a
-			 * group mapping */
-
-			if (sid_check_is_in_builtin(&map.sid)) {
-				domain = talloc_strdup(
-					tmp_ctx, builtin_domain_name());
-			} else {
-				domain = talloc_strdup(
-					tmp_ctx, get_global_sam_name());
-			}
-
-			sid_copy(&sid, &map.sid);
-			type = map.sid_name_use;
-			goto ok;
-		}
-
-		/* If we are using the smbpasswd backend, we need to use the
-		 * algorithmic mapping for the unix group we find. This is
-		 * necessary because when creating the NT token from the unix
-		 * gid list we got from initgroups() we use gid_to_sid() that
-		 * uses algorithmic mapping if pdb_rid_algorithm() is true. */
-
-		if (pdb_rid_algorithm() &&
-		    (grp->gr_gid < max_algorithmic_gid())) {
-			domain = talloc_strdup(tmp_ctx, get_global_sam_name());
-			sid_compose(&sid, get_global_sam_sid(),
-				    pdb_gid_to_group_rid(grp->gr_gid));
-			type = SID_NAME_DOM_GRP;
-			goto ok;
-		}
-		
-		if (lookup_unix_group_name(name, &sid)) {
-			domain = talloc_strdup(tmp_ctx,
-					       unix_groups_domain_name());
-			type = SID_NAME_DOM_GRP;
-			goto ok;
-		}
-	}
-
 	/* Now the guesswork begins, we haven't been given an explicit
 	 * domain. Try the sequence as documented on
 	 * http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp
@@ -1138,15 +1080,10 @@
 		goto done;
 	}
 
-	if (pdb_rid_algorithm() && (uid < max_algorithmic_uid())) {
-		sid_copy(psid, get_global_sam_sid());
-		sid_append_rid(psid, algorithmic_pdb_uid_to_user_rid(uid));
-		goto done;
-	} else {
-		uid_to_unix_users_sid(uid, psid);
-		goto done;
-	}
+	/* This is an unmapped user */
 
+	uid_to_unix_users_sid(uid, psid);
+
  done:
 	DEBUG(10,("uid_to_sid: local %u -> %s\n", (unsigned int)uid,
 		  sid_string_static(psid)));
@@ -1180,16 +1117,10 @@
 		/* This is a mapped group */
 		goto done;
 	}
+	
+	/* This is an unmapped group */
 
-	if (pdb_rid_algorithm() && (gid < max_algorithmic_gid())) {
-		sid_copy(psid, get_global_sam_sid());
-		sid_append_rid(psid, pdb_gid_to_group_rid(gid));
-		goto done;
-	} else {
-		sid_copy(psid, &global_sid_Unix_Groups);
-		sid_append_rid(psid, gid);
-		goto done;
-	}
+	uid_to_unix_groups_sid(gid, psid);
 
  done:
 	DEBUG(10,("gid_to_sid: local %u -> %s\n", (unsigned int)gid,
@@ -1235,14 +1166,9 @@
 			*puid = id.uid;
 			goto done;
 		}
-		if (pdb_rid_algorithm() &&
-		    algorithmic_pdb_rid_is_user(rid)) {
-			*puid = algorithmic_pdb_user_rid_to_uid(rid);
-			goto done;
-		}
 
-		/* This was ours, but it was neither mapped nor
-		 * algorithmic. Fail */
+		/* This was ours, but it was not mapped.  Fail */
+
 		return False;
 	}
 
@@ -1323,14 +1249,9 @@
 			*pgid = id.gid;
 			goto done;
 		}
-		if (pdb_rid_algorithm() &&
-		    !algorithmic_pdb_rid_is_user(rid)) {
-			/* This must be a group, presented as alias */
-			*pgid = pdb_group_rid_to_gid(rid);
-			goto done;
-		}
-		/* This was ours, but it was neither mapped nor
-		 * algorithmic. Fail. */
+
+		/* This was ours, but it was not mapped.  Fail */
+
 		return False;
 	}
 	
Index: passdb/passdb.c
==================================================================---
passdb/passdb.c	(revision 17493)
+++ passdb/passdb.c	(working copy)
@@ -505,7 +505,7 @@
  there is not anymore a direct link between the gid and the rid.
  ********************************************************************/
 
-uint32 pdb_gid_to_group_rid(gid_t gid)
+uint32 algorithmic_pdb_gid_to_group_rid(gid_t gid)
 {
 	int rid_offset = algorithmic_rid_base();
 	return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
Index: passdb/pdb_interface.c
==================================================================---
passdb/pdb_interface.c	(revision 17493)
+++ passdb/pdb_interface.c	(working copy)
@@ -595,7 +595,7 @@
 	}
 
 	if (pdb_rid_algorithm()) {
-		*rid = pdb_gid_to_group_rid( grp->gr_gid );
+		*rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
 	} else {
 		if (!pdb_new_rid(rid)) {
 			return NT_STATUS_ACCESS_DENIED;
Index: include/smb.h
==================================================================---
include/smb.h	(revision 17493)
+++ include/smb.h	(working copy)
@@ -272,7 +272,7 @@
 #define LOOKUP_NAME_REMOTE   2  /* Ask others */
 #define LOOKUP_NAME_ALL (LOOKUP_NAME_ISOLATED|LOOKUP_NAME_REMOTE)
 
-#define LOOKUP_NAME_GROUP    4  /* This is a NASTY hack for valid users = @foo
+#define LOOKUP_NAME_GROUP    4  /* (unused) This is a NASTY hack for valid
users = @foo
 				 * where foo also exists in as user. */
 
 /**
Index: utils/net_groupmap.c
==================================================================---
utils/net_groupmap.c	(revision 17493)
+++ utils/net_groupmap.c	(working copy)
@@ -275,7 +275,7 @@
 	if ( (rid == 0) && (string_sid[0] == '\0') ) {
 		d_printf("No rid or sid specified, choosing a RID\n");
 		if (pdb_rid_algorithm()) {
-			rid = pdb_gid_to_group_rid(gid);
+			rid = algorithmic_pdb_gid_to_group_rid(gid);
 		} else {
 			if (!pdb_new_rid(&rid)) {
 				d_printf("Could not get new RID\n");
@@ -555,7 +555,14 @@
 		map.gid = grp->gr_gid;
 
 		if (opt_rid == 0) {
-			opt_rid = pdb_gid_to_group_rid(map.gid);
+			if ( pdb_rid_algorithm() )
+				opt_rid = algorithmic_pdb_gid_to_group_rid(map.gid);
+			else {
+				if ( !pdb_new_rid((uint32*)&opt_rid) ) {
+					d_fprintf( stderr, "Could not allocate new RID\n");
+					return -1;
+				}
+			}
 		}
 
 		sid_copy(&map.sid, get_global_sam_sid());