Nissl Reinhard
2015-Jul-31 12:07 UTC
[Samba] samba-4.1.19: resolving local unix group fails when there exists a local unix user with same name
Hi,

after upgrading samba from 4.1.17 to 4.1.19 on OpenSuSE 13.2, any shares offered by this machine can no longer be accessed, when these shares contain an entry "force group" which specifies a local unix group and when there exists a unix user with the same name.

Here's an excerpt from smb.conf:

    [FactWork]
    comment = FactWork-Downloadportal
    path = /web/Fee/download/factwork
    valid users = @webadmin,fee\gabi,@fee\g_tb3,fee\administrator,fee\svtb3$
    write list = @webadmin,fee\gabi,@fee\g_tb3,fee\administrator
    force group = webadmin
    create mask = 0664
    force create mode = 0664
    directory mask = 0775
    force directory mode = 0775
    writeable = Yes
    guest ok = No

When I try to access that share with smbclient like that, it fails:

    smbclient //platon/factwork mySecret -U reinhard.ni -W fee
    Domain=[FEE] OS=[Unix] Server=[Samba 4.1.19-11.1-3442-SUSE-oS13.2-x86_64]
    tree connect failed: NT_STATUS_NO_SUCH_GROUP

Running smbd interactive with maximum debug level shows the following lines:

    looking for user fee\reinhard.ni of domain (ANY) in netgroup fee\g_tb3
    lookup_name: fee\g_tb3 => domain=[fee], name=[g_tb3]
    lookup_name: flags = 0x077
    user_ok_token: share FactWork is ok for unix user FEE\reinhard.ni
    lookup_name: FEE\webadmin => domain=[FEE], name=[webadmin]
    lookup_name: flags = 0x077
    map_name_to_wellknown_sid: looking up webadmin
    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    Security token: (NULL)
    UNIX token of user 0
    Primary group is 0 and contains 0 supplementary groups
    failed to unpack map
    failed to unpack map
    failed to unpack map
    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    Finding user webadmin
    Trying _Get_Pwnam(), username as lowercase is webadmin
    Get_Pwnam_internals did find user [webadmin]!
    webadmin is a User, not a group

A further problem (which seems to be caused by the same defect) exists when trying to validate the user against a local unix group (@webadmin in this example). The log output shows similar messages regarding @webadmin being a user while expecting a group. In that case smbclient fails with NT_STATUS_ACCESS_DENIED.

A workaround seems to be to replace all references to unix group webadmin with "Unix Group\webadmin", i.e.

    valid users = @"Unix Group\webadmin",fee\gabi,@fee\g_tb3,fee\administrator,fee\svtb3$
    write list = @"Unix Group\webadmin",fee\gabi,@fee\g_tb3,fee\administrator
    force group = "Unix Group\webadmin"

Bye.
--
Reinhard Nißl, TB3, -198
Rowland Penny
2015-Jul-31 13:29 UTC
[Samba] samba-4.1.19: resolving local unix group fails when there exists a local unix user with same name
On 31/07/15 13:07, Nissl Reinhard wrote:
> Hi,
>
> after upgrading samba from 4.1.17 to 4.1.19 on OpenSuSE 13.2, any shares offered by this machine can no longer be accessed, when these shares contain an entry "force group" which specifies a local unix group and when there exists a unix user with the same name.
>
> Here's an excerpt from smb.conf:
>
> [FactWork]
> comment = FactWork-Downloadportal
> path = /web/Fee/download/factwork
> valid users = @webadmin,fee\gabi,@fee\g_tb3,fee\administrator,fee\svtb3$
> write list = @webadmin,fee\gabi,@fee\g_tb3,fee\administrator
> force group = webadmin
> create mask = 0664
> force create mode = 0664
> directory mask = 0775
> force directory mode = 0775
> writeable = Yes
> guest ok = No
>
> When I try to access that share with smbclient like that, it fails:
>
> smbclient //platon/factwork mySecret -U reinhard.ni -W fee
> Domain=[FEE] OS=[Unix] Server=[Samba 4.1.19-11.1-3442-SUSE-oS13.2-x86_64]
> tree connect failed: NT_STATUS_NO_SUCH_GROUP
>
> Running smbd interactive with maximum debug level shows the following lines:
>
> looking for user fee\reinhard.ni of domain (ANY) in netgroup fee\g_tb3
> lookup_name: fee\g_tb3 => domain=[fee], name=[g_tb3]
> lookup_name: flags = 0x077
> user_ok_token: share FactWork is ok for unix user FEE\reinhard.ni
> lookup_name: FEE\webadmin => domain=[FEE], name=[webadmin]
> lookup_name: flags = 0x077
> map_name_to_wellknown_sid: looking up webadmin
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> Security token: (NULL)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> failed to unpack map
> failed to unpack map
> failed to unpack map
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> Finding user webadmin
> Trying _Get_Pwnam(), username as lowercase is webadmin
> Get_Pwnam_internals did find user [webadmin]!
> webadmin is a User, not a group
>
> A further problem (which seems to be caused by the same defect) exists when trying to validate the user against a local unix group (@webadmin in this example). The log output shows similar messages regarding @webadmin being a user while expecting a group. In that case smbclient fails with NT_STATUS_ACCESS_DENIED.
>
> A workaround seems to be to replace all references to unix group webadmin with "Unix Group\webadmin", i.e.
>
> valid users = @"Unix Group\webadmin",fee\gabi,@fee\g_tb3,fee\administrator,fee\svtb3$
> write list = @"Unix Group\webadmin",fee\gabi,@fee\g_tb3,fee\administrator
> force group = "Unix Group\webadmin"
>
> Bye.
> --
> Reinhard Nißl, TB3, -198
>

Hi, I think there is a bug report open for this:

https://bugzilla.samba.org/show_bug.cgi?id=11320

Rowland
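An added example, not part of the thread and not Samba code: a small audit that lists the smb.conf group references exposed to the user/group name collision described above, so they can be rewritten in the "Unix Group\name" form from the workaround. The function names, the sample config and the user/group sets are constructed for illustration; the parameter list covers only the common user-list options.

```python
import re

# Parameters whose entries may name groups via an @, + or & prefix.
GROUP_LIST_KEYS = {"valid users", "invalid users", "write list", "read list"}
# One list entry: optional prefix plus a quoted name, or a bare token.
TOKEN = re.compile(r'[@+&]*"[^"]*"|[^\s,"]+')

def group_refs(key, value):
    """Yield the names smbd has to resolve as groups for this parameter."""
    for tok in TOKEN.findall(value):
        prefix = re.match(r"[@+&]*", tok).group()
        name = tok[len(prefix):].strip('"')
        if key == "force group" or (key in GROUP_LIST_KEYS and prefix):
            yield name

def find_ambiguous(conf_text, local_users, local_groups):
    """Return (share, parameter, name) for unqualified group references
    whose name exists both as a local user and as a local group."""
    findings, share = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            share = line[1:-1]
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.lower().split())
        for name in group_refs(key, value):
            if "\\" in name:  # already qualified, e.g. Unix Group\webadmin
                continue
            if name in local_users and name in local_groups:
                findings.append((share, key, name))
    return findings

# Constructed sample; on a real host take the names from pwd.getpwall()
# and grp.getgrall() and read the text from the smb.conf file.
SAMPLE_CONF = r'''
[FactWork]
   valid users = @webadmin,fee\gabi,@fee\g_tb3,fee\administrator
   force group = webadmin
[Fixed]
   valid users = @"Unix Group\webadmin",fee\gabi
   force group = "Unix Group\webadmin"
'''
USERS = {"root", "webadmin"}
GROUPS = {"users", "webadmin"}

if __name__ == "__main__":
    for share, key, name in find_ambiguous(SAMPLE_CONF, USERS, GROUPS):
        print(f"[{share}] {key}: '{name}' is both a local user and a group")
```
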