Matt Magoffin
2020-Mar-08 22:14 UTC
[Samba] Trouble resolving some group membership after upgrade from 4.8 to 4.10
Hello,
I had been running Samba 4.8 for a few years without any problems, and then
upgraded to 4.10. Since then I've been having problems with some accounts
connecting, while some connect fine still. I haven't been able to figure out
why. My server is a relatively simple standalone server, using the LDAP password
backend.
A failing user authenticates OK and ends up like this in the logs:
[2020/03/09 10:30:41.723101, 1, pid=2475, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
&session_blob: struct smbXsrv_sessionB
version : SMBXSRV_VERSION_0 (0)
reserved : 0x00000000 (0)
info : union smbXsrv_sessionU(case 0)
info0 : *
info0: struct smbXsrv_session
table : *
db_rec : NULL
client : *
local_id : 0xe752a8c6 (3880954054)
global : *
global: struct smbXsrv_session_global0
db_rec : NULL
session_global_id : 0xe752a8c6 (3880954054)
session_wire_id : 0x00000000e752a8c6 (3880954054)
creation_time : Mon Mar 9 10:30:42 2020 NZDT
expiration_time : Thu Jan 1 12:00:00 1970 NZST
auth_time : Mon Mar 9 10:30:42 2020 NZDT
auth_session_info_seqnum : 0x00000001 (1)
auth_session_info : *
auth_session_info: struct auth_session_info
security_token : *
security_token: struct security_token
num_sids : 0x00000009 (9)
sids: ARRAY(9)
sids : S-1-5-21-1502235775-2176147628-3003234742-10103
sids : S-1-5-21-1502235775-2176147628-3003234742-513
sids : S-1-22-2-10001
sids : S-1-22-2-10002
sids : S-1-1-0
sids : S-1-5-2
sids : S-1-5-11
sids : S-1-22-1-10103
sids : S-1-22-2-513
privilege_mask : 0x0000000000000000 (0)
0: SEC_PRIV_MACHINE_ACCOUNT_BIT
0: SEC_PRIV_PRINT_OPERATOR_BIT
0: SEC_PRIV_ADD_USERS_BIT
0: SEC_PRIV_DISK_OPERATOR_BIT
0: SEC_PRIV_REMOTE_SHUTDOWN_BIT
0: SEC_PRIV_BACKUP_BIT
0: SEC_PRIV_RESTORE_BIT
0: SEC_PRIV_TAKE_OWNERSHIP_BIT
0: SEC_PRIV_INCREASE_QUOTA_BIT
0: SEC_PRIV_SECURITY_BIT
0: SEC_PRIV_LOAD_DRIVER_BIT
0: SEC_PRIV_SYSTEM_PROFILE_BIT
0: SEC_PRIV_SYSTEMTIME_BIT
0: SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT
0: SEC_PRIV_INCREASE_BASE_PRIORITY_BIT
0: SEC_PRIV_CREATE_PAGEFILE_BIT
0: SEC_PRIV_SHUTDOWN_BIT
0: SEC_PRIV_DEBUG_BIT
0: SEC_PRIV_SYSTEM_ENVIRONMENT_BIT
0: SEC_PRIV_CHANGE_NOTIFY_BIT
0: SEC_PRIV_UNDOCK_BIT
0: SEC_PRIV_ENABLE_DELEGATION_BIT
0: SEC_PRIV_MANAGE_VOLUME_BIT
0: SEC_PRIV_IMPERSONATE_BIT
0: SEC_PRIV_CREATE_GLOBAL_BIT
rights_mask : 0x00000000 (0)
0: LSA_POLICY_MODE_INTERACTIVE
0: LSA_POLICY_MODE_NETWORK
0: LSA_POLICY_MODE_BATCH
0: LSA_POLICY_MODE_SERVICE
0: LSA_POLICY_MODE_PROXY
0: LSA_POLICY_MODE_DENY_INTERACTIVE
0: LSA_POLICY_MODE_DENY_NETWORK
0: LSA_POLICY_MODE_DENY_BATCH
0: LSA_POLICY_MODE_DENY_SERVICE
0: LSA_POLICY_MODE_REMOTE_INTERACTIVE
0: LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE
0x00: LSA_POLICY_MODE_ALL (0)
0x00: LSA_POLICY_MODE_ALL_NT4 (0)
unix_token : *
unix_token: struct security_unix_token
uid : 0x0000000000002777 (10103)
gid : 0x0000000000000201 (513)
ngroups : 0x00000003 (3)
groups: ARRAY(3)
groups : 0x0000000000000201 (513)
groups : 0x0000000000002711 (10001)
groups : 0x0000000000002712 (10002)
info : *
info: struct auth_user_info
account_name : *
account_name : 'sambamatt'
user_principal_name : NULL
user_principal_constructed: 0x00 (0)
domain_name : *
domain_name : 'X24'
dns_domain_name : NULL
full_name : *
full_name : 'Samba Matt Magoffin'
logon_script : *
logon_script : ''
profile_path : *
profile_path : '\\X24\profiles\sambamatt'
home_directory : *
home_directory : '\\X24\sambamatt'
home_drive : *
home_drive : ''
logon_server : *
logon_server : 'X24'
last_logon : NTTIME(0)
last_logoff : Tue Jan 19 16:14:07 2038 NZDT
acct_expiry : Tue Jan 19 16:14:07 2038 NZDT
last_password_change : Mon Mar 9 10:27:37 2020 NZDT
allow_password_change : Mon Mar 9 10:27:37 2020 NZDT
force_password_change : Tue Jan 19 16:14:07 2038 NZDT
logon_count : 0x0000 (0)
bad_password_count : 0x0000 (0)
acct_flags : 0x00000010 (16)
authenticated : 0x01 (1)
unix_info : *
unix_info: struct auth_user_info_unix
unix_name : *
unix_name : 'sambamatt'
sanitized_username : *
sanitized_username : 'sambamatt'
status : NT_STATUS_OK
compat : *
tcon_table : *
pending_auth : NULL
So you can see the uid is 'sambamatt' and is a member of group 10002, which is
called 'Home' and contains 'sambamatt' in a memberUid attribute.
[2020/03/09 10:30:41.752608, 5, pid=2475, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1308(smbldap_search_ext)
smbldap_search_ext: base => [dc=msqr,dc=us], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=Home)(cn=Home)))], scope => [2]
[2020/03/09 10:30:41.753124, 2, pid=2475, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:2396(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 10002
[2020/03/09 10:30:41.753202, 4, pid=2475, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/03/09 10:30:41.753262, 10, pid=2475, effective(0, 0), real(0, 0)] ../../source3/smbd/share_access.c:213(user_ok_token)
User sambamatt not in 'valid users'
If I show the group membership in other ways it appears like sambamatt is a
member:
$ getent passwd sambamatt
sambamatt:*:10103:513:System User:/home/sambamatt:/bin/sh
$ getent group Home
Home:*:10002:sambamatt
$ id sambamatt
uid=10103(sambamatt) gid=513(Domain Users) groups=513(Domain Users),10001(Media),10002(Home)
For another account 'tm' that does still connect successfully, the logs end
like:
[2020/03/09 09:55:20.786162, 5, pid=50323, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1308(smbldap_search_ext)
smbldap_search_ext: base => [dc=msqr,dc=us], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=TimeMachine)(cn=TimeMachine)))], scope => [2]
[2020/03/09 09:55:20.787011, 2, pid=50323, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:2396(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 10000
[2020/03/09 09:55:20.787106, 10, pid=50323, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:137(smbldap_talloc_single_attribute)
attribute description does not exist
[2020/03/09 09:55:20.787206, 4, pid=50323, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/03/09 09:55:20.787281, 10, pid=50323, effective(0, 0), real(0, 0)] ../../source3/smbd/share_access.c:219(user_ok_token)
user_ok_token: share TimeCapsule is ok for unix user tm
My smb.conf looks like this:
[global]
log level = 10 auth:10 winbind:10
workgroup = MSQR
server string = Samba Server Version %v
netbios name = X24
domain master = yes
wins support = yes
host msdfs = no
security = user
map to guest = Bad User
vfs objects = acl_xattr zfsacl catia fruit streams_xattr
map acl inherit = yes
server min protocol = SMB2
server max protocol = SMB3
fruit:aapl = yes
fruit:resource = stream
fruit:metadata = stream
ea support = yes
oplocks = yes
ntlm auth = no
passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=msqr,dc=us
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap ssl = off
ldap passwd sync = yes
# Auth password saved via `smbpasswd -W`
ldap admin dn = cn=Samba Admin,dc=msqr,dc=us
[TimeCapsule]
path = /zdata/backups/timecapsule
vfs objects = zfsacl fruit streams_xattr
browseable = no
writable = yes
read only = no
inherit acls = yes
fruit:time machine = yes
fruit:time machine max size = 1400G
valid users = @TimeMachine
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfszcl:acesort = dontcare
[Home]
path = /zdata/home
browseable = yes
writable = yes
read only = no
force create mode = 0660
force directory mode = 0770
valid users = @Home
[Media]
path = /zdata/media
browseable = yes
writable = yes
read only = no
force create mode = 0660
force directory mode = 0770
valid users = @Media
I'm at a loss now on what might be wrong, or what else to try to troubleshoot
the issue. Any ideas/help would be much appreciated.
-- m@
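The log above shows the decision that matters: smbd has a Unix token with gids 513, 10001 and 10002, looks `Home` up in LDAP through the `sambaGroupMapping` search, and still reports "User sambamatt not in 'valid users'". The script below is an added example, not code from this thread or from Samba itself: it re-runs the documented `valid users` rules of smb.conf(5) (`@` tries a NIS netgroup and then a Unix group, `+` a Unix group only, `&` a netgroup only, a bare name the user itself) against the gids carried in the posted `unix_token` and the share definitions from the posted smb.conf. The token excerpt, `getent group` lines and abbreviated smb.conf are constructed from what the post shows, and the `netgroups` dict stands in for NIS. It only checks the Unix-group level; it cannot see the group SID that the `sambaGroupMapping` entry resolves to, so a mismatch between that SID and the token's SIDs (the token above carries only `S-1-22-2-10002` for gid 10002) is outside what it can confirm.

```python
"""Re-check `valid users` for a Unix token, offline (added example, not from Samba)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt of the unix_token from the session dump posted above.
TOKEN_DUMP = """\
unix_token: struct security_unix_token
uid : 0x0000000000002777 (10103)
gid : 0x0000000000000201 (513)
ngroups : 0x00000003 (3)
groups: ARRAY(3)
groups : 0x0000000000000201 (513)
groups : 0x0000000000002711 (10001)
groups : 0x0000000000002712 (10002)
"""

# Constructed `getent group` output, consistent with the posted `id` output.
GETENT_GROUP = """\
Domain Users:*:513:
TimeMachine:*:10000:tm
Media:*:10001:sambamatt
Home:*:10002:sambamatt
"""

# Constructed smb.conf, abbreviated from the posted one; the Media line adds
# the '+', '&' and bare-name forms so every prefix rule is exercised.
SMB_CONF = """\
[global]
workgroup = MSQR
netbios name = X24

[TimeCapsule]
path = /zdata/backups/timecapsule
valid users = @TimeMachine

[Home]
path = /zdata/home
valid users = @Home

[Media]
path = /zdata/media
valid users = @Media, +admins, &nisbackups, sambamatt
"""


def parse_unix_token(text: str) -> Tuple[Optional[int], List[int]]:
    """uid and the sorted, de-duplicated gid list from the NDR dump lines."""
    uid, gids = None, set()
    for line in text.splitlines():
        m = re.match(r"\s*(uid|gid|groups)\s*:\s*0x[0-9a-fA-F]+\s*\((\d+)\)", line)
        if not m:
            continue  # skips 'ngroups' and the 'groups: ARRAY(3)' header
        if m.group(1) == "uid":
            uid = int(m.group(2))
        else:
            gids.add(int(m.group(2)))  # primary gid and supplementary groups
    return uid, sorted(gids)


def parse_getent_group(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """group name -> (gid, member set) from `getent group` lines."""
    groups: Dict[str, Tuple[int, Set[str]]] = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers and 'key = value' lines.
    Keys are lower-cased with whitespace collapsed, as Samba treats them."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def user_in_valid_users(user: str, user_groups: Set[str], spec: str,
                        netgroups: Optional[Dict[str, Set[str]]] = None) -> bool:
    """Evaluate one `valid users` value per smb.conf(5) prefix rules."""
    netgroups = netgroups or {}  # constructed stand-in for NIS netgroup lookups
    for entry in re.split(r"[,\s]+", spec.strip()):
        if not entry:
            continue
        if entry[0] == "+" and entry[1:] in user_groups:
            return True
        if entry[0] == "&" and user in netgroups.get(entry[1:], set()):
            return True
        if entry[0] == "@" and (user in netgroups.get(entry[1:], set())
                                or entry[1:] in user_groups):
            return True
        if entry[0] not in "+&@" and entry == user:
            return True
    return False


def shares_for_token(user: str, token_dump: str, getent_text: str, smb_conf_text: str,
                     netgroups: Optional[Dict[str, Set[str]]] = None) -> Dict[str, bool]:
    """{share: allowed} using the gids actually carried in the Unix token."""
    _uid, gids = parse_unix_token(token_dump)
    groups = parse_getent_group(getent_text)
    user_groups = {name for name, (gid, _m) in groups.items() if gid in gids}
    result: Dict[str, bool] = {}
    for share, params in parse_smb_conf(smb_conf_text).items():
        if share.lower() in ("global", "homes", "printers"):
            continue
        spec = params.get("valid users")
        result[share] = True if spec is None else user_in_valid_users(user, user_groups, spec, netgroups)
    return result


if __name__ == "__main__":
    for share, ok in shares_for_token("sambamatt", TOKEN_DUMP, GETENT_GROUP, SMB_CONF).items():
        print(f"{share:12s} {'ok' if ok else 'NOT in valid users'}")
```

Run against the posted token this reports Home and Media as allowed and TimeCapsule as denied, which is what the Unix-level data says should happen; since smbd denied Home anyway, the difference has to come from the SID-based resolution that the `sambaGroupMapping` search in the log performs, which is where the next round of `log level = 10` reading belongs.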
Rowland penny
2020-Mar-09 08:46 UTC
[Samba] Trouble resolving some group membership after upgrade from 4.8 to 4.10
On 08/03/2020 22:14, Matt Magoffin via samba wrote:
> Hello,
>
> I had been running Samba 4.8 for a few years without any problems, and then upgraded to 4.10. Since then I've been having problems with some accounts connecting, while some connect fine still. I haven't been able to figure out why. My server is a relatively simple standalone server, using the LDAP password backend.

AKA a Samba nt4-style PDC, or the next thing to it.

> [global]
> log level = 10 auth:10 winbind:10
> workgroup = MSQR
> server string = Samba Server Version %v
> netbios name = X24
> domain master = yes
> wins support = yes
> host msdfs = no
> security = user
> map to guest = Bad User
> vfs objects = acl_xattr zfsacl catia fruit streams_xattr
> map acl inherit = yes
> server min protocol = SMB2

Try setting the above to 'NT1'

> ntlm auth = no

You could also try setting 'ntlm auth' to yes

> I'm at a loss now on what might be wrong, or what else to try to troubleshoot the issue. Any ideas/help would be much appreciated.

You are still using old ways of doing things, things that rely on SMBv1 and this is going away. You have two ways of dealing with this, either stick with an old version of Samba (along with any security problems entailed in doing so), or upgrade to Samba AD.

Rowland
Matt Magoffin
2020-Mar-10 04:59 UTC
[Samba] Trouble resolving some group membership after upgrade from 4.8 to 4.10
> On 9/03/2020, at 9:46 PM, Rowland penny via samba <samba at lists.samba.org> wrote:
>
>> server min protocol = SMB2
> Try setting the above to 'NT1'
>> ntlm auth = no
> You could also try setting 'ntlm auth' to yes
>> I'm at a loss now on what might be wrong, or what else to try to troubleshoot the issue. Any ideas/help would be much appreciated.
>
> You are still using old ways of doing things, things that rely on SMBv1 and this is going away. You have two ways of dealing with this, either stick with an old version of Samba (along with any security problems entailed in doing so), or upgrade to Samba AD.

Yes, I have been running this service for many years, upgrading Samba along the way but not trying to change to a full AD deployment. Do you think tweaking the authentication settings like you suggest would make a difference? I ask because I can connect, from the same workstation, using one account but not another, which means the same client is being used for both. The account that doesn't work won't work from any workstation that I've tried, while the account that does work also works on all other workstations that I've tried. From the logs it seems that the authentication is succeeding, but the group membership authorisation part is failing, but only for specific accounts. I had hoped someone might recall something that changed between 4.8 and 4.10 that might be relevant here, because I didn't make changes to the Samba configuration over that upgrade.

-- m@