samba - Dec 2002 - DISASTER - Samba corrupts shared directory data - URGENTLY

Hi all,

I need a biggest help... I have the following environment:
- SuSE 8.0 with all patches;
- Samba (2.2.3a RPM-SuSE) + LDAP;
- OpenLDAP2 (2.0.23 RPM-SuSE);
- smbldap-tools (0.7 - TGZ).

All was functioning perfectly, but suddenly one of the Samba shares
presented problems: the files/directories are corrupted!!! No changes
are made in configuration, and appear the following datas in to the
shared directory:

Before:

pub:/home/DATA # l | more
total 100
drwxr-xr-x   24 root     root         4096 Dec 20 09:37 ./
drwxr-xr-x  123 root     root         4096 Dec 20 08:59 ../
drwxr-xr-x    2 root     users        4096 Dec 20 09:37 Biblioteca/
drwxrwxrwx    2 root     users        4096 Dec 20 09:37 Boletim de
Ocorr?ncia/
drwxr-xr-x    2 root     users        4096 Dec 20 09:37 CargaMaquinaTS/
drwxr-xr-x    2 root     users        4096 Dec 20 09:37 Darf/
drwxr-xr-x    3 root     users        4096 Dec 20 09:37 Dot/
drwxr-xr-x    2 root     users        4096 Dec 20 09:37 EspecComerciais/
drwxrwxrwx    5 root     users        8192 Dec 20 09:37 Etiquetas
Exportacao/
drwxrwx---    2 root     exportpa     4096 Dec 20 09:37 ExportPayment/
drwxr-xr-x    2 root     users        4096 Dec 20 09:37 ExportSample/
drwxr-xr-x    3 root     users        4096 Dec 20 09:36 Mdb/
drwxr-xr-x    2 root     users        4096 Dec 20 09:37 Moedas/
drwxrwxrwx    2 root     users        4096 Dec 20 10:55 NFs/
drwxrwx---    2 root     opsyst2      4096 Dec 20 09:33 Opsyst2/
drwxrwxrwx    2 root     users        4096 Dec 20 09:37 Pulso/



After:

pub:/home/DATA.OLD # l | more
total 47084
drwxr-xr-x  11580 root     users      356352 Dec 19 12:11 ./
drwxr-xr-x  123 root     root         4096 Dec 20 08:59 ../
drwxr-xr-x    2 root     users        4096 Dec 19 10:53 0/
drwxr-xr-x    2 root     users        4096 Dec 19 10:53 1/
drwxr-xr-x    2 root     users        4096 Dec 19 11:06 100/
drwxr-xr-x    2 root     users        4096 Dec 19 11:03
101248cd8e964bc7f14d8e8e9782e152/
drwxr-xr-x    2 root     users        4096 Dec 19 11:02 10149fd642f3b/
drwxr-xr-x    2 root     users        4096 Dec 19 10:55
1020168bca14819b5b9265c8483b895e/
drwxr-xr-x    2 root     users        4096 Dec 19 11:07
1023149d8bc19422f5165f76c3b812f1/
drwxr-xr-x    2 root     users        4096 Dec 19 10:55 10265ed/
drwxr-xr-x    2 root     users        4096 Dec 19 10:53 1027765b55d/
drwxr-xr-x    2 root     users        4096 Dec 19 10:53 102b62a/
drwxr-xr-x    2 root     users        4096 Dec 19 10:53
103c414240f1587767c5bcf43b4/
drwxr-xr-x    2 root     users        4096 Dec 19 10:55 103d681b755da/
drwxr-xr-x    2 root     users        4096 Dec 19 10:54 104/
drwxr-xr-x    2 root     users        4096 Dec 19 10:57
1044b9756a8048a37a45ec7984784ac0/
drwxr-xr-x    2 root     users        4096 Dec 19 10:55
1049667d4878eb8449937da544c093b4/
drwxr-xr-x    2 root     users        4096 Dec 19 10:54
104a76c5568dcc86def788c04b9d6586/
drwxr-xr-x    2 root     users        4096 Dec 19 10:54
1051ae47d9d43de38035a1f8b267f413/
drwxr-xr-x    2 root     users        4096 Dec 19 10:53
10529e126094efa79b40cb8/
drwxr-xr-x    2 root     users        4096 Dec 19 10:58
105d84323ce26fc0e4fa6c37ce9bc639/
drwxr-xr-x    2 root     users        4096 Dec 19 11:05
105e54e644294cf6e7a6f7b7b/
drwxr-xr-x    2 root     users        4096 Dec 19 10:54
105f92644e71ab42a9bc496f55f4e136/
drwxr-xr-x    2 root     users        4096 Dec 19 10:57 1063c92c93da8/
drwxr-xr-x    2 root     users        4096 Dec 19 10:58
106bbc5ab65a3c68484ad214207c4ce/
drwxr-xr-x    2 root     users        4096 Dec 19 11:02
106dbc2191441caaf219843b44c322fd/
drwxr-xr-x    2 root     users        4096 Dec 19 10:53
10799deecbeba388406a666efd1a6c2/
drwxr-xr-x    2 root     users        4096 Dec 19 10:56 107b8925ef5f16e/
drwxr-xr-x    2 root     users        4096 Dec 19 11:02
10823d1afa11aeba3d3a93127eb1a798/
drwxr-xr-x    2 root     users        4096 Dec 19 10:58
108857646aa141893a58f3eec/
drwxr-xr-x    2 root     users        4096 Dec 19 10:59
10a2a2bc918bfba9c1476cf4added0c/
drwxr-xr-x    2 root     users        4096 Dec 19 10:54
10aaa05c5730e583ba4c681415bfd939/


It is only a part of the directory list (it is biggest), I could observe
that the generate directories are in numeric order (hexa). Was modified
too the owner of the files, being that the user that take ownership
doesn't was connected at moment. I could observe too that only the
"public" directories was affected (directories with rx permissions for
everyone).
The shared directory is an ext3+lvm (in the same mount point, there are
others samba shares that isn't affected). The log.smbd doesn't present
any error.

PLEASE, can someone help me?????

Regards,

Fabiano

I have a samba 2.2.7 PDC running on RH 7.3.  It works good with roaming
profiles, etc, but I want my NT machines to recognize groups that I have set
up on my linux box.  Any body have any ideas about what the best way to do
this is....? I have tried using the domain group map and user map options in
the smb.conf but it does not recognize them.  I have also read that using
LDAP might be an option?  Any ideas or tips would be very helpful.  Thanks,
Jacob Smith

On Sat, 2002-12-21 at 01:00, Fabiano Felix wrote:
> Hi all,
> 
> I need a biggest help... I have the following environment:
> - SuSE 8.0 with all patches;
> - Samba (2.2.3a RPM-SuSE) + LDAP;
> - OpenLDAP2 (2.0.23 RPM-SuSE);
> - smbldap-tools (0.7 - TGZ).
> 
> All was functioning perfectly, but suddenly one of the Samba shares
> presented problems: the files/directories are corrupted!!! No changes
> are made in configuration, and appear the following datas in to the
> shared directory:
I would really be looking either at a kernel/fs fault, or malicious
administrative access.   Samba doesn't rename files on it's own - there
just isn't the code do do it.  And furthermore, Samba always conducts
operations as the connecting user (you didn't have 'admin users ='
set
did you?) unless configured specificly otherwise. 
> Before:
> 
> pub:/home/DATA # l | more
> total 100
> drwxr-xr-x   24 root     root         4096 Dec 20 09:37 ./
> drwxr-xr-x  123 root     root         4096 Dec 20 08:59 ../
> drwxr-xr-x    2 root     users        4096 Dec 20 09:37 Biblioteca/
> drwxrwxrwx    2 root     users        4096 Dec 20 09:37 Boletim de
> Ocorr?ncia/
> drwxr-xr-x    2 root     users        4096 Dec 20 09:37 CargaMaquinaTS/
> drwxr-xr-x    2 root     users        4096 Dec 20 09:37 Darf/
> drwxr-xr-x    3 root     users        4096 Dec 20 09:37 Dot/
> drwxr-xr-x    2 root     users        4096 Dec 20 09:37 EspecComerciais/
> drwxrwxrwx    5 root     users        8192 Dec 20 09:37 Etiquetas
> Exportacao/
> drwxrwx---    2 root     exportpa     4096 Dec 20 09:37 ExportPayment/
> drwxr-xr-x    2 root     users        4096 Dec 20 09:37 ExportSample/
> drwxr-xr-x    3 root     users        4096 Dec 20 09:36 Mdb/
> drwxr-xr-x    2 root     users        4096 Dec 20 09:37 Moedas/
> drwxrwxrwx    2 root     users        4096 Dec 20 10:55 NFs/
> drwxrwx---    2 root     opsyst2      4096 Dec 20 09:33 Opsyst2/
> drwxrwxrwx    2 root     users        4096 Dec 20 09:37 Pulso/
> 
> 
> 
> After:
> 
> pub:/home/DATA.OLD # l | more
> total 47084
> drwxr-xr-x  11580 root     users      356352 Dec 19 12:11 ./
> drwxr-xr-x  123 root     root         4096 Dec 20 08:59 ../
> drwxr-xr-x    2 root     users        4096 Dec 19 10:53 0/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:53 1/
> drwxr-xr-x    2 root     users        4096 Dec 19 11:06 100/
> drwxr-xr-x    2 root     users        4096 Dec 19 11:03
> 101248cd8e964bc7f14d8e8e9782e152/
> drwxr-xr-x    2 root     users        4096 Dec 19 11:02 10149fd642f3b/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:55
> 1020168bca14819b5b9265c8483b895e/
> drwxr-xr-x    2 root     users        4096 Dec 19 11:07
> 1023149d8bc19422f5165f76c3b812f1/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:55 10265ed/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:53 1027765b55d/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:53 102b62a/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:53
> 103c414240f1587767c5bcf43b4/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:55 103d681b755da/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:54 104/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:57
> 1044b9756a8048a37a45ec7984784ac0/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:55
> 1049667d4878eb8449937da544c093b4/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:54
> 104a76c5568dcc86def788c04b9d6586/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:54
> 1051ae47d9d43de38035a1f8b267f413/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:53
> 10529e126094efa79b40cb8/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:58
> 105d84323ce26fc0e4fa6c37ce9bc639/
> drwxr-xr-x    2 root     users        4096 Dec 19 11:05
> 105e54e644294cf6e7a6f7b7b/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:54
> 105f92644e71ab42a9bc496f55f4e136/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:57 1063c92c93da8/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:58
> 106bbc5ab65a3c68484ad214207c4ce/
> drwxr-xr-x    2 root     users        4096 Dec 19 11:02
> 106dbc2191441caaf219843b44c322fd/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:53
> 10799deecbeba388406a666efd1a6c2/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:56 107b8925ef5f16e/
> drwxr-xr-x    2 root     users        4096 Dec 19 11:02
> 10823d1afa11aeba3d3a93127eb1a798/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:58
> 108857646aa141893a58f3eec/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:59
> 10a2a2bc918bfba9c1476cf4added0c/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:54
> 10aaa05c5730e583ba4c681415bfd939/
> 
> 
> It is only a part of the directory list (it is biggest), I could observe
> that the generate directories are in numeric order (hexa). Was modified
> too the owner of the files, being that the user that take ownership
> doesn't was connected at moment. I could observe too that only the
> "public" directories was affected (directories with rx
permissions for
> everyone).
> The shared directory is an ext3+lvm (in the same mount point, there are
> others samba shares that isn't affected). The log.smbd doesn't
present
> any error.
I would carefully examine your system logs, and login records to
determine what programs were actually running at the time, if there were
actually connections to the Samba share etc.

If it was not for the fact that only root could write to those dirs, I
would have suspected one of the various windows worms (some of them have
been known to crawl networks damaging data) - but in your case I'm a bit
stumped.  I would not rule out system compromise, but kernel errors
seems to more likely problem to me.  
> PLEASE, can someone help me?????
> 
> Regards,
> 
> Fabiano
I hope this gives you some ideas where to start looking.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20021229/045f9aee/attachment.bin