thr3ads.net - samba - FW: [Samba] RID to SID Bug? Share ACL Access Denied [Mar 2004]

If this information is useful, please help other people find it:
Share via:

Aden, Steve

2004-Mar-30 20:07 UTC

FW: [Samba] RID to SID Bug? Share ACL Access Denied

Hi,
	Is this problem related to this bug?
Bugzilla Bug 1165  
   Samba ADS Kerberos login doesnt resolve correct groups when smbd is
su'ing to the uid 
https://bugzilla.samba.org/show_bug.cgi?id=1165

Anyone? Please respond. I am desperate to get this working.

Thank you,
Steve

-----Original Message-----
From: Aden, Steve 
Sent: Friday, March 26, 2004 3:24 PM
To: samba@lists.samba.org
Subject: [Samba] RID to SID Bug? Share ACL Access Denied


Hello,
	I have been trying to work through an Access Denied problem and
have found that the user rid is not getting mapped properly. I have yet
to figure out where the assigned rid is coming from, but I know is that
is incorrect. In the log (level 10) for the connecting computer, I see:

"pdb_set_user_sid_from_rid:
 setting user sid S-1-5-21-74637098-2648309090-13861XXXXX-21006 from rid
21006"

There are two problems here. One the rid should be 1586 as verified with
rpcclient. Also the remainder of the sid does not match the W2K ADS
domain the samba server has been joined to. Instead it is the SID of the
domain for the samba server as verified with "net getlocalsid":
SID for domain SAMBASERVER is: S-1-5-21-74637098-2648309090-13861XXXXX

"net ads status" shows the SID for the SAMBASERVER:
distinguishedName: CN=sambaserver,CN=Computers,DC=domain,DC=com
objectSid: S-1-5-21-1202660629-1292428093-18016XXXXX-1588

The Winbind log shows the correct lookup of the user and sid from the
W2K ADS domain. Since the sid doesn't actually represent the user, the
share acl's do not match and causes denial to the share. Tdbdump of the
winbindd_idmap.tdb shows the user's UID and actual SID. The UID matches
what is listed using "getent passwd".

The commands wbinfo, getent, smbclient -k all work. I can kinit a user
and access Windows shares from the Samba server, but users cannot
connect to the Samba server by name from a Windows client. They can
access by ip address, but as I understand it, that method does not use
kerberos.

This is 3.0.2a-1 on Redhat 9.0 with security = ADS.

I have searched the Samba list archives and read man pages and the
HOWTO, but haven't been able find an answer to why this is happening.
Any help would be greatly appreciated.


Thank you,
Steve Aden

Privileged/Confidential Information may be contained in this message. If
you are not the addressee indicated in this message (or responsible for
delivery of the message to such person), you may not copy or deliver
this message to anyone. In such case, you should destroy this message
and kindly notify the sender by reply email. Opinions, conclusions and
other information contained in this message that do not relate to
official business shall be understood as neither given nor endorsed by
ITS
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

_____________________________________________________
This message was content-scanned by IXC Shield 
Powered by GatewayDefender - BF08d9f679.00000001.mml

Aden, Steve

2004-Mar-31 22:08 UTC

head link

FW: [Samba] RID to SID Bug? Share ACL Access Denied

Thank you for the response.

I tried the suggestions and have found no change. I still see the sid
being set to the domain "SAMBASERVER" instead of the W2K ADS domain
and
the rid logged does not match the actual rid of the user account.

<-snip-from machine log>
[2004/03/31 15:45:48, 5] libads/authdata.c:pac_io_pac_info_hdr_ctr(510)
  PAC_TYPE_UNKNOWN_10
[2004/03/31 15:45:48, 7] rpc_parse/parse_prs.c:prs_debug(82)
          000200 pac_io_unknown_type_10 pac data
[2004/03/31 15:45:48, 8] rpc_parse/parse_prs.c:prs_debug(82)
              000200 smb_io_time unknown_time
[2004/03/31 15:45:48, 5] rpc_parse/parse_prs.c:prs_uint32(635)
                  0200 low : 719e7000
[2004/03/31 15:45:48, 5] rpc_parse/parse_prs.c:prs_uint32(635)
                  0204 high: 01c41739
[2004/03/31 15:45:48, 5] rpc_parse/parse_prs.c:prs_uint16(606)
              0208 len: 0010
[2004/03/31 15:45:48, 5] rpc_parse/parse_prs.c:prs_uint16s(765)
              020a name: t.e.s.t.g.i.r.l.
[2004/03/31 15:45:48, 6] rpc_parse/parse_prs.c:prs_debug(82)
      00021a pac_io_pac_info_hdr_ctr pac data
[2004/03/31 15:45:48, 5] libads/authdata.c:pac_io_pac_info_hdr_ctr(452)
  offset in header(x220) and data(x21c) do not match
[2004/03/31 15:45:48, 5] libads/authdata.c:pac_io_pac_info_hdr_ctr(481)
  PAC_TYPE_SERVER_CHECKSUM
[2004/03/31 15:45:48, 7] rpc_parse/parse_prs.c:prs_debug(82)
          000220 pac_io_pac_signature_data pac data
[2004/03/31 15:45:48, 5] rpc_parse/parse_prs.c:prs_uint32(635)
              0220 type: ffffff76
[2004/03/31 15:45:48, 5] rpc_parse/parse_prs.c:prs_uint8s(722)
              0224 signature: f0 26 d7 63 5d e6 8b 4e 52 40 72 cb 6a f1
ac 16
[2004/03/31 15:45:48, 6] rpc_parse/parse_prs.c:prs_debug(82)
      000234 pac_io_pac_info_hdr_ctr pac data
[2004/03/31 15:45:48, 5] libads/authdata.c:pac_io_pac_info_hdr_ctr(452)
  offset in header(x238) and data(x234) do not match
[2004/03/31 15:45:48, 5] libads/authdata.c:pac_io_pac_info_hdr_ctr(495)
  PAC_TYPE_PRIVSVR_CHECKSUM
[2004/03/31 15:45:48, 7] rpc_parse/parse_prs.c:prs_debug(82)
          000238 pac_io_pac_signature_data pac data
[2004/03/31 15:45:48, 5] rpc_parse/parse_prs.c:prs_uint32(635)
              0238 type: ffffff76
[2004/03/31 15:45:48, 5] rpc_parse/parse_prs.c:prs_uint8s(722)
              023c signature: 68 49 32 71 0c 65 b0 f2 05 53 7e 1b 7e 06
52 e2
[2004/03/31 15:45:48, 3] smbd/sesssetup.c:reply_spnego_kerberos(179)
  Ticket name is [testgirl@DOMAIN.COM]
[2004/03/31 15:45:48, 10] smbd/sesssetup.c:reply_spnego_kerberos(220)
  Mapping [DOMAIN.COM] to short name
[2004/03/31 15:45:48, 10] smbd/sesssetup.c:reply_spnego_kerberos(233)
  Mapped to [DOMAIN]
[2004/03/31 15:45:48, 5] lib/username.c:Get_Pwnam(288)
  Finding user DOMAIN_testgirl
[2004/03/31 15:45:48, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is domain_testgirl
[2004/03/31 15:45:48, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals did find user [DOMAIN_testgirl]!
[2004/03/31 15:45:48, 6] param/loadparm.c:lp_file_list_changed(2653)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Wed
Mar 31 15:
43:28 2004
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_username(593)
  pdb_set_username: setting username DOMAIN_testgirl, was
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_init_flags(493)
  element 11 -> now SET
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_fullname(674)
  pdb_set_full_name: setting full name testgirl, was
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_init_flags(493)
  element 12 -> now SET
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_unix_homedir(809)
  pdb_set_unix_homedir: setting home dir /home/DOMAIN/testgirl, was NULL
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_init_flags(493)
  element 21 -> now SET
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_domain(620)
  pdb_set_domain: setting domain SAMBASERVER, was
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_user_sid(520)
  pdb_set_user_sid: setting user sid
S-1-5-21-74637098-2648309090-13861XXXXX-210
02
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_init_flags(493)
  element 17 -> now SET
[2004/03/31 15:45:48, 10]
passdb/pdb_compat.c:pdb_set_user_sid_from_rid(73)
  pdb_set_user_sid_from_rid:
        setting user sid S-1-5-21-74637098-2648309090-13861XXXXX-21002
from rid
21002
<-snip->
>does wbinfo -[tug] all work?
>What about 'getent passwd' ?Yes all of these work correctly.

Do the PAC errors have something to do with this? As seen above, there
are a few in the log: "PAC_TYPE_UNKNOWN_10",
"pac_io_unknown_type_10 pac
data", "offset in header(x238) and data(x234) do not match".

What else can I send that will help nail down the problem here?

Thanks again.
Steve

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry@samba.org] 
Sent: Wednesday, March 31, 2004 3:37 PM
To: Aden, Steve
Subject: Re: FW: [Samba] RID to SID Bug? Share ACL Access Denied


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Aden, Steve wrote:
| Hi,
| 	Is this problem related to this bug?
| Bugzilla Bug 1165
|    Samba ADS Kerberos login doesnt resolve correct groups when smbd is
| su'ing to the uid
| https://bugzilla.samba.org/show_bug.cgi?id=1165
|
| Anyone? Please respond. I am desperate to get this working.

I don't think you provided enough information.  Try this

stop smbd nmbd & winbindd

~  root# mv winbindd_idmap.tdb windbindd_idmap.tdb-
~  root# vi /usr/local/samba/lib/smb.conf
~        ...add 'winbind enable local accounts = no' in [global]...

start smbd nmbd winbindd


rerun you tests.

does wbinfo -[tug] all work?
What about 'getent passwd' ?




jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAayvuIR7qMdg1EfYRAnUAAKCWrV32p0Xvz399Srqx6B5h12fkJwCeJITQ
AfIFw3J79FnISrccK/qLUJs=hkiz
-----END PGP SIGNATURE-----


_____________________________________________________
This message was content-scanned by IXC Shield 
Powered by GatewayDefender - BH08e1e7c8.00000001.mml

Possibly Parallel Threads

Search for more apparently analagous threads

samba - Mar 2004 - FW: RID to SID Bug? Share ACL Access Denied

FW: [Samba] RID to SID Bug? Share ACL Access Denied

FW: [Samba] RID to SID Bug? Share ACL Access Denied

Possibly Parallel Threads