Eric Hill
2007-May-08 18:52 UTC
[Samba] Two Permissions Issues: null session shares and group membership
I have Samba 3.0.25rc3 running on OpenSolaris build 67. Samba is integrated with our Active Directory via Kerberos. I do not have nsswitch running with winbind at this time.

Issue #1: Samba denies access to a share set up with "public = yes" when accessed by an AD integrated user account.

The share is defined as follows:

    [open]
        comment = Null Session Share
        path = /pool/open
        public = yes
        browseable = yes
        create mask = 0666
        directory mask = 0777
        guest account = nobody
        force user = nobody
        guest ok = yes

The directory is:

    vault2:/pool#ls -al | grep open
    drwxrwxrwx 2 nobody sys 2 May 8 11:16 open
    vault2:/pool#

When I connect to the share with a valid AD user account, I receive the following message on the client: "The specified user does not exist."

The log of the session on the server (snipped for brevity):

    ...
    [2007/05/08 13:16:15, 3] smbd/sesssetup.c:(1060) NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
    [2007/05/08 13:16:15, 3] smbd/sesssetup.c:(697) reply_spnego_negotiate: Got secblob of size 1462
    [2007/05/08 13:16:15, 3] libads/kerberos_verify.c:(172) ads_keytab_verify_ticket: krb5_rd_req failed for all 9 matched keytab principals
    [2007/05/08 13:16:15, 3] smbd/sesssetup.c:(321) Ticket name is [wcerich@PIONEER.WORLD]
    [2007/05/08 13:16:15, 4] lib/substitute.c:(407) Home server: vault2
    [2007/05/08 13:16:15, 4] lib/substitute.c:(407) Home server: vault2
    [2007/05/08 13:16:15, 3] passdb/lookup_sid.c:(1115) store_gid_sid_cache: gid 15000 in cache -> S-1-5-21-1409556225-1798326808-5522801-512
    ...
    [2007/05/08 13:16:16, 3] passdb/lookup_sid.c:(1071) fetch gid from cache 15002 -> S-1-5-32-545
    [2007/05/08 13:16:16, 3] smbd/password.c:(280) User name: wcerich Real name: Eric Hill
    [2007/05/08 13:16:16, 3] smbd/password.c:(301) UNIX uid 10000 is UNIX user wcerich, and will be vuid 102
    [2007/05/08 13:16:16, 3] smbd/password.c:(332) Adding homes service for user 'wcerich' using home directory: '/pool/home/wcerich'
    [2007/05/08 13:16:16, 3] smbd/process.c:(1068) Transaction 3 of length 82
    [2007/05/08 13:16:16, 3] smbd/process.c:(926) switch message SMBtconX (pid 1126) conn 0x0
    [2007/05/08 13:16:16, 3] smbd/sec_ctx.c:(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2007/05/08 13:16:16, 4] smbd/reply.c:(506) Client requested device type [?????] for share [OPEN]
    [2007/05/08 13:16:16, 3] lib/access.c:(312) check_access: no hostnames in host allow/deny list.
    [2007/05/08 13:16:16, 2] lib/access.c:(323) Allowed connection from (10.3.10.3)
    ...
    [2007/05/08 13:16:16, 3] smbd/sec_ctx.c:(356) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2007/05/08 13:16:16, 1] auth/auth_util.c:(1110) sid_to_uid for nobody (S-1-22-1-60001) failed
    [2007/05/08 13:16:16, 3] smbd/error.c:(106) error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_NO_SUCH_USER
    [2007/05/08 13:16:16, 3] smbd/process.c:(1068) Transaction 4 of length 43
    [2007/05/08 13:16:16, 3] smbd/process.c:(926) switch message SMBulogoffX (pid 1126) conn 0x0
    [2007/05/08 13:16:16, 3] smbd/sec_ctx.c:(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2007/05/08 13:16:16, 3] smbd/reply.c:(1560) ulogoffX vuid=102

Is this failing because of the "sid_to_uid for nobody ... failed" message, or some other problem? Heck, maybe I'm just not setting the share up correctly... :)

Issue #2: Unix users belonging to a unix group are denied access to a directory/file, even though the unix user account is a member of the group.

Given the following file/account settings:

    vault2:/pool/data#ls -al | grep example
    drwxrwx--- 2 nobody group1 10 May 8 10:00 example
    vault2:/pool/data#cat /etc/group | grep group1
    group1::100:wcerich
    vault2:/pool/data#

When I attach to the "data" share as wcerich, I do not have access to the example directory, even though I am a member of unix group1 and the group has full access to the directory.

Can anyone help me out with either of these two issues?

Eric
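An added example, not part of Eric's post or of Samba itself: a small Python triage script that parses smbd debug records like the ones quoted above and pairs each NT_STATUS error packet with the SMB command, the share just requested and the nearest preceding "... failed" message, so a level-1 line such as the sid_to_uid failure is tied to the SMBtconX denial it precedes. The sample log is constructed from the post's lines (in the two-line header/message layout smbd normally writes; the parser also accepts the run-together copy shown in the post), and the record fields and the "cause" heuristic are my own assumptions, not a Samba API.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the records quoted in the post: smbd writes a
# header "[date time, level] source.c:(line)" and the message on the next line.
SAMPLE_LOG = """\
[2007/05/08 13:16:15, 3] libads/kerberos_verify.c:(172)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 9 matched keytab principals
[2007/05/08 13:16:16, 4] smbd/reply.c:(506)
  Client requested device type [?????] for share [OPEN]
[2007/05/08 13:16:16, 1] auth/auth_util.c:(1110)
  sid_to_uid for nobody (S-1-22-1-60001) failed
[2007/05/08 13:16:16, 3] smbd/error.c:(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_NO_SUCH_USER
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), *(\d+)\] +(\S+?):\((\d+)\) *(.*)$")
ERROR_PACKET = re.compile(r"error packet at \S+ cmd=(\d+) \((\w+)\) (NT_STATUS_\w+)")
SHARE_REQUEST = re.compile(r"for share \[([^\]]+)\]")

def parse_smbd_log(text: str) -> List[Dict[str, object]]:
    """One record per header line; continuation lines (or a message left on the
    header line, as in the post's run-together copy) are folded into 'message'."""
    records: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            ts, level, source, line, rest = m.groups()
            records.append({"time": ts, "level": int(level), "source": source,
                            "line": int(line), "message": rest.strip()})
        elif records and raw.strip():
            records[-1]["message"] = (str(records[-1]["message"]) + " " + raw.strip()).strip()
    return records

def explain_denials(records: List[Dict[str, object]]) -> List[Dict[str, Optional[str]]]:
    """Pair each NT_STATUS error packet with its SMB command, the share most
    recently requested and the nearest preceding '... failed' message (heuristic)."""
    denials: List[Dict[str, Optional[str]]] = []
    share = cause = None  # type: Optional[str]
    for r in records:
        msg = str(r["message"])
        if (s := SHARE_REQUEST.search(msg)):
            share = s.group(1)
        if msg.endswith(" failed") or " failed " in msg:
            cause = msg
        if (e := ERROR_PACKET.search(msg)):
            denials.append({"cmd": e.group(2), "status": e.group(3),
                            "share": share, "cause": cause})
    return denials
```

Run it over a full `log.smbd` captured at `log level = 3` or higher and each denied tree connect comes out with the share name and the failure that immediately preceded it.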