Wagner, Douglas
2010-Aug-19 23:38 UTC
[Samba] AD Groups Failing to Authorize in Valid Users (does not start with S-)
For the last 3 weeks I've been working on getting RHEL4 (and 5, but that's a different story) to play well with Active Directory, OpenLDAP, Kerberos, PAM and NSS. It's been a long struggle but I now have a process to authenticate and authorize a RHEL4 client to a Windows Active Directory server so that my AD users can log into my Linux boxes (assuming their group permissions are set right).

Now it's time for Samba. After walking through the Samba by Example with AD stuff and applying it to my information I've got Samba MOSTLY working. Adding an AD Domain User (in the form DOMAIN+user in the Valid Users list) into a share causes the share to reject all but the list of users. GREAT! Unfortunately adding a Domain Group (in the form @DOMAIN+group) to the valid users list does NOT properly authorize the user, even when he or she belongs to the proper group.

[test02 at machine01 ~]$ smbclient //machine01/opt_share -k
WARNING: The "printer admin" option is deprecated
OS=[Unix] Server=[Samba 3.0.33-0.19.el4_8.1]
tree connect failed: NT_STATUS_ACCESS_DENIED

BTW both -U and -k work to authenticate a user, so Kerberos does in fact work.

When I do this (on a debug 10) I get the following snippet:

[2010/08/19 18:07:31, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2010/08/19 18:07:31, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2010/08/19 18:07:31, 5] smbd/uid.c:change_to_root_user(288)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2010/08/19 18:07:31, 4] smbd/reply.c:reply_tcon_and_X(506)
  Client requested device type [?????] for share [OPT_SHARE]
[2010/08/19 18:07:31, 5] smbd/service.c:make_connection(1214)
  making a connection to 'normal' service opt_share
[2010/08/19 18:07:31, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid @DOMAIN+tstgrp02 does not start with 'S-'.
[2010/08/19 18:07:31, 5] smbd/password.c:user_in_netgroup(470)
  Unable to get default yp domain, let's try without specifying it
[2010/08/19 18:07:31, 5] smbd/password.c:user_in_netgroup(474)
  looking for user DOMAIN+test02 of domain (ANY) in netgroup DOMAIN+tstgrp02
[2010/08/19 18:07:31, 5] smbd/password.c:user_in_netgroup(490)
  looking for user domain+test02 of domain (ANY) in netgroup DOMAIN+tstgrp02
[2010/08/19 18:07:31, 10] passdb/lookup_sid.c:lookup_name(70)
  lookup_name: DOMAIN\tstgrp02 => DOMAIN (domain), tstgrp02 (name)
[2010/08/19 18:07:31, 10] passdb/lookup_sid.c:lookup_name(71)
  lookup_name: flags = 0x077
[2010/08/19 18:07:31, 10] smbd/share_access.c:user_ok_token(211)
  User DOMAIN+test02 not in 'valid users'
[2010/08/19 18:07:31, 2] smbd/service.c:make_connection_snum(616)
  user 'DOMAIN+test02' (from session setup) not permitted to access this share (opt_share )
[2010/08/19 18:07:31, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

However wbinfo will properly return a good SID for the group:

[root at machine01 samba]# wbinfo -n DOMAIN+tstgrp02
S-1-5-21-2295727956-4092415901-3019033540-XXXX Domain Group (2)

[last 4 removed for security purposes]

To save the trouble of asking for it, I'll post up my SMB.CONF file here:

# Samba config file created using SWAT
# Date: 2006/02/15 14:00:00
# Global parameters
[global]
	workgroup = DOMAIN
	realm = DOMAIN.NET
	netbios name = machine01
	server string = CIFS Server on machine01
	security = ADS
	#encrypt passwords = true
	#password server = dc.domain.net
	#map to guest = Bad Password
	username map = /etc/samba/smbusers
	#wins server = dc.domain.net

	#Printing Options
	printcap name = cups
	printing = cups
	load printers = Yes
	cups options = raw
	printer admin = @ntadmin, root, administrator
	print command =
	lpq command = %p
	lprm command =

	#Winbind Options
	winbind separator = +

	#LDAP Options
	ldap ssl = no
	idmap uid = 10000-20000
	idmap gid = 10000-20000

	#Debug Logging Information parameters
	log level = 10
	log file = /var/log/samba/%m.log
	max log size = 0

[opt_share]
	comment = Test Opt Share
	path = /opt/share
	valid users = @DOMAIN+tstgrp02
	force user = test02
	force group = tstgrp01
	read only = no
	browseable = yes
	guest ok = no
	printable = no

Note: if in the "valid users" list I put DOMAIN+test02 I still get the issue with the group check, but I am authorized.

Last bit of information that I don't know whether it means anything or not:

[root at machine01 samba]# wbinfo -g
<snip>
DOMAIN+tstgrp01
DOMAIN+tstgrp02

[root at stltrh4ldap01 samba]# getent group
root:x:0:root
<snip>
request 1 done
tstgrp01:*:10000:test04,test03,test02
tstgrp02:*:10001:test04,test03,test02
request 2 done

Getent is not applying the DOMAIN+ on the front of each group in the password file. Not sure if it's supposed to or not. Note that nsswitch.conf reads:

passwd: files ldap [TRYAGAIN=continue] winbind
shadow: files
group: files ldap [TRYAGAIN=continue] winbind

(I added winbind on the end hoping that that might help; obviously it doesn't.)

Architecturally, login to the box is done via Kerberos, pam_krb5, and nss_ldap. OpenLDAP/nss_ldap is pulling group and user information out of Active Directory (2003 with the Identity Management for Unix plugin in place) but is NOT being used for authentication information. Winbind is not used for anything but SAMBA in this case (and that's as I'd prefer it).

HELP?!?!?!? This is LITERALLY the last piece of the puzzle (and one of the most important to save our administrative costs). I'm sure this is simple, I'm sure I'm doing something wrong. I'm also fully willing to accept a workaround with mapping users and groups so long as I do NOT have to manually modify an SMBUSERS file on the local box. In other words, the smb.conf file and the smbusers file need to be static regardless of how many users I add to the samba shares through AD.

ANY help would be GREATLY appreciated.

--Doug
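The log above shows the three lookups smbd runs on the entry @DOMAIN+tstgrp02 (SID string, NIS netgroup, then a unix/winbind group name) before deciding the user is "not in 'valid users'", while getent on the same box returns the group as plain tstgrp02. The following is an added example, written for this thread and not taken from the post or from Samba's source: a small Python model of the "valid users" evaluation that you can feed a share's smb.conf stanza and the host's getent group output, to see whether each entry resolves to a unix group under the name NSS actually returns. It assumes the smb.conf(5) meaning of the prefixes (@name tries a netgroup then a unix group, +name a unix group only, &name a netgroup only, a bare name is a user), treats netgroup lookups as failing because no NIS domain exists (the "Unable to get default yp domain" lines), and uses a constructed smb.conf excerpt and getent output modelled on what the post shows; it is a diagnostic aid, not a reproduction of smbd's exact code path.

```python
"""Model of how a 'valid users' list is matched against a connecting user.

Added example, not Samba's own code. Prefix meanings follow smb.conf(5):
'@name' = netgroup then unix group, '+name' = unix group only,
'&name' = netgroup only, bare name = user. No NIS here, so netgroup
lookups always fail. The config and getent text below are constructed.
"""
import re
from typing import Dict, List, Tuple

WINBIND_SEPARATOR = "+"  # the post's 'winbind separator = +'

# Constructed smb.conf excerpt modelled on the share in the post.
SMB_CONF = """\
[global]
    workgroup = DOMAIN
    winbind separator = +

[opt_share]
    path = /opt/share
    valid users = @DOMAIN+tstgrp02
"""

# Constructed 'getent group' output, without a DOMAIN+ prefix, as in the post.
GETENT_GROUP = """\
root:x:0:root
request 1 done
tstgrp01:*:10000:test04,test03,test02
tstgrp02:*:10001:test04,test03,test02
request 2 done
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {parameter: value}} with lower-cased names; comments skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_getent_group(text: str) -> Dict[str, List[str]]:
    """Return {group: [members]} from getent-style lines; anything else is ignored."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4:
            continue  # e.g. the 'request N done' noise in the post's output
        name, _, _, members = fields
        groups[name] = [m for m in members.split(",") if m]
    return groups


def split_list(value: str) -> List[str]:
    """smb.conf lists may be separated by commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def check_valid_users(user: str, valid_users: List[str], groups: Dict[str, List[str]],
                      separator: str = WINBIND_SEPARATOR) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons), stopping at the first entry that admits the user."""
    reasons: List[str] = []
    for entry in valid_users:
        if entry[0] in "@&":
            reasons.append(f"{entry}: netgroup lookup failed (no NIS domain)")
            if entry[0] == "&":
                continue
        if entry[0] in "@+":
            group = entry[1:]
            members = groups.get(group)
            if members is not None and user in members:
                reasons.append(f"{entry}: {user} is in unix group '{group}'")
                return True, reasons
            if members is None:
                msg = f"{entry}: unix group '{group}' not found by NSS"
                # Point at a separator-prefix mismatch like the one in the post.
                bare = group.split(separator, 1)[-1]
                if bare != group and bare in groups:
                    msg += f" (NSS returns it as '{bare}')"
            else:
                msg = f"{entry}: unix group '{group}' has no member {user}"
            reasons.append(msg)
            continue
        if entry.lower() == user.lower():
            reasons.append(f"{entry}: direct user match")
            return True, reasons
        reasons.append(f"{entry}: not {user}")
    return False, reasons


def audit_share(conf, share, user, groups) -> Tuple[bool, List[str]]:
    """Evaluate one share's 'valid users' for a user; an empty list imposes no restriction."""
    valid = split_list(conf.get(share.lower(), {}).get("valid users", ""))
    if not valid:
        return True, ["no 'valid users' set: this parameter imposes no restriction"]
    return check_valid_users(user, valid, groups)


if __name__ == "__main__":
    allowed, why = audit_share(parse_smb_conf(SMB_CONF), "opt_share", "test02",
                               parse_getent_group(GETENT_GROUP))
    print("opt_share test02 ->", "ALLOWED" if allowed else "DENIED")
    for line in why:
        print("  ", line)
```

Run against the constructed data it reports DENIED for test02 with the note that NSS knows the group only as tstgrp02; swap the entry to @tstgrp02 (or make NSS return the prefixed name) and the same user is admitted, which is the comparison to make on the real box with `testparm -s` output and `getent group` before changing anything.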