Arnaud BLONDEL - Alter Way Solutions
2010-Sep-29 15:38 UTC
[Samba] Problem when "valid users" is used
Hi,

When I use "valid users" in smb.conf to limit access on my share, I have this message with smbclient:

[global]
        workgroup = MYDOM
        domain master = no
        local master = no
        security = user
        passdb backend = ldapsam:ldap://x.x.x.x:389
        ldap admin dn = cn=admin,dc=company,dc=com
        ldap suffix = dc=company,dc=com
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Computers
        ...

[Images]
        ...
        valid users = @Developpeurs
        ...

# smbclient //x.x.x.x/Images -U test
Enter test's password:
Domain=[SERVER] OS=[Unix] Server=[Samba 3.3.2]
tree connect failed: NT_STATUS_ACCESS_DENIED

I have this log:

[2010/09/29 16:19:03, 3] lib/util_sid.c:string_to_sid(228)
  string_to_sid: Sid @Developpeurs does not start with 'S-'.
[2010/09/29 16:19:03, 5] smbd/password.c:user_in_netgroup(425)
  Unable to get default yp domain, let's try without specifying it
[2010/09/29 16:19:03, 5] smbd/password.c:user_in_netgroup(429)
  looking for user test of domain (ANY) in netgroup Developpeurs
[2010/09/29 16:19:03, 5] smbd/password.c:user_in_netgroup(445)
  looking for user test of domain (ANY) in netgroup Developpeurs
[2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(69)
  lookup_name: SERVER\Developpeurs => SERVER (domain), Developpeurs (name)
[2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
  lookup_name: flags = 0x077
[2010/09/29 16:19:03, 3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/09/29 16:19:03, 3] smbd/uid.c:push_conn_ctx(388)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/09/29 16:19:03, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/09/29 16:19:03, 5] auth/token_util.c:debug_nt_user_token(522)
  NT user token: (NULL)
[2010/09/29 16:19:03, 5] auth/token_util.c:debug_unix_user_token(548)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2010/09/29 16:19:03, 5] lib/smbldap.c:smbldap_search_ext(1205)
  smbldap_search_ext: base => [ou=Groups,dc=company,dc=com], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Developpeurs)))], scope => [2]
[2010/09/29 16:19:03, 2] passdb/pdb_ldap.c:init_group_from_ldap(2348)
  init_group_from_ldap: Entry found for group: 1005
[2010/09/29 16:19:03, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/29 16:19:03, 10] passdb/passdb.c:lookup_global_sam_name(620)
  Found group Developpeurs (S-1-5-21-1003513250-1319205365-1235820382-1015) not in our domain -- ignoring.
  lookup_name: Unix Group\Developpeurs => Unix Group (domain), Developpeurs (name)
[2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
  lookup_name: flags = 0x077
[2010/09/29 16:19:03, 10] smbd/share_access.c:user_ok_token(212)
  User test not in 'valid users'
[2010/09/29 16:19:03, 2] smbd/service.c:create_connection_server_info(663)
  user 'test' (from session setup) not permitted to access this share (Images)
[2010/09/29 16:19:03, 0] smbd/service.c:make_connection_snum(744)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED

I use /etc/nsswitch to get users and groups from LDAP.

User "test" is in the Developpeurs group:

# id anisimov
uid=1009(anisimov) gid=513(Domain Users) groupes=513(Domain Users),1005(Developpeurs)

In LDAP:

cn=Developpeurs,ou=Groups,dc=company,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Developpeurs
gidNumber: 1005
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-101
...
memberUid: test
...

and:

uid=test,ou=People,dc=company,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
...
givenName: anisimov
uid: anisimov
uidNumber: 1009
gidNumber: 513
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1009
...

Where is the problem?

SAMBA: Version 3.3.2
Arnaud BLONDEL - Alter Way Solutions
2010-Sep-29 17:32 UTC
[Samba] Problem when "valid users" is used
Copy and paste are wrong, but I have this problem with all users.

I don't understand the first error: "string_to_sid: Sid @Developpeurs does not start with 'S-'"

On 29/09/2010 18:59, Allen Chen wrote:
> Are you talking about uid=anisimov or uid=test?
Arnaud BLONDEL - Alter Way Solutions
2010-Sep-30 07:52 UTC
[Samba] Problem when "valid users" is used
Same problem with:

valid users = @"MYDOM\Developpeurs"

string_to_sid: Sid @MYDOM\Developpeurs does not start with 'S-'.
[2010/09/30 09:08:17, 5] smbd/password.c:user_in_netgroup(425)
  Unable to get default yp domain, let's try without specifying it
[2010/09/30 09:08:17, 5] smbd/password.c:user_in_netgroup(429)
  looking for user test of domain (ANY) in netgroup MYDOM\Developpeurs
[2010/09/30 09:08:17, 5] smbd/password.c:user_in_netgroup(445)
  looking for user test of domain (ANY) in netgroup MYDOM\Developpeurs
[2010/09/30 09:08:17, 10] passdb/lookup_sid.c:lookup_name(69)
  lookup_name: MYDOM\Developpeurs => MYDOM (domain), Developpeurs (name)
[2010/09/30 09:08:17, 10] passdb/lookup_sid.c:lookup_name(70)
  lookup_name: flags = 0x077
[2010/09/30 09:08:17, 10] passdb/util_wellknown.c:lookup_wellknown_name(151)
  map_name_to_wellknown_sid: looking up Developpeurs
[2010/09/30 09:08:17, 3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/09/30 09:08:17, 3] smbd/uid.c:push_conn_ctx(388)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/09/30 09:08:17, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/09/30 09:08:17, 5] auth/token_util.c:debug_nt_user_token(522)
  NT user token: (NULL)
[2010/09/30 09:08:17, 5] auth/token_util.c:debug_unix_user_token(548)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2010/09/30 09:08:17, 5] lib/smbldap.c:smbldap_search_ext(1205)
  smbldap_search_ext: base => [ou=Groups,dc=company,dc=com], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Developpeurs)))], scope => [2]
[2010/09/30 09:08:17, 2] passdb/pdb_ldap.c:init_group_from_ldap(2348)
  init_group_from_ldap: Entry found for group: 1005
[2010/09/30 09:08:17, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/30 09:08:17, 10] passdb/passdb.c:lookup_global_sam_name(620)
  Found group Developpeurs (S-1-5-21-1003513250-1319205365-1235820382-1015) not in our domain -- ignoring.
  User test not in 'valid users'
[2010/09/30 09:08:17, 2] smbd/service.c:create_connection_server_info(663)
  user 'test' (from session setup) not permitted to access this share (Images)
[2010/09/30 09:08:17, 0] smbd/service.c:make_connection_snum(744)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/09/30 09:08:17, 3] smbd/error.c:error_packet_set(61)
  error packet at smbd/reply.c(724) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

On 30/09/2010 01:51, John H Terpstra wrote:
> On 09/29/2010 12:32 PM, Arnaud BLONDEL - Alter Way Solutions wrote:
>> Copy and paste are wrong, but I have this problem with all users.
>>
>> I don't understand the first error: "string_to_sid: Sid @Developpeurs
>> does not start with 'S-'"
>>
>> On 29/09/2010 18:59, Allen Chen wrote:
>>
>>> Are you talking about uid=test or uid=test?
>>>
>>
>
> Please specify the "valid users" parameters as shown here:
>
> Either:
> valid users = @"Company\Developpeurs"
>
> Or as:
> valid users = @%D\Developpeurs
>
> Cheers,
> John T.

-- 
Arnaud BLONDEL
Project manager
ALTER WAY SOLUTIONS - Nord
TD: + 33 (0)3 22 84 04 07
FD: + 33 (0)3 22 84 00 73
44, rue Saint Fursy
80200 PERONNE
www.alterway.fr

Our upcoming events:
Open World Forum, the most influential Open Source event of the year: 30 Sept - 1 Oct 2010, Paris. http://bit.ly/aL6BjO
Open CIO Summit, the first summit run by CIOs for CIOs: 30 Sept, Paris. http://bit.ly/bucmEs
Themed breakfast "How to build your private / public Cloud?" with Canonical (Ubuntu) and Owlient, publisher of online community games, 9 Sept, Paris. http://bit.ly/9FL7cu
Conference "Hosting & managed services for critical Magento architectures" with a testimonial from Smartbox, Salon E-Commerce, stand L6, 21-23 September, Paris. http://bit.ly/c9sVxH
Conference "Drupal powers sports (and more) at France Télévisions", DrupalCon, 23 - 27 August, Copenhagen. http://bit.ly/bakOGx
Arnaud BLONDEL - Alter Way Solutions
2010-Sep-30 08:20 UTC
[Samba] Problem when "valid users" is used
I added "loglevel 768" to slapd.conf and I have this in my slapd log file:

Sep 30 09:37:19 xxxx slapd[23852]: conn=2110 op=47 SRCH base="dc=company,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(uniqueMember=cn=developpeurs,ou=groups,dc=company,dc=com))"
Sep 30 09:37:19 xxxx slapd[23852]: conn=2110 op=47 SRCH attr=gidNumber
Sep 30 09:37:19 xxxx slapd[23852]: conn=2110 op=47 SEARCH RESULT tag=101 err=0 nentries=0 text

I don't understand why the Developpeurs group is not found here (nentries=0).

# ldapsearch -x -b 'ou=groups,dc=company,dc=com' cn=Developpeurs

returns:

cn=Developpeurs,ou=Groups,dc=company,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Developpeurs
gidNumber: 1005
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1015
sambaGroupType: 2
displayName: Developpeurs
description: Le groupe des programmeurs
memberUid: test
...

On 29/09/2010 18:59, Allen Chen wrote:
> Arnaud BLONDEL - Alter Way Solutions wrote:
>> Hi,
>>
>> When I use "valid users" in smb.conf to limit access on my share, I
>> have this message with smbclient :
>> ...
>
> Are you talking about uid=anisimov or uid=test?
On Wednesday, 29 September 2010, Arnaud BLONDEL - Alter Way Solutions wrote:
> Hi,
>
> When I use "valid users" in smb.conf to limit access on my share, I
> have this message with smbclient :
>
> [global]
>
> workgroup = MYDOM
> domain master = no
> local master = no
> security = user
> passdb backend = ldapsam:ldap://x.x.x.x:389
> ldap admin dn = cn=admin,dc=company,dc=com
> ldap suffix = dc=company,dc=com
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Computers
> ...
>
> [Images]
> ...
> valid users = @Developpeurs
> ...
>
> # smbclient //x.x.x.x/Images -U test
> Enter test's password:
> Domain=[SERVER] OS=[Unix] Server=[Samba 3.3.2]
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> I have this log :
>
> [2010/09/29 16:19:03, 3] lib/util_sid.c:string_to_sid(228)
>   string_to_sid: Sid @Developpeurs does not start with 'S-'.
> [2010/09/29 16:19:03, 5] smbd/password.c:user_in_netgroup(425)
>   Unable to get default yp domain, let's try without specifying it
> [2010/09/29 16:19:03, 5] smbd/password.c:user_in_netgroup(429)
>   looking for user test of domain (ANY) in netgroup Developpeurs
> [2010/09/29 16:19:03, 5] smbd/password.c:user_in_netgroup(445)
>   looking for user test of domain (ANY) in netgroup Developpeurs
> [2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(69)
>   lookup_name: SERVER\Developpeurs => SERVER (domain), Developpeurs (name)
> [2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
>   lookup_name: flags = 0x077
> [2010/09/29 16:19:03, 3] smbd/sec_ctx.c:push_sec_ctx(224)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2010/09/29 16:19:03, 3] smbd/uid.c:push_conn_ctx(388)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2010/09/29 16:19:03, 3] smbd/sec_ctx.c:set_sec_ctx(324)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2010/09/29 16:19:03, 5] auth/token_util.c:debug_nt_user_token(522)
>   NT user token: (NULL)
> [2010/09/29 16:19:03, 5] auth/token_util.c:debug_unix_user_token(548)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2010/09/29 16:19:03, 5] lib/smbldap.c:smbldap_search_ext(1205)
>   smbldap_search_ext: base => [ou=Groups,dc=company,dc=com], filter =>
>   [(&(objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Developpeurs)))], scope => [2]
> [2010/09/29 16:19:03, 2] passdb/pdb_ldap.c:init_group_from_ldap(2348)
>   init_group_from_ldap: Entry found for group: 1005
> [2010/09/29 16:19:03, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/09/29 16:19:03, 10] passdb/passdb.c:lookup_global_sam_name(620)
>   Found group Developpeurs

Try to run the same search as Samba does:

ldapsearch -s sub -b "ou=Groups,dc=company,dc=com" "(&(objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Developpeurs)))"

>   (S-1-5-21-1003513250-1319205365-1235820382-1015) not in our domain -- ignoring.
>   lookup_name: Unix Group\Developpeurs => Unix Group (domain), Developpeurs (name)

Samba finds this SID S-1-5-21-1003513250-1319205365-1235820382-1015 for your group, but according to your ldif, the SID for Developpeurs is:

S-1-5-21-1003513250-1319205365-1235820382-101

So you may have a duplicate entry :-( .

> [2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
>   lookup_name: flags = 0x077
> [2010/09/29 16:19:03, 10] smbd/share_access.c:user_ok_token(212)
>   User test not in 'valid users'
> [2010/09/29 16:19:03, 2] smbd/service.c:create_connection_server_info(663)
>   user 'test' (from session setup) not permitted to access this share (Images)
> [2010/09/29 16:19:03, 0] smbd/service.c:make_connection_snum(744)
>   create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
>
> I use /etc/nsswitch to get users and groups from LDAP
>
> User "test" is in Developpeurs group :
>
> # id anisimov
> uid=1009(anisimov) gid=513(Domain Users) groupes=513(Domain Users),1005(Developpeurs)
>
> In LDAP :
>
> cn=Developpeurs,ou=Groups,dc=company,dc=com
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: Developpeurs
> gidNumber: 1005
> sambaSID: S-1-5-21-1003513250-1319205365-1235820382-101
> ...
> memberUid: test
> ...
>
> and :
>
> uid=test,ou=People,dc=company,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> ...
> givenName: anisimov
> uid: anisimov
> uidNumber: 1009
> gidNumber: 513
> sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1009
> ...
>
> Where is the problem ?
>
> SAMBA : Version 3.3.2

-- 
Regards
Harry Jede
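Two lines of the smbd log carry the diagnosis in this thread. "string_to_sid: Sid @Developpeurs does not start with 'S-'" is harmless: before resolving a "valid users" token as a name, smbd first tries to parse it as a literal SID, and a level-3 debug message is all that a non-SID token produces. "Found group Developpeurs (S-1-5-21-...-1015) not in our domain -- ignoring" is the real problem: lookup_global_sam_name() found the sambaGroupMapping entry, but the SID prefix stored in LDAP is not the SID smbd treats as its own domain (the value `net getlocalsid` prints), so the mapping is discarded and the token never matches. The script below is an added example, not code from the thread or from the Samba project. It reproduces both checks offline against an LDIF export: a SID parser with Samba's acceptance rule, the domain-prefix comparison, and the duplicate-entry check Harry suspected. LOCAL_SID is an assumed value (the thread never shows the server's own SID), and the LDIF is constructed from the entries quoted in the thread plus a hypothetical group "Foreign" mapped into another domain.

```python
"""Offline audit of sambaGroupMapping entries (added example, not Samba code)."""
import re
from collections import defaultdict

# SID the server treats as its own domain (what `net getlocalsid` prints).
# Assumed value: the thread never shows it, only the prefix used in LDAP.
LOCAL_SID = "S-1-5-21-1003513250-1319205365-1235820382"

# Constructed LDIF: the group and user quoted in the thread, plus a
# hypothetical group "Foreign" whose SID belongs to another domain.
SAMPLE_LDIF = """\
dn: cn=Developpeurs,ou=Groups,dc=company,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Developpeurs
gidNumber: 1005
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1015
memberUid: test

dn: cn=Foreign,ou=Groups,dc=company,dc=com
objectClass: sambaGroupMapping
cn: Foreign
sambaSID: S-1-5-21-111111111-222222222-333333333-1017
memberUid: test

dn: uid=test,ou=People,dc=company,dc=com
objectClass: sambaSamAccount
uid: test
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1009
"""

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def string_to_sid(value):
    """Accept only a well-formed domain SID, the way Samba's string_to_sid()
    rejects '@Developpeurs' (it must start with 'S-'). Returns None otherwise."""
    return value if SID_RE.match(value) else None


def split_sid(sid):
    """Return (domain part, RID) for an S-1-5-21-... SID."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def parse_ldif(text):
    """Tiny LDIF reader: blank-line separated entries, 'attr: value' lines,
    continuation lines start with one space. Returns a list of dicts."""
    entries, current, last = [], defaultdict(list), None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:            # folded continuation
            current[last][-1] += raw[1:]
        elif not raw.strip():                        # entry separator
            if current:
                entries.append(dict(current))
            current, last = defaultdict(list), None
        elif not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            last = attr.strip()
            current[last].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def mapped_groups(entries):
    """Yield (cn, sambaSID values, memberUid values) per sambaGroupMapping entry."""
    for e in entries:
        if "sambaGroupMapping" in e.get("objectClass", []):
            yield e["cn"][0], e.get("sambaSID", []), e.get("memberUid", [])


def audit_group_mappings(entries, local_sid):
    """Report what lookup_global_sam_name() would log as 'not in our domain --
    ignoring', plus duplicate names or SIDs (Harry's suspicion in the thread)."""
    problems, by_name, by_sid = [], defaultdict(list), defaultdict(list)
    for name, sids, _members in mapped_groups(entries):
        for sid in sids:
            if string_to_sid(sid) is None:
                problems.append((name, sid, "malformed sambaSID"))
                continue
            by_name[name.lower()].append(sid)
            by_sid[sid].append(name)
            if split_sid(sid)[0] != local_sid:
                problems.append((name, sid, "not in our domain -- ignoring"))
    problems += [(n, ",".join(s), "duplicate group name") for n, s in by_name.items() if len(s) > 1]
    problems += [(",".join(n), s, "duplicate sambaSID") for s, n in by_sid.items() if len(n) > 1]
    return problems


def group_valid_for_share(entries, local_sid, user, token):
    """Evaluate one '@group' or '@DOMAIN\\group' 'valid users' token against LDAP
    membership; a group whose SID is in a foreign domain never matches."""
    name = token.lstrip("@+&").split("\\")[-1].lower()
    for cn, sids, members in mapped_groups(entries):
        if cn.lower() != name:
            continue
        if not sids or string_to_sid(sids[0]) is None:
            return False
        if split_sid(sids[0])[0] != local_sid:
            return False                             # the log's "ignoring" case
        return user in members
    return False


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for problem in audit_group_mappings(ents, LOCAL_SID):
        print("%-12s %-48s %s" % problem)
    for tok in ("@Developpeurs", "@MYDOM\\Developpeurs", "@Foreign"):
        print("%-22s -> %s" % (tok, group_valid_for_share(ents, LOCAL_SID, "test", tok)))
```

To use it on a real server, replace SAMPLE_LDIF with the output of `ldapsearch -x -LLL -b ou=Groups,dc=company,dc=com objectClass=sambaGroupMapping` and LOCAL_SID with the output of `net getlocalsid`. Any group reported as "not in our domain" is one smbd will silently drop from "valid users" evaluation no matter how the token is spelled (@group, @"DOMAIN\group" or @%D\group), which is what both of Arnaud's logs show.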