Nissl Reinhard
2015-Jul-31 12:07 UTC
[Samba] samba-4.1.19: resolving local unix group failes when there exists a local unix user with same name
Hi,
after upgrading samba from 4.1.17 to 4.1.19 on OpenSuSE 13.2, any shares offered
by this machine can nolonger be accessed, when these shares contain an entry
"force group" which specifies a local unix group and when there exists
a unix user with the same name.
Here's an excerpt from smb.conf:
[FactWork]
comment = FactWork-Downloadportal
path = /web/Fee/download/factwork
valid users = @webadmin,fee\gabi, at
fee\g_tb3,fee\administrator,fee\svtb3$
write list = @webadmin,fee\gabi, at fee\g_tb3,fee\administrator
force group = webadmin
create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
writeable = Yes
guest ok = No
When I try to access that share with smbclient like that, it fails:
smbclient //platon/factwork mySecret -U reinhard.ni -W fee
Domain=[FEE] OS=[Unix] Server=[Samba 4.1.19-11.1-3442-SUSE-oS13.2-x86_64]
tree connect failed: NT_STATUS_NO_SUCH_GROUP
Running smbd interactive with maximum debug level shows the following lines:
looking for user fee\reinhard.ni of domain (ANY) in netgroup fee\g_tb3
lookup_name: fee\g_tb3 => domain=[fee], name=[g_tb3]
lookup_name: flags = 0x077
user_ok_token: share FactWork is ok for unix user FEE\reinhard.ni
lookup_name: FEE\webadmin => domain=[FEE], name=[webadmin]
lookup_name: flags = 0x077
map_name_to_wellknown_sid: looking up webadmin
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
Security token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
failed to unpack map
failed to unpack map
failed to unpack map
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
Finding user webadmin
Trying _Get_Pwnam(), username as lowercase is webadmin
Get_Pwnam_internals did find user [webadmin]!
webadmin is a User, not a group
A further problem (which seems to be caused by the same defect) exists when
trying to validate the user against a local unix group (@webadmin in this
example). The log output shows similar messages regarding @webadmin being a user
while expecting a group. In that case smbclient fails with
NT_STATUS_ACCESS_DENIED.
A workaround seems to be, to replace all references to unix group webadmin with
"Unix Group\webadmin", i. e.
valid users = @"Unix Group\webadmin",fee\gabi, at
fee\g_tb3,fee\administrator,fee\svtb3$
write list = @"Unix Group\webadmin",fee\gabi, at
fee\g_tb3,fee\administrator
force group = "Unix Group\webadmin"
Bye.
--
Reinhard Nißl, TB3, -198
Rowland Penny
2015-Jul-31 13:29 UTC
[Samba] samba-4.1.19: resolving local unix group failes when there exists a local unix user with same name
On 31/07/15 13:07, Nissl Reinhard wrote:> Hi, > > after upgrading samba from 4.1.17 to 4.1.19 on OpenSuSE 13.2, any shares offered by this machine can nolonger be accessed, when these shares contain an entry "force group" which specifies a local unix group and when there exists a unix user with the same name. > > Here's an excerpt from smb.conf: > > [FactWork] > comment = FactWork-Downloadportal > path = /web/Fee/download/factwork > valid users = @webadmin,fee\gabi, at fee\g_tb3,fee\administrator,fee\svtb3$ > write list = @webadmin,fee\gabi, at fee\g_tb3,fee\administrator > force group = webadmin > create mask = 0664 > force create mode = 0664 > directory mask = 0775 > force directory mode = 0775 > writeable = Yes > guest ok = No > > When I try to access that share with smbclient like that, it fails: > > smbclient //platon/factwork mySecret -U reinhard.ni -W fee > Domain=[FEE] OS=[Unix] Server=[Samba 4.1.19-11.1-3442-SUSE-oS13.2-x86_64] > tree connect failed: NT_STATUS_NO_SUCH_GROUP > > Running smbd interactive with maximum debug level shows the following lines: > > looking for user fee\reinhard.ni of domain (ANY) in netgroup fee\g_tb3 > lookup_name: fee\g_tb3 => domain=[fee], name=[g_tb3] > lookup_name: flags = 0x077 > user_ok_token: share FactWork is ok for unix user FEE\reinhard.ni > lookup_name: FEE\webadmin => domain=[FEE], name=[webadmin] > lookup_name: flags = 0x077 > map_name_to_wellknown_sid: looking up webadmin > push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 > push_conn_ctx(0) : conn_ctx_stack_ndx = 0 > setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 > Security token: (NULL) > UNIX token of user 0 > Primary group is 0 and contains 0 supplementary groups > failed to unpack map > failed to unpack map > failed to unpack map > pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 > Finding user webadmin > Trying _Get_Pwnam(), username as lowercase is webadmin > Get_Pwnam_internals did find user [webadmin]! > webadmin is a User, not a group > > A further problem (which seems to be caused by the same defect) exists when trying to validate the user against a local unix group (@webadmin in this example). The log output shows similar messages regarding @webadmin being a user while expecting a group. In that case smbclient fails with NT_STATUS_ACCESS_DENIED. > > A workaround seems to be, to replace all references to unix group webadmin with "Unix Group\webadmin", i. e. > > valid users = @"Unix Group\webadmin",fee\gabi, at fee\g_tb3,fee\administrator,fee\svtb3$ > write list = @"Unix Group\webadmin",fee\gabi, at fee\g_tb3,fee\administrator > force group = "Unix Group\webadmin" > > Bye. > -- > Reinhard Nißl, TB3, -198 >Hi, I think there is a bug report open for this: https://bugzilla.samba.org/show_bug.cgi?id=11320 Rowland
Possibly Parallel Threads
- Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)
- Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)
- Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)
- Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)
- Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)