Daulton Theodore
2018-Jan-04 19:03 UTC
[Samba] Samba 4.4.16 %g translation fails for some users
Hi all,

Just migrated users to a samba 4 server built on the Solaris 11 samba pkg. Some users are mapping all required drives (G:, H:, and I:) but some are not able to map them. The affected users' log files indicate that the %g variable is being translated to '-1' instead of the user's Unix group.

I would welcome any feedback or suggestions on how to resolve this issue.

From my log file (successful map):
<snip>
[2018/01/04 11:42:32.080787, 2] ../source3/smbd/service.c:787(make_connection_snum)
  134.117.97.141 (ipv4:134.117.97.141:58747) connect to service homedir initially as user dtheodor (uid=2223, gid=1021) (pid 26156)
[2018/01/04 11:42:32.080845, 5] ../lib/dbwrap/dbwrap.c:177(dbwrap_check_lock_order)
  check lock order 1 for /var/samba/lock/smbXsrv_tcon_global.tdb
[2018/01/04 11:42:32.080907, 5] ../lib/dbwrap/dbwrap.c:145(dbwrap_lock_order_state_destructor)
  release lock order 1 for /var/samba/lock/smbXsrv_tcon_global.tdb
[2018/01/04 11:42:32.080960, 5] ../libcli/smb/smb2_signing.c:93(smb2_signing_sign_pdu)
  signed SMB2 message
[2018/01/04 11:42:39.182065, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
<snip>

From log file for unsuccessful user:
<snip>
[2018/01/02 07:59:32.253188, 3] ../source3/smbd/service.c:536(make_connection_snum)
  Connect path is '/departments/-1/ablake' for service [homedir]
[2018/01/02 07:59:32.253286, 3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID root is not in a valid format
[2018/01/02 07:59:32.253627, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2018/01/02 07:59:32.253676, 4] ../source3/smbd/uid.c:490(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2018/01/02 07:59:32.253710, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
<snip>

/departments/-1/homedir should have been /departments/librss/homedir. The Unix group is 'librss'. Others in that group are able to login successfully with %g being translated as expected.
Here is a snip from smb.conf:

# Global parameters
[globals]
netbios name = willow
server string = %L
workgroup = WORKGROUP NAME
browsable = no
local master = no

allow hosts = list of hosts allowed in

hosts deny = 0.0.0.0/0

security = ADS
realm = <realm deleted>

machine password timeout = 314496000
name resolve order = wins lmhosts host bcast

remote announce = x.x.x.x

# wins support = yes
wins server = v.v.v.v w.w.w.w
winbind use default domain = true

# force Samba to bind only to public network
interfaces = a.b.c.d/255.255.255.0
bind interfaces only = yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
deadtime = 0

# added 20150422
server signing = auto
client signing = auto

client lanman auth = no
client ntlmv2 auth = yes
client plaintext auth = no
client use spnego = yes
client schannel = yes
lanman auth = no
ntlm auth = no

server min protocol = SMB2_10
client min protocol = SMB2
client max protocol = SMB3

# Encrypt all passwords stored in /etc/sfw/samba/private/smbpasswd
encrypt passwords = yes
username map = /etc/samba/lib/nt-names

# not allowed to log in
invalid users = root daemon bin sys adm lp listen sshd\
erl webspirs samba rob jan daulton

writeable = yes

# Debug Logging information
log level = 5
log file = /etc/samba/var/log.%m:%U:%I
max log size = 2000
debug timestamp = yes

# ---------------------------------------
# Home Directory - G drive
# ---------------------------------------
[homedir]
comment = %u
path = /departments/%g/%u
browseable = no
writeable = yes
create mode = 0700

# ------------------------------------
# Shared directory for each department - H drive
# ------------------------------------
[deptshr]
comment = %g Shared Directory
path = /departments/%g/common
read only = no
create mask = 0770
force create mode = 0770
directory mask = 0770
writable = yes
browseable = yes
invalid users = +circdesk

# --------------------------------------
# shared directory for ALL staff - I drive
# --------------------------------------
[libshare]
comment = Library staff shared directory
path = /departments/common
browseable = yes
writeable = yes
create mask = 0777
force create mode = 0777
directory mask = 0777
valid users = +libsys +libmgmt +libacq +libtech +libarc +libcat +libcirc +librs +librss +libmdgc +libgift +libcoll +libtrain +libill +libgis +libarch +libstack +libaxs +libssc +studemp +studempl +eserials +pserials +syshead +ebooks mmcclint refstud catstud

invalid users = +circdesk train1 train2 train3 train4 train5 train6 train7 train8 train9 train10 train11 train12 train13 train14 train15 train16 train17 train18 circstud madstud ssdata1 edox1 circdesk mlspine +librsch

~~~~~~~~~~~~~~~~~~~~~~~~
Daulton Theodore
Carleton University
Library, Systems Department
Vmail: (613) 520-2600, ext. 8352
Rowland Penny
2018-Jan-04 19:28 UTC
[Samba] Samba 4.4.16 %g translation fails for some users
On Thu, 4 Jan 2018 19:03:24 +0000 Daulton Theodore via samba <samba at lists.samba.org> wrote:
> <snip>

I am actually surprised it works at all, you have this in smb.conf:

security = ADS

You don't appear to have anything in smb.conf for authentication, but there is this in the log fragments you posted:

dtheodor (uid=2223, gid=1021)

I have this sinking feeling you have a user called 'dtheodor' with the uid '2223' in /etc/passwd.

The 'ADS' means that your computer is a Unix domain member and ALL your users must be in AD. They should also have uidNumbers and use the winbind 'ad' backend, or you use the 'rid' backend, in which case you don't need to add anything to AD. You cannot have a user in /etc/passwd and AD with the same username.

Can I suggest you read this: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Follow the links on the wiki page to get the info for the winbind backend you choose.

Any questions, please ask.

Rowland
Rowland Penny
2018-Jan-05 17:19 UTC
[Samba] Samba 4.4.16 %g translation fails for some users
On Fri, 5 Jan 2018 16:47:37 +0000 Daulton Theodore <DaultonTheodore at Cunet.Carleton.Ca> wrote:
> Hi Rowland,
>
> Thanks for your feedback.
> It turned out that a few of our users had unix names in /etc/passwd that matched the AD names for other staff. I've changed the unix names to make them distinct and mapped the new account to the correct AD user via the username map option.

You don't map AD users to Unix users in the username map any more, this is old school ;-)

All you need to do is set up libnss_winbind and then use the winbind backend of your choice, 'ad' if you want the same ID on all Unix domain machines, or 'rid' if you do not want to add anything to AD.

You should not have AD users in /etc/passwd, even with another name, there should only be local Unix users in /etc/passwd.

Rowland
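As an added illustration (not code from the thread or from Samba), a POSIX shell check that flags local /etc/passwd accounts whose names collide with AD user names, which is the condition Rowland identifies in both replies above. The passwd lines and the AD user list are constructed samples; on a real domain member the inputs would be /etc/passwd and the output of `wbinfo -u`.

```shell
# Added example, not from the thread: audit a Samba domain member for local
# /etc/passwd accounts whose names collide with AD user names. The passwd
# fragment and AD user list below are constructed samples.

# Constructed /etc/passwd fragment. 'dtheodor' and 'ablake' are local
# accounts that shadow AD users of the same name; 'train1' is purely local.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/sh
dtheodor:x:2223:1021:Local D Theodore:/departments/libsys/dtheodor:/bin/sh
ablake:x:2301:1030:Local A Blake:/home/ablake:/bin/sh
train1:x:3001:3001:Training account:/home/train1:/bin/sh'

# Constructed `wbinfo -u` output. With "winbind use default domain = true"
# (as in the posted smb.conf) the names carry no DOMAIN\ prefix.
AD_USERS='ablake
jsmith
dtheodor'

# find_collisions PASSWD_TEXT AD_USER_LIST
# Prints, one per line in AD-list order, each AD user name that also exists
# as a local account. Local names are tagged L and AD names A so one awk
# pass can build the local set first and then filter the AD list.
find_collisions() {
    {
        printf '%s\n' "$1" | cut -d: -f1 | sed 's/^/L /'
        printf '%s\n' "$2" | sed 's/^/A /'
    } | awk '$1 == "L" { local[$2] = 1; next }
             $1 == "A" && ($2 in local) && !seen[$2]++ { print $2 }'
}

# Returns 1 when any collision exists, so the check can gate a deploy.
check_domain_member() {
    collisions=$(find_collisions "$1" "$2")
    if [ -n "$collisions" ]; then
        printf 'local accounts shadowing AD users:\n%s\n' "$collisions"
        return 1
    fi
    printf 'no local/AD username collisions\n'
    return 0
}

check_domain_member "$LOCAL_PASSWD" "$AD_USERS" \
    || echo "remove or rename these local accounts before relying on winbind"
# On a real domain member:
# check_domain_member "$(cat /etc/passwd)" "$(wbinfo -u)"
```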