Matt Magoffin
2020-Mar-08 22:14 UTC
[Samba] Trouble resolving some group membership after upgrade from 4.8 to 4.10
Hello,

I had been running Samba 4.8 for a few years without any problems, and then upgraded to 4.10. Since then I've been having problems with some accounts connecting, while some connect fine still. I haven't been able to figure out why. My server is a relatively simple standalone server, using the LDAP password backend.

A failing user authenticates OK and ends up like this in the logs:

[2020/03/09 10:30:41.723101, 1, pid=2475, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
  &session_blob: struct smbXsrv_sessionB
    version                  : SMBXSRV_VERSION_0 (0)
    reserved                 : 0x00000000 (0)
    info                     : union smbXsrv_sessionU(case 0)
    info0                    : *
      info0: struct smbXsrv_session
        table                    : *
        db_rec                   : NULL
        client                   : *
        local_id                 : 0xe752a8c6 (3880954054)
        global                   : *
          global: struct smbXsrv_session_global0
            db_rec                   : NULL
            session_global_id        : 0xe752a8c6 (3880954054)
            session_wire_id          : 0x00000000e752a8c6 (3880954054)
            creation_time            : Mon Mar  9 10:30:42 2020 NZDT
            expiration_time          : Thu Jan  1 12:00:00 1970 NZST
            auth_time                : Mon Mar  9 10:30:42 2020 NZDT
            auth_session_info_seqnum : 0x00000001 (1)
            auth_session_info        : *
              auth_session_info: struct auth_session_info
                security_token           : *
                  security_token: struct security_token
                    num_sids                 : 0x00000009 (9)
                    sids: ARRAY(9)
                      sids                     : S-1-5-21-1502235775-2176147628-3003234742-10103
                      sids                     : S-1-5-21-1502235775-2176147628-3003234742-513
                      sids                     : S-1-22-2-10001
                      sids                     : S-1-22-2-10002
                      sids                     : S-1-1-0
                      sids                     : S-1-5-2
                      sids                     : S-1-5-11
                      sids                     : S-1-22-1-10103
                      sids                     : S-1-22-2-513
                    privilege_mask           : 0x0000000000000000 (0)
                      0: SEC_PRIV_MACHINE_ACCOUNT_BIT
                      0: SEC_PRIV_PRINT_OPERATOR_BIT
                      0: SEC_PRIV_ADD_USERS_BIT
                      0: SEC_PRIV_DISK_OPERATOR_BIT
                      0: SEC_PRIV_REMOTE_SHUTDOWN_BIT
                      0: SEC_PRIV_BACKUP_BIT
                      0: SEC_PRIV_RESTORE_BIT
                      0: SEC_PRIV_TAKE_OWNERSHIP_BIT
                      0: SEC_PRIV_INCREASE_QUOTA_BIT
                      0: SEC_PRIV_SECURITY_BIT
                      0: SEC_PRIV_LOAD_DRIVER_BIT
                      0: SEC_PRIV_SYSTEM_PROFILE_BIT
                      0: SEC_PRIV_SYSTEMTIME_BIT
                      0: SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT
                      0: SEC_PRIV_INCREASE_BASE_PRIORITY_BIT
                      0: SEC_PRIV_CREATE_PAGEFILE_BIT
                      0: SEC_PRIV_SHUTDOWN_BIT
                      0: SEC_PRIV_DEBUG_BIT
                      0: SEC_PRIV_SYSTEM_ENVIRONMENT_BIT
                      0: SEC_PRIV_CHANGE_NOTIFY_BIT
                      0: SEC_PRIV_UNDOCK_BIT
                      0: SEC_PRIV_ENABLE_DELEGATION_BIT
                      0: SEC_PRIV_MANAGE_VOLUME_BIT
                      0: SEC_PRIV_IMPERSONATE_BIT
                      0: SEC_PRIV_CREATE_GLOBAL_BIT
                    rights_mask              : 0x00000000 (0)
                      0: LSA_POLICY_MODE_INTERACTIVE
                      0: LSA_POLICY_MODE_NETWORK
                      0: LSA_POLICY_MODE_BATCH
                      0: LSA_POLICY_MODE_SERVICE
                      0: LSA_POLICY_MODE_PROXY
                      0: LSA_POLICY_MODE_DENY_INTERACTIVE
                      0: LSA_POLICY_MODE_DENY_NETWORK
                      0: LSA_POLICY_MODE_DENY_BATCH
                      0: LSA_POLICY_MODE_DENY_SERVICE
                      0: LSA_POLICY_MODE_REMOTE_INTERACTIVE
                      0: LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE
                      0x00: LSA_POLICY_MODE_ALL (0)
                      0x00: LSA_POLICY_MODE_ALL_NT4 (0)
                unix_token               : *
                  unix_token: struct security_unix_token
                    uid                      : 0x0000000000002777 (10103)
                    gid                      : 0x0000000000000201 (513)
                    ngroups                  : 0x00000003 (3)
                    groups: ARRAY(3)
                      groups                   : 0x0000000000000201 (513)
                      groups                   : 0x0000000000002711 (10001)
                      groups                   : 0x0000000000002712 (10002)
                info                     : *
                  info: struct auth_user_info
                    account_name             : *
                      account_name             : 'sambamatt'
                    user_principal_name      : NULL
                    user_principal_constructed: 0x00 (0)
                    domain_name              : *
                      domain_name              : 'X24'
                    dns_domain_name          : NULL
                    full_name                : *
                      full_name                : 'Samba Matt Magoffin'
                    logon_script             : *
                      logon_script             : ''
                    profile_path             : *
                      profile_path             : '\\X24\profiles\sambamatt'
                    home_directory           : *
                      home_directory           : '\\X24\sambamatt'
                    home_drive               : *
                      home_drive               : ''
                    logon_server             : *
                      logon_server             : 'X24'
                    last_logon               : NTTIME(0)
                    last_logoff              : Tue Jan 19 16:14:07 2038 NZDT
                    acct_expiry              : Tue Jan 19 16:14:07 2038 NZDT
                    last_password_change     : Mon Mar  9 10:27:37 2020 NZDT
                    allow_password_change    : Mon Mar  9 10:27:37 2020 NZDT
                    force_password_change    : Tue Jan 19 16:14:07 2038 NZDT
                    logon_count              : 0x0000 (0)
                    bad_password_count       : 0x0000 (0)
                    acct_flags               : 0x00000010 (16)
                    authenticated            : 0x01 (1)
                unix_info                : *
                  unix_info: struct auth_user_info_unix
                    unix_name                : *
                      unix_name                : 'sambamatt'
                    sanitized_username       : *
                      sanitized_username       : 'sambamatt'
        status                   : NT_STATUS_OK
        compat                   : *
        tcon_table               : *
        pending_auth             : NULL

So you can see the uid is 'sambamatt' and is a member of group 10002, which is called 'Home' and contains 'sambamatt' in a memberUid attribute.

[2020/03/09 10:30:41.752608, 5, pid=2475, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1308(smbldap_search_ext)
  smbldap_search_ext: base => [dc=msqr,dc=us], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=Home)(cn=Home)))], scope => [2]
[2020/03/09 10:30:41.753124, 2, pid=2475, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:2396(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 10002
[2020/03/09 10:30:41.753202, 4, pid=2475, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/03/09 10:30:41.753262, 10, pid=2475, effective(0, 0), real(0, 0)] ../../source3/smbd/share_access.c:213(user_ok_token)
  User sambamatt not in 'valid users'

If I show the group membership in other ways it appears like sambamatt is a member:

$ getent passwd sambamatt
sambamatt:*:10103:513:System User:/home/sambamatt:/bin/sh

$ getent group Home
Home:*:10002:sambamatt

$ id sambamatt
uid=10103(sambamatt) gid=513(Domain Users) groups=513(Domain Users),10001(Media),10002(Home)

For another account 'tm' that does still connect successfully, the logs end like:

[2020/03/09 09:55:20.786162, 5, pid=50323, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1308(smbldap_search_ext)
  smbldap_search_ext: base => [dc=msqr,dc=us], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=TimeMachine)(cn=TimeMachine)))], scope => [2]
[2020/03/09 09:55:20.787011, 2, pid=50323, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:2396(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 10000
[2020/03/09 09:55:20.787106, 10, pid=50323, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:137(smbldap_talloc_single_attribute)
  attribute description does not exist
[2020/03/09 09:55:20.787206, 4, pid=50323, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/03/09 09:55:20.787281, 10, pid=50323, effective(0, 0), real(0, 0)] ../../source3/smbd/share_access.c:219(user_ok_token)
  user_ok_token: share TimeCapsule is ok for unix user tm

My smb.conf looks like this:

[global]
log level = 10 auth:10 winbind:10
workgroup = MSQR
server string = Samba Server Version %v
netbios name = X24
domain master = yes
wins support = yes
host msdfs = no
security = user
map to guest = Bad User
vfs objects = acl_xattr zfsacl catia fruit streams_xattr
map acl inherit = yes
server min protocol = SMB2
server max protocol = SMB3
fruit:aapl = yes
fruit:resource = stream
fruit:metadata = stream
ea support = yes
oplocks = yes
ntlm auth = no
passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=msqr,dc=us
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap ssl = off
ldap passwd sync = yes
# Auth password saved via `smbpasswd -W`
ldap admin dn = cn=Samba Admin,dc=msqr,dc=us

[TimeCapsule]
path = /zdata/backups/timecapsule
vfs objects = zfsacl fruit streams_xattr
browseable = no
writable = yes
read only = no
inherit acls = yes
fruit:time machine = yes
fruit:time machine max size = 1400G
valid users = @TimeMachine
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfszcl:acesort = dontcare

[Home]
path = /zdata/home
browseable = yes
writable = yes
read only = no
force create mode = 0660
force directory mode = 0770
valid users = @Home

[Media]
path = /zdata/media
browseable = yes
writable = yes
read only = no
force create mode = 0660
force directory mode = 0770
valid users = @Media

I'm at a loss now on what might be wrong, or what else to try to troubleshoot the issue. Any ideas/help would be much appreciated.

-- m@
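The `User sambamatt not in 'valid users'` line comes from smbd resolving each `valid users` entry to a SID and then testing whether that SID is present in the session's security token, so the token dump above, not the output of `id`, is what decides the share check. The script below is an added example, not code from this thread or from Samba: it parses the `sids :` lines out of the posted dump, classifies each SID (S-1-22-1-<uid> and S-1-22-2-<gid> are Samba's "Unix Users" and "Unix Groups" pseudo-domain SIDs; S-1-5-21-... are domain SIDs), and runs a simplified model of the `@Group` check under two assumptions about how the name `Home` resolves. The mapped RID used for `Home` is a constructed placeholder, because the thread does not show `net groupmap list` output; the resolution order (mapped domain SID first, Unix Groups SID as fallback) is a simplification of smbd's lookup, not Samba's own code.

```python
"""Model of the smbd `valid users = @Group` token check against a posted
ndr_print security_token dump. Added example; not from the thread or Samba."""
import re

# Constructed excerpt: the security_token section of the dump posted above,
# with the nine SIDs copied verbatim from it.
TOKEN_DUMP = """\
security_token: struct security_token
    num_sids                 : 0x00000009 (9)
    sids: ARRAY(9)
        sids                     : S-1-5-21-1502235775-2176147628-3003234742-10103
        sids                     : S-1-5-21-1502235775-2176147628-3003234742-513
        sids                     : S-1-22-2-10001
        sids                     : S-1-22-2-10002
        sids                     : S-1-1-0
        sids                     : S-1-5-2
        sids                     : S-1-5-11
        sids                     : S-1-22-1-10103
        sids                     : S-1-22-2-513
"""

SID_LINE = re.compile(r"^\s*sids\s*:\s*(S-1-[0-9-]+)\s*$", re.MULTILINE)

UNIX_USERS = "S-1-22-1"    # Samba "Unix Users" pseudo-domain
UNIX_GROUPS = "S-1-22-2"   # Samba "Unix Groups" pseudo-domain
DOMAIN_PREFIX = "S-1-5-21-"


def parse_token_sids(dump):
    """Return the SIDs listed under `sids: ARRAY(n)`, in dump order."""
    return SID_LINE.findall(dump)


def describe(sid):
    """Classify one SID the way an admin reading the dump would."""
    rid = sid.rsplit("-", 1)[1]
    if sid.startswith(UNIX_GROUPS + "-"):
        return "unix group gid=" + rid
    if sid.startswith(UNIX_USERS + "-"):
        return "unix user uid=" + rid
    if sid.startswith(DOMAIN_PREFIX):
        return "domain SID rid=" + rid
    return "well-known SID"


def resolve_group_entry(name, group_map, unix_groups):
    """Resolve a group name from `valid users` to the SID smbd would test.

    Simplified lookup order (an assumption of this example): a name with a
    passdb group mapping resolves to its mapped domain SID; otherwise a name
    found in the Unix group database resolves to S-1-22-2-<gid>.
    """
    if name in group_map:
        return group_map[name]
    if name in unix_groups:
        return "%s-%d" % (UNIX_GROUPS, unix_groups[name])
    return None


def user_ok_token(valid_users, token_sids, group_map, unix_groups):
    """Return (allowed, checks): checks maps each entry to the SID tested."""
    token = set(token_sids)
    checks = {}
    allowed = False
    for entry in valid_users:
        if entry[:1] in ("@", "+"):
            sid = resolve_group_entry(entry[1:], group_map, unix_groups)
        else:
            sid = None  # plain user entries are not modelled here
        checks[entry] = sid
        if sid is not None and sid in token:
            allowed = True
    return allowed, checks


# Unix groups exactly as `getent group` / `id sambamatt` in the thread show.
UNIX_GROUPS_DB = {"Domain Users": 513, "Media": 10001, "Home": 10002}

# Constructed placeholder: the thread shows Home has a sambaGroupMapping
# entry but not its SID, so a hypothetical mapped RID is used here.
DOMAIN_SID = "S-1-5-21-1502235775-2176147628-3003234742"
GROUP_MAP_WITH_HOME = {"Home": DOMAIN_SID + "-99999"}  # hypothetical RID
GROUP_MAP_NO_HOME = {}


def compare_resolutions():
    """Run the @Home check under both resolution assumptions."""
    sids = parse_token_sids(TOKEN_DUMP)
    mapped, _ = user_ok_token(["@Home"], sids, GROUP_MAP_WITH_HOME, UNIX_GROUPS_DB)
    unix_only, _ = user_ok_token(["@Home"], sids, GROUP_MAP_NO_HOME, UNIX_GROUPS_DB)
    return {"mapped_sid_match": mapped, "unix_group_sid_match": unix_only}


if __name__ == "__main__":
    for sid in parse_token_sids(TOKEN_DUMP):
        print("%-50s %s" % (sid, describe(sid)))
    print(compare_resolutions())
```

Reading the dump this way makes one detail stand out: gid 513 appears in the token both as the mapped domain SID `...-513` and as `S-1-22-2-513`, whereas gids 10001 and 10002 appear only in the `S-1-22-2` form. So the first thing to compare is the SID that `net groupmap list` reports for `Home` against the SIDs actually listed in the token, and the model above shows that the outcome of `@Home` flips depending on whether the name resolves to a mapped domain SID or to the Unix Groups SID.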
Rowland penny
2020-Mar-09 08:46 UTC
[Samba] Trouble resolving some group membership after upgrade from 4.8 to 4.10
On 08/03/2020 22:14, Matt Magoffin via samba wrote:
> Hello,
>
> I had been running Samba 4.8 for a few years without any problems, and then upgraded to 4.10. Since then I've been having problems with some accounts connecting, while some connect fine still. I haven't been able to figure out why. My server is a relatively simple standalone server, using the LDAP password backend.

AKA a Samba nt4-style PDC, or the next thing to it.

> [global]
> log level = 10 auth:10 winbind:10
> workgroup = MSQR
> server string = Samba Server Version %v
> netbios name = X24
> domain master = yes
> wins support = yes
> host msdfs = no
> security = user
> map to guest = Bad User
> vfs objects = acl_xattr zfsacl catia fruit streams_xattr
> map acl inherit = yes
> server min protocol = SMB2

Try setting the above to 'NT1'

> ntlm auth = no

You could also try setting 'ntlm auth' to yes

> I'm at a loss now on what might be wrong, or what else to try to troubleshoot the issue. Any ideas/help would be much appreciated.

You are still using old ways of doing things, things that rely on SMBv1 and this is going away. You have two ways of dealing with this, either stick with an old version of Samba (along with any security problems entailed in doing so), or upgrade to Samba AD.

Rowland
Matt Magoffin
2020-Mar-10 04:59 UTC
[Samba] Trouble resolving some group membership after upgrade from 4.8 to 4.10
> On 9/03/2020, at 9:46 PM, Rowland penny via samba <samba at lists.samba.org> wrote:
>
>> server min protocol = SMB2
> Try setting the above to 'NT1'
>> ntlm auth = no
> You could also try setting 'ntlm auth' to yes
>> I'm at a loss now on what might be wrong, or what else to try to troubleshoot the issue. Any ideas/help would be much appreciated.
>
> You are still using old ways of doing things, things that rely on SMBv1 and this is going away. You have two ways of dealing with this, either stick with an old version of Samba (along with any security problems entailed in doing so), or upgrade to Samba AD.

Yes, I have been running this service for many years, upgrading Samba along the way but not trying to change to a full AD deployment.

Do you think tweaking the authentication settings like you suggest would make a difference? I ask because I can connect, from the same workstation, using one account but not another, which means the same client is being used for both. The account that doesn't work won't work from any workstation that I've tried, while the account that does work also works on all other workstations that I've tried. From the logs it seems that the authentication is succeeding, but the group membership authorisation part is failing, but only for specific accounts.

I had hoped someone might recall something that changed between 4.8 and 4.10 that might be relevant here, because I didn't make changes to the Samba configuration over that upgrade.

-- m@