Jeremy
2020-Jun-05 09:18 UTC
[Samba] It seems to have bug for @group to set in valid or invalid conf
Hi all,
I am using Samba 4.10.7 and it seems to have a bug when using @group in the valid users or invalid users conf (?). And I can't find a fix patch in a later release. I describe this issue in detail below:
1. Firstly, here is my Samba conf (I added @d_group to "invalid users"):
(smb_share.conf)
[f1]
path = /home/f1
write list = "admin" "@Administrator_Group" "@User_Group" "root"
invalid users = "guest" "@d_group"
valid users = "admin" "@Administrator_Group" "@User_Group" "root"
browsable = Yes
public = Yes
force directory mode = 0777
directory mode = 0777
force create mode = 0777
create mask = 0777
recycle:repository = @recycle
recycle:directory_mode = 0777
recycle:keeptree = yes
recycle:versions = yes
recycle:exclude_dir = .streams
recycle:minsize = 1
vfs objects = shadow_copy2 catia fruit streams_xattr streams_depot aio_pthread recycle
shadow: format = %Y%m%d-%H%M%S
shadow: sort = desc
shadow: snapdir = .snapshot
shadow: localtime = yes
fruit:nfs_aces = no
fruit:veto_appledouble = no
aio read size = 65536
aio write size = 1
aio_pthread:aio num threads = 1024
smb encrypt = disabled
(global.conf)
[global]
deadtime = 1
guest account = guest
map to guest = Never
log file = /home/samba/log/
max log size = 500000
load printers = no
printcap name = /dev/null
printing = bsd
dns proxy = no
max protocol = SMB3
use sendfile = Yes
socket options = SO_SNDBUF=33554432 TCP_NODELAY
inherit acls = Yes
map acl inherit = Yes
store dos attributes = Yes
inherit permissions = Yes
delete veto files = yes
ntlm auth = yes
streams_depot:delete_lost = yes
ldap timeout = 300
smb2 max write = 1048576
state directory = /home/samba_state
lock directory = /var/lock/samba
cache directory = /home/samba_cache
log level = 10
nt acl support = no
2. I added the user bbb on my Debian system, and it is not in group "d_group":
# getent group
root:x:0:root
Administrator_Group:x:1:admin
User_Group:x:101:admin,aaa,bbb
Guest_Group:x:65534:guest
Hidden_Group:x:201:admin
fuse:x:102:admin
davfs2:x:103:davfs2
a_group:x:1000:aaa,bbb
b_group:x:1001:aaa,bbb
c_group:x:1002:bbb
d_group:x:1003:
3. But when I open the Samba log and try to use user bbb to log in to //$myip/f1 from Windows, I get permission denied.
But user bbb is not in d_group. Something is messed up.
4. I saw the following in the Samba log:
[2020/06/05 16:40:40.672747, 10, pid=2781, effective(0, 0), real(0, 0),
class=vfs] ../../source3/smbd/vfs.c:65(vfs_find_backend_
vfs_find_backend_entry called for /[Default VFS]/
Successfully loaded vfs module [/[Default VFS]/] with the new modules
system
[2020/06/05 16:40:40.672789, 10, pid=2781, effective(0, 0), real(0, 0)]
../../source3/smbd/service.c:70(set_conn_connectpath)
set_conn_connectpath: service IPC$, connectpath = /tmpfs/tmp
[2020/06/05 16:40:40.672815, 10, pid=2781, effective(0, 0), real(0, 0)]
../../source3/smbd/share_access.c:220(user_ok_token)
user_ok_token: share IPC$ is ok for unix user bbb
[2020/06/05 16:40:40.672840, 10, pid=2781, effective(0, 0), real(0, 0)]
../../source3/smbd/share_access.c:271(is_share_read_only
is_share_read_only_for_user: share IPC$ is read-only for unix user bbb
[2020/06/05 16:40:40.672868, 10, pid=2781, effective(0, 0), real(0, 0)]
../../libcli/security/access_check.c:366(se_file_access_
se_file_access_check: MAX desired = 0x2000000 mapped to 0x1f01ff
[2020/06/05 16:40:40.672915, 4, pid=2781, effective(0, 0), real(0, 0)]
../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (1003, 101) - sec_ctx_stack_ndx = 0
[2020/06/05 16:40:40.672941, 5, pid=2781, effective(0, 0), real(0, 0)]
../../libcli/security/security_token.c:63(security_token
Security token SIDs (15):
SID[ 0]: S-1-5-21-1151667668-222068009-1375177606-1010
SID[ 1]: S-1-5-21-1151667668-222068009-1375177606-513
SID[ 2]: S-1-5-21-1151667668-222068009-1375177606-1003
SID[ 3]: S-1-5-21-1151667668-222068009-1375177606-1006
SID[ 4]: S-1-5-21-1151667668-222068009-1375177606-1008
SID[ 5]: S-1-22-2-1000
SID[ 6]: S-1-1-0
SID[ 7]: S-1-5-2
SID[ 8]: S-1-5-11
SID[ 9]: S-1-5-21-1151667668-222068009-1375177606-1009
SID[ 10]: S-1-22-1-1003
SID[ 11]: S-1-22-2-101
SID[ 12]: S-1-22-2-1001
SID[ 13]: S-1-22-2-1002
SID[ 14]: S-1-22-2-1003
Privileges (0x 0):
Rights (0x 0):
[2020/06/05 16:40:40.673111, 5, pid=2781, effective(0, 0), real(0, 0)]
../../source3/auth/token_util.c:866(debug_unix_user_toke
UNIX token of user 1003
Primary group is 101 and contains 5 supplementary groups
Group[ 0]: 101
Group[ 1]: 1001
Group[ 2]: 1002
Group[ 3]: 1000
Group[ 4]: 1003
5. Why does user "bbb", who is not in d_group, get d_group's SID (S-1-5-21-1151667668-222068009-1375177606-1009) in the Security token SIDs??
I think this is the reason why I am denied access to "f1", because in /source3/smbd/share_access.c the function "token_contains_name" checks "nt_token_check_sid" and "user_in_netgroup". I am absolutely sure my user "bbb" is not in a netgroup, so the problem is in the function "nt_token_check_sid", which checks whether the Security token SIDs match.
# wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1010
XN7004T-FF1628\bbb 1
# wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1003
XN7004T-FF1628\User_Group 4
# wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1006
XN7004T-FF1628\b_group 4
# wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1008
XN7004T-FF1628\c_group 4
# wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1009
XN7004T-FF1628\d_group 4
# wbinfo --sid-to-name=S-1-22-1-1003
Unix User\bbb 1
# wbinfo --sid-to-name=S-1-22-1-101
Unix User\davfs2 1
# wbinfo --sid-to-name=S-1-22-1-1001
Unix User\aaa 1
# wbinfo --sid-to-name=S-1-22-1-1002
Unix User\1002 1
# wbinfo --sid-to-name=S-1-22-1-1003
Unix User\bbb 1
6. My questions are:
1. How does Samba get the Security token SIDs?
2. And I wonder what reason causes the Security token SIDs to get messed up?
Note: This issue occurs randomly. Sometimes you get the true SIDs and sometimes not.
Thanks,
Jeremy
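One way to check the discrepancy Jeremy describes is to compare the gids smbd put into the user's UNIX token (the "UNIX token of user" block in the log above) against what NSS actually grants via `getent group`. The script below is an added example, not part of Jeremy's post or of Samba's code; it assumes the smbd debug format shown above and takes the user's primary gid from the log, since the post contains no `getent passwd` output.

```python
"""Cross-check the groups smbd put in a user's token against NSS (getent)."""
import re

# Constructed sample input, copied from the UNIX token dump and the
# `getent group` output quoted in the post above (abridged).
SMBD_LOG = """\
UNIX token of user 1003
Primary group is 101 and contains 5 supplementary groups
Group[ 0]: 101
Group[ 1]: 1001
Group[ 2]: 1002
Group[ 3]: 1000
Group[ 4]: 1003
"""
GETENT_GROUP = """\
root:x:0:root
User_Group:x:101:admin,aaa,bbb
a_group:x:1000:aaa,bbb
b_group:x:1001:aaa,bbb
c_group:x:1002:bbb
d_group:x:1003:
"""


def parse_unix_token(log):
    """Return (uid, primary_gid, [gids]) from an smbd 'UNIX token of user' dump."""
    uid = int(re.search(r"UNIX token of user (\d+)", log).group(1))
    primary = int(re.search(r"Primary group is (\d+)", log).group(1))
    gids = [int(g) for g in re.findall(r"Group\[\s*\d+\]:\s*(\d+)", log)]
    return uid, primary, gids


def parse_getent_group(text):
    """Map gid -> (name, set of member logins) from `getent group` output."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":", 3)
            groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups


def unexpected_groups(user, primary_gid, token_gids, groups):
    """Return {gid: name} for token groups that NSS does not grant to `user`.
    A gid is legitimate only if it is the user's primary group or the group
    lists the user as a member; anything else is a discrepancy to investigate."""
    bad = {}
    for gid in token_gids:
        name, members = groups.get(gid, ("<gid %d not in NSS>" % gid, set()))
        if gid != primary_gid and user not in members:
            bad[gid] = name
    return bad


def audit(user, log, getent_text):
    """Run the comparison for one user. Assumption: the primary gid printed
    in the log equals the passwd gid (the post has no `getent passwd`)."""
    _uid, primary, gids = parse_unix_token(log)
    return unexpected_groups(user, primary, gids, parse_getent_group(getent_text))
```

On the sample input `audit("bbb", SMBD_LOG, GETENT_GROUP)` returns `{1003: "d_group"}`, i.e. exactly the group the post says bbb does not belong to; the `S-1-22-2-<gid>` entries in the "Security token SIDs" block are the same gids in SID form and can be fed through the same membership check.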
Jeremy
2020-Jun-13 15:35 UTC
[Samba] It seems to have bug for @group to set in valid or invalid conf
No one cares, so I closed it. Thanks.

On Fri, Jun 5, 2020 at 5:18 PM Jeremy <jeremy55662004 at gmail.com> wrote:
Rowland penny
2020-Jun-13 18:52 UTC
[Samba] It seems to have bug for @group to set in valid or invalid conf
On 13/06/2020 16:35, Jeremy via samba wrote:
> No one cares, so I closed it. Thanks.

It isn't that no one cares, it is just that no one knows the answer :-(

You could try removing the double quotes and the '@' from the write list and valid users lines.

I take it that you have created Samba users with 'smbpasswd -a username'?

You should also add 'security = user' to your smb.conf.

Rowland
Jeremy
2020-Jun-14 15:54 UTC
[Samba] It seems to have bug for @group to set in valid or invalid conf
Thanks, Rowland. I will try your suggestions. Thanks.

Jeremy

On Sat, Jun 13, 2020 at 11:35 PM Jeremy <jeremy55662004 at gmail.com> wrote: