Jeremy
2020-Jun-05 09:18 UTC
[Samba] It seems to have bug for @group to set in valid or invalid conf
Hi all, I am using samba 4.10.7 and it seems to have bug for using @group in valid or invalid conf (?). And i can't find fixed patch in later release. I describe this issue detail below: 1. Firstly, there is my samba conf below (Add @d_group in "invalid users"): (smb_share.conf) [f1] path = /home/f1 write list = "admin" "@Administrator_Group" "@User_Group" "root" invalid users = "guest" "@d_group" valid users = "admin" "@Administrator_Group" "@User_Group" "root" browsable = Yes public = Yes force directory mode = 0777 directory mode = 0777 force create mode = 0777 create mask = 0777 recycle:repository = @recycle recycle:directory_mode = 0777 recycle:keeptree = yes recycle:versions = yes recycle:exclude_dir = .streams recycle:minsize = 1 vfs objects = shadow_copy2 catia fruit streams_xattr streams_depot aio_pthread recycle shadow: format = %Y%m%d-%H%M%S shadow: sort = desc shadow: snapdir = .snapshot shadow: localtime = yes fruit:nfs_aces = no fruit:veto_appledouble = no aio read size = 65536 aio write size = 1 aio_pthread:aio num threads = 1024 smb encrypt = disabled (global.conf) [global] deadtime = 1 guest account = guest map to guest = Never log file = /home/samba/log/ max log size = 500000 load printers = no printcap name = /dev/null printing = bsd dns proxy = no max protocol = SMB3 use sendfile = Yes socket options = SO_SNDBUF=33554432 TCP_NODELAY inherit acls = Yes map acl inherit = Yes store dos attributes = Yes inherit permissions = Yes delete veto files = yes ntlm auth = yes streams_depot:delete_lost = yes ldap timeout = 300 smb2 max write = 1048576 state directory = /home/samba_state lock directory = /var/lock/samba cache directory = /home/samba_cache log level = 10 nt acl support = no 2. I add the user bbb in my debian and not in group "d_group": # getent group root:x:0:root Administrator_Group:x:1:admin User_Group:x:101:admin,aaa,bbb Guest_Group:x:65534:guest Hidden_Group:x:201:admin fuse:x:102:admin davfs2:x:103:davfs2 a_group:x:1000:aaa,bbb b_group:x:1001:aaa,bbb c_group:x:1002:bbb d_group:x:1003: 3. But when i open samba log and trying use user bbb to login //$myip/f1 on Windows and i got the denied permission. But user bbb is not in d_group. There are somethings mess up. 4. I saw the log in samba below: [2020/06/05 16:40:40.672747, 10, pid=2781, effective(0, 0), real(0, 0), class=vfs] ../../source3/smbd/vfs.c:65(vfs_find_backend_ vfs_find_backend_entry called for /[Default VFS]/ Successfully loaded vfs module [/[Default VFS]/] with the new modules system [2020/06/05 16:40:40.672789, 10, pid=2781, effective(0, 0), real(0, 0)] ../../source3/smbd/service.c:70(set_conn_connectpath) set_conn_connectpath: service IPC$, connectpath = /tmpfs/tmp [2020/06/05 16:40:40.672815, 10, pid=2781, effective(0, 0), real(0, 0)] ../../source3/smbd/share_access.c:220(user_ok_token) user_ok_token: share IPC$ is ok for unix user bbb [2020/06/05 16:40:40.672840, 10, pid=2781, effective(0, 0), real(0, 0)] ../../source3/smbd/share_access.c:271(is_share_read_only is_share_read_only_for_user: share IPC$ is read-only for unix user bbb [2020/06/05 16:40:40.672868, 10, pid=2781, effective(0, 0), real(0, 0)] ../../libcli/security/access_check.c:366(se_file_access_ se_file_access_check: MAX desired = 0x2000000 mapped to 0x1f01ff [2020/06/05 16:40:40.672915, 4, pid=2781, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal) setting sec ctx (1003, 101) - sec_ctx_stack_ndx = 0 [2020/06/05 16:40:40.672941, 5, pid=2781, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:63(security_token Security token SIDs (15): SID[ 0]: S-1-5-21-1151667668-222068009-1375177606-1010 SID[ 1]: S-1-5-21-1151667668-222068009-1375177606-513 SID[ 2]: S-1-5-21-1151667668-222068009-1375177606-1003 SID[ 3]: S-1-5-21-1151667668-222068009-1375177606-1006 SID[ 4]: S-1-5-21-1151667668-222068009-1375177606-1008 SID[ 5]: S-1-22-2-1000 SID[ 6]: S-1-1-0 SID[ 7]: S-1-5-2 SID[ 8]: S-1-5-11 SID[ 9]: S-1-5-21-1151667668-222068009-1375177606-1009 SID[ 10]: S-1-22-1-1003 SID[ 11]: S-1-22-2-101 SID[ 12]: S-1-22-2-1001 SID[ 13]: S-1-22-2-1002 SID[ 14]: S-1-22-2-1003 Privileges (0x 0): Rights (0x 0): [2020/06/05 16:40:40.673111, 5, pid=2781, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:866(debug_unix_user_toke UNIX token of user 1003 Primary group is 101 and contains 5 supplementary groups Group[ 0]: 101 Group[ 1]: 1001 Group[ 2]: 1002 Group[ 3]: 1000 Group[ 4]: 1003 5. Why "bbb" user is notin d_group but the Security token SIDs will have d_group's sid (S-1-5-21-1151667668-222068009-1375177606-1009) ?? I thinks this is the reason why i be denied to access "f1". Because in program /source3/smbd/share_access.c function "token_contains_name" will check "nt_token_check_sid" & "user_in_netgroup". But i absolutely sure my user "bbb" is not in netgroup, the problem is on function "nt_token_check_sid". Function "nt_token_check_sid" will check Security token SIDs if match. # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1010 XN7004T-FF1628\bbb 1 # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1003 XN7004T-FF1628\User_Group 4 # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1006 XN7004T-FF1628\b_group 4 # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1008 XN7004T-FF1628\c_group 4 # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1009 XN7004T-FF1628\d_group 4 # wbinfo --sid-to-name=S-1-22-1-1003 Unix User\bbb 1 # wbinfo --sid-to-name=S-1-22-1-101 Unix User\davfs2 1 # wbinfo --sid-to-name=S-1-22-1-1001 Unix User\aaa 1 # wbinfo --sid-to-name=S-1-22-1-1002 Unix User\1002 1 # wbinfo --sid-to-name=S-1-22-1-1003 Unix User\bbb 1 6. My questions are: 1. How samba to get Security token SIDs ? 2. And i wonder whate reason will cause the Security token SIDs mess up ? Note: This issue is occurs in random. Sometimes you will get the true sids but sometimes is not. Thanks, Jeremy
Jeremy
2020-Jun-13 15:35 UTC
[Samba] It seems to have bug for @group to set in valid or invalid conf
No one care then i closed it. Thanks. On Fri, Jun 5, 2020 at 5:18 PM Jeremy <jeremy55662004 at gmail.com> wrote:> Hi all, > > I am using samba 4.10.7 and it seems to have bug for using @group in valid > or invalid conf (?). And i can't find fixed patch in later release. I > describe this issue detail below: > > 1. Firstly, there is my samba conf below (Add @d_group in "invalid users"): > (smb_share.conf) > [f1] > path = /home/f1 > write list = "admin" "@Administrator_Group" "@User_Group" "root" > invalid users = "guest" "@d_group" > valid users = "admin" "@Administrator_Group" "@User_Group" "root" > browsable = Yes > public = Yes > force directory mode = 0777 > directory mode = 0777 > force create mode = 0777 > create mask = 0777 > recycle:repository = @recycle > recycle:directory_mode = 0777 > recycle:keeptree = yes > recycle:versions = yes > recycle:exclude_dir = .streams > recycle:minsize = 1 > vfs objects = shadow_copy2 catia fruit streams_xattr streams_depot > aio_pthread recycle > shadow: format = %Y%m%d-%H%M%S > shadow: sort = desc > shadow: snapdir = .snapshot > shadow: localtime = yes > fruit:nfs_aces = no > fruit:veto_appledouble = no > aio read size = 65536 > aio write size = 1 > aio_pthread:aio num threads = 1024 > smb encrypt = disabled > (global.conf) > [global] > deadtime = 1 > guest account = guest > map to guest = Never > log file = /home/samba/log/ > max log size = 500000 > load printers = no > printcap name = /dev/null > printing = bsd > dns proxy = no > max protocol = SMB3 > use sendfile = Yes > socket options = SO_SNDBUF=33554432 TCP_NODELAY > inherit acls = Yes > map acl inherit = Yes > store dos attributes = Yes > inherit permissions = Yes > delete veto files = yes > ntlm auth = yes > streams_depot:delete_lost = yes > ldap timeout = 300 > smb2 max write = 1048576 > state directory = /home/samba_state > lock directory = /var/lock/samba > cache directory = /home/samba_cache > log level = 10 > nt acl support = no > > 2. I add the user bbb in my debian and not in group "d_group": > # getent group > root:x:0:root > Administrator_Group:x:1:admin > User_Group:x:101:admin,aaa,bbb > Guest_Group:x:65534:guest > Hidden_Group:x:201:admin > fuse:x:102:admin > davfs2:x:103:davfs2 > a_group:x:1000:aaa,bbb > b_group:x:1001:aaa,bbb > c_group:x:1002:bbb > d_group:x:1003: > > > 3. But when i open samba log and trying use user bbb to login //$myip/f1 > on Windows and i got the denied permission. > But user bbb is not in d_group. There are somethings mess up. > > 4. I saw the log in samba below: > [2020/06/05 16:40:40.672747, 10, pid=2781, effective(0, 0), real(0, 0), > class=vfs] ../../source3/smbd/vfs.c:65(vfs_find_backend_ > vfs_find_backend_entry called for /[Default VFS]/ > Successfully loaded vfs module [/[Default VFS]/] with the new modules > system > [2020/06/05 16:40:40.672789, 10, pid=2781, effective(0, 0), real(0, 0)] > ../../source3/smbd/service.c:70(set_conn_connectpath) > set_conn_connectpath: service IPC$, connectpath = /tmpfs/tmp > [2020/06/05 16:40:40.672815, 10, pid=2781, effective(0, 0), real(0, 0)] > ../../source3/smbd/share_access.c:220(user_ok_token) > user_ok_token: share IPC$ is ok for unix user bbb > [2020/06/05 16:40:40.672840, 10, pid=2781, effective(0, 0), real(0, 0)] > ../../source3/smbd/share_access.c:271(is_share_read_only > is_share_read_only_for_user: share IPC$ is read-only for unix user bbb > [2020/06/05 16:40:40.672868, 10, pid=2781, effective(0, 0), real(0, 0)] > ../../libcli/security/access_check.c:366(se_file_access_ > se_file_access_check: MAX desired = 0x2000000 mapped to 0x1f01ff > [2020/06/05 16:40:40.672915, 4, pid=2781, effective(0, 0), real(0, 0)] > ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal) > setting sec ctx (1003, 101) - sec_ctx_stack_ndx = 0 > [2020/06/05 16:40:40.672941, 5, pid=2781, effective(0, 0), real(0, 0)] > ../../libcli/security/security_token.c:63(security_token > Security token SIDs (15): > SID[ 0]: S-1-5-21-1151667668-222068009-1375177606-1010 > SID[ 1]: S-1-5-21-1151667668-222068009-1375177606-513 > SID[ 2]: S-1-5-21-1151667668-222068009-1375177606-1003 > SID[ 3]: S-1-5-21-1151667668-222068009-1375177606-1006 > SID[ 4]: S-1-5-21-1151667668-222068009-1375177606-1008 > SID[ 5]: S-1-22-2-1000 > SID[ 6]: S-1-1-0 > SID[ 7]: S-1-5-2 > SID[ 8]: S-1-5-11 > SID[ 9]: S-1-5-21-1151667668-222068009-1375177606-1009 > SID[ 10]: S-1-22-1-1003 > SID[ 11]: S-1-22-2-101 > SID[ 12]: S-1-22-2-1001 > SID[ 13]: S-1-22-2-1002 > SID[ 14]: S-1-22-2-1003 > Privileges (0x 0): > Rights (0x 0): > [2020/06/05 16:40:40.673111, 5, pid=2781, effective(0, 0), real(0, 0)] > ../../source3/auth/token_util.c:866(debug_unix_user_toke > UNIX token of user 1003 > Primary group is 101 and contains 5 supplementary groups > Group[ 0]: 101 > Group[ 1]: 1001 > Group[ 2]: 1002 > Group[ 3]: 1000 > Group[ 4]: 1003 > > 5. Why "bbb" user is notin d_group but the Security token SIDs will have > d_group's sid (S-1-5-21-1151667668-222068009-1375177606-1009) ?? > I thinks this is the reason why i be denied to access "f1". Because in > program /source3/smbd/share_access.c function "token_contains_name" > will check "nt_token_check_sid" & "user_in_netgroup". But i absolutely > sure my user "bbb" is not in netgroup, the problem > is on function "nt_token_check_sid". Function "nt_token_check_sid" will > check Security token SIDs if match. > > # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1010 > XN7004T-FF1628\bbb 1 > # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1003 > XN7004T-FF1628\User_Group 4 > # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1006 > XN7004T-FF1628\b_group 4 > # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1008 > XN7004T-FF1628\c_group 4 > # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1009 > XN7004T-FF1628\d_group 4 > # wbinfo --sid-to-name=S-1-22-1-1003 > Unix User\bbb 1 > # wbinfo --sid-to-name=S-1-22-1-101 > Unix User\davfs2 1 > # wbinfo --sid-to-name=S-1-22-1-1001 > Unix User\aaa 1 > # wbinfo --sid-to-name=S-1-22-1-1002 > Unix User\1002 1 > # wbinfo --sid-to-name=S-1-22-1-1003 > Unix User\bbb 1 > > > 6. My questions are: > 1. How samba to get Security token SIDs ? > 2. And i wonder whate reason will cause the Security token SIDs mess up > ? > > > Note: This issue is occurs in random. Sometimes you will get the true sids > but sometimes is not. > > > > Thanks, > Jeremy >
Rowland penny
2020-Jun-13 18:52 UTC
[Samba] It seems to have bug for @group to set in valid or invalid conf
On 13/06/2020 16:35, Jeremy via samba wrote:> No one care then i closed it. Thanks. >It isn't that no one cares, it is just that no one knows the answer :-( You could try removing the double quotes and the '@' from the write list and valid users lines I take it that you have created Samba users with 'smbpasswd -a username' You should also add 'security = user' to your smb.conf Rowland
Jeremy
2020-Jun-14 15:54 UTC
[Samba] It seems to have bug for @group to set in valid or invalid conf
Thanks, Rowland. i will try your suggestions. Thanks. Jeremy On Sat, Jun 13, 2020 at 11:35 PM Jeremy <jeremy55662004 at gmail.com> wrote:> No one care then i closed it. Thanks. > > On Fri, Jun 5, 2020 at 5:18 PM Jeremy <jeremy55662004 at gmail.com> wrote: > >> Hi all, >> >> I am using samba 4.10.7 and it seems to have bug for using @group in >> valid or invalid conf (?). And i can't find fixed patch in later release. I >> describe this issue detail below: >> >> 1. Firstly, there is my samba conf below (Add @d_group in "invalid >> users"): >> (smb_share.conf) >> [f1] >> path = /home/f1 >> write list = "admin" "@Administrator_Group" "@User_Group" "root" >> invalid users = "guest" "@d_group" >> valid users = "admin" "@Administrator_Group" "@User_Group" "root" >> browsable = Yes >> public = Yes >> force directory mode = 0777 >> directory mode = 0777 >> force create mode = 0777 >> create mask = 0777 >> recycle:repository = @recycle >> recycle:directory_mode = 0777 >> recycle:keeptree = yes >> recycle:versions = yes >> recycle:exclude_dir = .streams >> recycle:minsize = 1 >> vfs objects = shadow_copy2 catia fruit streams_xattr streams_depot >> aio_pthread recycle >> shadow: format = %Y%m%d-%H%M%S >> shadow: sort = desc >> shadow: snapdir = .snapshot >> shadow: localtime = yes >> fruit:nfs_aces = no >> fruit:veto_appledouble = no >> aio read size = 65536 >> aio write size = 1 >> aio_pthread:aio num threads = 1024 >> smb encrypt = disabled >> (global.conf) >> [global] >> deadtime = 1 >> guest account = guest >> map to guest = Never >> log file = /home/samba/log/ >> max log size = 500000 >> load printers = no >> printcap name = /dev/null >> printing = bsd >> dns proxy = no >> max protocol = SMB3 >> use sendfile = Yes >> socket options = SO_SNDBUF=33554432 TCP_NODELAY >> inherit acls = Yes >> map acl inherit = Yes >> store dos attributes = Yes >> inherit permissions = Yes >> delete veto files = yes >> ntlm auth = yes >> streams_depot:delete_lost = yes >> ldap timeout = 300 >> smb2 max write = 1048576 >> state directory = /home/samba_state >> lock directory = /var/lock/samba >> cache directory = /home/samba_cache >> log level = 10 >> nt acl support = no >> >> 2. I add the user bbb in my debian and not in group "d_group": >> # getent group >> root:x:0:root >> Administrator_Group:x:1:admin >> User_Group:x:101:admin,aaa,bbb >> Guest_Group:x:65534:guest >> Hidden_Group:x:201:admin >> fuse:x:102:admin >> davfs2:x:103:davfs2 >> a_group:x:1000:aaa,bbb >> b_group:x:1001:aaa,bbb >> c_group:x:1002:bbb >> d_group:x:1003: >> >> >> 3. But when i open samba log and trying use user bbb to login //$myip/f1 >> on Windows and i got the denied permission. >> But user bbb is not in d_group. There are somethings mess up. >> >> 4. I saw the log in samba below: >> [2020/06/05 16:40:40.672747, 10, pid=2781, effective(0, 0), real(0, 0), >> class=vfs] ../../source3/smbd/vfs.c:65(vfs_find_backend_ >> vfs_find_backend_entry called for /[Default VFS]/ >> Successfully loaded vfs module [/[Default VFS]/] with the new modules >> system >> [2020/06/05 16:40:40.672789, 10, pid=2781, effective(0, 0), real(0, 0)] >> ../../source3/smbd/service.c:70(set_conn_connectpath) >> set_conn_connectpath: service IPC$, connectpath = /tmpfs/tmp >> [2020/06/05 16:40:40.672815, 10, pid=2781, effective(0, 0), real(0, 0)] >> ../../source3/smbd/share_access.c:220(user_ok_token) >> user_ok_token: share IPC$ is ok for unix user bbb >> [2020/06/05 16:40:40.672840, 10, pid=2781, effective(0, 0), real(0, 0)] >> ../../source3/smbd/share_access.c:271(is_share_read_only >> is_share_read_only_for_user: share IPC$ is read-only for unix user bbb >> [2020/06/05 16:40:40.672868, 10, pid=2781, effective(0, 0), real(0, 0)] >> ../../libcli/security/access_check.c:366(se_file_access_ >> se_file_access_check: MAX desired = 0x2000000 mapped to 0x1f01ff >> [2020/06/05 16:40:40.672915, 4, pid=2781, effective(0, 0), real(0, 0)] >> ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal) >> setting sec ctx (1003, 101) - sec_ctx_stack_ndx = 0 >> [2020/06/05 16:40:40.672941, 5, pid=2781, effective(0, 0), real(0, 0)] >> ../../libcli/security/security_token.c:63(security_token >> Security token SIDs (15): >> SID[ 0]: S-1-5-21-1151667668-222068009-1375177606-1010 >> SID[ 1]: S-1-5-21-1151667668-222068009-1375177606-513 >> SID[ 2]: S-1-5-21-1151667668-222068009-1375177606-1003 >> SID[ 3]: S-1-5-21-1151667668-222068009-1375177606-1006 >> SID[ 4]: S-1-5-21-1151667668-222068009-1375177606-1008 >> SID[ 5]: S-1-22-2-1000 >> SID[ 6]: S-1-1-0 >> SID[ 7]: S-1-5-2 >> SID[ 8]: S-1-5-11 >> SID[ 9]: S-1-5-21-1151667668-222068009-1375177606-1009 >> SID[ 10]: S-1-22-1-1003 >> SID[ 11]: S-1-22-2-101 >> SID[ 12]: S-1-22-2-1001 >> SID[ 13]: S-1-22-2-1002 >> SID[ 14]: S-1-22-2-1003 >> Privileges (0x 0): >> Rights (0x 0): >> [2020/06/05 16:40:40.673111, 5, pid=2781, effective(0, 0), real(0, 0)] >> ../../source3/auth/token_util.c:866(debug_unix_user_toke >> UNIX token of user 1003 >> Primary group is 101 and contains 5 supplementary groups >> Group[ 0]: 101 >> Group[ 1]: 1001 >> Group[ 2]: 1002 >> Group[ 3]: 1000 >> Group[ 4]: 1003 >> >> 5. Why "bbb" user is notin d_group but the Security token SIDs will have >> d_group's sid (S-1-5-21-1151667668-222068009-1375177606-1009) ?? >> I thinks this is the reason why i be denied to access "f1". Because in >> program /source3/smbd/share_access.c function "token_contains_name" >> will check "nt_token_check_sid" & "user_in_netgroup". But i absolutely >> sure my user "bbb" is not in netgroup, the problem >> is on function "nt_token_check_sid". Function "nt_token_check_sid" >> will check Security token SIDs if match. >> >> # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1010 >> XN7004T-FF1628\bbb 1 >> # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1003 >> XN7004T-FF1628\User_Group 4 >> # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1006 >> XN7004T-FF1628\b_group 4 >> # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1008 >> XN7004T-FF1628\c_group 4 >> # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1009 >> XN7004T-FF1628\d_group 4 >> # wbinfo --sid-to-name=S-1-22-1-1003 >> Unix User\bbb 1 >> # wbinfo --sid-to-name=S-1-22-1-101 >> Unix User\davfs2 1 >> # wbinfo --sid-to-name=S-1-22-1-1001 >> Unix User\aaa 1 >> # wbinfo --sid-to-name=S-1-22-1-1002 >> Unix User\1002 1 >> # wbinfo --sid-to-name=S-1-22-1-1003 >> Unix User\bbb 1 >> >> >> 6. My questions are: >> 1. How samba to get Security token SIDs ? >> 2. And i wonder whate reason will cause the Security token SIDs mess >> up ? >> >> >> Note: This issue is occurs in random. Sometimes you will get the true >> sids but sometimes is not. >> >> >> >> Thanks, >> Jeremy >> >
Possibly Parallel Threads
- It seems to have bug for @group to set in valid or invalid conf
- Yum update erased jdk, jre, and fuse-davfs2
- mount -t devfs
- Some issues for Samba 4.10.7 on ZFS 0.8.1
- Got unexpected error occurred (error code -50) when using Mac OS X 10.12.6 access samba 4.10.7