Fyodor Kravchenko
2024-Feb-01 15:40 UTC
[Samba] Samba omitting the user group setting, might be a bug
Hello,

I am experiencing a strange behaviour that I think might be a bug. I was advised to consult the mailing list instead of trying to file a bug, so here it is.

I have a user `kate` which is both a member of a `family` group and a `feddkate` group. There is a share called `FeddAndKate` which I want to be accessible to the `feddkate` group but not to a `family` group, and I've set up the permissions accordingly.

Everything works as expected when kate, fedd or others log in via ssh, but Samba fails to adhere to the permissions set.

The strangest thing is that when I log in as `kate` for the first time it lets her see the `ls`:

```
$ smbclient -U kate \\\\10.75.9.21\\FeddKate
Password for [LITTLEBASKET\kate]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jan 30 18:55:09 2024
  ..                                  D        0  Mon Dec 18 16:09:48 2023
  uvedomlenie.pdf                     N   361117  Mon Jan 12 18:25:29 2015
......etc.........
```

However when I exit and log in again it suddenly restricts her from seeing the directory contents:

```
$ smbclient -U kate \\\\10.75.9.21\\FeddKate
Password for [LITTLEBASKET\kate]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
```

The log file on debug level 6 looks different for both situations.

Here the directory list works:

```
[2024/01/30 23:48:22.301508,  4] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
  setting sec ctx (1000, 1000) - sec_ctx_stack_ndx = 0
[2024/01/30 23:48:22.301520,  5] ../../libcli/security/security_token.c:56(security_token_debug)
  Security token SIDs (10):
    SID[  0]: S-1-5-21-3975486732-3624466930-94389381-1001
    SID[  1]: S-1-5-21-3975486732-3624466930-94389381-513
    SID[  2]: S-1-5-21-3975486732-3624466930-94389381-1003
    SID[  3]: S-1-22-2-100
    SID[  4]: S-1-1-0
    SID[  5]: S-1-5-2
    SID[  6]: S-1-5-11
    SID[  7]: S-1-22-1-1000
    SID[  8]: S-1-22-2-1000
    SID[  9]: S-1-22-2-1001
   Privileges (0x               0):
   Rights (0x               0):
[2024/01/30 23:48:22.301575,  5] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 1000
  Primary group is 1000 and contains 2 supplementary groups
  Group[  0]: 1001
  Group[  1]: 100
[2024/01/30 23:48:22.301613,  5] ../../source3/smbd/uid.c:293(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(1000,1000), gid=(0,1000), cwd=[/]
[2024/01/30 23:48:22.301630,  4] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2024/01/30 23:48:22.301641,  5] ../../libcli/security/security_token.c:52(security_token_debug)
  Security token: (NULL)
[2024/01/30 23:48:22.301651,  5] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2024/01/30 23:48:22.301676,  5] ../../source3/smbd/uid.c:493(smbd_change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2024/01/30 23:48:22.301710,  2] ../../source3/smbd/service.c:852(make_connection_snum)
  fdell (ipv4:10.75.6.119:41506) connect to service FeddKate initially as user kate (uid=1000, gid=1000) (pid 1183)
[2024/01/30 23:48:22.301726,  5] ../../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for /run/samba/smbXsrv_tcon_global.tdb
[2024/01/30 23:48:22.301741,  5] ../../lib/dbwrap/dbwrap.c:178(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for /run/samba/smbXsrv_tcon_global.tdb
[2024/01/30 23:48:22.301762,  5] ../../libcli/smb/smb2_signing.c:173(smb2_signing_sign_pdu)
  signed SMB2 message
......etc............
```

Here it denies permission (disregard the clock, collected it from different parts of the log file):

```
[2024/01/30 23:41:10.198795,  4] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
  setting sec ctx (1000, 1000) - sec_ctx_stack_ndx = 0
[2024/01/30 23:41:10.198830,  5] ../../libcli/security/security_token.c:56(security_token_debug)
  Security token SIDs (9):
    SID[  0]: S-1-5-21-3975486732-3624466930-94389381-1001
    SID[  1]: S-1-5-21-3975486732-3624466930-94389381-513
    SID[  2]: S-1-5-21-3975486732-3624466930-94389381-1003
    SID[  3]: S-1-22-2-100
    SID[  4]: S-1-1-0
    SID[  5]: S-1-5-2
    SID[  6]: S-1-5-11
    SID[  7]: S-1-22-1-1000
    SID[  8]: S-1-22-2-1000
   Privileges (0x               0):
   Rights (0x               0):
[2024/01/30 23:41:10.198906,  5] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 1000
  Primary group is 1000 and contains 1 supplementary groups
  Group[  0]: 100
[2024/01/30 23:41:10.198946,  4] ../../source3/smbd/vfs.c:939(vfs_ChDir)
  vfs_ChDir to /srv/archive/FeddAndKate
[2024/01/30 23:41:10.198968,  0] ../../source3/smbd/service.c:166(chdir_current_service)
  chdir_current_service: vfs_ChDir(/srv/archive/FeddAndKate) failed: Permission denied. Current token: uid=1000, gid=1000, 1 groups: 100
[2024/01/30 23:41:10.198997,  3] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3147
-----etc---etc......
```

I've googled somebody with a similar behaviour of Samba omitting an arbitrary group, and found a bug report regarding this line of code:

https://github.com/samba-team/samba/blob/9b2f2302ee4828ae54f5903a3bf649ffd255fb4a/source3/auth/auth_util.c#L635

This is the bug report: https://bugzilla.samba.org/show_bug.cgi?id=10618

It says resolved-fixed but not for my situation.

Have to add about the environment - this is an unprivileged TurnKey Fileserver Linux container run under Proxmox. The extensive googling for the problem suggests Samba will not work in such environment because of ACL and such, but I need a fileserver as an unprivileged container, mapping the same directories the FileServer would serve to other containers, and if not for this little bug I'd be quite happy.

Do the user groups come in different order from system to Samba in my environment, or cached somewhere between the logins, so we can't arbitrarily expect the zeroth ID to be of the type `BOTH`?

Best regards,
fedd
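An added example, not part of the original post and not Samba code: a small Python helper that parses the token dumps of the two sessions logged above and reports which supplementary group and SID the failing session lost. The excerpts are trimmed from the post's logs, and the function names are hypothetical.

```python
import re

SID_RE = re.compile(r"SID\[\s*\d+\]:\s*(S-[\d-]+)")
GID_RE = re.compile(r"Group\[\s*\d+\]:\s*(\d+)")
COUNT_RE = re.compile(r"Primary group is (\d+) and contains (\d+) supplementary groups")

# Trimmed excerpts of the two sessions logged in the post (one token block each).
WORKING = """
  Security token SIDs (10):
    SID[  3]: S-1-22-2-100
    SID[  7]: S-1-22-1-1000
    SID[  8]: S-1-22-2-1000
    SID[  9]: S-1-22-2-1001
  UNIX token of user 1000
  Primary group is 1000 and contains 2 supplementary groups
  Group[  0]: 1001
  Group[  1]: 100
"""
FAILING = """
  Security token SIDs (9):
    SID[  3]: S-1-22-2-100
    SID[  7]: S-1-22-1-1000
    SID[  8]: S-1-22-2-1000
  UNIX token of user 1000
  Primary group is 1000 and contains 1 supplementary groups
  Group[  0]: 100
"""

def parse_token(block):
    """Parse one session's token dump into SIDs, primary gid and supplementary gids."""
    m = COUNT_RE.search(block)
    if m is None:
        raise ValueError("no UNIX token dump in this excerpt")
    gids = [int(g) for g in GID_RE.findall(block)]
    if len(gids) != int(m.group(2)):  # truncated excerpt or several blocks pasted together
        raise ValueError(f"header says {m.group(2)} groups, found {len(gids)}")
    return {"primary": int(m.group(1)), "groups": set(gids), "sids": set(SID_RE.findall(block))}

def diff_tokens(good, bad):
    """List what the working session's token carries that the failing one lacks."""
    lost_sids = good["sids"] - bad["sids"]
    # S-1-22-2-<gid> is the SID Samba assigns to a Unix group, so its last field is the gid.
    lost_unix = {int(s.rsplit("-", 1)[1]) for s in lost_sids if s.startswith("S-1-22-2-")}
    lost_gids = good["groups"] - bad["groups"]
    return {"gids": sorted(lost_gids), "sids": sorted(lost_sids), "consistent": lost_unix == lost_gids}

if __name__ == "__main__":
    print(diff_tokens(parse_token(WORKING), parse_token(FAILING)))
```

Feed it one token block per session; an excerpt containing several `UNIX token` dumps (for example the root token that follows in the same log) is rejected by the group-count check.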
Marco Gaiarin
2024-Feb-05 13:44 UTC
[Samba] Samba omitting the user group setting, might be a bug
Hello! Fyodor Kravchenko via samba
  On that day it was said...

> Have to add about the environment - this is an unprivileged TurnKey
> Fileserver Linux container run under Proxmox. The extensive googling for
> the problem suggests Samba will not work in such environment because of
> ACL and such, but I need a fileserver as an unprivileged container,
> mapping the same directories the FileServer would serve to other
> containers, and if not for this little bug I'd be quite happy.

What PVE version? Try adding:

```
features: nesting=1
```

that is the default for new containers for PVE7 onward, but not added automatically for PVE6 containers.

--
To find anything on MS sites you have to use Google :-)
(Simo Sorce, from samba-it)