[Samba] User Administrator (and only it) access denied on member server

Alex Wakizashi alex at wakizashi.info
Sun Oct 27 09:26:56 MDT 2013


Hi all,

I have found the reason for the Samba behavior mentioned in this mail's subject.
My initial assumption about the hardcoding was wrong - it happens
because of the following:

Samba converts the user name to lowercase for getpwnam(), regardless
of the fact that the name in the system may have uppercase letters - as it's
taken from "sAMAccountName" by winbind, for example.
So getpwnam() will never find it.
The name in the Kerberos ticket depends on the kinit argument, or on the
username used for the Windows login - and it's not relevant (access
denied in any case).

So, if a user account has a "sAMAccountName" with mixed lower case and
upper case - like "Administrator" - Samba tries to look for user
"administrator" and can't find it.
After fixing it in AD (setting sAMAccountName to "administrator")
everything works fine.

To prove it, I have done a few tests:
1. Add user "TestUser" with samba-tool, fix rfc2307 attributes.
2. kinit TestUser
3. smbclient -k -L cheetah

Result - access denied!

The user is in the system via nslcd:

root at nas:~# getent passwd | grep TestUser
TestUser:*:3000056:100::/home/TestUser:/bin/false

Log:

[2013/10/27 18:23:25.043964,  3]
../source3/smbd/sesssetup.c:138(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2013/10/27 18:23:25.044020,  3]
../source3/smbd/sesssetup.c:179(reply_sesssetup_and_X_spnego)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2013/10/27 18:23:25.062419,  3]
../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: TestUser []
[2013/10/27 18:23:25.062463,  3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [testuser at SAMBA.LOCAL.NET]
[2013/10/27 18:23:25.077742,  1]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username SAMBA\testuser is invalid on this system
[2013/10/27 18:23:25.077786,  1]
../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2013/10/27 18:23:25.077818,  1]
../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session
setup: NT_STATUS_ACCESS_DENIED
[2013/10/27 18:23:25.077982,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(279) cmd=115
(SMBsesssetupX) NT_STATUS_ACCESS_DENIED


Let's check another case - "testUser2"

root at nas:~# getent passwd | grep testUser
testUser2:*:3000057:100::/home/testUser2:/bin/false
root at nas:~# kdestroy
root at nas:~# kinit testUser2
Password for testUser2 at SAMBA.LOCAL.NET:
Warning: Your password will expire in 41 days on Sun Dec  8 18:22:28 2013
root at nas:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testUser2 at SAMBA.LOCAL.NET

Valid starting    Expires           Service principal
27/10/2013 18:30  28/10/2013 04:30  krbtgt/SAMBA.LOCAL.NET at SAMBA.LOCAL.NET
    renew until 28/10/2013 18:29

Let's check for access:

root at nas:~# smbclient -k -L cheetah
session setup failed: NT_STATUS_ACCESS_DENIED

So, again - Access denied.

And smbd log:

[2013/10/27 18:31:53.562042,  3]
../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: testUser2 []
[2013/10/27 18:31:53.562085,  3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [testUser2 at SAMBA.LOCAL.NET]
[2013/10/27 18:31:53.577491,  3] ../source3/param/loadparm.c:4838(lp_load_ex)
  lp_load_ex: refreshing parameters
[2013/10/27 18:31:53.577582,  3] ../source3/param/loadparm.c:750(init_globals)
  Initialising global parameters
[2013/10/27 18:31:53.577664,  3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
...
[2013/10/27 18:31:53.578582,  3] ../source3/param/loadparm.c:1773(lp_add_ipc)
  adding IPC service
[2013/10/27 18:31:53.585680,  3] ../source3/auth/auth_util.c:1247(check_account)
  Failed to find authenticated user SAMBA\testuser2 via getpwnam(),
denying access.
[2013/10/27 18:31:53.585842,  1]
../source3/auth/user_krb5.c:215(make_session_info_krb5)
  make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
[2013/10/27 18:31:53.585933,  1]
../source3/auth/auth_generic.c:119(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_NO_SUCH_USER)
[2013/10/27 18:31:53.586009,  1]
../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session
setup: NT_STATUS_ACCESS_DENIED
[2013/10/27 18:31:53.586234,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(279) cmd=115
(SMBsesssetupX) NT_STATUS_ACCESS_DENIED

So, the most interesting are the following lines:

[2013/10/27 18:31:53.585680,  3] ../source3/auth/auth_util.c:1247(check_account)
  Failed to find authenticated user SAMBA\testuser2 via getpwnam(),
denying access

Why has the username been converted to lowercase, while here:

[2013/10/27 18:31:53.562085,  3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [testUser2 at SAMBA.LOCAL.NET]

and here:
[2013/10/27 18:31:53.562042,  3]
../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: testUser2 []

it's processed "as is"?

IMHO that is a general issue, and needs to be fixed.

Possible workarounds:
1. Username mapping.
Suitable for a few users; needs to be done on all servers.

2. Modify account entries on the DC: add the rfc2307 attribute "uid", which
contains the "sAMAccountName" value converted to lowercase.
So all user names will be lower case then (need to disable mapping
"uid" to "sAMAccountName" in nslcd).
That is done by the script below, but it seems to work only with nslcd -
winbindd still uses sAMAccountName and ignores _that_ rfc2307
attribute (BUG to fix by the Samba team!)

Not tested with sssd, as I have trouble compiling it
against the Samba 4.1 development libraries.

3. Fix Samba4 (for example, to match the account name from the PAC, rather
than using getpwnam() with a lowercased name).
That is probably the best way.

But I'm too lazy for that, especially having a workaround with nslcd and a
script making all users rfc2307 compliant :)

Regards,
  Alex

PS: For those who like the idea of consistent UIDs across Linux
servers, here is a script below.
NIS_DOMAIN is needed for the Windows Admin tools to see Unix attributes by default.
ADMIN_UID allows setting the Administrator UID.
For groups it's the same idea, except call wbinfo with "-Y" instead
of "-S" and change the ldbsearch filter. For full coverage just add 2
internal groups on the DC:
SYSTEM:x:3000002:
Authenticated_Users:x:3000003:


--- fix_nonrfc_users.sh ---
#!/bin/bash
# fix_nonrfc_users.sh - give AD user accounts that have no rfc2307 attributes
# a uidNumber (the UID winbindd already allocated on the DC), a lowercase
# "uid", home directory, login shell, gidNumber and NIS domain.

LDB_URI='ldap://samba'
NIS_DOMAIN="samba"
ADMIN_UID=500

# Read ldbsearch LDIF output and print one "dn;sid;uid;name" line per entry.
# Assumes the attributes arrive in the order dn, objectSid, sAMAccountName
# (sAMAccountName last, so it terminates the line).
readAll()
{
  while read -r line; do
    case "$line" in
      dn:*)
        dn=${line#dn: }
        printf '%s;' "$dn"
        ;;
      objectSid:*)
        sid=${line#objectSid: }
        # winbindd's internal mapping on the DC: SID -> UID
        uid=$(wbinfo -S "$sid" 2>/dev/null) || uid="WBINFO_ERROR"
        printf '%s;%s;' "$sid" "$uid"
        ;;
      sAMAccountName:*)
        # spaces in account names would break the ';'-separated fields
        name=$(printf '%s' "${line#sAMAccountName: }" | tr ' ' '_')
        printf '%s\n' "$name"
        ;;
    esac
  done
}

# Read "dn;sid;uid;name" lines and write the rfc2307 attributes to the DC.
addRfcAttributes()
{
  while IFS=';' read -r dn sid uid username; do
    if [ "$uid" = "WBINFO_ERROR" ]; then
      # Administrator has no winbindd UID mapping (it is root by default);
      # give it a fixed UID, skip everything else that cannot be mapped.
      if [ "$username" = "Administrator" ]; then
        uid=$ADMIN_UID
      else
        continue
      fi
    fi
    echo "$dn - $username:$uid"
    # ${username,,} (bash 4+) lowercases the name, so "uid" and the home
    # directory are all lower case - the workaround for the getpwnam() issue.
    ldbmodify -H "$LDB_URI" -k yes -i <<EOF
dn: $dn
changetype: modify
replace: uidNumber
uidNumber: $uid
-
replace: unixHomeDirectory
unixHomeDirectory: /home/${username,,}
-
replace: loginShell
loginShell: /bin/false
-
replace: gidNumber
gidNumber: 100
-
replace: uid
uid: ${username,,}
-
replace: msSFU30NisDomain
msSFU30NisDomain: $NIS_DOMAIN
EOF
  done
}

# Fix users which have no UID mapping from winbindd's internal mapping on the DC
# (persons without gidNumber, computers excluded):
ldbsearch -H "$LDB_URI" -k yes \
  '(&(&(objectClass=person)(!(gidNumber=*)))(!(objectClass=computer)))' \
  sAMAccountName objectSid | grep -v '^#\|^$' | readAll | addRfcAttributes

# Fix all users - used in the experiments or for the fixes:
#ldbsearch -H "$LDB_URI" -k yes \
#  '(&(objectClass=person)(!(objectClass=computer)))' sAMAccountName objectSid |
#  grep -v '^#\|^$' | readAll | addRfcAttributes

--- fix_nonrfc_users.sh ---

2013/10/27 Alex Wakizashi <alex at wakizashi.info>:
> Hello,
>
> 2013/10/27 steve <steve at steve-ss.com>:
>
>>> Why for "Administrator" is it looking for "SAMBA\Administrator", rather
>>> than "Administrator", while for other accounts it's working correctly?
>> Do you want the domain admin to be root of the linux member?
> No, and I have even changed its UID later.
> Just after a clean install, user "Administrator" has UID=0 - both
> through winbind and nslcd.
> So, "<DOMAIN>\Administrator" equals Linux "root" by default (which,
> IMHO, is wrong - who ever trusts Windows administrators? ;-) ).
>
> But the problem still exists - if connecting as domain user
> "Administrator", Samba tries to start the process as user
> "<DOMAIN_NAME>\Administrator", while all other users are treated
> normally.
> It seems to be some hardcoded buggy behavior in the Samba4 code.
>
>> If so, make a username map e.g. /home/alex/smbmap:
>> !root = SAMBA\Administrator SAMBA\administrator SAMBA\\Administrator
>> SAMBA\administrator
>>
>> (I've put the alternatives because I'm not sure if you need to escape
>> the \)
>>
>> then put it in smb.conf:
>> username map = /home/alex/smbmap
>
> Yes, thanks a lot! Completely forgot about username mapping :)
> I have created a username mapping to the existing user "Administrator", and
> it's working now:
>
> [2013/10/27 17:47:51.465624,  3]
> ../source3/smbd/sesssetup.c:138(reply_sesssetup_and_X_spnego)
>   Doing spnego session setup
> [2013/10/27 17:47:51.465652,  3]
> ../source3/smbd/sesssetup.c:179(reply_sesssetup_and_X_spnego)
>   NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
> [2013/10/27 17:47:51.478131,  3]
> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
>   Found account name from PAC: Administrator []
> [2013/10/27 17:47:51.478176,  3]
> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>   Kerberos ticket principal name is [administrator at SAMBA.LOCAL.NET]
> [2013/10/27 17:47:51.478224,  3] ../source3/auth/user_util.c:404(map_username)
>   Mapped user SAMBA\administrator to Administrator
>
>> I'm sure there must be an easier way but anyway. . .
> Well, I'm not sure - username mapping seems to be the easiest way.
>
> But IMHO it's a BUG - and such buggy behavior is somehow hardcoded somewhere...
> It should work the same way as for any other user, without workarounds
> such as username mapping, IMHO.
>
>> HTH
>> Steve
>
> Thanks a lot!
>
> Regards,
>   Alex

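As an added example that is not part of Alex's mail or of Samba itself, here is a small Python triage script for exactly the failure the smbd logs above show: it pairs each "Found account name from PAC" line with the getpwnam() / "is invalid on this system" failure that follows it, tells a case-only mismatch apart from a genuinely missing account by comparing against the names the member server knows (the getent output), and emits the matching smb.conf "username map" lines for Steve's workaround. The sample log lines are constructed from the messages quoted in this thread; the function names and the set of Unix account names are assumptions.

```python
"""Triage smbd logs for the mixed-case sAMAccountName -> getpwnam() failure.

Added example, not Samba code. SAMPLE_LOG and UNIX_NAMES are constructed from
the log excerpts and getent output quoted in the thread above.
"""
import re
from dataclasses import dataclass

PAC_RE = re.compile(r"Found account name from PAC: (\S+)")
# The two messages smbd emits when the lowercased name is not a system user:
LOOKUP_RE = re.compile(
    r"Failed to find authenticated user ([^\\]+)\\(\S+) via getpwnam\(\)")
INVALID_RE = re.compile(r"Username ([^\\]+)\\(\S+) is invalid on this system")


@dataclass
class Failure:
    pac_name: str   # account name as it appears in the PAC (sAMAccountName case)
    domain: str
    looked_up: str  # the name smbd actually handed to getpwnam()
    status: str     # "case-mismatch", "missing" or "present"


def classify(pac_name, looked_up, unix_names):
    """Explain why getpwnam(looked_up) failed, given the names the system knows."""
    if looked_up in unix_names:
        return "present"        # should have resolved; the problem is elsewhere
    if pac_name in unix_names:
        return "case-mismatch"  # the account exists, only the case differs
    return "missing"            # no nslcd/winbind/rfc2307 user for it at all


def triage(log_text, unix_names):
    """Pair each PAC account name with the lookup failure that follows it."""
    failures = []
    pac_name = None
    for line in log_text.splitlines():
        m = PAC_RE.search(line)
        if m:
            pac_name = m.group(1)
            continue
        m = LOOKUP_RE.search(line) or INVALID_RE.search(line)
        if m and pac_name is not None:
            domain, looked_up = m.group(1), m.group(2)
            failures.append(Failure(pac_name, domain, looked_up,
                                    classify(pac_name, looked_up, unix_names)))
            pac_name = None
    return failures


def username_map_lines(failures):
    """smb.conf 'username map' entries pointing the lowercased name back at the
    real Unix account. The leading '!' stops mapping once the line matches."""
    return [f"!{f.pac_name} = {f.domain}\\{f.looked_up}"
            for f in failures if f.status == "case-mismatch"]


# Constructed sample: one header+message pair per event, taken from the thread.
SAMPLE_LOG = r"""
[2013/10/27 18:23:25.062419,  3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: TestUser []
[2013/10/27 18:23:25.062463,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [testuser@SAMBA.LOCAL.NET]
[2013/10/27 18:23:25.077742,  1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username SAMBA\testuser is invalid on this system
[2013/10/27 18:31:53.562042,  3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: testUser2 []
[2013/10/27 18:31:53.585680,  3] ../source3/auth/auth_util.c:1247(check_account)
  Failed to find authenticated user SAMBA\testuser2 via getpwnam(), denying access.
[2013/10/27 17:47:51.478131,  3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: Administrator []
[2013/10/27 17:47:51.478224,  3] ../source3/auth/user_util.c:404(map_username)
  Mapped user SAMBA\administrator to Administrator
"""

# Constructed from the getent output in the thread (what the member server knows).
UNIX_NAMES = {"TestUser", "testUser2", "Administrator"}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, UNIX_NAMES):
        print(f"{f.pac_name}: smbd asked getpwnam() for {f.looked_up!r} -> {f.status}")
    print("\n".join(username_map_lines(triage(SAMPLE_LOG, UNIX_NAMES))))
```

On a real member server, feed it the smbd log at log level 3 and the first field of `getent passwd` for UNIX_NAMES; a "present" result means the failure is not this case issue and needs a different diagnosis.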
