IPC User Problem (was Situational Deadlock)
Esh, Andrew
Andrew_Esh at adaptec.com
Wed Jan 28 19:16:10 GMT 2004
After more digging, I have learned more about the problem I am seeing. I noticed the log entries which were reporting the problem were referring to "\srvsvc", not the share I was trying to access:
[2004/01/28 11:59:59, 5, pid=10907, effective(0, 0), real(0, 0)] lib/util.c:show_msg(459)
size=100
smb_com=0xa2
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=32771
smb_tid=1
smb_pid=57376
smb_uid=103
smb_mid=1152
smt_wct=24
smb_vwv[ 0]= 255 (0xFF)
smb_vwv[ 1]= 0 (0x0)
smb_vwv[ 2]= 3584 (0xE00)
smb_vwv[ 3]= 1536 (0x600)
smb_vwv[ 4]= 0 (0x0)
smb_vwv[ 5]= 0 (0x0)
smb_vwv[ 6]= 0 (0x0)
smb_vwv[ 7]=40704 (0x9F00)
smb_vwv[ 8]= 513 (0x201)
smb_vwv[ 9]= 0 (0x0)
smb_vwv[10]= 0 (0x0)
smb_vwv[11]= 0 (0x0)
smb_vwv[12]= 0 (0x0)
smb_vwv[13]= 0 (0x0)
smb_vwv[14]= 0 (0x0)
smb_vwv[15]= 768 (0x300)
smb_vwv[16]= 0 (0x0)
smb_vwv[17]= 256 (0x100)
smb_vwv[18]= 0 (0x0)
smb_vwv[19]= 0 (0x0)
smb_vwv[20]= 0 (0x0)
smb_vwv[21]= 512 (0x200)
smb_vwv[22]= 0 (0x0)
smb_vwv[23]= 256 (0x100)
smb_bcc=17
[2004/01/28 11:59:59, 10, pid=10907, effective(0, 0), real(0, 0)] lib/util.c:dump_data(1830)
[000] 9C 5C 00 73 00 72 00 76 00 73 00 76 00 63 00 00 .\.s.r.v .s.v.c..
[010] 00 .
[2004/01/28 11:59:59, 3, pid=10907, effective(0, 0), real(0, 0)] smbd/process.c:switch_message(685)
switch message SMBntcreateX (pid 10907)
[2004/01/28 11:59:59, 2, pid=10907, effective(0, 0), real(0, 0)] smbd/uid.c:change_to_user(141)
change_to_user: Invalid vuid used 103 or vuid not permitted access to share.
[2004/01/28 11:59:59, 3, pid=10907, effective(0, 0), real(0, 0)] smbd/error.c:error_packet(114)
error packet at smbd/process.c(739) cmd=162 (SMBntcreateX) NT_STATUS_NETWORK_ACCESS_DENIED
This is trying to create a connection to the IPC$ service. The user name is "golem_", and golem's vuid is 103. The IPC$ services had been opened by "nobody", which is the "guest" or default user, whose vuid is 100:
[root@r2c1n114 upgradetfs]# smbstatus
Samba version 3.0.1_adaptec
PID Username Group Machine
-------------------------------------------------------------------
10907 golem_ friends r4c5w115 (10.55.45.115)
Service uid gid pid machine (connect from ip) on date
-------------------------------------------------------------------------------------------------------------
golem_ golem_ friends 10907 r4c5w115 (10.55.45.115) Wed Jan 28 11:59:20 2004
upgrade golem_ root 10907 r4c5w115 (10.55.45.115) Wed Jan 28 12:40:19 2004
IPC$ nobody friends 10907 r4c5w115 (10.55.45.115) Wed Jan 28 12:38:38 2004
No locked files
Because of this, the following snippet of code in smbd/uid.c:check_user_ok(68) denies access, because I am using "force group", and "golem_" (vuid=103) does not match user "nobody" (vuid=100).
    if ((conn->force_user || conn->force_group)
        && (conn->vuid != vuser->vuid)) {
            return False;
    }
During the debugging session, I left gdb stopped long enough (while I stared at this) for the process to become stale. The client severed the connection and started a new one. The new connection has no problem accessing "\srvsvc", because it was connected to by the right user:
[root@r2c1n114 /root]# smbstatus
Samba version 3.0.1_adaptec
PID Username Group Machine
-------------------------------------------------------------------
21208 golem_ friends r4c5w115 (10.55.45.115)
Service uid gid pid machine (connect from ip) on date
-------------------------------------------------------------------------------------------------------------
upgrade golem_ root 21208 r4c5w115 (10.55.45.115) Wed Jan 28 12:57:42 2004
IPC$ golem_ friends 21208 r4c5w115 (10.55.45.115) Wed Jan 28 12:57:29 2004
No locked files
So my question is: Is there something I can do to make sure the IPC connection is obtained by, or converted for, the right user? Or should I add something to the code in check_user_ok to allow any user's vuid to connect to the IPC service?
I'll try the latter while you're thinking about it.
---
Andrew C. Esh mail:Andrew_Esh[at]adaptec.com
Adaptec, Inc.
2905 Northwest Blvd., Suite 20 763-557-9005 (main)
Plymouth, MN 55441-2644 USA 763-551-6418 (direct)
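
The condition described in the message above (IPC$ held by a different user than the session owner of the same smbd process) can be checked from smbstatus output before changing check_user_ok. The following is an added example, not part of the original post or of Samba; the function names are hypothetical, and it assumes the Samba 3.0.1 smbstatus layout shown in the post, with no spaces in user or service names.

```python
import re
from collections import defaultdict

# Sample input: the first smbstatus listing from the post (Samba 3.0.1 layout).
SAMPLE = """\
Samba version 3.0.1_adaptec
PID Username Group Machine
-------------------------------------------------------------------
10907 golem_ friends r4c5w115 (10.55.45.115)
Service uid gid pid machine (connect from ip) on date
-------------------------------------------------------------------------------------------------------------
golem_ golem_ friends 10907 r4c5w115 (10.55.45.115) Wed Jan 28 11:59:20 2004
upgrade golem_ root 10907 r4c5w115 (10.55.45.115) Wed Jan 28 12:40:19 2004
IPC$ nobody friends 10907 r4c5w115 (10.55.45.115) Wed Jan 28 12:38:38 2004
No locked files
"""

# Session table row: "PID Username Group Machine (ip)"
SESSION = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\(([\d.]+)\)\s*$")
# Service table row: "Service uid gid pid machine (ip) date"
SERVICE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+\(([\d.]+)\)\s+(.*)$")

def parse_smbstatus(text):
    """Return ({pid: session_user}, {pid: [(service, uid), ...]})."""
    sessions, services = {}, defaultdict(list)
    for line in text.splitlines():
        m = SESSION.match(line)
        if m:
            sessions[int(m.group(1))] = m.group(2)
            continue
        m = SERVICE.match(line)
        if m:
            services[int(m.group(4))].append((m.group(1), m.group(2)))
    return sessions, services

def ipc_owner_mismatches(text):
    """List (pid, session_user, ipc_uid) where IPC$ belongs to another user."""
    sessions, services = parse_smbstatus(text)
    found = []
    for pid, conns in services.items():
        for service, uid in conns:
            if service == "IPC$" and pid in sessions and uid != sessions[pid]:
                found.append((pid, sessions[pid], uid))
    return sorted(found)

if __name__ == "__main__":
    for pid, user, ipc_uid in ipc_owner_mismatches(SAMPLE):
        print(f"pid {pid}: session user {user!r}, IPC$ opened as {ipc_uid!r}")
```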