Trusted AD user who belongs to "valid users" can not access Samba Server on samba-3.6.5

jinyunshuai jinyunshuai at 126.com
Wed Jul 25 01:30:03 MDT 2012


 
The log is as follows:
 
 [0030] 00 45 00 53 00 54 00 00   00 3F 3F 3F 3F 3F 00     .E.S.T.. .?????.
[2012/07/25 15:19:28.998595,  3] smbd/process.c:1467(switch_message)
  switch message SMBtconX (pid 24005) conn 0x0
[2012/07/25 15:19:28.998682,  4] smbd/sec_ctx.c:318(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/07/25 15:19:28.998765,  5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2012/07/25 15:19:28.998846,  5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2012/07/25 15:19:28.998973,  5] smbd/uid.c:400(change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2012/07/25 15:19:28.999070,  4] smbd/reply.c:794(reply_tcon_and_X)
  Client requested device type [?????] for share [SAMBA-TEST]
[2012/07/25 15:19:28.999175,  5] smbd/service.c:1321(make_connection)
  making a connection to 'normal' service samba-test
[2012/07/25 15:19:28.999267,  3] lib/access.c:338(allow_access)
  Allowed connection from 192.168.97.193 (192.168.97.193)
[2012/07/25 15:19:28.999365,  3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
  string_to_sid: SID +Adomain\sag1 is not in a valid format
[2012/07/25 15:19:28.999462, 10] passdb/lookup_sid.c:76(lookup_name)
  lookup_name: Adomain\sag1 => domain=[Adomain], name=[sag1]
[2012/07/25 15:19:28.999549, 10] passdb/lookup_sid.c:77(lookup_name)
  lookup_name: flags = 0x077
[2012/07/25 15:19:29.013140, 10] smbd/share_access.c:219(user_ok_token)
  User Bdomain\test1 not in 'valid users'
[2012/07/25 15:19:29.013246,  2] smbd/service.c:627(create_connection_session_info)
  user 'Bdomain\test1' (from session setup) not permitted to access this share (samba-test)
[2012/07/25 15:19:29.013339,  1] smbd/service.c:770(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2012/07/25 15:19:29.013437,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2012/07/25 15:19:29.013530,  5] lib/util.c:332(show_msg)
[2012/07/25 15:19:29.013579,  5] lib/util.c:342(show_msg)


At 2012-07-24 23:04:06,"Richard Sharpe" <realrichardsharpe at gmail.com> wrote:
>On Tue, Jul 24, 2012 at 1:57 AM, jinyunshuai <jinyunshuai at 126.com> wrote:
>> Hi folks,
>>
>> I found a new issue on samba-3.6.5 : "Trusted AD user who belongs to "valid users" can
>> not access Samba Server on samba-3.6.5"
>>
>> Adomain and Bdomain trust each other.
>> samba server is joined to Adomain.
>> user test1 is a normal AD user from Bdomain.test, but it is a member of group "Adomain\sag1"
>>
>> Edit smb.conf, then set "valid users" to be an AD group for samba share named
>> valid-users-test
>> ---------------------------------
>> [valid-users-test]
>>     path = /valid-users-test
>>     public = no
>>     valid users = +Adomain\sag1
>>     writable = yes
>>
>> Try to access samba server via test1.
>> --------------------------------
>> root at ubdesk1004x64v2:/# smbclient -U 'Bdomain\test1'%'pas$word'  //samba-server/valid-users-test
>>
>> Domain=[ASMB] OS=[Unix] Server=[Samba 3.6.5]
>> tree connect failed: NT_STATUS_ACCESS_DENIED
>>
>> This issue does not exist on samba-3.5.11
>
>The first step here is to get a level 10 debug log and see why the
>TreeConnect is failing.
>
>-- 
>Regards,
>Richard Sharpe
>(What can dispel sorrow? Only Du Kang. --Cao Cao)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: log.smbd
Type: application/octet-stream
Size: 66920 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120725/e106895a/attachment.obj>
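
For triaging a level 10 log.smbd like the one in this message, the following added example (not part of the original thread and not Samba code) groups smbd header lines with their message lines and reports each share denial together with the 'valid users' names that smbd looked up for that tree connect. The regular expressions are assumptions based on the message wording in the excerpt above and may need adjusting for other Samba versions; the sample input is constructed from lines of that excerpt.

```python
import re

# Constructed sample: lines copied from the log excerpt in this thread.
SAMPLE_LOG = """\
[2012/07/25 15:19:28.999175,  5] smbd/service.c:1321(make_connection)
  making a connection to 'normal' service samba-test
[2012/07/25 15:19:28.999462, 10] passdb/lookup_sid.c:76(lookup_name)
  lookup_name: Adomain\\sag1 => domain=[Adomain], name=[sag1]
[2012/07/25 15:19:29.013140, 10] smbd/share_access.c:219(user_ok_token)
  User Bdomain\\test1 not in 'valid users'
[2012/07/25 15:19:29.013246,  2] smbd/service.c:627(create_connection_session_info)
  user 'Bdomain\\test1' (from session setup) not permitted to access this share (samba-test)
[2012/07/25 15:19:29.013339,  1] smbd/service.c:770(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
"""

# Header: [timestamp, debug level] source_file:line(function)
HEADER = re.compile(r"^\[([\d/]+ [\d:.]+),\s*(\d+)\] \S+\((\w+)\)")
DENIED = re.compile(r"user '([^']+)' \(from session setup\) "
                    r"not permitted to access this share \(([^)]+)\)")
LOOKUP = re.compile(r"lookup_name: (\S+) => domain=\[")

def parse_records(text):
    """Group each smbd header line with the indented message lines after it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, level, func = m.groups()
            records.append({"ts": ts, "level": int(level), "func": func, "msg": []})
        elif records and line.startswith("  "):
            records[-1]["msg"].append(line.strip())
    return records

def share_denials(text):
    """Return one dict per denied tree connect, with the names looked up for it."""
    denials, lookups = [], []
    for rec in parse_records(text):
        body = " ".join(rec["msg"])
        if rec["func"] == "make_connection":
            lookups = []                      # a new tree connect starts here
        elif (m := LOOKUP.search(body)):
            lookups.append(m.group(1))        # name taken from 'valid users'
        elif (m := DENIED.search(body)):
            denials.append({"ts": rec["ts"], "user": m.group(1),
                            "share": m.group(2), "checked": lookups})
    return denials

if __name__ == "__main__":
    for d in share_denials(SAMPLE_LOG):
        print(d)
```
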