Trusted AD user who belongs to "valid users" can not access Samba Server on samba-3.6.5
Richard Sharpe
realrichardsharpe at gmail.com
Wed Jul 25 10:58:24 MDT 2012
On Wed, Jul 25, 2012 at 12:30 AM, jinyunshuai <jinyunshuai at 126.com> wrote:
>
> the log as:
>
> [0030] 00 45 00 53 00 54 00 00 00 3F 3F 3F 3F 3F 00 .E.S.T.. .?????.
> [2012/07/25 15:19:28.998595, 3] smbd/process.c:1467(switch_message)
> switch message SMBtconX (pid 24005) conn 0x0
> [2012/07/25 15:19:28.998682, 4] smbd/sec_ctx.c:318(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2012/07/25 15:19:28.998765, 5]
> ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2012/07/25 15:19:28.998846, 5]
> auth/token_util.c:527(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2012/07/25 15:19:28.998973, 5] smbd/uid.c:400(change_to_root_user)
> change_to_root_user: now uid=(0,0) gid=(0,0)
> [2012/07/25 15:19:28.999070, 4] smbd/reply.c:794(reply_tcon_and_X)
> Client requested device type [?????] for share [SAMBA-TEST]
> [2012/07/25 15:19:28.999175, 5] smbd/service.c:1321(make_connection)
> making a connection to 'normal' service samba-test
> [2012/07/25 15:19:28.999267, 3] lib/access.c:338(allow_access)
> Allowed connection from 192.168.97.193 (192.168.97.193)
> [2012/07/25 15:19:28.999365, 3]
> ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
> string_to_sid: SID +Adomain\sag1 is not in a valid format
> [2012/07/25 15:19:28.999462, 10] passdb/lookup_sid.c:76(lookup_name)
> lookup_name: Adomain\sag1 => domain=[Adomain], name=[sag1]
> [2012/07/25 15:19:28.999549, 10] passdb/lookup_sid.c:77(lookup_name)
> lookup_name: flags = 0x077
> [2012/07/25 15:19:29.013140, 10] smbd/share_access.c:219(user_ok_token)
> User Bdomain\test1 not in 'valid users'
> [2012/07/25 15:19:29.013246, 2]
> smbd/service.c:627(create_connection_session_info)
> user 'Bdomain\test1' (from session setup) not permitted to access this
> share (samba-test)
> [2012/07/25 15:19:29.013339, 1] smbd/service.c:770(make_connection_snum)
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> [2012/07/25 15:19:29.013437, 3] smbd/error.c:81(error_packet_set)
> error packet at smbd/reply.c(803) cmd=117 (SMBtconX)
> NT_STATUS_ACCESS_DENIED
> [2012/07/25 15:19:29.013530, 5] lib/util.c:332(show_msg)
> [2012/07/25 15:19:29.013579, 5] lib/util.c:342(show_msg)
Looks like Samba or winbindd does not believe that Bdomain\test1 is a
member of Adomain\sag1.

Further back in the log there should be a list of SIDs in the user's
token when the logon occurred. Does the SID for Adomain\sag1 show up
in that list?

--
Regards,
Richard Sharpe
(What can relieve sorrow? Only Du Kang. -- Cao Cao)
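
The check suggested in the reply above, as an added example that is not part of the original message: scan an smbd debug log for the most recent security token dump before each 'valid users' denial and report whether the group's SID is in it. It assumes the token dump uses the "Security token SIDs (N):" / "SID[ i]: ..." layout and that the group SID was looked up separately (for instance with `wbinfo -n`); the log excerpt and all SIDs are constructed.

```python
import re

# Constructed sample in the style of smbd debug output; the SIDs are made up.
SAMPLE_LOG = r"""
[2012/07/25 15:19:28.100000,  5] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (3):
    SID[  0]: S-1-5-21-1111111111-2222222222-3333333333-1105
    SID[  1]: S-1-5-21-1111111111-2222222222-3333333333-513
    SID[  2]: S-1-5-11
[2012/07/25 15:19:29.013140, 10] smbd/share_access.c:219(user_ok_token)
  User Bdomain\test1 not in 'valid users'
"""

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d [\d:.]+,\s*\d+\]")   # start of a log record
SID_LINE = re.compile(r"SID\[\s*\d+\]:\s*(S-[\d-]+)")          # one SID in a token dump
DENIED = re.compile(r"User (\S+) not in 'valid users'")        # user_ok_token denial


def audit(log_text, group_sid):
    """Return one finding per 'valid users' denial found in log_text.

    Each finding carries the SIDs of the last non-NULL token dumped before
    the denial and whether group_sid (hypothetical input: the SID of the
    group named in 'valid users') is among them.
    """
    findings, token, collecting = [], [], False
    for line in log_text.splitlines():
        if "Security token SIDs" in line:
            token, collecting = [], True      # a new token dump starts
            continue
        if HEADER.match(line):
            collecting = False                # next record ends the dump
            continue
        m = SID_LINE.search(line)
        if collecting and m:
            token.append(m.group(1))
            continue
        m = DENIED.search(line)
        if m:
            findings.append({
                "user": m.group(1),
                "token_sids": list(token),
                "group_in_token": group_sid in token,
            })
    return findings


if __name__ == "__main__":
    # Constructed SID standing in for Adomain\sag1.
    for f in audit(SAMPLE_LOG, "S-1-5-21-9999999999-8888888888-7777777777-1200"):
        print(f["user"], "group SID in token:", f["group_in_token"])
```

A result of `False` matches the diagnosis in the reply: the group membership never reached the user's token, so the share-level check had nothing to match.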