Trusted AD user who belongs to "valid users" can not access Samba Server on samba-3.6.5
jinyunshuai
jinyunshuai at 126.com
Thu Jul 26 21:00:27 MDT 2012
I have posted the log.smbd logs with log level = 10.
From the log.smbd log, the list of SIDs in user test1's token (shown below) does not include
Adomain\sag1's SID: S-1-5-21-1122027669-4162194335-1793782112-1619
log:
[2012/07/25 15:19:28.972211, 2] auth/auth.c:309(check_ntlm_password)
check_ntlm_password: authentication for user [test1] -> [test1] -> [Bdomain\test1] succeeded
[2012/07/25 15:19:28.972836, 10] auth/token_util.c:223(create_local_nt_token_from_info3)
Create local NT token for test1
[2012/07/25 15:19:28.972965, 4] smbd/sec_ctx.c:214(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/07/25 15:19:28.973058, 4] smbd/uid.c:460(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2012/07/25 15:19:28.973142, 4] smbd/sec_ctx.c:318(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2012/07/25 15:19:28.973225, 5] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2012/07/25 15:19:28.973307, 5] auth/token_util.c:527(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2012/07/25 15:19:28.973532, 4] smbd/sec_ctx.c:426(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/07/25 15:19:28.973668, 4] lib/privileges.c:97(get_privileges)
get_privileges: No privileges assigned to SID [S-1-5-21-617921265-4113386574-2758986863-1107]
[2012/07/25 15:19:28.973780, 4] lib/privileges.c:97(get_privileges)
get_privileges: No privileges assigned to SID [S-1-5-21-617921265-4113386574-2758986863-513]
[2012/07/25 15:19:28.973900, 5] lib/privileges.c:175(get_privileges_for_sids)
get_privileges_for_sids: sid = S-1-1-0
Privilege set: 0x0
[2012/07/25 15:19:28.974037, 4] lib/privileges.c:97(get_privileges)
get_privileges: No privileges assigned to SID [S-1-5-2]
[2012/07/25 15:19:28.974136, 4] lib/privileges.c:97(get_privileges)
get_privileges: No privileges assigned to SID [S-1-5-11]
[2012/07/25 15:19:28.974400, 10] ../libcli/security/security_token.c:63(security_token_debug)
Security token SIDs (10):
SID[ 0]: S-1-5-21-617921265-4113386574-2758986863-1107
SID[ 1]: S-1-5-21-617921265-4113386574-2758986863-513
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-22-1-10012
SID[ 6]: S-1-22-2-1006
SID[ 7]: S-1-22-2-1002
SID[ 8]: S-1-22-2-1003
SID[ 9]: S-1-22-2-1004
Privileges (0x 0):
Rights (0x 0):
[2012/07/25 15:19:28.974968, 10] auth/token_util.c:527(debug_unix_user_token)
UNIX token of user 10012
Primary group is 10012 and contains 4 supplementary groups
Group[ 0]: 1006
Group[ 1]: 1002
Group[ 2]: 1003
Group[ 3]: 1004
If an Adomain user who belongs to Adomain\sag1 accesses the Samba server, his token includes Adomain\sag1's SID: S-1-5-21-1122027669-4162194335-1793782112-1619
Thanks
At 2012-07-26 00:58:24,"Richard Sharpe" <realrichardsharpe at gmail.com> wrote:
>On Wed, Jul 25, 2012 at 12:30 AM, jinyunshuai <jinyunshuai at 126.com> wrote:
>>
>> the log as:
>>
>> [0030] 00 45 00 53 00 54 00 00 00 3F 3F 3F 3F 3F 00 .E.S.T.. .?????.
>> [2012/07/25 15:19:28.998595, 3] smbd/process.c:1467(switch_message)
>> switch message SMBtconX (pid 24005) conn 0x0
>> [2012/07/25 15:19:28.998682, 4] smbd/sec_ctx.c:318(set_sec_ctx)
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2012/07/25 15:19:28.998765, 5]
>> ../libcli/security/security_token.c:53(security_token_debug)
>> Security token: (NULL)
>> [2012/07/25 15:19:28.998846, 5]
>> auth/token_util.c:527(debug_unix_user_token)
>> UNIX token of user 0
>> Primary group is 0 and contains 0 supplementary groups
>> [2012/07/25 15:19:28.998973, 5] smbd/uid.c:400(change_to_root_user)
>> change_to_root_user: now uid=(0,0) gid=(0,0)
>> [2012/07/25 15:19:28.999070, 4] smbd/reply.c:794(reply_tcon_and_X)
>> Client requested device type [?????] for share [SAMBA-TEST]
>> [2012/07/25 15:19:28.999175, 5] smbd/service.c:1321(make_connection)
>> making a connection to 'normal' service samba-test
>> [2012/07/25 15:19:28.999267, 3] lib/access.c:338(allow_access)
>> Allowed connection from 192.168.97.193 (192.168.97.193)
>> [2012/07/25 15:19:28.999365, 3]
>> ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
>> string_to_sid: SID +Adomain\sag1 is not in a valid format
>> [2012/07/25 15:19:28.999462, 10] passdb/lookup_sid.c:76(lookup_name)
>> lookup_name: Adomain\sag1 => domain=[Adomain], name=[sag1]
>> [2012/07/25 15:19:28.999549, 10] passdb/lookup_sid.c:77(lookup_name)
>> lookup_name: flags = 0x077
>> [2012/07/25 15:19:29.013140, 10] smbd/share_access.c:219(user_ok_token)
>> User Bdomain\test1 not in 'valid users'
>> [2012/07/25 15:19:29.013246, 2]
>> smbd/service.c:627(create_connection_session_info)
>> user 'Bdomain\test1' (from session setup) not permitted to access this
>> share (samba-test)
>> [2012/07/25 15:19:29.013339, 1] smbd/service.c:770(make_connection_snum)
>> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
>> [2012/07/25 15:19:29.013437, 3] smbd/error.c:81(error_packet_set)
>> error packet at smbd/reply.c(803) cmd=117 (SMBtconX)
>> NT_STATUS_ACCESS_DENIED
>> [2012/07/25 15:19:29.013530, 5] lib/util.c:332(show_msg)
>> [2012/07/25 15:19:29.013579, 5] lib/util.c:342(show_msg)
>
>Looks like Samba or winbindd does not believe that Bdomain\test1 is a
>member of Adomain\sag1.
>
>Further back in the log there should be a list of SIDs in the user's
>token when the logon occurred. Does the SID for Adomain\sag1 show up
>in that list?
>
>--
>Regards,
>Richard Sharpe
>(What can dispel sorrow? Only Du Kang. -- Cao Cao)
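The check Richard asks for (is the trusted-domain group SID in the token that smbd built at logon?) can be automated against a level-10 log. The script below is an added example written for this thread; it is not Samba code and not something either poster ran. It parses the `security_token_debug` block quoted above, reports which S-1-5-21 domain identifiers actually appear in the token, and mirrors the `valid users` check from the second log: the entry is first tried as a literal SID (hence the harmless `string_to_sid ... not in a valid format` line), then resolved by name and tested for membership in the token. The `name_to_sid` dictionary is a constructed stand-in for winbind's `lookup_name`, and the plain-user branch of `entry_allows` is simplified to a SID-in-token test.

```python
import re

# Excerpt of the smbd log quoted in the post (log level 10), used as sample input.
SAMPLE_LOG = """\
[2012/07/25 15:19:28.974400, 10] ../libcli/security/security_token.c:63(security_token_debug)
Security token SIDs (10):
SID[ 0]: S-1-5-21-617921265-4113386574-2758986863-1107
SID[ 1]: S-1-5-21-617921265-4113386574-2758986863-513
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-22-1-10012
SID[ 6]: S-1-22-2-1006
SID[ 7]: S-1-22-2-1002
SID[ 8]: S-1-22-2-1003
SID[ 9]: S-1-22-2-1004
Privileges (0x 0):
Rights (0x 0):
"""

# Adomain\sag1's SID as given in the post.
REQUIRED_GROUP_SID = "S-1-5-21-1122027669-4162194335-1793782112-1619"

# Constructed stand-in for winbind's lookup_name(); Bdomain\test1 maps to the
# first token SID in the log, Adomain\sag1 to the SID quoted in the post.
NAME_TO_SID = {
    "Bdomain\\test1": "S-1-5-21-617921265-4113386574-2758986863-1107",
    "Adomain\\sag1": REQUIRED_GROUP_SID,
}

HEADER = re.compile(r"Security token SIDs \((\d+)\):")
SID_LINE = re.compile(r"^SID\[\s*\d+\]:\s*(S-[0-9-]+)\s*$")
SID_SYNTAX = re.compile(r"^S-1-\d+(-\d+)+$")


def parse_token_sids(log_text):
    """Return the SID list of the first security_token_debug block in the log.
    Raises if the declared count and the SID lines disagree (truncated paste)."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER.search(line)
        if not m:
            continue
        declared = int(m.group(1))
        sids = []
        for nxt in lines[i + 1:]:
            sm = SID_LINE.match(nxt)
            if not sm:
                break
            sids.append(sm.group(1))
        if len(sids) != declared:
            raise ValueError(f"header declares {declared} SIDs, parsed {len(sids)}")
        return sids
    raise ValueError("no 'Security token SIDs' block in log")


def domain_of(sid):
    """Domain identifier of an S-1-5-21-x-y-z-rid account SID, else None
    (well-known SIDs like S-1-1-0 and Samba's S-1-22-* unix SIDs have none)."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7])
    return None


def diagnose(log_text, required_sid):
    """Is the required group SID in the token, and does *any* SID from its
    domain appear? If none does, the trusted domain's groups were never
    expanded into the token and the 'valid users' line is not the culprit."""
    sids = parse_token_sids(log_text)
    token_domains = sorted({d for d in map(domain_of, sids) if d})
    return {
        "required_present": required_sid in sids,
        "required_domain_seen": domain_of(required_sid) in token_domains,
        "token_domains": token_domains,
    }


def parse_valid_users_entry(entry):
    """Split a 'valid users' entry into (prefix, domain, name); '@', '+' and '&'
    are Samba's group/netgroup prefixes, domain is None for bare names."""
    entry = entry.strip()
    prefix = entry[0] if entry and entry[0] in "@+&" else ""
    domain, sep, name = entry[len(prefix):].rpartition("\\")
    return prefix, (domain if sep else None), name


def entry_allows(entry, token_sids, name_to_sid):
    """Mirror of the sequence in the log: try the entry as a literal SID, then
    resolve it by name; access is granted only if that SID is in the token."""
    bare = entry.strip().lstrip("@+&")
    if SID_SYNTAX.match(bare):
        return bare in token_sids
    prefix, domain, name = parse_valid_users_entry(entry)
    sid = name_to_sid.get(f"{domain}\\{name}" if domain else name)
    if sid is None:
        return False  # lookup_name failed: an unknown name never grants access
    return sid in token_sids


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, REQUIRED_GROUP_SID))
    for e in ("+Adomain\\sag1", "Bdomain\\test1"):
        print(e, "->", entry_allows(e, parse_token_sids(SAMPLE_LOG), NAME_TO_SID))
```

On the log quoted in this thread the report is `required_domain_seen: False` with only Bdomain's domain identifier present, which is the observation the poster makes by eye: the token was built from Bdomain's info3 data alone, so the failure is in group expansion at logon, one step before `user_ok_token` ever compares the `valid users` entry.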