Trusted AD user who belongs to "valid users" cannot access Samba server on samba-3.6.5

jinyunshuai jinyunshuai at 126.com
Tue Jul 31 00:15:50 MDT 2012


When debugging the samba-3.6.5 code with gdb, I find:

1> After running wbc_status = wbcAuthenticateUserEx(&params, &info,
&err) (source3/auth/auth_winbind.c:98),
  info->sids already includes Adomain\sag1's SID.

2> But when running
make_server_info_wbcAuthUserInfo (source3/auth/auth_winbind.c:126), which calls "info3 =
wbcAuthUserInfo_to_netr_SamInfo3(mem_ctx, info)" (source3/auth/auth_util.c:1297)
to copy the content of info into info3, Adomain\sag1's SID is dropped.

3> The cause of Adomain\sag1's SID being dropped is that
Adomain\sag1 and Bdomain\test1 belong to different domains.
The code is libcli/security/util_sid.c:sid_peek_check_rid().




thanks



At 2012-07-27 11:00:27, jinyunshuai <jinyunshuai at 126.com> wrote:
>I have posted log.smbd logs with log level = 10
>
>From the log.smbd log, the list of SIDs in user test1's token shown below does not include
>Adomain\sag1's SID: S-1-5-21-1122027669-4162194335-1793782112-1619
> 
>log: 
>[2012/07/25 15:19:28.972211,  2] auth/auth.c:309(check_ntlm_password)
>  check_ntlm_password:  authentication for user [test1] -> [test1] -> [Bdomain\test1] succeeded
>[2012/07/25 15:19:28.972836, 10] auth/token_util.c:223(create_local_nt_token_from_info3)
>  Create local NT token for test1
>[2012/07/25 15:19:28.972965,  4] smbd/sec_ctx.c:214(push_sec_ctx)
>  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>[2012/07/25 15:19:28.973058,  4] smbd/uid.c:460(push_conn_ctx)
>  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>[2012/07/25 15:19:28.973142,  4] smbd/sec_ctx.c:318(set_sec_ctx)
>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>[2012/07/25 15:19:28.973225,  5] ../libcli/security/security_token.c:53(security_token_debug)
>  Security token: (NULL)
>[2012/07/25 15:19:28.973307,  5] auth/token_util.c:527(debug_unix_user_token)
>  UNIX token of user 0
>  Primary group is 0 and contains 0 supplementary groups
>[2012/07/25 15:19:28.973532,  4] smbd/sec_ctx.c:426(pop_sec_ctx)
>  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>[2012/07/25 15:19:28.973668,  4] lib/privileges.c:97(get_privileges)
>  get_privileges: No privileges assigned to SID [S-1-5-21-617921265-4113386574-2758986863-1107]
>[2012/07/25 15:19:28.973780,  4] lib/privileges.c:97(get_privileges)
>  get_privileges: No privileges assigned to SID [S-1-5-21-617921265-4113386574-2758986863-513]
>[2012/07/25 15:19:28.973900,  5] lib/privileges.c:175(get_privileges_for_sids)
>  get_privileges_for_sids: sid = S-1-1-0
>  Privilege set: 0x0
>[2012/07/25 15:19:28.974037,  4] lib/privileges.c:97(get_privileges)
>  get_privileges: No privileges assigned to SID [S-1-5-2]
>[2012/07/25 15:19:28.974136,  4] lib/privileges.c:97(get_privileges)
>  get_privileges: No privileges assigned to SID [S-1-5-11]
>[2012/07/25 15:19:28.974400, 10] ../libcli/security/security_token.c:63(security_token_debug)
>  Security token SIDs (10):
>    SID[  0]: S-1-5-21-617921265-4113386574-2758986863-1107
>    SID[  1]: S-1-5-21-617921265-4113386574-2758986863-513
>    SID[  2]: S-1-1-0
>    SID[  3]: S-1-5-2
>    SID[  4]: S-1-5-11
>    SID[  5]: S-1-22-1-10012
>    SID[  6]: S-1-22-2-1006
>    SID[  7]: S-1-22-2-1002
>    SID[  8]: S-1-22-2-1003
>    SID[  9]: S-1-22-2-1004
>   Privileges (0x               0):
>   Rights (0x               0):
>[2012/07/25 15:19:28.974968, 10] auth/token_util.c:527(debug_unix_user_token)
>  UNIX token of user 10012
>  Primary group is 10012 and contains 4 supplementary groups
>  Group[  0]: 1006
>  Group[  1]: 1002
>  Group[  2]: 1003
>  Group[  3]: 1004
>
>If an Adomain user who belongs to Adomain\sag1 accesses the Samba server, his token includes Adomain\sag1's SID: S-1-5-21-1122027669-4162194335-1793782112-1619
>thanks
>  At 2012-07-26 00:58:24,"Richard Sharpe" <realrichardsharpe at gmail.com> wrote:
>>On Wed, Jul 25, 2012 at 12:30 AM, jinyunshuai <jinyunshuai at 126.com> wrote:
>>>
>>> the log is:
>>>
>>>  [0030] 00 45 00 53 00 54 00 00   00 3F 3F 3F 3F 3F 00     .E.S.T.. .?????.
>>> [2012/07/25 15:19:28.998595,  3] smbd/process.c:1467(switch_message)
>>>   switch message SMBtconX (pid 24005) conn 0x0
>>> [2012/07/25 15:19:28.998682,  4] smbd/sec_ctx.c:318(set_sec_ctx)
>>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>> [2012/07/25 15:19:28.998765,  5]
>>> ../libcli/security/security_token.c:53(security_token_debug)
>>>   Security token: (NULL)
>>> [2012/07/25 15:19:28.998846,  5]
>>> auth/token_util.c:527(debug_unix_user_token)
>>>   UNIX token of user 0
>>>   Primary group is 0 and contains 0 supplementary groups
>>> [2012/07/25 15:19:28.998973,  5] smbd/uid.c:400(change_to_root_user)
>>>   change_to_root_user: now uid=(0,0) gid=(0,0)
>>> [2012/07/25 15:19:28.999070,  4] smbd/reply.c:794(reply_tcon_and_X)
>>>   Client requested device type [?????] for share [SAMBA-TEST]
>>> [2012/07/25 15:19:28.999175,  5] smbd/service.c:1321(make_connection)
>>>   making a connection to 'normal' service samba-test
>>> [2012/07/25 15:19:28.999267,  3] lib/access.c:338(allow_access)
>>>   Allowed connection from 192.168.97.193 (192.168.97.193)
>>> [2012/07/25 15:19:28.999365,  3]
>>> ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
>>>   string_to_sid: SID +Adomain\sag1 is not in a valid format
>>> [2012/07/25 15:19:28.999462, 10] passdb/lookup_sid.c:76(lookup_name)
>>>   lookup_name: Adomain\sag1 => domain=[Adomain], name=[sag1]
>>> [2012/07/25 15:19:28.999549, 10] passdb/lookup_sid.c:77(lookup_name)
>>>   lookup_name: flags = 0x077
>>> [2012/07/25 15:19:29.013140, 10] smbd/share_access.c:219(user_ok_token)
>>>   User Bdomain\test1 not in 'valid users'
>>> [2012/07/25 15:19:29.013246,  2]
>>> smbd/service.c:627(create_connection_session_info)
>>>   user 'Bdomain\test1' (from session setup) not permitted to access this
>>> share (samba-test)
>>> [2012/07/25 15:19:29.013339,  1] smbd/service.c:770(make_connection_snum)
>>>   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
>>> [2012/07/25 15:19:29.013437,  3] smbd/error.c:81(error_packet_set)
>>>   error packet at smbd/reply.c(803) cmd=117 (SMBtconX)
>>> NT_STATUS_ACCESS_DENIED
>>> [2012/07/25 15:19:29.013530,  5] lib/util.c:332(show_msg)
>>> [2012/07/25 15:19:29.013579,  5] lib/util.c:342(show_msg)
>>
>>Looks like Samba or winbindd does not believe that Bdomain\test1 is a
>>member of Adomain\sag1.
>>
>>Further back in the log there should be a list of SIDs in the user's
>>token when the logon occurred. Does the SID for Adomain\sag1 show up
>>in that list?
>>
>>-- 
>>Regards,
>>Richard Sharpe
>>(何以解憂?唯有杜康。--曹操)
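Added illustration of the conversion step analysed in the first message of this thread (example code written for this page, not Samba's own): a simplified model of folding the group SIDs winbindd returned into a SamInfo3-style structure, using the SIDs quoted in the logs above. The names fold_groups, thread_case and thread_info3 are assumptions made for this example.

```c
/* Added model, not Samba's code: folding the group SIDs winbindd returned into a
 * SamInfo3-style structure. A group SID directly under the user's own domain SID is
 * reduced to a RID (the check sid_peek_check_rid performs); a group from another domain
 * fails that check, and the thread reports that such groups were dropped. */
#include <string.h>
#include <stdlib.h>
struct sid { int n; unsigned long sub[15]; };          /* sub-authorities of S-1-5-<...> */
/* Parse "S-1-5-21-a-b-c[-rid]" into sub[]; returns 0 on malformed input. */
static int sid_parse(const char *s, struct sid *o) {
    char *end; const char *p;
    if (strncmp(s, "S-1-5-", 6) != 0) return 0;
    for (o->n = 0, p = s + 6; o->n < 15; p = end + 1) {
        if (*p < '0' || *p > '9') return 0;           /* reject sign/space that strtoul allows */
        o->sub[o->n++] = strtoul(p, &end, 10);
        if (*end == '\0') return 1;
        if (*end != '-') return 0;
    }
    return 0;                                           /* too many sub-authorities */
}

/* Model of sid_peek_check_rid(): true only when sid is dom plus exactly one trailing RID. */
static int sid_peek_check_rid(const struct sid *dom, const struct sid *sid, unsigned long *rid) {
    if (sid->n != dom->n + 1 || memcmp(dom->sub, sid->sub, dom->n * sizeof dom->sub[0]) != 0) return 0;
    *rid = sid->sub[sid->n - 1];
    return 1;
}

struct info3 { int nrids; unsigned long rids[16]; int nother; const char *other[16]; };
/* Fold group SIDs under domain_sid into out; return how many were lost. keep_foreign == 0 drops
 * SIDs from other domains (the behaviour reported in the thread), 1 keeps them as extra SIDs. */
static int fold_groups(const char *domain_sid, const char **groups, int n, int keep_foreign, struct info3 *out) {
    struct sid dom, g; unsigned long rid; int dropped = 0;
    memset(out, 0, sizeof *out);
    if (!sid_parse(domain_sid, &dom)) return -1;
    for (int i = 0; i < n; i++) {
        if (!sid_parse(groups[i], &g)) return -1;
        if (sid_peek_check_rid(&dom, &g, &rid)) out->rids[out->nrids++] = rid;
        else if (keep_foreign) out->other[out->nother++] = groups[i];
        else dropped++;
    }
    return dropped;
}

/* The thread's case: Bdomain\test1 with its domain group RID 513 and the trusted group
 * Adomain\sag1 (S-1-5-21-1122027669-...-1619). The folded result lands in thread_info3. */
static struct info3 thread_info3;
static int thread_case(int keep_foreign) {
    const char *groups[] = { "S-1-5-21-617921265-4113386574-2758986863-513",
                             "S-1-5-21-1122027669-4162194335-1793782112-1619" };
    return fold_groups("S-1-5-21-617921265-4113386574-2758986863", groups, 2, keep_foreign, &thread_info3);
}
```

Comparing the group count winbindd returned with the RID count plus extra SID count after conversion, as fold_groups' return value does, is the simplest check that a trusted-domain membership did not disappear between info and info3.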
