AD, "valid user" can not access Samba Server

Ewgenij Solovjov ewgenij.solovjov at gmail.com
Sat Sep 29 17:20:16 MDT 2012


Hello,

I have a problem here. Please help.

Users belonging to an AD group with UNIX attributes cannot access the share.
Samba 3.6.7 on Solaris 10 Update 9.

Account testuser has testgrp as its primary group but can't access the share.
Accessing the share directly using the user name works (valid users = testuser).


Here is the config:

[global]
        realm = nss.hal.hydro.com
        encrypt passwords = Yes
        security = ADS
        workgroup = EDV-1
        netbios name = nssitfs01
        interfaces = 10.72.160.6/255.255.240.0, 127.0.0.1/255.0.0.0
        bind interfaces only = Yes
        username map = /etc/samba/users.map
        winbind use default domain = yes

        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999

        idmap config EDV-1 : backend  = ad
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        idmap config EDV-1 : range = 999-501000
        idmap config EDV-1 : schema_mode = rfc2307

        log level = 10

.........

[test-share]
        comment = Test Share
        path = /fileserver-data/home/test-share
#  Is Okay:
#        valid users = testuser
# Do not work:
        valid users = @"EDV-1\testgrp"
        read only = No
        browseable = No

...........

root at arcturus:admin/Update # wbinfo -n testuser
S-1-5-21-128273015-885210391-837300805-3080 SID_USER (1)
root at arcturus:admin/Update # net -P ads sid
S-1-5-21-128273015-885210391-837300805-3080
Got 1 replies

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testuser
description: Unix Test User
givenName: testuser
distinguishedName: CN=testuser,CN=Users,DC=nss,DC=hal,DC=hydro,DC=com
instanceType: 4
whenCreated: 20120928113827.0Z
whenChanged: 20120928115004.0Z
displayName: testuser
uSNCreated: 8212940
uSNChanged: 8212985
name: testuser
objectGUID: 0331b23a-344e-4acd-a75f-f867b8a65be4
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129933061393906250
lastLogoff: 0
lastLogon: 129933064485312500
pwdLastSet: 129933061626718750
primaryGroupID: 513
objectSid: S-1-5-21-128273015-885210391-837300805-3080
accountExpires: 9223372036854775807
logonCount: 4
sAMAccountName: testuser
sAMAccountType: 805306368
userPrincipalName: testuser at nss.hal.hydro.com
lockoutTime: 0
objectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=nss,DC=hal,DC=hydro,DC=com
uid: testuser
msSFU30Name: testuser
msSFU30NisDomain: nss
uidNumber: 10000
gidNumber: 123456
unixHomeDirectory: /fileserver-data/home/test-share
loginShell: /bin/ksh

root at arcturus:admin/Update # wbinfo -n testgrp
S-1-5-21-128273015-885210391-837300805-3079 SID_DOM_GROUP (2)
root at arcturus:admin/Update # net -P ads sid
S-1-5-21-128273015-885210391-837300805-3079
Got 1 replies

objectClass: top
objectClass: group
cn: testgrp
description: Unic Test Group
distinguishedName: CN=testgrp,CN=Users,DC=nss,DC=hal,DC=hydro,DC=com
instanceType: 4
whenCreated: 20120928113656.0Z
whenChanged: 20120928113727.0Z
uSNCreated: 8212931
uSNChanged: 8212936
name: testgrp
objectGUID: 7b9908f4-6a7e-4ba5-b870-71cf9ae1a197
objectSid: S-1-5-21-128273015-885210391-837300805-3079
sAMAccountName: testgrp
sAMAccountType: 268435456
groupType: -2147483646
objectCategory:
CN=Group,CN=Schema,CN=Configuration,DC=nss,DC=hal,DC=hydro,DC=com
msSFU30Name: testgrp
msSFU30NisDomain: nss
gidNumber: 123456

root at arcturus:admin/Update #

And here are the logs:
log.smbd
..................
[2012/09/28 14:44:33.389278, 10] passdb/lookup_sid.c:1280(legacy_sid_to_gid)
  LEGACY: mapping failed for sid S-1-5-21-128273015-885210391-837300805-513
[2012/09/28 14:44:33.389394, 10] passdb/lookup_sid.c:1218(legacy_sid_to_uid)
  LEGACY: mapping failed for sid S-1-5-21-128273015-885210391-837300805-513
[2012/09/28 14:44:33.389465, 10] auth/auth_util.c:505(create_local_token)
  Could not convert SID S-1-5-21-128273015-885210391-837300805-513 to
gid, ignoring it
[2012/09/28 14:44:33.389544, 10]
../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (11):
    SID[  0]: S-1-5-21-128273015-885210391-837300805-3080
    SID[  1]: S-1-5-21-128273015-885210391-837300805-513
    SID[  2]: S-1-1-0
    SID[  3]: S-1-5-2
    SID[  4]: S-1-5-11
    SID[  5]: S-1-5-32-545
    SID[  6]: S-1-22-1-10000
    SID[  7]: S-1-22-2-1000000
    SID[  8]: S-1-22-2-1000001
    SID[  9]: S-1-22-2-1000003
    SID[ 10]: S-1-22-2-11001
   Privileges (0x               0):
   Rights (0x               0):
[2012/09/28 14:44:33.389981, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10000
  Primary group is 123456 and contains 4 supplementary groups
  Group[  0]: 1000000
  Group[  1]: 1000001
  Group[  2]: 1000003
  Group[  3]: 11001
[2012/09/28 14:44:33.390170, 10] smbd/password.c:199(register_initial_vuid)
  register_initial_vuid: allocated vuid = 102
[2012/09/28 14:44:33.390234, 10] smbd/password.c:293(register_existing_vuid)
  register_existing_vuid: (10000,123456) testuser testuser EDV-1 guest=0
[2012/09/28 14:44:33.390309,  3] smbd/password.c:298(register_existing_vuid)
  register_existing_vuid: User name: testuser   Real name: testuser
[2012/09/28 14:44:33.390370,  3] smbd/password.c:308(register_existing_vuid)
  register_existing_vuid: UNIX uid 10000 is UNIX user testuser, and
will be vuid 102
[2012/09/28 14:44:33.390457, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked)
  Locking key 49442F35372F31303200
[2012/09/28 14:44:33.390541, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked)
  Allocated locked data 0xa2d660
[2012/09/28 14:44:33.391374, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr)
  Unlocking key 49442F35372F31303200
[2012/09/28 14:44:33.391456,  7] param/loadparm.c:9834(lp_servicenumber)
  lp_servicenumber: couldn't find testuser
[2012/09/28 14:44:33.391515,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user testuser
[2012/09/28 14:44:33.391575,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is testuser
[2012/09/28 14:44:33.391639,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [testuser]!
[2012/09/28 14:44:33.391699,  3] smbd/password.c:238(register_homes_share)
  Adding homes service for user 'testuser' using home directory:
'/fileserver-data/home/test-share'
[2012/09/28 14:44:33.391765,  7] param/loadparm.c:9834(lp_servicenumber)
  lp_servicenumber: couldn't find homes
[2012/09/28 14:44:33.391896,  6] param/loadparm.c:7490(lp_file_list_changed)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Fri
Sep 28 14:44:11 2012
................................................

[2012/09/28 14:44:33.395786, 10] ../lib/util/util.c:415(dump_data)
  [0000] 00 5C 00 5C 00 4E 00 53   00 53 00 49 00 54 00 46   .\.\.N.S .S.I.T.F
  [0010] 00 53 00 30 00 31 00 5C   00 54 00 45 00 53 00 54   .S.0.1.\ .T.E.S.T
  [0020] 00 2D 00 53 00 48 00 41   00 52 00 45 00 00 00 3F   .-.S.H.A .R.E...?
  [0030] 3F 3F 3F 3F 00                                    ????.
[2012/09/28 14:44:33.396204,  3] smbd/process.c:1467(switch_message)
  switch message SMBtconX (pid 57) conn 0x0
[2012/09/28 14:44:33.396270,  4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/09/28 14:44:33.396332,  5]
../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2012/09/28 14:44:33.396385,  5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2012/09/28 14:44:33.396475,  5] smbd/uid.c:400(change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2012/09/28 14:44:33.396548,  4] smbd/reply.c:794(reply_tcon_and_X)
  Client requested device type [?????] for share [TEST-SHARE]
[2012/09/28 14:44:33.396630,  5] smbd/service.c:1354(make_connection)
  making a connection to 'normal' service test-share
[2012/09/28 14:44:33.396696,  3] lib/access.c:338(allow_access)
  Allowed connection from 10.72.162.37 (10.72.162.37)
[2012/09/28 14:44:33.396779,  3]
../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
  string_to_sid: SID @EDV-1\testgrp is not in a valid format
[2012/09/28 14:44:33.396996,  5] auth/user_util.c:152(user_in_netgroup)
  looking for user testuser of domain nss.hal.hydro.com in netgroup
EDV-1\testgrp
[2012/09/28 14:44:33.397167, 10] passdb/lookup_sid.c:76(lookup_name)
  lookup_name: EDV-1\testgrp => domain=[EDV-1], name=[testgrp]
[2012/09/28 14:44:33.397233, 10] passdb/lookup_sid.c:77(lookup_name)
  lookup_name: flags = 0x077
[2012/09/28 14:44:33.431275, 10] smbd/share_access.c:219(user_ok_token)
  User testuser not in 'valid users'
[2012/09/28 14:44:33.431367,  2]
smbd/service.c:627(create_connection_session_info)
  user 'testuser' (from session setup) not permitted to access this
share (test-share)
[2012/09/28 14:44:33.431435,  1] smbd/service.c:805(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2012/09/28 14:44:33.431501,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2012/09/28 14:44:33.431574,  5] lib/util.c:332(show_msg)
[2012/09/28 14:44:33.431611,  5] lib/util.c:342(show_msg)


.....

Thank you!


More information about the samba-technical mailing list
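The decisive log line above ("User testuser not in 'valid users'") is smbd testing whether the SID that `@EDV-1\testgrp` resolves to is present in the session's security token; the token printed in the log carries the user's own SID and -513 (Domain Users) but not -3079 (testgrp). The script below is an added diagnostic example, not code from the post or from the Samba project: it extracts the token SIDs from a level-10 smbd log and the group SID from `wbinfo -n` output (both inputs are constructed, trimmed copies of the post's data), and reports for each group entry in `valid users` whether its SID is in the token; the `name_to_sid` dictionary is an assumed stand-in for the `wbinfo -n` lookup.

```python
import re

# Constructed sample input, trimmed from the wbinfo output and the
# security_token_debug block of the level-10 smbd log in the post.
WBINFO_TESTGRP = "S-1-5-21-128273015-885210391-837300805-3079 SID_DOM_GROUP (2)"
SMBD_LOG = """\
  Security token SIDs (11):
    SID[  0]: S-1-5-21-128273015-885210391-837300805-3080
    SID[  1]: S-1-5-21-128273015-885210391-837300805-513
    SID[  2]: S-1-1-0
    SID[  5]: S-1-5-32-545
    SID[  7]: S-1-22-2-1000000
   Privileges (0x               0):
"""

SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b")

def sid_from_wbinfo(line):
    """Return the SID from a 'wbinfo -n NAME' output line, or None."""
    m = SID_RE.search(line)
    return m.group(0) if m else None

def token_sids(log_text):
    """Collect the SIDs listed in the first security_token_debug block."""
    sids, inside = [], False
    for line in log_text.splitlines():
        if "Security token SIDs" in line:
            inside = True
            continue
        if inside and "Privileges" in line:
            break
        m = SID_RE.search(line) if inside else None
        if m:
            sids.append(m.group(0))
    return sids

def parse_valid_users(value):
    """Split a 'valid users' value into (prefix, name); prefix is '', '@', '+' or '&'.
    Surrounding quotes are stripped, so @"EDV-1\\testgrp" -> ('@', 'EDV-1\\testgrp').
    Quoted names containing spaces are not handled (assumption of this example)."""
    entries = []
    for item in re.split(r"[,\s]+", value.strip()):
        if item:
            prefix = item[0] if item[0] in "@+&" else ""
            entries.append((prefix, item[len(prefix):].strip('"')))
    return entries

def diagnose(valid_users, name_to_sid, token):
    """For each group entry, report whether the group's SID is in the token,
    i.e. the membership test the log shows failing with 'not in valid users'."""
    report = {}
    for prefix, name in parse_valid_users(valid_users):
        if prefix in ("@", "+"):
            sid = name_to_sid.get(name)  # stand-in for the wbinfo -n lookup
            report[name] = sid is not None and sid in token
    return report
```

Running `diagnose('@"EDV-1\\testgrp"', {"EDV-1\\testgrp": sid_from_wbinfo(WBINFO_TESTGRP)}, token_sids(SMBD_LOG))` on the post's data yields `False` for testgrp, matching the access denial in the log.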