Samba 4.1.6 not working after upgrade from 3.6.x - Fedora 20

[Alexander Bokovoy]

Hi,

On Mon, Mar 17, 2014 at 8:01 PM, Gerhard Wiesinger <lists at wiesinger.com> wrote:
> Hello,
>
> I upgraded from Fedora 17 (Samba 3.6.12) to Fedora 20 (Samba 4.1.6) and some
> shares are not working any more (I'm asked for password or not accessible
> message). I did not change anything in the config and the config is the same
> as in Fedora 17.
>
> After some debugging I found the following error messages:
> ../source3/smbd/service.c:612(make_connection_snum)
>   Connect path is '/shares/mm' for service [mm]
> ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
>   string_to_sid: SID @users is not in a valid format
I don't think this is an issue per se. The message is harmless in your
context. What happens is the following. When share connection is
established, we do number of checks and calculate access mask for the
user in check_user_share_access(). The first thing
check_user_share_access() does is to call to user_ok_token(). The
latter actually verifies user name against list of invalid and valid
users. When going through the lists, we try to take each element of a
list and convert to SID. If that succeeds, we do check on the SID
instead of going to a more resource-consuming path of name to SID
conversion.

If that element is not a SID already, we do group checks through
various methods. But before that, SID conversion will already complain
to the logs that "SID <element> is not in a valid format". This is
what you see in the log above.

If your share access is denied, it is some other check that is
failing. I can reproduce string_to_sid complaint too but for me
accessing a share with 'valid users = @users', where users is a group
that user belongs to, works fine. To get more detailed answer I'd need
to see more logs.

Perhaps we could raise the level at which string_to_sid() issues its 'error'.


-- 
/ Alexander Bokovoy