Samba 4.1.6 not working after upgrade from 3.6.x - Fedora 20

Gerhard Wiesinger lists at wiesinger.com
Mon Mar 17 14:33:58 MDT 2014


On 17.03.2014 21:13, Alexander Bokovoy wrote:
> Hi,
>
> On Mon, Mar 17, 2014 at 8:01 PM, Gerhard Wiesinger <lists at wiesinger.com> wrote:
>> Hello,
>>
>> I upgraded from Fedora 17 (Samba 3.6.12) to Fedora 20 (Samba 4.1.6) and some
>> shares are not working any more (I'm asked for password or not accessible
>> message). I did not change anything in the config and the config is the same
>> as in Fedora 17.
>>
>> After some debugging I found the following error messages:
>> ../source3/smbd/service.c:612(make_connection_snum)
>>    Connect path is '/shares/mm' for service [mm]
>> ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
>>    string_to_sid: SID @users is not in a valid format
> I don't think this is an issue per se. The message is harmless in your
> context. What happens is the following. When a share connection is
> established, we do a number of checks and calculate the access mask for the
> user in check_user_share_access(). The first thing
> check_user_share_access() does is to call user_ok_token(). The
> latter actually verifies user name against list of invalid and valid
> users. When going through the lists, we try to take each element of a
> list and convert to SID. If that succeeds, we do check on the SID
> instead of going to a more resource-consuming path of name to SID
> conversion.
>
> If that element is not a SID already, we do group checks through
> various methods. But before that, SID conversion will already complain
> to the logs that "SID <element> is not in a valid format". This is
> what you see in the log above.
>
> If your share access is denied, it is some other check that is
> failing. I can reproduce string_to_sid complaint too but for me
> accessing a share with 'valid users = @users', where users is a group
> that the user belongs to, works fine. To get a more detailed answer I'd need
> to see more logs.
>
> Perhaps we could raise the level at which string_to_sid() issues its 'error'.

Hello Alexander,

I found the problem: Samba 4 behaves differently than Samba 3.6.x: If 
"force user" is used in Samba 4, it must also be on the valid users list. 
If not, access is denied.
In Samba 3.6.x this wasn't necessary.

NOK:
         valid users = @users
         force user = apache
OK:
         valid users = @users apache
         force user = apache

So this is either a bug or at least it should be documented as a 
different behavior in Samba 4 (with big exclamation marks).

Thank you.

Ciao,
Gerhard

10, pid=19758, effective(0, 0), real(0, 0)] 
../source3/smbd/share_access.c:215(user_ok_token)
   User apache not in 'valid users'

# NOT OK
[mm]
         path = /shares/mm
# Causes problems here
         valid users = @users
         write list = gerhard
         force user = apache
         force group = apache
         create mask = 0644
         hide dot files = No

# OK
[mm]
         path = /shares/mm
         valid users = @users apache
         write list = gerhard
         force user = apache
         force group = apache
         create mask = 0644
         hide dot files = No
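
An added example, not part of the original message and not Samba code: a small audit that flags shares whose "force user" is not admitted by that share's "valid users", the condition reported above as denied after the upgrade. The share names, the group map and the function names are assumptions made for the example; only per-share settings are examined, and [global] defaults are not inherited.

```python
import re

# Constructed sample config and group membership (not from a real host).
SAMPLE_CONF = """
[mm_nok]
    valid users = @users
    force user = apache
[mm_ok]
    valid users = @users apache
    force user = apache
[web]
    valid users = @www
    force user = apache
"""
SAMPLE_GROUPS = {"users": ["gerhard"], "www": ["apache"]}

def parse_shares(text):
    """Parse smb.conf text into {section: {normalised_param: value}}."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and whitespace.
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return shares

def force_user_locked_out(text, group_members=None):
    """Return {share: force_user} where 'valid users' does not admit the forced user."""
    group_members = group_members or {}  # unknown groups count as not covering
    findings = {}
    for share, params in parse_shares(text).items():
        forced = params.get("forceuser", "")
        entries = [e for e in re.split(r"[,\s]+", params.get("validusers", "")) if e]
        if not forced or not entries:
            continue  # an empty 'valid users' list admits any user
        admitted = any(
            (forced in group_members.get(e.lstrip("@+&"), ())) if e[0] in "@+&" else (e == forced)
            for e in entries)
        if not admitted:
            findings[share] = forced
    return findings

if __name__ == "__main__":
    print(force_user_locked_out(SAMPLE_CONF, SAMPLE_GROUPS))
```

Without a group map, every group entry is treated as not covering the forced user, so those hits need a manual membership check.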


