Samba 4.1.6 not working after upgrade from 3.6.x - Fedora 20

Jeremy Allison jra at samba.org
Mon Mar 17 15:08:08 MDT 2014


On Mon, Mar 17, 2014 at 09:33:58PM +0100, Gerhard Wiesinger wrote:
> On 17.03.2014 21:13, Alexander Bokovoy wrote:
> >Hi,
> >
> >On Mon, Mar 17, 2014 at 8:01 PM, Gerhard Wiesinger <lists at wiesinger.com> wrote:
> >>Hello,
> >>
> >>I upgraded from Fedora 17 (Samba 3.6.12) to Fedora 20 (Samba 4.1.6) and some
> >>shares are not working any more (I'm asked for password or not accessible
> >>message). I did not change anything in the config and the config is the same
> >>as in Fedora 17.
> >>
> >>After some debugging I found the following error messages:
> >>../source3/smbd/service.c:612(make_connection_snum)
> >>   Connect path is '/shares/mm' for service [mm]
> >>../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
> >>   string_to_sid: SID @users is not in a valid format
> >I don't think this is an issue per se. The message is harmless in your
> >context. What happens is the following. When a share connection is
> >established, we do a number of checks and calculate the access mask for
> >the user in check_user_share_access(). The first thing
> >check_user_share_access() does is call user_ok_token(). The
> >latter actually verifies the user name against the lists of invalid and
> >valid users. When going through the lists, we try to take each element
> >of a list and convert it to a SID. If that succeeds, we do the check on
> >the SID instead of going down the more resource-consuming path of name
> >to SID conversion.
> >
> >If that element is not a SID already, we do group checks through
> >various methods. But before that, SID conversion will already complain
> >to the logs that "SID <element> is not in a valid format". This is
> >what you see in the log above.
> >
> >If your share access is denied, it is some other check that is
> >failing. I can reproduce the string_to_sid complaint too, but for me
> >accessing a share with 'valid users = @users', where users is a group
> >that the user belongs to, works fine. To give a more detailed answer I'd
> >need to see more logs.
> >
> >Perhaps we could raise the level at which string_to_sid() issues its 'error'.
> 
> Hello Alexander,
> 
> I found the problem: Samba 4 behaves differently than Samba 3.6.x:
> If "force user" is used in Samba 4, that user must also be on the valid
> users list. If not, access is denied.
> In Samba 3.6.x this wasn't necessary.
> 
> NOK:
>         valid users = @users
>         force user = apache
> OK:
>         valid users = @users apache
>         force user = apache
> 
> So this is either a bug or at least it should be documented as a
> different behavior in Samba 4 (with big exclamation marks).

It's logged as bug:

https://bugzilla.samba.org/show_bug.cgi?id=9878

I may have just found a quick and easy fix for this.
Testing right now...

Jeremy.
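
An added example, not part of the original thread and not Samba code: a small Python check that scans smb.conf text for the NOK pattern reported above, a non-empty `valid users` list that does not name the `force user` account. It assumes whitespace- or comma-separated names and does not resolve group membership; the share names `mm-fixed` and `public` and the sample configuration are constructed.

```python
# Added example, not Samba code: find shares matching the thread's NOK pattern.

def norm(key):
    # smb.conf parameter names ignore case and embedded whitespace
    return "".join(key.lower().split())

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}} from smb.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def shares_needing_fix(text):
    """Return (share, force_user) pairs where the forced user is not listed by name."""
    conf = parse_smb_conf(text)
    defaults = conf.get("global", {})
    flagged = []
    for share, params in conf.items():
        if share == "global":
            continue
        merged = {**defaults, **params}   # [global] values act as share defaults
        force = merged.get("forceuser", "")
        valid = merged.get("validusers", "").replace(",", " ").split()
        # Assumption: @group/+group/&group entries are not resolved, so a forced
        # user who is only a group member is still reported for manual review.
        names = {v.lower() for v in valid if v[0] not in "@+&"}
        if force and valid and force.lower() not in names:
            flagged.append((share, force))
    return flagged

# Constructed sample: [mm] is the NOK case from the thread, [mm-fixed] the OK case.
SAMPLE = """\
[mm]
    path = /shares/mm
    valid users = @users
    force user = apache
[mm-fixed]
    Valid Users = @users apache
    force user = apache
[public]
    force user = apache
"""
print(shares_needing_fix(SAMPLE))
```

Shares with `force user` but no `valid users` restriction are not reported, since the thread only describes denial when a `valid users` list is present.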