Domain controller XY. Error was NT_STATUS_LOCK_NOT_GRANTED - After Fedora 22 Upgrade
Gerhard Wiesinger
lists at wiesinger.com
Fri Aug 7 13:01:18 UTC 2015
Any comments?
Ciao,
Gerhard
On 22.07.2015 16:22, Gerhard Wiesinger wrote:
> On 03.06.2015 14:59, Gerhard Wiesinger wrote:
>>
>> On 02.06.2015 18:12, Gerhard Wiesinger wrote:
>>> Hello,
>>>
>>> After updating from Fedora 21 to Fedora 22
>>> (samba-4.2.1-8.fc22.x86_64) I'm getting the following error message
>>> on an NT4 domain member server:
>>> Domain controller XY. Error was NT_STATUS_LOCK_NOT_GRANTED
>>>
>>> Already tried the following on DC and member server:
>>> allow nt4 crypto = yes
>>> require strong key = no
>>> client NTLMv2 auth = no
>>>
>>> What's wrong here?
>>>
>>> Thank you.
>>>
>>> Ciao,
>>> Gerhard
>>>
>>> http://www.wiesinger.com/
>>
>
>
> Andreas Schneider helped me to find out that winbind was not running
> after the Fedora 22 upgrade. Nevertheless there are further bugs
> involved.
>
> I'm getting the password dialog when accessing the share. It looks
> like there are bugs in the group mapping:
> # not OK: When group syntax is used
> valid users = @users
> # OK: When user syntax is used
> valid users = gerhard
>
> net groupmap list on DC and server looks OK (config worked for years).
>
> Looks like a bug here:
>
> [2015/06/17 12:00:55.452698, 3, pid=27060, effective(0, 0), real(0,
> 0)] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
> string_to_sid: SID @users is not in a valid format
> [2015/06/17 12:00:55.452719, 5, pid=27060, effective(0, 0), real(0,
> 0)] ../source3/auth/user_util.c:147(user_in_netgroup)
> Unable to get default yp domain, let's try without specifying it
> [2015/06/17 12:00:55.452730, 5, pid=27060, effective(0, 0), real(0,
> 0)] ../source3/auth/user_util.c:151(user_in_netgroup)
> looking for user gerhard of domain (ANY) in netgroup users
> [2015/06/17 12:00:55.452770, 10, pid=27060, effective(0, 0), real(0,
> 0)] ../source3/passdb/lookup_sid.c:77(lookup_name)
> lookup_name: BIG8\users => domain=[BIG8], name=[users]
> [2015/06/17 12:00:55.452784, 10, pid=27060, effective(0, 0), real(0,
> 0)] ../source3/passdb/lookup_sid.c:78(lookup_name)
> lookup_name: flags = 0x077
> [2015/06/17 12:00:55.452803, 4, pid=27060, effective(0, 0), real(0,
> 0)] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2015/06/17 12:00:55.452816, 4, pid=27060, effective(0, 0), real(0,
> 0)] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2015/06/17 12:00:55.452827, 4, pid=27060, effective(0, 0), real(0,
> 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2015/06/17 12:00:55.452838, 5, pid=27060, effective(0, 0), real(0,
> 0)] ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2015/06/17 12:00:55.452849, 5, pid=27060, effective(0, 0), real(0,
> 0)] ../source3/auth/token_util.c:639(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2015/06/17 12:00:55.452876, 4, pid=27060, effective(0, 0), real(0,
> 0)] ../source3/smbd/sec_ctx.c:421(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2015/06/17 12:00:55.452891, 10, pid=27060, effective(0, 0), real(0,
> 0)] ../source3/passdb/lookup_sid.c:77(lookup_name)
> lookup_name: Unix Group\users => domain=[Unix Group], name=[users]
> [2015/06/17 12:00:55.452902, 10, pid=27060, effective(0, 0), real(0,
> 0)] ../source3/passdb/lookup_sid.c:78(lookup_name)
> lookup_name: flags = 0x077
> [2015/06/17 12:00:55.455228, 10, pid=27060, effective(0, 0), real(0,
> 0)] ../source3/smbd/share_access.c:215(user_ok_token)
> User gerhard not in 'valid users'
> [2015/06/17 12:00:55.455249, 2, pid=27060, effective(0, 0), real(0,
> 0)] ../source3/smbd/service.c:419(create_connection_session_info)
> user 'gerhard' (from session setup) not permitted to access this
> share (mmincoming)
> [2015/06/17 12:00:55.455264, 1, pid=27060, effective(0, 0), real(0,
> 0)] ../source3/smbd/service.c:552(make_connection_snum)
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
>
> Strange things here:
> - string_to_sid: SID @users is not in a valid format => seems to be
> the main issue
> - User gerhard not in 'valid users' => access denied is therefore
> quite logical.
>
> Had similar problems at a previous Fedora upgrade with Samba:
> http://t222459.network-samba-internals.networkforum.info/samba-4-1-6-not-working-after-upgrade-from-3-6-x-fedora-20-t222459.html
>
>
> Changes between 4.1.17 and 4.2.2 which might be the cause in the
> function dom_sid_parse() are listed below.
>
> Any ideas or fixes?
>
> Thank you.
>
> Ciao,
> Gerhard
>
> http://www.wiesinger.com/
>
> @@ -564,24 +576,44 @@ struct security_ace
> *security_ace_create(TALLOC_CTX *mem_ctx,
> uint8_t flags)
>
> {
> - struct dom_sid *sid;
> struct security_ace *ace;
> + bool ok;
>
> ace = talloc_zero(mem_ctx, struct security_ace);
> if (ace == NULL) {
> return NULL;
> }
>
> - sid = dom_sid_parse_talloc(ace, sid_str);
> - if (sid == NULL) {
> + ok = dom_sid_parse(sid_str, &ace->trustee);
> + if (!ok) {
> talloc_free(ace);
> return NULL;
> }
> -
> - ace->trustee = *sid;
> ace->type = type;
> ace->access_mask = access_mask;
> ace->flags = flags;
>
> return ace;
>
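Review bot: in security_ace_create, nothing in the visible lines rejects a NULL sid_str before `ok = dom_sid_parse(sid_str, &ace->trustee);`, so the function depends on dom_sid_parse() to cope with it; either test it next to the `ace == NULL` check or state the requirement in the function's comment. Parsing directly into ace->trustee is safe here because the ace is freed on the failure path, and the visible change is in where the parsed SID is stored.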
> --- a/libcli/security/security_token.c
> +++ b/libcli/security/security_token.c
> @@ -84,12 +84,14 @@ bool security_token_is_sid(const struct
> security_token *token, const struct dom_
> bool security_token_is_sid_string(const struct security_token *token,
> const char *sid_string)
> {
> bool ret;
> - struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string);
> - if (!sid) return false;
> + struct dom_sid sid;
>
> - ret = security_token_is_sid(token, sid);
> + ret = dom_sid_parse(sid_string, &sid);
> + if (!ret) {
> + return false;
> + }
>
> - talloc_free(sid);
> + ret = security_token_is_sid(token, &sid);
> return ret;
> }
>
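Review bot: `ret` in security_token_is_sid_string now carries two unrelated results, first the parse status from dom_sid_parse() and then the answer from security_token_is_sid(). A separate `bool ok` for the parse, as the security_ace_create hunk uses, would keep them apart and let the function end with `return security_token_is_sid(token, &sid);`.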
> @@ -117,12 +119,14 @@ bool security_token_has_sid(const struct
> security_token *token, const struct dom
> bool security_token_has_sid_string(const struct security_token
> *token, const char *sid_string)
> {
> bool ret;
> - struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string);
> - if (!sid) return false;
> + struct dom_sid sid;
>
> - ret = security_token_has_sid(token, sid);
> + ret = dom_sid_parse(sid_string, &sid);
> + if (!ret) {
> + return false;
> + }
>
> - talloc_free(sid);
> + ret = security_token_has_sid(token, &sid);
> return ret;
> }
>
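Review bot: security_token_has_sid_string returns false from the `if (!ret) { return false; }` branch when sid_string does not parse and also returns false when the SID is absent from the token, so the caller cannot tell a malformed string from a missing SID; a one-line comment on the function saying that an unparsable string counts as "not present" would document that. Apart from the final call the body is now identical to security_token_is_sid_string, so a small shared parse helper would remove the duplication.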
> static void wbc_id_to_sid_done(struct tevent_req *subreq)
> {
> - NTSTATUS status = composite_wait(ctx);
> - DEBUG(5, ("wbc_sids_to_xids_recv called\n"));
> - if (NT_STATUS_IS_OK(status)) {
> - struct wbc_idmap_state *state = talloc_get_type_abort(
> - ctx->private_data,
> - struct wbc_idmap_state);
> - *ids = state->ids;
> + struct tevent_req *req = tevent_req_callback_data(
> + subreq, struct tevent_req);
> + struct wbc_id_to_sid_state *state = tevent_req_data(
> + req, struct wbc_id_to_sid_state);
> + struct winbindd_response *wbresp;
> + int ret, err;
> +
> + ret = wb_simple_trans_recv(subreq, state, &wbresp, &err);
> + TALLOC_FREE(subreq);
> + if (ret == -1) {
> + tevent_req_error(req, err);
> + return;
> }
> + if ((wbresp->result != WINBINDD_OK) ||
> + !dom_sid_parse(wbresp->data.sid.sid, &state->sid)) {
> + tevent_req_error(req, ENOENT);
> + return;
> + }
> + tevent_req_done(req);
> +}
>
>
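Review bot: in wbc_id_to_sid_done the test `(wbresp->result != WINBINDD_OK) || !dom_sid_parse(wbresp->data.sid.sid, &state->sid)` reports a failed winbindd lookup and an unparsable SID string in the reply with the same ENOENT. Splitting the condition and using a different errno for the malformed reply (EINVAL, for example) would keep the two cases distinguishable. The removed DEBUG(5, ...) line has no replacement, so a debug message on each error path would help when tracing ID-to-SID lookups.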
More information about the samba-technical
mailing list
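Added example (not part of the original post and not Samba's code): a minimal SID-string parser in C, showing why a `valid users` entry such as `@users` fails the SID parse that the quoted log reports before the netgroup and group lookups run. `struct sid`, `parse_sid_string` and `classify_entry` are hypothetical names; fields are decimal only, the `+` and `&` prefixes are the group prefixes documented in smb.conf(5), and the SID-first order is modelled on the order of the log lines above.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#define MAX_SUBAUTHS 15   /* a SID carries at most 15 sub-authorities */

enum entry_kind { ENTRY_SID, ENTRY_GROUP, ENTRY_USER };
struct sid {              /* hypothetical type, not Samba's struct dom_sid */
    uint8_t  revision, num_auths;
    uint64_t authority;   /* 48-bit identifier authority */
    uint32_t sub_auths[MAX_SUBAUTHS];
};

/* Read one decimal field; rejects signs, spaces, empty and oversized fields. */
static bool read_field(const char **p, uint64_t max, uint64_t *out)
{
    char *end;
    if (!isdigit((unsigned char)**p)) return false;
    unsigned long long v = strtoull(*p, &end, 10);
    *out = v;
    *p = end;
    return v <= max;
}

/* Parse "S-<rev>-<authority>[-<subauth>...]"; anything else is not a SID. */
bool parse_sid_string(const char *s, struct sid *sid)
{
    uint64_t v;
    if (s == NULL || (s[0] != 'S' && s[0] != 's') || s[1] != '-') return false;
    s += 2;
    if (!read_field(&s, UINT8_MAX, &v) || *s++ != '-') return false;
    sid->revision = (uint8_t)v;
    if (!read_field(&s, 0xFFFFFFFFFFFFULL, &v)) return false;
    sid->authority = v;
    sid->num_auths = 0;
    while (*s == '-') {
        s++;
        if (sid->num_auths == MAX_SUBAUTHS || !read_field(&s, UINT32_MAX, &v)) return false;
        sid->sub_auths[sid->num_auths++] = (uint32_t)v;
    }
    return *s == '\0';    /* trailing characters make the string invalid */
}

/* Simplified model: try the entry as a SID first, then as a group, else a user. */
enum entry_kind classify_entry(const char *e)
{
    struct sid tmp;
    if (parse_sid_string(e, &tmp)) return ENTRY_SID;
    return (e && (*e == '@' || *e == '+' || *e == '&')) ? ENTRY_GROUP : ENTRY_USER;
}
```

With this model, a failed SID parse for `@users` is the expected first step and says nothing by itself about whether the later group-membership lookup succeeds.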