Domain controller XY. Error was NT_STATUS_LOCK_NOT_GRANTED - After Fedora 22 Upgrade
Gerhard Wiesinger
lists at wiesinger.com
Tue Dec 8 12:04:03 UTC 2015
Any comments on how to fix this major bug with groups?
Ciao,
Gerhard
On 07.08.2015 15:01, Gerhard Wiesinger wrote:
> Any comments?
>
> Ciao,
> Gerhard
>
> On 22.07.2015 16:22, Gerhard Wiesinger wrote:
>> On 03.06.2015 14:59, Gerhard Wiesinger wrote:
>>>
>>> On 02.06.2015 18:12, Gerhard Wiesinger wrote:
>>>> Hello,
>>>>
>>>> After updating from Fedora 21 to Fedora 22
>>>> (samba-4.2.1-8.fc22.x86_64) I'm getting on a NT4 domain member
>>>> server the following error message:
>>>> Domain controller XY. Error was NT_STATUS_LOCK_NOT_GRANTED
>>>>
>>>> Already tried the following on DC and member server:
>>>> allow nt4 crypto = yes
>>>> require strong key = no
>>>> client NTLMv2 auth = no
>>>>
>>>> What's wrong here?
>>>>
>>>> Thank you.
>>>>
>>>> Ciao,
>>>> Gerhard
>>>>
>>>> http://www.wiesinger.com/
>>>
>>
>>
>> Andreas Schneider helped me to find out that winbind was not running
>> after the Fedora 22 upgrade. Nevertheless there are further bugs
>> involved.
>>
>> I'm getting the password dialog when accessing the share. It looks
>> like that there are bugs in the group mapping:
>> # not OK: When group syntax is used
>> valid users = @users
>> # OK: When user syntax is used
>> valid users = gerhard
>>
>> net groupmap list on DC and server look ok (config worked for years).
>>
>> Looks like a bug here:
>>
>> [2015/06/17 12:00:55.452698, 3, pid=27060, effective(0, 0), real(0,
>> 0)] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
>> string_to_sid: SID @users is not in a valid format
>> [2015/06/17 12:00:55.452719, 5, pid=27060, effective(0, 0), real(0,
>> 0)] ../source3/auth/user_util.c:147(user_in_netgroup)
>> Unable to get default yp domain, let's try without specifying it
>> [2015/06/17 12:00:55.452730, 5, pid=27060, effective(0, 0), real(0,
>> 0)] ../source3/auth/user_util.c:151(user_in_netgroup)
>> looking for user gerhard of domain (ANY) in netgroup users
>> [2015/06/17 12:00:55.452770, 10, pid=27060, effective(0, 0), real(0,
>> 0)] ../source3/passdb/lookup_sid.c:77(lookup_name)
>> lookup_name: BIG8\users => domain=[BIG8], name=[users]
>> [2015/06/17 12:00:55.452784, 10, pid=27060, effective(0, 0), real(0,
>> 0)] ../source3/passdb/lookup_sid.c:78(lookup_name)
>> lookup_name: flags = 0x077
>> [2015/06/17 12:00:55.452803, 4, pid=27060, effective(0, 0), real(0,
>> 0)] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>> [2015/06/17 12:00:55.452816, 4, pid=27060, effective(0, 0), real(0,
>> 0)] ../source3/smbd/uid.c:491(push_conn_ctx)
>> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>> [2015/06/17 12:00:55.452827, 4, pid=27060, effective(0, 0), real(0,
>> 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>> [2015/06/17 12:00:55.452838, 5, pid=27060, effective(0, 0), real(0,
>> 0)] ../libcli/security/security_token.c:53(security_token_debug)
>> Security token: (NULL)
>> [2015/06/17 12:00:55.452849, 5, pid=27060, effective(0, 0), real(0,
>> 0)] ../source3/auth/token_util.c:639(debug_unix_user_token)
>> UNIX token of user 0
>> Primary group is 0 and contains 0 supplementary groups
>> [2015/06/17 12:00:55.452876, 4, pid=27060, effective(0, 0), real(0,
>> 0)] ../source3/smbd/sec_ctx.c:421(pop_sec_ctx)
>> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2015/06/17 12:00:55.452891, 10, pid=27060, effective(0, 0), real(0,
>> 0)] ../source3/passdb/lookup_sid.c:77(lookup_name)
>> lookup_name: Unix Group\users => domain=[Unix Group], name=[users]
>> [2015/06/17 12:00:55.452902, 10, pid=27060, effective(0, 0), real(0,
>> 0)] ../source3/passdb/lookup_sid.c:78(lookup_name)
>> lookup_name: flags = 0x077
>> [2015/06/17 12:00:55.455228, 10, pid=27060, effective(0, 0), real(0,
>> 0)] ../source3/smbd/share_access.c:215(user_ok_token)
>> User gerhard not in 'valid users'
>> [2015/06/17 12:00:55.455249, 2, pid=27060, effective(0, 0), real(0,
>> 0)] ../source3/smbd/service.c:419(create_connection_session_info)
>> user 'gerhard' (from session setup) not permitted to access this
>> share (mmincoming)
>> [2015/06/17 12:00:55.455264, 1, pid=27060, effective(0, 0), real(0,
>> 0)] ../source3/smbd/service.c:552(make_connection_snum)
>> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
>>
>> Strange things here:
>> - string_to_sid: SID @users is not in a valid format => seems to be
>> the main issue
>> - User gerhard not in 'valid users' => access denied is therefore
>> quite logical.
>>
>> Had similar problems at a previous Fedora upgrade with Samba:
>> http://t222459.network-samba-internals.networkforum.info/samba-4-1-6-not-working-after-upgrade-from-3-6-x-fedora-20-t222459.html
>>
>>
>> Changes between 4.1.17 and 4.2.2 which might be the cause in the
>> function dom_sid_parse() are listed below.
>>
>> Any ideas or fixes?
>>
>> Thank you.
>>
>> Ciao,
>> Gerhard
>>
>> http://www.wiesinger.com/
>>
>> @@ -564,24 +576,44 @@ struct security_ace
>> *security_ace_create(TALLOC_CTX *mem_ctx,
>> uint8_t flags)
>>
>> {
>> - struct dom_sid *sid;
>> struct security_ace *ace;
>> + bool ok;
>>
>> ace = talloc_zero(mem_ctx, struct security_ace);
>> if (ace == NULL) {
>> return NULL;
>> }
>>
>> - sid = dom_sid_parse_talloc(ace, sid_str);
>> - if (sid == NULL) {
>> + ok = dom_sid_parse(sid_str, &ace->trustee);
>> + if (!ok) {
>> talloc_free(ace);
>> return NULL;
>> }
>> -
>> - ace->trustee = *sid;
>> ace->type = type;
>> ace->access_mask = access_mask;
>> ace->flags = flags;
>>
>> return ace;
>>
>> --- a/libcli/security/security_token.c
>> +++ b/libcli/security/security_token.c
>> @@ -84,12 +84,14 @@ bool security_token_is_sid(const struct
>> security_token *token, const struct dom_
>> bool security_token_is_sid_string(const struct security_token
>> *token, const char *sid_string)
>> {
>> bool ret;
>> - struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string);
>> - if (!sid) return false;
>> + struct dom_sid sid;
>>
>> - ret = security_token_is_sid(token, sid);
>> + ret = dom_sid_parse(sid_string, &sid);
>> + if (!ret) {
>> + return false;
>> + }
>>
>> - talloc_free(sid);
>> + ret = security_token_is_sid(token, &sid);
>> return ret;
>> }
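Review bot: The new early return in security_token_is_sid_string() reports a malformed `sid_string` as `false`, which a caller cannot tell apart from a well-formed SID that is simply absent from the token; the same applies to security_token_has_sid_string() in the next hunk. Failing closed is the right default for an access check, but it should be stated, for example with `/* A sid_string that does not parse is treated as "no match". */` above the `dom_sid_parse()` call. The removed lines also returned false when `dom_sid_parse_talloc()` failed, so the result for an unparsable string such as the `@users` entry in the log above is the same before and after this hunk, which makes it an unlikely source of the regression on its own.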
>>
>> @@ -117,12 +119,14 @@ bool security_token_has_sid(const struct
>> security_token *token, const struct dom
>> bool security_token_has_sid_string(const struct security_token
>> *token, const char *sid_string)
>> {
>> bool ret;
>> - struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string);
>> - if (!sid) return false;
>> + struct dom_sid sid;
>>
>> - ret = security_token_has_sid(token, sid);
>> + ret = dom_sid_parse(sid_string, &sid);
>> + if (!ret) {
>> + return false;
>> + }
>>
>> - talloc_free(sid);
>> + ret = security_token_has_sid(token, &sid);
>> return ret;
>> }
>>
>> static void wbc_id_to_sid_done(struct tevent_req *subreq)
>> {
>> - NTSTATUS status = composite_wait(ctx);
>> - DEBUG(5, ("wbc_sids_to_xids_recv called\n"));
>> - if (NT_STATUS_IS_OK(status)) {
>> - struct wbc_idmap_state *state = talloc_get_type_abort(
>> - ctx->private_data,
>> - struct wbc_idmap_state);
>> - *ids = state->ids;
>> + struct tevent_req *req = tevent_req_callback_data(
>> + subreq, struct tevent_req);
>> + struct wbc_id_to_sid_state *state = tevent_req_data(
>> + req, struct wbc_id_to_sid_state);
>> + struct winbindd_response *wbresp;
>> + int ret, err;
>> +
>> + ret = wb_simple_trans_recv(subreq, state, &wbresp, &err);
>> + TALLOC_FREE(subreq);
>> + if (ret == -1) {
>> + tevent_req_error(req, err);
>> + return;
>> }
>> + if ((wbresp->result != WINBINDD_OK) ||
>> + !dom_sid_parse(wbresp->data.sid.sid, &state->sid)) {
>> + tevent_req_error(req, ENOENT);
>> + return;
>> + }
>> + tevent_req_done(req);
>> +}
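Review bot: The combined condition in wbc_id_to_sid_done() maps two different failures to `ENOENT`: winbindd answering with something other than `WINBINDD_OK`, and winbindd returning a SID string that `dom_sid_parse()` rejects. The second case means the response itself is malformed, and reporting it as "no such entry" hides that from whoever reads the error or the logs. Splitting the test so the parse failure uses its own code, e.g. `if (!dom_sid_parse(wbresp->data.sid.sid, &state->sid)) { tevent_req_error(req, EINVAL); return; }`, would keep the two apart. This fragment is shown without its `@@` header and its removed lines appear to come from a different function, so the surrounding context could not be checked.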
>>
>>
>
>