Domain controller XY. Error was NT_STATUS_LOCK_NOT_GRANTED - After Fedora 22 Upgrade

Gerhard Wiesinger lists at wiesinger.com
Wed Jul 22 14:22:28 UTC 2015


On 03.06.2015 14:59, Gerhard Wiesinger wrote:
>
> On 02.06.2015 18:12, Gerhard Wiesinger wrote:
>> Hello,
>>
>> After updating from Fedora 21 to Fedora 22 
>> (samba-4.2.1-8.fc22.x86_64) I'm getting the following error message 
>> on an NT4 domain member server:
>> Domain controller XY. Error was NT_STATUS_LOCK_NOT_GRANTED
>>
>> Already tried the following on DC and member server:
>> allow nt4 crypto = yes
>> require strong key = no
>> client NTLMv2 auth = no
>>
>> What's wrong here?
>>
>> Thank you.
>>
>> Ciao,
>> Gerhard
>>
>> http://www.wiesinger.com/
>


Andreas Schneider helped me to find out that winbind was not running 
after the Fedora 22 upgrade. Nevertheless there are further bugs involved.

I'm getting the password dialog when accessing the share. It looks like 
there are bugs in the group mapping:
# not OK: When group syntax is used
valid users = @users
# OK: When user syntax is used
valid users = gerhard

net groupmap list on DC and server look ok (config worked for years).

Looks like a bug here:

[2015/06/17 12:00:55.452698,  3, pid=27060, effective(0, 0), real(0, 0)] 
../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
   string_to_sid: SID @users is not in a valid format
[2015/06/17 12:00:55.452719,  5, pid=27060, effective(0, 0), real(0, 0)] 
../source3/auth/user_util.c:147(user_in_netgroup)
   Unable to get default yp domain, let's try without specifying it
[2015/06/17 12:00:55.452730,  5, pid=27060, effective(0, 0), real(0, 0)] 
../source3/auth/user_util.c:151(user_in_netgroup)
   looking for user gerhard of domain (ANY) in netgroup users
[2015/06/17 12:00:55.452770, 10, pid=27060, effective(0, 0), real(0, 0)] 
../source3/passdb/lookup_sid.c:77(lookup_name)
   lookup_name: BIG8\users => domain=[BIG8], name=[users]
[2015/06/17 12:00:55.452784, 10, pid=27060, effective(0, 0), real(0, 0)] 
../source3/passdb/lookup_sid.c:78(lookup_name)
   lookup_name: flags = 0x077
[2015/06/17 12:00:55.452803,  4, pid=27060, effective(0, 0), real(0, 0)] 
../source3/smbd/sec_ctx.c:216(push_sec_ctx)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2015/06/17 12:00:55.452816,  4, pid=27060, effective(0, 0), real(0, 0)] 
../source3/smbd/uid.c:491(push_conn_ctx)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2015/06/17 12:00:55.452827,  4, pid=27060, effective(0, 0), real(0, 0)] 
../source3/smbd/sec_ctx.c:316(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2015/06/17 12:00:55.452838,  5, pid=27060, effective(0, 0), real(0, 0)] 
../libcli/security/security_token.c:53(security_token_debug)
   Security token: (NULL)
[2015/06/17 12:00:55.452849,  5, pid=27060, effective(0, 0), real(0, 0)] 
../source3/auth/token_util.c:639(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2015/06/17 12:00:55.452876,  4, pid=27060, effective(0, 0), real(0, 0)] 
../source3/smbd/sec_ctx.c:421(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2015/06/17 12:00:55.452891, 10, pid=27060, effective(0, 0), real(0, 0)] 
../source3/passdb/lookup_sid.c:77(lookup_name)
   lookup_name: Unix Group\users => domain=[Unix Group], name=[users]
[2015/06/17 12:00:55.452902, 10, pid=27060, effective(0, 0), real(0, 0)] 
../source3/passdb/lookup_sid.c:78(lookup_name)
   lookup_name: flags = 0x077
[2015/06/17 12:00:55.455228, 10, pid=27060, effective(0, 0), real(0, 0)] 
../source3/smbd/share_access.c:215(user_ok_token)
   User gerhard not in 'valid users'
[2015/06/17 12:00:55.455249,  2, pid=27060, effective(0, 0), real(0, 0)] 
../source3/smbd/service.c:419(create_connection_session_info)
   user 'gerhard' (from session setup) not permitted to access this 
share (mmincoming)
[2015/06/17 12:00:55.455264,  1, pid=27060, effective(0, 0), real(0, 0)] 
../source3/smbd/service.c:552(make_connection_snum)
   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

Strange things here:
- string_to_sid: SID @users is not in a valid format => seems to be the 
main issue
- User gerhard not in 'valid users' => the access denied therefore 
follows quite logically.

Had similar problems at a previous Fedora upgrade with Samba:
http://t222459.network-samba-internals.networkforum.info/samba-4-1-6-not-working-after-upgrade-from-3-6-x-fedora-20-t222459.html

Changes between 4.1.17 and 4.2.2 that might be the cause, in the 
function dom_sid_parse(), are listed below.

Any ideas or fixes?

Thank you.

Ciao,
Gerhard

http://www.wiesinger.com/

@@ -564,24 +576,44 @@ struct security_ace 
*security_ace_create(TALLOC_CTX *mem_ctx,
                       uint8_t flags)

  {
-    struct dom_sid *sid;
      struct security_ace *ace;
+    bool ok;

      ace = talloc_zero(mem_ctx, struct security_ace);
      if (ace == NULL) {
          return NULL;
      }

-    sid = dom_sid_parse_talloc(ace, sid_str);
-    if (sid == NULL) {
+    ok = dom_sid_parse(sid_str, &ace->trustee);
+    if (!ok) {
          talloc_free(ace);
          return NULL;
      }
-
-    ace->trustee = *sid;
      ace->type = type;
      ace->access_mask = access_mask;
      ace->flags = flags;

      return ace;

--- a/libcli/security/security_token.c
+++ b/libcli/security/security_token.c
@@ -84,12 +84,14 @@ bool security_token_is_sid(const struct 
security_token *token, const struct dom_
  bool security_token_is_sid_string(const struct security_token *token, 
const char *sid_string)
  {
      bool ret;
-    struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string);
-    if (!sid) return false;
+    struct dom_sid sid;

-    ret = security_token_is_sid(token, sid);
+    ret = dom_sid_parse(sid_string, &sid);
+    if (!ret) {
+        return false;
+    }

-    talloc_free(sid);
+    ret = security_token_is_sid(token, &sid);
      return ret;
  }
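Review bot: `ret` is reused on the new lines for two different results — the parse outcome of `dom_sid_parse` and the membership answer from `security_token_is_sid` — so a false return no longer tells the caller or a reader whether sid_string was malformed or simply is not the token's SID. The security_ace_create hunk above keeps a separate `bool ok` for the parse; doing the same here, `bool ok = dom_sid_parse(sid_string, &sid); if (!ok) { return false; }`, keeps the two outcomes apart and is consistent across the commit. security_token_has_sid_string in the next hunk has the same shape. A one-line comment such as `/* An unparseable sid_string is reported as "not this SID"; callers cannot tell the two apart. */` above the parse would document the conflation for callers that use this in access decisions.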

@@ -117,12 +119,14 @@ bool security_token_has_sid(const struct 
security_token *token, const struct dom
  bool security_token_has_sid_string(const struct security_token *token, 
const char *sid_string)
  {
      bool ret;
-    struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string);
-    if (!sid) return false;
+    struct dom_sid sid;

-    ret = security_token_has_sid(token, sid);
+    ret = dom_sid_parse(sid_string, &sid);
+    if (!ret) {
+        return false;
+    }

-    talloc_free(sid);
+    ret = security_token_has_sid(token, &sid);
      return ret;
  }

  static void wbc_id_to_sid_done(struct tevent_req *subreq)
  {
-    NTSTATUS status = composite_wait(ctx);
-        DEBUG(5, ("wbc_sids_to_xids_recv called\n"));
-    if (NT_STATUS_IS_OK(status)) {
-        struct wbc_idmap_state *state =    talloc_get_type_abort(
-                            ctx->private_data,
-                            struct wbc_idmap_state);
-        *ids = state->ids;
+    struct tevent_req *req = tevent_req_callback_data(
+        subreq, struct tevent_req);
+    struct wbc_id_to_sid_state *state = tevent_req_data(
+        req, struct wbc_id_to_sid_state);
+    struct winbindd_response *wbresp;
+    int ret, err;
+
+    ret = wb_simple_trans_recv(subreq, state, &wbresp, &err);
+    TALLOC_FREE(subreq);
+    if (ret == -1) {
+        tevent_req_error(req, err);
+        return;
      }
+    if ((wbresp->result != WINBINDD_OK) ||
+        !dom_sid_parse(wbresp->data.sid.sid, &state->sid)) {
+        tevent_req_error(req, ENOENT);
+        return;
+    }
+    tevent_req_done(req);
+}
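Review bot: A reply whose `data.sid.sid` string does not parse is reported on the new `tevent_req_error(req, ENOENT)` line with the same code as a lookup miss, so a malformed or truncated response from winbindd is indistinguishable from "no mapping" both to the caller and to anyone diagnosing it from the error. Splitting the combined condition so that `wbresp->result != WINBINDD_OK` yields ENOENT while a failed `dom_sid_parse` yields EINVAL (optionally with a `DEBUG` line naming the rejected string) preserves that distinction. The hunk also does not show whether `wbresp->data.sid.sid` is guaranteed NUL-terminated by `wb_simple_trans_recv`; `dom_sid_parse` consumes it as a C string, so that should be confirmed or enforced before the parse. The hunk's `@@` header is not part of the quoted excerpt.
```c
    ret = wb_simple_trans_recv(subreq, state, &wbresp, &err);
    TALLOC_FREE(subreq);
    /* … unchanged: ret == -1 handling … */
    if (wbresp->result != WINBINDD_OK) {
        tevent_req_error(req, ENOENT);
        return;
    }
    if (!dom_sid_parse(wbresp->data.sid.sid, &state->sid)) {
        /* malformed reply, not a miss: keep it distinguishable for callers and logs */
        tevent_req_error(req, EINVAL);
        return;
    }
    tevent_req_done(req);
```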



