Samba 2.2.0 -- host access by netgroup is failing to look up host by
name (was Re: samba 2.2.0: host access by netgroup)
Eric Boehm
boehm at nortelnetworks.com
Thu Apr 19 12:16:25 GMT 2001
On Wed, Apr 18, 2001 at 10:08:03AM -0500, Gerald Carter wrote:
>>>>> "Gerald" == Gerald Carter <gcarter at valinux.com> writes:
>>>>> "Christopher" == Christopher Odenbach <odenbach at hni.uni-paderborn.de> writes:
Jerry> I am just fiddling with 2.2.0 final. I am having trouble with the
Jerry> config files I used with 2.2.0alpha3:
Christopher> check_access: no hostnames in host allow/deny list.
Christopher> [2001/04/18 12:33:37, 3] smbd/server.c:exit_server(473)
Christopher> Server exit (connection denied)
Christopher> [2001/04/18 12:33:37, 5] lib/access.c:string_match(89)
Christopher> looking for 131.234.166.51 of domain hni in netgroup hni_hosts gave No
Christopher> [2001/04/18 12:33:37, 0] lib/access.c:check_access(324)
Christopher> Denied connection from (131.234.166.51)
Christopher> [2001/04/18 12:33:37, 1] smbd/process.c:process_smb(824)
Christopher> Connection denied from 131.234.166.51
Jerry> Looking at your config files, this doesn't make a lot of sense to
Jerry> me (your problem that is). All that is there is
Jerry> hosts allow = @hni_hosts
Jerry> The debug messages above 'no hostnames in host allow/deny list'
Jerry> should only be printed if only_ipaddrs_in_list() returns True on
Jerry> both the allow list and the deny list.
Jerry> Can you send me a larger excerpt of the log for only the client
Jerry> that is denied (log file = /var/log/log.%m)?
I have the same problem. I set debug level to 5 and traced access for samba
2.0.7 and samba 2.2.0. It appears to me that samba 2.2.0 is failing to try
lookup by name in the netgroup after lookup by address fails. I haven't had
time to go into the code and figure out why (yet).
Here are excerpts from the two log files:
Samba 2.0.7:
[2001/04/18 14:19:28, 3, pid=29855] smbd/process.c:(448)
switch message SMBtconX (pid 29855)
[2001/04/18 14:19:28, 4, pid=29855] smbd/reply.c:(311)
Got device type ?????
[2001/04/18 14:19:28, 5, pid=29855] lib/access.c:(89)
looking for 47.142.164.249 of domain bnrrtp in netgroup IDE_CLEARCASE_HOSTS gave No
As you can see, lookup is first by IP address
[2001/04/18 14:19:28, 5, pid=29855] lib/access.c:(89)
looking for wnc0s00u of domain bnrrtp in netgroup IDE_CLEARCASE_HOSTS gave Yes
and then by hostname
[2001/04/18 14:19:28, 2, pid=29855] lib/access.c:(258)
Allowed connection from wnc0s00u (47.142.164.249)
[2001/04/18 14:19:28, 5, pid=29855] lib/username.c:(250)
looking for user boehm of domain bnrrtp in netgroup IDE_CLEARCASE_USERS
[2001/04/18 14:19:28, 5, pid=29855] lib/username.c:(253)
innetgr is TRUE
[2001/04/18 14:19:28, 5, pid=29855] lib/username.c:(250)
looking for user boehm of domain bnrrtp in netgroup IDE_CLEARCASE_USERS
[2001/04/18 14:19:28, 5, pid=29855] lib/username.c:(253)
innetgr is TRUE
[2001/04/18 14:19:28, 3, pid=29855] smbd/password.c:(759)
ACCEPTED: validated uid ok as non-guest
Verifies my username (several times?)
[2001/04/18 14:19:28, 5, pid=29855] lib/username.c:(250)
looking for user boehm of domain bnrrtp in netgroup IDE_CLEARCASE_USERS
[2001/04/18 14:19:28, 5, pid=29855] lib/username.c:(253)
innetgr is TRUE
[2001/04/18 14:19:28, 3, pid=29855] smbd/service.c:(441)
Connect path is /usr
[2001/04/18 14:19:28, 3, pid=29855] smbd/password.c:(192)
boehm is in 14 groups: 2245, 0, 3, 1058, 4417, 2608, 4378, 291, 2938, 602, 333, 4323, 2635, 3675
[2001/04/18 14:19:28, 5, pid=29855] smbd/connection.c:(137)
trying claim /usr/local/samba/var/locks STATUS. 100000
[2001/04/18 14:19:28, 5, pid=29855] lib/username.c:(250)
looking for user boehm of domain bnrrtp in netgroup IDE_CLEARCASE_USERS
[2001/04/18 14:19:28, 5, pid=29855] lib/username.c:(253)
innetgr is TRUE
Verifies my username again (why wasn't above enough?)
[2001/04/18 14:19:28, 5, pid=29855] smbd/uid.c:(264)
become_user uid=(0,20718) gid=(0,2245)
[2001/04/18 14:19:28, 3, pid=29855] lib/doscalls.c:(342)
dos_ChDir to /usr
[2001/04/18 14:19:28, 1, pid=29855] smbd/service.c:(550)
wnc0s00u (47.142.164.249) connect to service usr as user boehm (uid=20718, gid=2245) (pid 29855)
Connection is successful
Samba 2.2.0
[2001/04/18 14:58:15, 4, pid=9070] smbd/reply.c:(315)
Got device type ?????
[2001/04/18 14:58:15, 3, pid=9070] lib/access.c:(304)
check_access: no hostnames in host allow/deny list.
This is the error. The netgroup contains both IP addresses and hostnames.
[2001/04/18 14:58:15, 5, pid=9070] lib/access.c:(89)
looking for 47.142.164.249 of domain bnrrtp in netgroup IDE_CLEARCASE_HOSTS gave No
Lookup by IP address fails and no further attempts are made.
[2001/04/18 14:58:15, 0, pid=9070] lib/access.c:(324)
Denied connection from (47.142.164.249)
[2001/04/18 14:58:15, 3, pid=9070] smbd/error.c:(141)
error packet at line 165 cmd=117 (SMBtconX) eclass=2 ecode=4
[2001/04/18 14:58:15, 5, pid=9070] lib/util.c:(292)
size=35
smb_com=0x75
smb_rcls=2
smb_reh=0
smb_err=4
smb_flg=136
smb_flg2=1
[2001/04/18 14:58:15, 5, pid=9070] lib/util.c:(298)
smb_tid=0
smb_pid=9069
smb_uid=100
smb_mid=1
smt_wct=0
[2001/04/18 14:58:15, 5, pid=9070] lib/util.c:(308)
smb_bcc=0
[2001/04/18 14:58:15, 3, pid=9070] smbd/process.c:(1055)
end of file from client
[2001/04/18 14:58:15, 3, pid=9070] smbd/sec_ctx.c:(310)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2001/04/18 14:58:15, 5, pid=9070] smbd/uid.c:(217)
unbecome_user now uid=(0,0) gid=(0,0)
[2001/04/18 14:58:15, 2, pid=9070] smbd/server.c:(440)
Closing connections
[2001/04/18 14:58:15, 3, pid=9070] smbd/connection.c:(54)
Yielding connection to
[2001/04/18 14:58:15, 3, pid=9070] smbd/server.c:(473)
Server exit (normal exit)
Looking at lib/access.c, it appears that if it finds one IP address in the
netgroup, it assumes that the whole netgroup is only IP addresses.
At least, that's my guess. I don't have time right now to recompile with
debugging and step through it.
This is Samba on Solaris 8.
My smb.conf files are included below:
Let me know if I should submit a separate bug report.
--
Eric M. Boehm boehm at nortelnetworks.com
smb.conf:
# Global parameters
client code page = 437
# Samba requests 10000 but Solaris has only 1014 to spare
#max open files = 1014
comment = "Samba %v server"
share modes = yes
getwd cache = yes
browseable = yes
load printers = no
local master = no
log file = /usr/local/samba/var/log.%m-%v
username map = /usr/local/samba/lib/username.map
debug pid = yes
dead time = 30
debug level = 5
socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=32768 SO_RCVBUF=32768
include = /usr/local/samba/lib/smb.conf.global.%h
include = /usr/local/samba/lib/smb.conf.shares.%h
smb.conf.global.wnc0s00u:
# if security = domain, then password server = * and workgroup is the
# domain of the machine account resource domain
# workgroup = <machine-account-resource domain>
# security = domain
# password server = *
# if security = server, then password server = PDC, BDC ...
# where PDC and BDC are primary and backup domain controllers of
# the user account resource domain
workgroup = AMERICASE
security = server
password server = ZRTPD01T, NRTPDE11, NRTPDE10, NRTPI915, PCNTRTP01, PCNTRTP02
wins server = 47.156.160.179
encrypt passwords = yes
server string = "Test Samba server %h (%L), Samba"
#interfaces = "47.111.65.76/20"
#netbios aliases = <alias1> <alias2>
smb.conf.shares.wnc0s00u
[usr]
comment = brtpsfac /usr
path = /usr
#admin users = vobadm7b albd
hosts allow = @IDE_CLEARCASE_HOSTS
valid users = @IDE_CLEARCASE_USERS
guest ok = no
oplocks = No
directory mask = 0775
map archive = No
writeable = yes
[juliemc]
comment = Auspex home directories
path=/home/juliemc
valid users = @SPM_ADM_USERS
guest ok = No
oplocks = No
directory mask = 0775
map archive = No
writeable = Yes
[boehm]
comment = Auspex home directories
path=/home/boehm
valid users = @SPM_ADM_USERS
guest ok = No
oplocks = No
directory mask = 0775
map archive = No
writeable = Yes
[vnc]
comment =Virtual Network Computing software
path = /usr/local2/software/archive/VNC
hosts allow = @IDE_CLEARCASE_HOSTS
valid users = @IDE_CLEARCASE_USERS
guest ok = no
oplocks = No
directory mask = 0775
map archive = No
writeable = yes
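
Added example, not part of the original post and not Samba code: a Python triage script that groups debug-level-5 smbd log lines by pid and flags connections that were denied after the netgroup was queried by IP address only, which is the pattern shown in the 2.2.0 excerpt above. It assumes logs written with `debug pid = yes` as in the smb.conf above; the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample input: header/body line pairs copied from the two excerpts in the post.
SAMPLE_LOG = """\
[2001/04/18 14:19:28, 5, pid=29855] lib/access.c:(89)
looking for 47.142.164.249 of domain bnrrtp in netgroup IDE_CLEARCASE_HOSTS gave No
[2001/04/18 14:19:28, 5, pid=29855] lib/access.c:(89)
looking for wnc0s00u of domain bnrrtp in netgroup IDE_CLEARCASE_HOSTS gave Yes
[2001/04/18 14:19:28, 2, pid=29855] lib/access.c:(258)
Allowed connection from wnc0s00u (47.142.164.249)
[2001/04/18 14:58:15, 3, pid=9070] lib/access.c:(304)
check_access: no hostnames in host allow/deny list.
[2001/04/18 14:58:15, 5, pid=9070] lib/access.c:(89)
looking for 47.142.164.249 of domain bnrrtp in netgroup IDE_CLEARCASE_HOSTS gave No
[2001/04/18 14:58:15, 0, pid=9070] lib/access.c:(324)
Denied connection from (47.142.164.249)
"""

HEADER = re.compile(r"^\[[^\]]*pid=(\d+)\]")
LOOKUP = re.compile(r"looking for (\S+) of domain \S+ in netgroup (\S+) gave (Yes|No)")
VERDICT = re.compile(r"(Allowed|Denied) connection from")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def summarize(log_text):
    """Attach each body line to the pid of its header and record the host check."""
    conns = defaultdict(lambda: {"lookups": [], "verdict": None, "ip_only_path": False})
    pid = None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            pid = m.group(1)
            continue
        if pid is None:
            continue
        c = conns[pid]
        if "no hostnames in host allow/deny list" in line:
            c["ip_only_path"] = True          # smbd skipped the name lookup
        elif (m := LOOKUP.search(line)):      # host netgroup query: (key, netgroup, hit)
            c["lookups"].append((m.group(1), m.group(2), m.group(3) == "Yes"))
        elif (m := VERDICT.search(line)):
            c["verdict"] = m.group(1).lower()
    return dict(conns)

def suspect_denials(conns):
    """Pids denied after the host netgroup was queried by IP address only."""
    return sorted(pid for pid, c in conns.items()
                  if c["verdict"] == "denied" and c["lookups"]
                  and all(IPV4.match(key) for key, _, _ in c["lookups"]))
```

A pid returned by `suspect_denials` is a candidate for the behaviour described in the post; confirm by checking whether the client's hostname, rather than its address, is the member listed in the netgroup.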