[Samba] Re: S3 domain member shares won't authorize secondary groups, only for W98
Jérôme Fenal
jerome.fenal at logicacmg.com
Fri Dec 12 10:28:07 GMT 2003
Hi list,
Last message on the topic is long so I won't reproduce it here. You can
still read it at:
http://marc.theaimsgroup.com/?l=samba&m=107099931908523&w=2.
I have more news on this front.
I made level 10 logs from win98 with samba 3.0.1rc2 and 2.2.8a.
It seems that 2.2.8a converts the username given by win98 to lowercase,
which in turn makes Unix return all the groups of the Unix user:
[2003/12/12 10:31:35, 10] smbd/password.c:register_vuid(288)
register_vuid: (1000,513) jerome JEROME DOMAIN guest=0
[2003/12/12 10:31:35, 10] smbd/password.c:register_vuid(298)
register_vuid: allocated vuid = 100
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:push_sec_ctx(297)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/12/12 10:31:35, 3] smbd/uid.c:push_conn_ctx(286)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:set_sec_ctx(329)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:get_current_groups(172)
get_current_groups: user is in 4 groups: 513, 550, 103, 102
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:pop_sec_ctx(436)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:get_current_groups(172)
get_current_groups: user is in 4 groups: 513, 550, 103, 102
[2003/12/12 10:31:35, 10] smbd/uid.c:sid_to_gid(900)
sid_to_gid: winbind lookup for sid
S-1-5-21-1150874807-1180408084-429402335-513 failed - trying local.
[2003/12/12 10:31:35, 10] smbd/uid.c:sid_to_gid(900)
sid_to_gid: winbind lookup for sid
S-1-5-21-1150874807-1180408084-429402335-550 failed - trying local.
[2003/12/12 10:31:35, 10] smbd/uid.c:sid_to_gid(900)
sid_to_gid: winbind lookup for sid
S-1-5-21-1150874807-1180408084-429402335-1207 failed - trying local.
[2003/12/12 10:31:35, 10] smbd/uid.c:sid_to_gid(900)
sid_to_gid: winbind lookup for sid
S-1-5-21-1150874807-1180408084-429402335-1205 failed - trying local.
[2003/12/12 10:31:35, 10] smbd/uid.c:uid_to_sid(758)
uid_to_sid: local 1000 -> S-1-5-21-889427125-3291125262-439525394-3000
[2003/12/12 10:31:35, 10] smbd/uid.c:gid_to_sid(795)
gid_to_sid: local 513 -> S-1-5-21-889427125-3291125262-439525394-2027
[2003/12/12 10:31:35, 10] smbd/uid.c:gid_to_sid(795)
gid_to_sid: local 550 -> S-1-5-21-889427125-3291125262-439525394-2101
[2003/12/12 10:31:35, 10] smbd/uid.c:gid_to_sid(795)
gid_to_sid: local 103 -> S-1-5-21-889427125-3291125262-439525394-1207
[2003/12/12 10:31:35, 10] smbd/uid.c:gid_to_sid(795)
gid_to_sid: local 102 -> S-1-5-21-889427125-3291125262-439525394-1205
As you can see, all the lookups are done with a lowercase account name,
and thus find all the groups that the user belongs to.
But Samba 3 keeps the user given by win98 in all uppercase:
It starts with the use of the username level parameter:
[2003/12/12 10:17:05, 5] lib/username.c:Get_Pwnam(288)
Finding user DOMAIN\JEROME
[2003/12/12 10:17:05, 5] lib/username.c:Get_Pwnam_internals(223)
Trying _Get_Pwnam(), username as lowercase is domain\jerome
[2003/12/12 10:17:05, 5] lib/username.c:Get_Pwnam_internals(230)
Trying _Get_Pwnam(), username as given is DOMAIN\JEROME
[2003/12/12 10:17:05, 5] lib/username.c:Get_Pwnam_internals(247)
Checking combinations of 8 uppercase letters in domain\jerome
[2003/12/12 10:17:15, 5] lib/username.c:Get_Pwnam_internals(251)
Get_Pwnam_internals didn't find user [DOMAIN\JEROME]!
[2003/12/12 10:17:15, 5] lib/username.c:Get_Pwnam(288)
Finding user JEROME
[2003/12/12 10:17:15, 5] lib/username.c:Get_Pwnam_internals(223)
Trying _Get_Pwnam(), username as lowercase is jerome
[2003/12/12 10:17:15, 5] lib/username.c:Get_Pwnam_internals(251)
Get_Pwnam_internals did find user [JEROME]!
[2003/12/12 10:17:15, 10] passdb/pdb_get_set.c:pdb_set_username(593)
pdb_set_username: setting username jerome, was
So one may think that username 'jerome' (all lowercase) is used.
Then comes the group membership determination:
[2003/12/12 10:17:15, 10] lib/system_smbd.c:sys_getgrouplist(113)
sys_getgrouplist: user [JEROME]
[2003/12/12 10:17:15, 10] lib/system_smbd.c:sys_getgrouplist(122)
sys_getgrouplist(): disabled winbindd for group lookup [user == JEROME]
[2003/12/12 10:17:15, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/12/12 10:17:15, 3] smbd/uid.c:push_conn_ctx(287)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/12/12 10:17:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_nt_user_token(486)
NT user token: (NULL)
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2003/12/12 10:17:15, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 1000
Primary group is 513 and contains 2 supplementary groups
Group[ 0]: 513
Group[ 1]: 513
As /usr/xpg4/bin/id says, JEROME is only a member of its primary group
(see previous posting).
Something funnier (but normal, as the SIDs come from the SMB wire and the
Unix groups come from local PAM): Samba gets the secondary group SIDs, but
not the Unix ones.
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_nt_user_token(491)
NT user token of user S-1-5-21-1150874807-1180408084-429402335-3000
contains 8 SIDs
SID[ 0]: S-1-5-21-1150874807-1180408084-429402335-3000
SID[ 1]: S-1-5-21-1150874807-1180408084-429402335-513
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-5-21-1150874807-1180408084-429402335-550
SID[ 6]: S-1-5-21-1150874807-1180408084-429402335-1207
SID[ 7]: S-1-5-21-1150874807-1180408084-429402335-1205
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 1000
Primary group is 513 and contains 2 supplementary groups
Group[ 0]: 513
Group[ 1]: 513
So, when the Windows 98 client tries to mount the share authorized to
the rid=1207 (gid=103) group, it ends with the refusal:
[2003/12/12 10:17:15, 10] lib/username.c:user_in_list(521)
user_in_list: checking user JEROME in list
[2003/12/12 10:17:15, 10] lib/username.c:user_in_list(525)
user_in_list: checking user |JEROME| against |+dsvi|
[2003/12/12 10:17:15, 2] smbd/service.c:make_connection_snum(391)
user 'JEROME' (from session setup) not permitted to access this share
(dsvi)
One thing I have not tried is to use winbind (with an LDAP idmap
reference). I think it would work, but it would be a little overkill as
I already have the LDAP Posix accounts distributed to my Solaris domain
member.
So, can anybody tell me if this behaviour change was intentional,
or if:
- it is a bug in the PAM libraries (both in Solaris and in PADL used by
Linux), which should be returning group membership regardless of the
username case?
- it is a bug in my LDAP directory implementation, e.g. I should add both
lowercase *and* uppercase usernames to the memberUid attributes of my groups?
- it is a bug in Samba 2.2.8a, which should behave as Samba 3 does?
- it is a bug in Samba 3.0.x, which finds a username in lowercase
(thanks to username level=8) but does not use it in the call to
sys_getgrouplist?
I'd appreciate an answer, even if it is « keep Samba 2.2.8a while you're
ripping off your win98 clients », but that one is an easy one ;-)
Best regards,
Jérôme
--
Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre
Groupe Expert & Managed Services - LogicaCMG France
http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>
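As an added illustration (not part of the message above, and not Samba code), here is a small Python simulation of the two lookup behaviours the logs show: an account search that ignores case, as `username level` does, followed by a group lookup that either compares memberUid strictly (what a case-sensitive NSS/LDAP backend does when handed JEROME) or resolves with the uid the account entry actually holds (the effect of the 2.2.8a lowercasing). The LDIF data, the function names and the `key` parameter are this example's own constructions.

```python
# Constructed sample directory (not the poster's data): one posixAccount and
# two posixGroups; group 550 carries a mixed-case memberUid on purpose.
SAMPLE_LDIF = """\
dn: uid=jerome,ou=People,dc=example,dc=com
uid: jerome
uidNumber: 1000
gidNumber: 513

dn: cn=dsvi,ou=Group,dc=example,dc=com
cn: dsvi
gidNumber: 103
memberUid: jerome

dn: cn=staff,ou=Group,dc=example,dc=com
cn: staff
gidNumber: 550
memberUid: JEROME
"""

def parse_ldif(text):
    # Minimal LDIF reader: one dict per entry, attribute -> list of values.
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def find_user(entries, name):
    # Case-insensitive account search, like Get_Pwnam under 'username level'.
    return next((e for e in entries if "uid" in e
                 and e["uid"][0].lower() == name.lower()), None)

def group_list(entries, name, key=str):
    # Primary gid, then every group with a memberUid equal to key(name).
    # key=str is the strict compare a case-sensitive backend makes (the
    # Samba 3 log above); key=str.lower folds the case instead.
    user = find_user(entries, name)
    if user is None:
        return []
    gids = [int(user["gidNumber"][0])]
    for e in entries:
        if key(name) in {key(m) for m in e.get("memberUid", [])}:
            gids.append(int(e["gidNumber"][0]))
    return gids

def groups_by_stored_uid(entries, name):
    # Resolve with the uid the account entry holds, as the 2.2.8a log did.
    user = find_user(entries, name)
    return group_list(entries, user["uid"][0]) if user else []
```

Running `group_list(entries, "JEROME")` only picks up the group whose memberUid happens to be spelled in uppercase, whereas `groups_by_stored_uid(entries, "JEROME")` returns the memberships the directory really holds; checking a directory for memberUid values that differ only in case from the stored uid is the quick consistency check this suggests.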