[Samba] Serious bug in Samba 3.0.2pre1 !!!

Alex de Vaal A.Vaal at nh-hotels.com
Mon Jan 19 15:16:32 GMT 2004


Summary of the bug in Samba 3.0.2pre1:
It seems that an ADS group is not valid or detected anymore for access to a
Samba share, in case only an ADS group is used as a valid user on a Samba
share, because Kerberos is reporting: Username (null) is invalid on this
system.
Besides that, with Samba 3.0.0-2 connecting to a share (service) is logged as
REALM\username (NH-TEST.NL\fo6), but with Samba 3.0.2pre1 connecting to a
share (service) is logged with only the username (fo6).
Downgrading to Samba 3.0.0-2 solves this problem!
 
Below are the steps to reproduce the bug:
 
 
Windows 2003 native mode
Realm: NH-TEST.NL
 
Red Hat Linux release 9 (Shrike)
Kernel 2.4.20-8 on an i686 
 
Linux (server) newly installed on clean system.
 
Directly after Linux installation:
 
rpmbuild --rebuild krb5-1.3.1-7.src.rpm
Installed the resulting Kerberos packages. (rpm -Uhv --force --nodeps krb5*)
 
rpmbuild --rebuild samba-3.0.1-2.src.rpm
Installed the resulting Samba package
 
Samba configured for the use of winbind.
 
Joined NH-TEST.NL realm.
wbinfo -u, wbinfo -g, getent passwd, getent group, wbinfo -I ip_address and
wbinfo -N netbios_name are working.
 
Samba share "grp" 
# Group Directory
[grp]
   writeable = yes
   inherit permissions = yes
   path = /data/grp
   comment = Group Directory
   valid users = @NH-TEST.NL\FO_GRP
   browsable = yes
 
getent group
FO_GRP:x:10014:fo7,fo6
 
chown root:FO_GRP /data/grp/fog
[root@linuxalex data]# ls -l grp
drwxrws---    5 root     FO_GRP       4096 Jan 16 17:34 fog
 
Output log.smbd
[2004/01/15 11:58:27, 0] smbd/server.c:main(747)
  smbd version 3.0.1 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2003
 
On a Win2k workstation logged in on the domain as user fo6, accessing the
"grp" share results in 10.15.69.101.log:
[2004/01/15 12:06:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
 
Left the NH-TEST.NL realm
 
rpmbuild --rebuild samba-3.0.2pre1-1.src.rpm
rpmbuild --rebuild samba-3.0.0-2.src.rpm
 
Installed the resulting Samba package: samba-3.0.2pre1-1.i386.rpm
 
Joined NH-TEST.NL realm.
wbinfo -u, wbinfo -g, getent passwd, getent group, wbinfo -I ip_address and
wbinfo -N netbios_name are working.
 
Output log.smbd
[2004/01/16 14:50:24, 0] smbd/server.c:main(747)
  smbd version 3.0.2pre1 started.
 
On a Win2k workstation logged in on the domain as user fo6, accessing the
"grp" share results in 10.15.69.101.log:
[2004/01/16 15:02:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username (null) is invalid on this system
 
And NO access to the "grp" share!!!
 
Changed on the "grp" share in smb.conf
valid users = fo6
(user fo6 is only available as ADS user and not as local Linux user!)
 
On a Win2k workstation logged in on the domain as user fo6, accessing the
"grp" share results in 10.15.69.101.log:
[2004/01/16 15:13:15, 1] smbd/service.c:make_connection_snum(705)
  10.15.69.101 (10.15.69.101) connect to service public initially as
user fo6 (uid=10004, gid=10000) (pid 1161)
 
(getent group: Domain Users:x:10000:)
(getent passwd: fo6:x:10004:10000:fo6:/data/hom/fo6:/bin/bash)
 
and access to the "grp" share!!! However no access to the "fog"
directory!!!
 
[root@linuxalex data]# ls -l grp
drwxrws---    5 root     FO_GRP       4096 Jan 16 17:34 fog
 
chown fo6:FO_GRP /data/grp/fog
[root@linuxalex data]# ls -l grp
drwxrws---    5 fo6     FO_GRP       4096 Jan 16 17:34 fog
 
Now access to the "fog" directory!
 
Left the NH-TEST.NL realm
 
Installed the Samba package: samba-3.0.0-2.i386.rpm
 
Joined NH-TEST.NL realm.
wbinfo -u, wbinfo -g, getent passwd, getent group, wbinfo -I ip_address and
wbinfo -N netbios_name are working.
 
Output log.smbd
[2004/01/16 16:08:49, 0] smbd/server.c:main(747)
  smbd version 3.0.0 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2003
 
Changed on the "grp" share in smb.conf
valid users = @NH-TEST.NL\FO_GRP
 
chown root:FO_GRP /data/grp/fog
[root@linuxalex data]# ls -l grp
drwxrws---    5 root     FO_GRP       4096 Jan 16 17:34 fog
 
On a Win2k workstation logged in on the domain as user fo6, accessing the
"grp" share results in 10.15.69.101.log:
[2004/01/16 16:11:22, 1] smbd/service.c:make_connection_snum(698)
  10.15.69.101 (10.15.69.101) connect to service grp initially as user
NH-TEST.NL\fo6 (uid=10004, gid=10000) (pid 1102)
 
Now I can access the "grp" share as user fo6 and I can access the "fog"
directory, and this is possible when user fo6 is given access to the "grp"
share only through membership of the ADS group FO_GRP!

 
smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash) 
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors. 
#
#======================= Global Settings =====================================
[global]
   log file = /var/log/samba/%m.log
   smb passwd file = /etc/samba/smbpasswd
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#"domain master = yes" can't be set in ADS
   domain master = no
   encrypt passwords = yes
   passwd program = /usr/bin/passwd %u
   dns proxy = no 
#netbios name changed for Samba in ADS
   netbios name = LINUX
   level2 oplocks = no
   oplocks = no
   server string = %h server (Samba %v)
   unix password sync = yes
#Workgroup changed for Samba in ADS
   workgroup = NH-TEST
   add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
#Security changed to "ADS" for Samba in ADS
   security = ADS
   max log size = 0
#domain logons set to "No" for ADS domain membership
   domain logons = no
 
#Below added for Samba in ADS
   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/bash
   template homedir = /data/hom/%U
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind use default domain = yes
#"realm =" added for Samba in ADS
   realm = NH-TEST.NL
#"password server =" added for Samba in ADS
   password server = tstsrvr01.nh-test.nl
#"client use spnego = yes" set for Windows 2003. Wk3 requires SMB signing.
   client use spnego = yes
   add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
 
 
# default home share settings
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
##   valid users = %S
   create mode = 0660
   directory mode = 0770
 
# Group Directory
[grp]
   writeable = yes
   inherit permissions = yes
   path = /data/grp
   comment = Group Directory
   valid users = @NH-TEST.NL\FO_GRP, @NH-TEST.NL\SALES_GRP
   browsable = yes
 
# Public Files
[pub]
   path = /data/public
   comment = Public files
   guest ok = yes
   writable = no
   browsable = yes
   write list = @NH-TEST.NL\SALES_GRP
 
# Root data Directory
[root]
   writeable = yes
   inherit permissions = yes
   path = /data
   comment = Root data Directory
   valid users = @NH-TEST.NL\"Domain Admins"
   browsable = yes
 
 
 
krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 ticket_lifetime = 24000
 default_realm = NH-TEST.NL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 forwardable = true
 proxiable = true
 
[realms]
 NH-TEST.NL = {
  kdc = tstsrvr01.nh-test.nl:88
  admin_server = tstsrvr01.nh-test.nl:749
  default_domain = nh-test.nl
 }
 
[domain_realm]
 .nh-test.nl = NH-TEST.NL
 nh-test.nl = NH-TEST.NL
 
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
 
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
 
pam.d/login
#%PAM-1.0
auth       required           pam_securetty.so
auth       sufficient          pam_winbind.so
auth       sufficient          pam_unix.so nodelay use_first_pass
auth       required           pam_stack.so service=system-auth
auth       required           pam_nologin.so
account    sufficient        pam_winbind.so
account    required         pam_stack.so service=system-auth
password   required        pam_stack.so service=system-auth
session    required         pam_stack.so service=system-auth
session    optional          pam_console.so
 
 
nsswitch.conf
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files winbind dns
 

-- 
Regards, 
Alex de Vaal. 
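The post above hinges on two things that are easy to check before blaming a Samba release: whether every entry in a share's `valid users` list actually resolves through the NSS view winbind provides, and whether the Unix token the connection ends up with (uid, primary gid, supplementary gids) is admitted by the mode bits on the directory below the share. The script below is an added example written for this page; it is not code from the post or from Samba. It works offline on constructed inputs taken from the post: the `[grp]`/`[root]` `valid users` lines, the `getent passwd`/`getent group` lines shown, and the two `ls -l` lines for `fog`. Because the snapshot contains only the groups the post shows, `SALES_GRP` and `Domain Admins` come back as unresolved, which is exactly the warning a pre-flight check should give. Two things are assumptions, marked in the code: that with `winbind use default domain = yes` a `REALM\` or `WORKGROUP\` prefix is simply dropped before the bare name is looked up, and that the `valid users = fo6` run in the post (share granted, `FO_GRP`-owned directory denied until `chown fo6`) is explained by a token without supplementary groups, which is modelled as `with_supplementary=False`.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed inputs, reduced to the values shown in the post above.
GLOBAL = {"workgroup": "NH-TEST", "realm": "NH-TEST.NL", "winbind use default domain": "yes"}
SHARES = {"grp": r'@NH-TEST.NL\FO_GRP, @NH-TEST.NL\SALES_GRP',   # 'valid users' per share
          "root": r'@NH-TEST.NL\"Domain Admins"'}
GETENT_PASSWD = "fo6:x:10004:10000:fo6:/data/hom/fo6:/bin/bash\n"
GETENT_GROUP = "Domain Users:x:10000:\nFO_GRP:x:10014:fo7,fo6\n"
FOG_LS = "drwxrws---    5 root     FO_GRP       4096 Jan 16 17:34 fog"
FOG_LS_CHOWNED = "drwxrws---    5 fo6      FO_GRP       4096 Jan 16 17:34 fog"


@dataclass
class Nss:
    users: Dict[str, Tuple[int, int]]         # name -> (uid, primary gid)
    groups: Dict[str, Tuple[int, List[str]]]  # name -> (gid, member names)


@dataclass
class Token:
    uid: int
    gid: int
    groups: Set[int]                          # supplementary gids


def parse_nss(passwd_text: str, group_text: str) -> Nss:
    """Read 'getent passwd' / 'getent group' output into lookup tables."""
    users, groups = {}, {}
    for f in (l.split(":") for l in passwd_text.splitlines() if l.strip()):
        users[f[0]] = (int(f[2]), int(f[3]))
    for f in (l.split(":") for l in group_text.splitlines() if l.strip()):
        groups[f[0]] = (int(f[2]), [m for m in f[3].split(",") if m])
    return Nss(users, groups)


def split_list(value: str) -> List[str]:
    """Split a Samba list on commas/whitespace; double quotes keep "Domain Admins" whole."""
    entries, cur, quoted = [], [], False
    for ch in value + ",":
        if ch == '"':
            quoted = not quoted
        elif ch in ", \t" and not quoted:
            if cur:
                entries.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    return entries


def strip_domain(name: str, g: Dict[str, str] = GLOBAL) -> str:
    """ASSUMPTION: with 'winbind use default domain = yes' a REALM\\ or WORKGROUP\\
    prefix is dropped before the bare name is looked up in NSS."""
    dom, sep, bare = name.partition("\\")
    known = (g["realm"].upper(), g["workgroup"].upper())
    return bare if sep and g["winbind use default domain"] == "yes" and dom.upper() in known else name


def unix_token(nss: Nss, user: str, with_supplementary: bool = True) -> Token:
    """Token the connection runs under. with_supplementary=False is the ASSUMED model
    of the post's 'valid users = fo6' run (share granted, FO_GRP directory denied)."""
    uid, gid = nss.users[user]
    supp = {g for g, members in nss.groups.values() if user in members}
    return Token(uid, gid, supp if with_supplementary else set())


def share_allows(nss: Nss, share: str, user: Optional[str]) -> Tuple[bool, List[str]]:
    """Evaluate 'valid users' as smb.conf(5) describes the forms: '@name' netgroup then
    Unix group, '+name' Unix group, '&name' netgroup only, otherwise a user name.
    Netgroups are not modelled. Returns (allowed, entries that did not resolve)."""
    entries = split_list(SHARES.get(share, ""))
    if user is None or user not in nss.users:      # a (null) user matches nothing
        return False, []
    token = unix_token(nss, user)
    allowed, unresolved = not entries, []          # empty list = any authenticated user
    for entry in entries:
        kind, name = (entry[0], entry[1:]) if entry[0] in "@+&" else ("", entry)
        name = strip_domain(name)
        if kind == "&" or (kind and name not in nss.groups):
            unresolved.append(entry)
        elif kind:
            allowed |= nss.groups[name][0] in token.groups | {token.gid}
        elif name == user:
            allowed = True
    return allowed, unresolved


def dir_access(ls_line: str, token: Token, nss: Nss, want: str = "rx") -> bool:
    """POSIX class selection on an 'ls -l' line: owner if the uid matches, else group
    if the directory gid is the primary or a supplementary gid, else other.
    'rx' is what entering and listing a directory needs."""
    mode, _, owner, group = ls_line.split()[:4]
    if token.uid == 0:
        return True
    owner_uid = 0 if owner == "root" else nss.users[owner][0]
    perms = mode[1:10]
    if token.uid == owner_uid:
        cls = perms[0:3]
    elif nss.groups[group][0] in token.groups | {token.gid}:
        cls = perms[3:6]
    else:
        cls = perms[6:9]
    need = {"r": "r", "w": "w", "x": "xs"}          # set-gid 's' implies execute
    return all(cls["rwx".index(p)] in need[p] for p in want)


NSS = parse_nss(GETENT_PASSWD, GETENT_GROUP)
```

On a real member server the same functions would be fed `getent passwd`, `getent group` and the `valid users` values from `testparm -s` instead of the inline constants. `share_allows(NSS, "grp", None)` is the (null)-username case from the log: a group-only ACL can never match, so the share is denied; `share_allows(NSS, "grp", "fo6")` is granted via `FO_GRP` while reporting `SALES_GRP` as unresolved; and `dir_access` reproduces the post's sequence on `fog`: allowed with the supplementary gid 10014, denied without it, allowed again once the directory is `chown fo6`.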

