[Samba] Serious bug in Samba 3.0.2pre1 !!!

Alex de Vaal A.Vaal at nh-hotels.com
Fri Jan 23 16:26:16 GMT 2004


Hi Jerry,

I actually read the WHATSNEW of 3.0.2pre1, but it wasn't that obvious
to me that I had to disable "winbind use default domain = yes" in my
configuration.
My samba setup was working with 3.0.0-2 and the only thing I did was
upgrade to 3.0.2pre1 without changing my smb.conf file.

After the upgrade to 3.0.2pre1 my samba setup wasn't working anymore. Of
course I tested a few things, but everything failed. Downgrading to
3.0.0-2 solved "the problem" again, so I thought I had a bug on my
hands.

After your e-mail I changed "winbind use default domain = yes" to
"winbind use default domain = no" and I upgraded my machine again to
3.0.2pre1 and now it is working.

However, I still see "Username (null) is invalid on this system" appear
in /var/log/samba/<ip-address-W2k-ws>.log when I "net use" two
mappings to my samba machine (one to the "grp" and one to the "pub"
share) via the Wk3 login script.
Subjoined is the output of the log file when this workstation gets the 2
mappings to my samba shares:

[2004/01/23 15:34:26, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username (null) is invalid on this system
[2004/01/23 15:34:28, 1] smbd/service.c:make_connection_snum(705)
  10.15.69.101 (10.15.69.101) connect to service grp initially as user
NH-TEST\fo6 (uid=10004, gid=10000) (pid 1831)
[2004/01/23 15:34:28, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username (null) is invalid on this system
[2004/01/23 15:34:28, 1] smbd/service.c:make_connection_snum(705)
  10.15.69.101 (10.15.69.101) connect to service pub initially as user
NH-TEST\fo6 (uid=10004, gid=10000) (pid 1831)
[2004/01/23 15:34:29, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username (null) is invalid on this system
[2004/01/23 15:34:29, 1] smbd/service.c:make_connection_snum(705)
  10.15.69.101 (10.15.69.101) connect to service grp initially as user
NH-TEST\fo6 (uid=10004, gid=10000) (pid 1831)
[2004/01/23 15:34:29, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username (null) is invalid on this system
[2004/01/23 15:34:29, 1] smbd/service.c:make_connection_snum(705)
  10.15.69.101 (10.15.69.101) connect to service pub initially as user
NH-TEST\fo6 (uid=10004, gid=10000) (pid 1831)
[2004/01/23 15:35:31, 1] smbd/service.c:close_cnum(887)
  10.15.69.101 (10.15.69.101) closed connection to service grp
[2004/01/23 15:35:31, 1] smbd/service.c:close_cnum(887)
  10.15.69.101 (10.15.69.101) closed connection to service pub 

Both the "grp" and the "pub" share have the following configuration:
valid users = @NH-TEST.NL\FO_GRP
getent group: 
NH-TEST\FO_GRP:x:10014:NH-TEST\fo6
getent passwd:
NH-TEST\fo6:x:10004:10000:fo6:/data/hom/fo6:/bin/bash
"ls -l" of the "grp" share:
drwxrws---    6 root     NH-TEST\FO_GRP     4096 Jan 21 17:34 fog

The "fo6" ADS user can now access the "fog" directory! But where does
the "Username (null) is invalid on this system" still come from?


When I set "winbind use default domain" to "yes" and set the following
configuration to my "grp" share:
valid users = @FO_GRP
getent group: 
FO_GRP:x:10014:fo6
fo6:x:10004:10000:fo6:/data/hom/fo6:/bin/bash
"ls -l" of the "grp" share:
drwxrws---    6 root     FO_GRP     4096 Jan 21 17:34 fog

then I only see "Username (null) is invalid on this system" and the W2k
ws has NO access to the "grp" share.

What has changed in 3.0.2pre1 compared to 3.0.0-2 that "winbind use
default domain" has to be set to "no" in my original samba setup?
There is no real need for me to see and use the domain component and
that's why I've set "winbind use default domain" to "yes" in my original
samba setup.
But if I want to work only with ADS groups as valid users on a samba
share, I have to set "winbind use default domain" to "yes" to make it
work, right?

Last question; around which week is the final 3.0.2 release expected?
(Just curious, no other strings attached. ;) 

Best regards,
Alex.

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry at samba.org] 
Sent: Wednesday 21 January 2004 5:07
To: Alex de Vaal

Alex de Vaal wrote:

> Summarization of the bug in Samba 3.0.2pre1:
> It seems that an ADS group is not valid or detected anymore to access 
> a samba share, in case only an ADS group is used as a valid user on a 
> Samba share, because Kerberos is reporting: Username (null) is invalid
> on this system. Besides that, connecting to a share (service) reports 
> with Samba 3.0.0-2 REALM\username (NH-TEST.NL\fo6), but with Samba 
> 3.0.2pre1 connecting to a share (service) reports only username (fo6)
> Downgrading to Samba 3.0.0-2 solves this problem!

Please read the release notes (WHATSNEW).

>    winbind use default domain = yes

Disable this parameter and you will get your desired behavior.
-- 
cheers, jerry
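
An added example, not part of the original message or of Samba: a small triage script for the per-client smbd log layout quoted above, which counts the "Username (null)" session-setup messages and reports how many were never followed by a successful share connect. The sample log is constructed from that layout, the names `parse_records` and `triage` are hypothetical, and treating a later `make_connection_snum` entry as resolving the earlier message is a heuristic assumed here.

```python
import re

# Constructed sample in the smbd log layout quoted above: a header line, then
# message text that may wrap onto further lines. The final session setup has
# no following connect, to exercise the "no access" case.
SAMPLE_LOG = r"""[2004/01/23 15:34:26, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username (null) is invalid on this system
[2004/01/23 15:34:28, 1] smbd/service.c:make_connection_snum(705)
  10.15.69.101 (10.15.69.101) connect to service grp initially as user
NH-TEST\fo6 (uid=10004, gid=10000) (pid 1831)
[2004/01/23 15:35:31, 1] smbd/service.c:close_cnum(887)
  10.15.69.101 (10.15.69.101) closed connection to service grp
[2004/01/23 15:36:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username (null) is invalid on this system
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+\S+:(?P<func>\w+)\(\d+\)\s*$")
CONNECT = re.compile(r"connect to service (\S+) initially as user (\S+) \(uid=(\d+), gid=(\d+)\)")

def parse_records(text):
    """Group each header line with its (possibly wrapped) message text."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m["ts"], "func": m["func"], "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def triage(text):
    """Count null-username session setups and those never followed by a connect."""
    result = {"null_setups": 0, "unresolved": 0, "connects": []}
    pending = False  # a null-username message is waiting for a successful connect
    for rec in parse_records(text):
        if rec["func"] == "reply_spnego_kerberos" and "Username (null)" in rec["msg"]:
            result["null_setups"] += 1
            result["unresolved"] += pending  # previous one was never resolved
            pending = True
        elif rec["func"] == "make_connection_snum":
            m = CONNECT.search(rec["msg"])
            if m:
                result["connects"].append((m[1], m[2], int(m[3])))
                pending = False
    result["unresolved"] += pending
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
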

