[Samba] 3.0.23 and group behavior
Stewart, Eric
eric at lib.usf.edu
Mon Jul 17 13:04:55 GMT 2006
Okay, first the admisssions:
I'll admit that I haven't been following the development as
closely as I probably should have. And I'll admit in this case I might
not be using Samba in the most efficient way possible. Also, I'm not
100% sure if I'm encountering a bug or just a seriously stupid
misconfiguration issue. And I'm still collecting data on exactly what
happened. Finally, I've read the release notes but I'm wondering if I'm
"just not getting it".
The whys and hows, and setups:
Currently using samba on a file server to server home and shared
directories.
Domain is W2K3 AD.
Server is RHEL4, and Samba was upgraded from 3.0.22 (works) to
3.0.23 (had an issue).
Winbind is not used, mainly because I'm not comfortable with the
mapping situation of Windows to Unix and how the Ids can change. So,
every valid user has both an AD account and a Unix account.
Group access to multiuser shares is controlled using Unix
groups.
Pertinent config info:
[global]
guest account = nobody
hosts allow = <the ranges we want>
workgroup = <my short domain>
realm = <my realm, basically long domain>
use kerberos keytab = true
client use spnego = yes
security = ADS
encrypt passwords = yes
password server = *
browseable = no
local master = no
os level = 1
wins server = <wins server>
preserve case = yes
log level = 3 ; <we have some stuff to track who deletes what>
invalid users = root mail daemon
; This next option sets a separate log file for each client. Remove
; it if you want a combined log file.
log file = /usr/local/samba/var/log.%m
lock directory = /usr/local/samba/var/locks
share modes = yes
allow trusted domains = no
max log size = 0
[cats]
comment = Share directory for cats (T:\)
browseable = yes
path = /home/dudley/cats/CATS
read only = no
valid users = +cats, @ldc, @staff
force group = cats
force create mode = 0660
create mask = 0660
directory mask = 0770
force directory mode = 0770
veto oplock files = /*.mdb/*.MDB/*.xls/*.XLS/
Okay, that should all be fairly straight forward, yes? But with
3.0.23, folks in the cats unix group (which prior to troubleshooting the
problem, was specified as @cats, but both @cats and +cats had problems)
were not allowed access to or even able to map the share.
Finally, here's a bit of debugging info from a log file; I'm
sure you probably want more than this but I don't want to spam the list
too hard, so if you want a more full log sent here or to another
address, let me know:
[2006/07/17 08:16:30, 3] smbd/process.c:process_smb(1110)
Transaction 34 of length 80
[2006/07/17 08:16:30, 3] smbd/process.c:switch_message(914)
switch message SMBtrans2 (pid 8392) conn 0x8979958
[2006/07/17 08:16:30, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (10119, 1010) - sec_ctx_stack_ndx = 0
[2006/07/17 08:16:30, 3] smbd/trans2.c:call_trans2qfilepathinfo(2908)
call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2006/07/17 08:16:30, 3] smbd/trans2.c:call_trans2qfilepathinfo(2959)
call_trans2qfilepathinfo . (fnum = -1) level=1004 call=5 total_data=0
[2006/07/17 08:16:30, 3] smbd/process.c:process_smb(1110)
Transaction 35 of length 74
[2006/07/17 08:16:30, 3] smbd/process.c:switch_message(914)
switch message SMBtrans2 (pid 8392) conn 0x8979958
[2006/07/17 08:16:30, 3] smbd/trans2.c:call_trans2qfsinfo(2167)
call_trans2qfsinfo: level = 258
[2006/07/17 08:16:30, 3] smbd/process.c:process_smb(1110)
Transaction 36 of length 74
[2006/07/17 08:16:30, 3] smbd/process.c:switch_message(914)
switch message SMBtrans2 (pid 8392) conn 0x8979958
[2006/07/17 08:16:30, 3] smbd/trans2.c:call_trans2qfsinfo(2167)
call_trans2qfsinfo: level = 261
[2006/07/17 08:16:30, 3] smbd/process.c:process_smb(1110)
Transaction 37 of length 74
[2006/07/17 08:16:30, 3] smbd/process.c:switch_message(914)
switch message SMBtrans2 (pid 8392) conn 0x8979958
[2006/07/17 08:16:30, 3] smbd/trans2.c:call_trans2qfsinfo(2167)
call_trans2qfsinfo: level = 261
[2006/07/17 08:16:31, 3] smbd/process.c:process_smb(1110)
Transaction 38 of length 82
[2006/07/17 08:16:31, 3] smbd/process.c:switch_message(914)
switch message SMBtconX (pid 8392) conn 0x0
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] lib/access.c:check_access(313)
check_access: no hostnames in host allow/deny list.
[2006/07/17 08:16:31, 2] lib/access.c:check_access(324)
Allowed connection from (131.247.112.9)
[2006/07/17 08:16:31, 3] lib/util_sid.c:string_to_sid(223)
string_to_sid: Sid root does not start with 'S-'.
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/uid.c:push_conn_ctx(345)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/uid.c:push_conn_ctx(345)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] lib/util_sid.c:string_to_sid(223)
string_to_sid: Sid mail does not start with 'S-'.
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/uid.c:push_conn_ctx(345)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/uid.c:push_conn_ctx(345)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] lib/util_sid.c:string_to_sid(223)
string_to_sid: Sid daemon does not start with 'S-'.
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/uid.c:push_conn_ctx(345)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/uid.c:push_conn_ctx(345)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] lib/util_sid.c:string_to_sid(223)
string_to_sid: Sid @cats does not start with 'S-'.
[2006/07/17 08:16:31, 3] lib/util_sid.c:string_to_sid(223)
string_to_sid: Sid @ldc does not start with 'S-'.
[2006/07/17 08:16:31, 3] lib/util_sid.c:string_to_sid(223)
string_to_sid: Sid @staff does not start with 'S-'.
[2006/07/17 08:16:31, 3] lib/util_sid.c:string_to_sid(223)
string_to_sid: Sid pcamp does not start with 'S-'.
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/uid.c:push_conn_ctx(345)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/uid.c:push_conn_ctx(345)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 2] smbd/service.c:make_connection_snum(571)
user 'eric' (from session setup) not permitted to access this share
(cats)
[2006/07/17 08:16:31, 3] smbd/error.c:error_packet(146)
error packet at smbd/reply.c(676) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED
[2006/07/17 08:16:31, 3] smbd/process.c:process_smb(1110)
Transaction 39 of length 1426
[2006/07/17 08:16:31, 3] smbd/process.c:switch_message(914)
switch message SMBsesssetupX (pid 8392) conn 0x0
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] smbd/sesssetup.c:reply_sesssetup_and_X(845)
wct=12 flg2=0xc807
[2006/07/17 08:16:31, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(656)
Doing spnego session setup
[2006/07/17 08:16:31, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(687)
NativeOS=[Windows Server 2003 3790 Service Pack 1] NativeLanMan=[]
PrimaryDomain=[Windows Server 2003 5.2]
[2006/07/17 08:16:31, 3] smbd/sesssetup.c:reply_spnego_negotiate(547)
Got OID 1 2 840 48018 1 2 2
[2006/07/17 08:16:31, 3] smbd/sesssetup.c:reply_spnego_negotiate(547)
Got OID 1 2 840 113554 1 2 2
[2006/07/17 08:16:31, 3] smbd/sesssetup.c:reply_spnego_negotiate(547)
Got OID 1 3 6 1 4 1 311 2 2 10
[2006/07/17 08:16:31, 3] smbd/sesssetup.c:reply_spnego_negotiate(550)
Got secblob of size 1164
[2006/07/17 08:16:31, 3]
libads/kerberos_verify.c:ads_keytab_verify_ticket(134)
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab
succeeded for principal cifs/dudley.lib.usf.edu at LIB.USF.EDU
[2006/07/17 08:16:31, 3] smbd/sesssetup.c:reply_spnego_kerberos(207)
Ticket name is [MARGE$@LIB.USF.EDU]
[2006/07/17 08:16:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(310)
Username LIB\MARGE$ is invalid on this system
[2006/07/17 08:16:31, 3] smbd/error.c:error_packet(146)
error packet at smbd/sesssetup.c(315) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2006/07/17 08:17:25, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/17 08:17:25, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/17 08:17:25, 1] smbd/service.c:close_cnum(1141)
131.247.112.9 (131.247.112.9) closed connection to service eric
[2006/07/17 08:17:25, 3] smbd/connection.c:yield_connection(69)
Yielding connection to eric
[2006/07/17 08:17:25, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/17 08:17:25, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2006/07/17 08:17:25, 3] smbd/server.c:exit_server_common(675)
Server exit (termination signal)
Eric Stewart - Network Admin, USF Tampa Library - eric at lib.usf.edu
Given a problem to solve or an intriguing thread to follow from moment
to moment, that sort of geek will focus so sharply that they
forget to eat when hungry. - Feen, Benjy: Origins of Sysadmins
http://www.monkeybagel.com/sysadmin.html
More information about the samba
mailing list