[Samba] domain/unix groups and valid users parameter

Ralf Gross Ralf-Lists at ralfgross.de
Fri Jan 26 09:22:53 GMT 2007


Ralf Gross schrieb:
> I want to switch from 'security = server' to 'security = ADS'.
> Kerberos is working and I can login to the server.
> 
> With Samba 3.0.22 I was able to restrict access to shares with the
> 'valid users' directive. ve is local unix group.
> 
> [foo]
>         comment = foo
>         writable = yes
>         force create mode = 0660
>         create mask = 0660
>         force directory mode = 2770
>         directory security mask = 2770
>         force directory security mode = 0000
>         directory mask = 2770
>         force security mode = 0000
>         force group = +ve
>         security mask = 0770
>         path = /projekte/foo
>         valid users = +ve
>         vfs objects = extd_audit
> 
> 
> If I now try to connect to share foo, I get
> 
> Domain=[EMEA] OS=[Unix] Server=[Samba 3.0.23d]
> tree connect failed: NT_STATUS_ACCESS_DENIED
> 
> And in the samba log:
> 
> [2007/01/25 13:14:49, 3] lib/util_sid.c:string_to_sid(223)
>   string_to_sid: Sid +ve does not start with 'S-'.
> [...]
> [2007/01/25 13:14:49, 2] smbd/service.c:make_connection_snum(580)
>   user 'EMEA\ralfgro' (from session setup) not permitted to access this share (foo)
> 
> 
> I tried differnt settings for 'valid users' that I found in the list archives.
> No change.

I did some more testing. For local unix users everything is working as expected.

local unix user rg, added with 'smbpasswd -a rg'. Member of unix group ve.

[2007/01/26 08:27:02, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +ve does not start with 'S-'.
[2007/01/26 08:27:02, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: VU0EM003\ve => VU0EM003 (domain), ve (name)
[2007/01/26 08:27:02, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/01/26 08:27:02, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/01/26 08:27:02, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/01/26 08:27:02, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2007/01/26 08:27:02, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2007/01/26 08:27:02, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/01/26 08:27:02, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: Unix Group\ve => Unix Group (domain), ve (name)
[2007/01/26 08:27:02, 10] smbd/share_access.c:user_ok_token(229)
  user_ok_token: share foo is ok for unix user rg
[2007/01/26 08:27:02, 10] smbd/share_access.c:is_share_read_only_for_token(271)
  is_share_read_only_for_user: share foo is read-write for unix user rg
[2007/01/26 08:27:02, 4] lib/sharesec.c:get_share_security(130)
  get_share_security: using default secdesc for foo
[2007/01/26 08:27:02, 10] lib/util_seaccess.c:se_map_generic(176)
  se_map_generic(): mapped mask 0x10000000 to 0x001f01ff
[2007/01/26 08:27:02, 10] lib/util_seaccess.c:se_access_check(233)
  se_access_check: requested access 0x00000002, for NT token with 22 entries an



But for AD users the local group membership seems to be ignored.

AD user emea\ralfgro which I added to the local unix group ve with gpasswd:

$ gpasswd -a emea\\ralfgro ve
Adding user emea\ralfgro to group ve

$ id -a emea\\ralfgro
uid=70000(ralfgro) gid=70000(domain users) Gruppen=70000(domain users),300(ve)

So, AD user ralfgro is clearly member of unix group ve. But samba thinks it is
not in the list of valid users.

User EMEA\ralfgro not in 'valid users'


[2007/01/26 08:29:10, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +ve does not start with 'S-'.
[2007/01/26 08:29:10, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: VU0EM003\ve => VU0EM003 (domain), ve (name)
[2007/01/26 08:29:10, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/01/26 08:29:10, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/01/26 08:29:10, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/01/26 08:29:10, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2007/01/26 08:29:10, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2007/01/26 08:29:10, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/01/26 08:29:10, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: Unix Group\ve => Unix Group (domain), ve (name)
[2007/01/26 08:29:10, 10] smbd/share_access.c:user_ok_token(208)
  User EMEA\ralfgro not in 'valid users'
[2007/01/26 08:29:10, 2] smbd/service.c:make_connection_snum(580)
  user 'EMEA\ralfgro' (from session setup) not permitted to access this share
(foo)
[2007/01/26 08:29:10, 3] smbd/error.c:error_packet(146)
  error packet at smbd/reply.c(676) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED


Is there somethign obvious I'm missing here? Shouldn't winbind respect the unix
group membership of the domain user? Is there anything I have to perform to get this working?

Ralf



More information about the samba mailing list