[Samba] Using +<group> in "valid users" is not working

Lee, Andrien Andrien.Lee at railcorp.nsw.gov.au
Sun Jul 11 22:19:48 MDT 2010


Hello to all,

I have recently upgraded to SAMBA 3.4.2 on Solaris 10, and reconfigured it to use domain authentication (security = domain).  We slapped guest authentication on most shares, with an explicit "valid users = ...." on a small number of sensitive shares.  Due to the number of users we were looking at, we set up two UNIX groups "payroll" and "payoff" and then set "valid users = +payoff +payroll" or some combination of the two.

The problem I am having is that when a user that is a member of these UNIX groups connects they are rejected.  I also tried using @payoff or @payroll, with the same results.  Authentication works if the user's login is explicitly placed in the valid users line, but not if the same user is just a member of one of the +/@<group> entries.

I have included a level 3 log from log.smbd up to the first rejection, along with the relevant smb.conf info that I am aware of.  The log is for a connection to a share with "valid users = @payoff", where bbancroft is a member of the payoff group.

Any assistance that you could provide would be extremely appreciated.

####################
# log.smbd extract #
####################

[2010/07/12 13:17:28,  3] libsmb/ntlmssp_sign.c:342(ntlmssp_sign_init)
  NTLMSSP Sign/Seal - Initialising with flags:
[2010/07/12 13:17:28,  3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xa2088205
[2010/07/12 13:17:28,  3] smbd/password.c:269(register_existing_vuid)
  register_existing_vuid: User name: bbancroft  Real name:
[2010/07/12 13:17:28,  3] smbd/password.c:279(register_existing_vuid)
  register_existing_vuid: UNIX uid 60194 is UNIX user bbancroft, and will be vuid 100
[2010/07/12 13:17:28,  3] smbd/password.c:211(register_homes_share)
  Adding homes service for user 'bbancroft' using home directory: '/dev/null'
[2010/07/12 13:17:28,  3] smbd/process.c:1459(process_smb)
  Transaction 3 of length 102 (0 toread)
[2010/07/12 13:17:28,  3] smbd/process.c:1273(switch_message)
  switch message SMBtconX (pid 8648) conn 0x0
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/12 13:17:28,  3] lib/util_sid.c:228(string_to_sid)
  string_to_sid: Sid root does not start with 'S-'.
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28,  3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28,  3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/12 13:17:28,  3] lib/util_sid.c:228(string_to_sid)
  string_to_sid: Sid @payoff does not start with 'S-'.
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28,  3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/12 13:17:28,  2] smbd/service.c:595(create_connection_server_info)
  user 'bbancroft' (from session setup) not permitted to access this share (rl6pd_payoff)
[2010/07/12 13:17:28,  1] smbd/service.c:676(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/07/12 13:17:28,  3] smbd/error.c:60(error_packet_set)
  error packet at smbd/reply.c(684) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

####################
# smb.conf extract #
####################

[global]
    workgroup = rail
    update encrypted = Yes
    ldap ssl = no
    invalid users = root
    encrypt passwords = yes
    security = domain
    password server = <--deleted-->
    guest account = <--deleted-->
    map to guest = bad user
    create mask = 0664
    log level = 3

[rl6pd_payoff]
    comment = ellrl6pd payoffice
    path = /samba/ellrl6pd/payoffice
    read only = No
    valid users = @payoff
    browseable = no

###############
# /etc/passwd #
###############

bbancroft:x:60194:5003:SAMBA User:/dev/null:/bin/false

##############
# /etc/group #
##############

payoff::5003:bbancroft



Many thanks in advance!
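Added example, not code from the original post or from the Samba project: it evaluates a `valid users` line against constructed passwd/group data using the documented +/@/& prefix rules from smb.conf(5), then cross-checks the result against the level-2 share-denial line in log.smbd, so an administrator can confirm that the local files would grant the access smbd refused (the situation described above) before investigating how the session token was built. The sample data and the `diagnose` / `allowed_by_valid_users` names are constructed for this example.

```python
import re

# Constructed sample data modelled on the post (not the Samba project's own code or data).
PASSWD_TEXT = "bbancroft:x:60194:5003:SAMBA User:/dev/null:/bin/false\n"
GROUP_TEXT = "payoff::5003:bbancroft\npayroll::5004:\n"
LOG_TEXT = ("[2010/07/12 13:17:28,  2] smbd/service.c:595(create_connection_server_info)\n"
            "  user 'bbancroft' (from session setup) not permitted to access this share (rl6pd_payoff)\n")
DENIAL_RE = re.compile(r"user '([^']+)' \(from session setup\) not permitted to access this share \(([^)]+)\)")

def parse_passwd(text):
    """Map user name -> primary gid from passwd-format lines."""
    return {f[0]: int(f[3]) for f in (l.split(":") for l in text.splitlines() if l)}

def parse_group(text):
    """Map group name -> (gid, set of supplementary members) from group-format lines."""
    return {f[0]: (int(f[2]), {m for m in f[3].split(",") if m})
            for f in (l.split(":") for l in text.splitlines() if l)}

def unix_groups(user, users, groups):
    """Groups NSS would report for the user: the primary gid plus supplementary entries."""
    if user not in users:
        return set()
    return {g for g, (gid, members) in groups.items() if gid == users[user] or user in members}

def allowed_by_valid_users(user, valid_users, users, groups):
    """Evaluate a 'valid users' line with Samba's prefixes against local passwd/group data:
    '+name' is a UNIX group, '&name' a NIS netgroup (not modelled here, so it never matches),
    '@name' tries the netgroup then the UNIX group; an unprefixed token is a user name."""
    member_of = unix_groups(user, users, groups)
    for token in valid_users.split():
        prefix, name = (token[0], token[1:]) if token[0] in "+@&" else ("", token)
        if (prefix == "" and name == user) or (prefix in ("+", "@") and name in member_of):
            return True
    return False

def denied_shares(log_text):
    """Extract (user, share) pairs from the level-2 share-denial lines in log.smbd."""
    return DENIAL_RE.findall(log_text)

def diagnose(user, valid_users, log_text, users, groups):
    """Compare what the local files would grant with what smbd actually decided."""
    on_paper = allowed_by_valid_users(user, valid_users, users, groups)
    denied = [share for who, share in denied_shares(log_text) if who == user]
    if on_paper and denied:
        return "mismatch: passwd/group grant access but smbd denied " + ", ".join(denied)
    return "denied and not granted locally either" if denied else "no denial logged"

if __name__ == "__main__":
    u, g = parse_passwd(PASSWD_TEXT), parse_group(GROUP_TEXT)
    print(diagnose("bbancroft", "@payoff", LOG_TEXT, u, g))
```

A "mismatch" result means the denial is not explained by the passwd/group files, which points the investigation at the group set smbd attached to the session rather than at the share configuration.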