[Samba] Problem when "valid users" is used

Arnaud BLONDEL - Alter Way Solutions arnaud.blondel at alterway.fr
Wed Sep 29 09:38:35 MDT 2010


Hi,

When I use "valid users" in smb.conf to limit access to my share, I get 
this message with smbclient:


[global]

workgroup 		= MYDOM
domain master           = no
local master            = no
security                = user
passdb backend          = ldapsam:ldap://x.x.x.x:389
ldap admin dn           = cn=admin,dc=company,dc=com
ldap suffix             = dc=company,dc=com
ldap user suffix        = ou=People
ldap group suffix       = ou=Groups
ldap idmap suffix       = ou=Idmap
ldap machine suffix     = ou=Computers
...

[Images]
	...
	valid users = @Developpeurs
	...


# smbclient //x.x.x.x/Images -U test
Enter test's password:
Domain=[SERVER] OS=[Unix] Server=[Samba 3.3.2]
tree connect failed: NT_STATUS_ACCESS_DENIED


I have this log:

[2010/09/29 16:19:03,  3] lib/util_sid.c:string_to_sid(228)
   string_to_sid: Sid @Developpeurs does not start with 'S-'.
[2010/09/29 16:19:03,  5] smbd/password.c:user_in_netgroup(425)
   Unable to get default yp domain, let's try without specifying it
[2010/09/29 16:19:03,  5] smbd/password.c:user_in_netgroup(429)
   looking for user test of domain (ANY) in netgroup Developpeurs
[2010/09/29 16:19:03,  5] smbd/password.c:user_in_netgroup(445)
   looking for user test of domain (ANY) in netgroup Developpeurs
[2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(69)
   lookup_name: SERVER\Developpeurs => SERVER (domain), Developpeurs (name)
[2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
   lookup_name: flags = 0x077
[2010/09/29 16:19:03,  3] smbd/sec_ctx.c:push_sec_ctx(224)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/09/29 16:19:03,  3] smbd/uid.c:push_conn_ctx(388)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/09/29 16:19:03,  3] smbd/sec_ctx.c:set_sec_ctx(324)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/09/29 16:19:03,  5] auth/token_util.c:debug_nt_user_token(522)
   NT user token: (NULL)
[2010/09/29 16:19:03,  5] auth/token_util.c:debug_unix_user_token(548)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2010/09/29 16:19:03,  5] lib/smbldap.c:smbldap_search_ext(1205)
   smbldap_search_ext: base => [ou=Groups,dc=company,dc=com], filter => 
[(&(objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Developpeurs)))], 
scope => [2]
[2010/09/29 16:19:03,  2] passdb/pdb_ldap.c:init_group_from_ldap(2348)
   init_group_from_ldap: Entry found for group: 1005
[2010/09/29 16:19:03,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/29 16:19:03, 10] passdb/passdb.c:lookup_global_sam_name(620)
   Found group Developpeurs 
(S-1-5-21-1003513250-1319205365-1235820382-1015) not in our domain -- 
ignoring.lookup_name: Unix Group\Developpeurs => Unix Group (domain), 
Developpeurs (name)
[2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
   lookup_name: flags = 0x077
[2010/09/29 16:19:03, 10] smbd/share_access.c:user_ok_token(212)
   User test not in 'valid users'
[2010/09/29 16:19:03,  2] smbd/service.c:create_connection_server_info(663)
   user 'test' (from session setup) not permitted to access this share 
(Images)
[2010/09/29 16:19:03,  0] smbd/service.c:make_connection_snum(744)
   create_connection_server_info failed: NT_STATUS_ACCESS_DENIED


I use /etc/nsswitch to get users and groups from LDAP.

User "test" is in the Developpeurs group:

# id anisimov
uid=1009(anisimov) gid=513(Domain Users) groupes=513(Domain 
Users),1005(Developpeurs)


In LDAP:

cn=Developpeurs,ou=Groups,dc=company,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Developpeurs
gidNumber: 1005
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-101
...
memberUid: test
...

and:

uid=test,ou=People,dc=company,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
...
givenName: anisimov
uid: anisimov
uidNumber: 1009
gidNumber: 513
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1009
...


Where is the problem?


SAMBA : Version 3.3.2

