[Samba] Problem when "valid users" is used

Arnaud BLONDEL - Alter Way Solutions arnaud.blondel at alterway.fr
Thu Sep 30 02:20:48 MDT 2010


I added "loglevel 768" to slapd.conf and I have this in my syslog file:


Sep 30 09:37:19 xxxx slapd[23852]: conn=2110 op=47 SRCH base="dc=company,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(uniqueMember=cn=developpeurs,ou=groups,dc=company,dc=com))"
Sep 30 09:37:19 xxxx slapd[23852]: conn=2110 op=47 SRCH attr=gidNumber
Sep 30 09:37:19 xxxx slapd[23852]: conn=2110 op=47 SEARCH RESULT tag=101 err=0 nentries=0 text=


I don't understand why the Developpeurs group is not found here (nentries=0).

# ldapsearch -x -b 'ou=groups,dc=company,dc=com' cn=Developpeurs

returns:

cn=Developpeurs,ou=Groups,dc=company,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Developpeurs
gidNumber: 1005
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1015
sambaGroupType: 2
displayName: Developpeurs
description: Le groupe des programmeurs
memberUid: test
...

On 29/09/2010 18:59, Allen Chen wrote:
> Arnaud BLONDEL - Alter Way Solutions wrote:
>> Hi,
>>
>> When I use "valid users" in smb.conf to limit access on my share, I
>> have this message with smbclient :
>>
>>
>> [global]
>>
>> workgroup = MYDOM
>> domain master = no
>> local master = no
>> security = user
>> passdb backend = ldapsam:ldap://x.x.x.x:389
>> ldap admin dn = cn=admin,dc=company,dc=com
>> ldap suffix = dc=company,dc=com
>> ldap user suffix = ou=People
>> ldap group suffix = ou=Groups
>> ldap idmap suffix = ou=Idmap
>> ldap machine suffix = ou=Computers
>> ....
>>
>> [Images]
>> ...
>> valid users = @Developpeurs
>> ...
>>
>>
>> # smbclient //x.x.x.x/Images -U test
>> Enter test's password:
>> Domain=[SERVER] OS=[Unix] Server=[Samba 3.3.2]
>> tree connect failed: NT_STATUS_ACCESS_DENIED
>>
>>
>> I have this log :
>>
>> [2010/09/29 16:19:03, 3] lib/util_sid.c:string_to_sid(228)
>> string_to_sid: Sid @Developpeurs does not start with 'S-'.
>> [2010/09/29 16:19:03, 5] smbd/password.c:user_in_netgroup(425)
>> Unable to get default yp domain, let's try without specifying it
>> [2010/09/29 16:19:03, 5] smbd/password.c:user_in_netgroup(429)
>> looking for user test of domain (ANY) in netgroup Developpeurs
>> [2010/09/29 16:19:03, 5] smbd/password.c:user_in_netgroup(445)
>> looking for user test of domain (ANY) in netgroup Developpeurs
>> [2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(69)
>> lookup_name: SERVER\Developpeurs => SERVER (domain), Developpeurs (name)
>> [2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
>> lookup_name: flags = 0x077
>> [2010/09/29 16:19:03, 3] smbd/sec_ctx.c:push_sec_ctx(224)
>> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>> [2010/09/29 16:19:03, 3] smbd/uid.c:push_conn_ctx(388)
>> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>> [2010/09/29 16:19:03, 3] smbd/sec_ctx.c:set_sec_ctx(324)
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>> [2010/09/29 16:19:03, 5] auth/token_util.c:debug_nt_user_token(522)
>> NT user token: (NULL)
>> [2010/09/29 16:19:03, 5] auth/token_util.c:debug_unix_user_token(548)
>> UNIX token of user 0
>> Primary group is 0 and contains 0 supplementary groups
>> [2010/09/29 16:19:03, 5] lib/smbldap.c:smbldap_search_ext(1205)
>> smbldap_search_ext: base => [ou=Groups,dc=company,dc=com], filter =>
>> [(&(objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Developpeurs)))],
>> scope => [2]
>> [2010/09/29 16:19:03, 2] passdb/pdb_ldap.c:init_group_from_ldap(2348)
>> init_group_from_ldap: Entry found for group: 1005
>> [2010/09/29 16:19:03, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
>> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2010/09/29 16:19:03, 10] passdb/passdb.c:lookup_global_sam_name(620)
>> Found group Developpeurs
>> (S-1-5-21-1003513250-1319205365-1235820382-1015) not in our domain --
>> ignoring.lookup_name: Unix Group\Developpeurs => Unix Group (domain),
>> Developpeurs (name)
>> [2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
>> lookup_name: flags = 0x077
>> [2010/09/29 16:19:03, 10] smbd/share_access.c:user_ok_token(212)
>> User test not in 'valid users'
>> [2010/09/29 16:19:03, 2]
>> smbd/service.c:create_connection_server_info(663)
>> user 'test' (from session setup) not permitted to access this share
>> (Images)
>> [2010/09/29 16:19:03, 0] smbd/service.c:make_connection_snum(744)
>> create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
>>
>>
>> I use /etc/nsswitch to get users and groups from LDAP
>>
>> User "test" is in Developpeurs group :
>>
>> # id anisimov
>> uid=1009(anisimov) gid=513(Domain Users) groupes=513(Domain
>> Users),1005(Developpeurs)
>>
>>
>> In LDAP :
>>
>> cn=Developpeurs,ou=Groups,dc=company,dc=com
>> objectClass: top
>> objectClass: posixGroup
>> objectClass: sambaGroupMapping
>> cn: Developpeurs
>> gidNumber: 1005
>> sambaSID: S-1-5-21-1003513250-1319205365-1235820382-101
>> ....
>> memberUid: test
>> ....
>>
>> and :
>>
>> uid=test,ou=People,dc=company,dc=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> objectClass: sambaSamAccount
>> ....
>> givenName: anisimov
>> uid: anisimov
>> uidNumber: 1009
>> gidNumber: 513
>> sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1009
>> ....
>>
>>
>> Where is the problem ?
>>
>>
>> SAMBA : Version 3.3.2
> Are you talking about uid=anisimov or uid=test ?
>


-- 
Arnaud BLONDEL
Project Manager
ALTER WAY SOLUTIONS - Nord

TD: + 33 (0)3 22 84 04 07
FD: + 33 (0)3 22 84 00 73

44, rue Saint Fursy
80200 PERONNE
www.alterway.fr
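
Added example, not part of the original post and not Samba or OpenLDAP code: the two LDAP filters that appear in the logs above, evaluated against the Developpeurs entry as the post shows it. The entry shown carries `memberUid` while the slapd search asks for `uniqueMember`; the small filter grammar (`&`, `|`, equality) and the case-insensitive comparison are simplifications assumed here, and attributes elided with "..." in the post are not modelled.

```python
# Constructed from the ldapsearch output in the post (visible attributes only).
GROUP_ENTRY = {
    "objectClass": ["top", "posixGroup", "sambaGroupMapping"],
    "cn": ["Developpeurs"],
    "gidNumber": ["1005"],
    "displayName": ["Developpeurs"],
    "memberUid": ["test"],
}
# Filter from the slapd log (conn=2110 op=47).
SLAPD_FILTER = ("(&(objectClass=posixGroup)"
                "(uniqueMember=cn=developpeurs,ou=groups,dc=company,dc=com))")
# Filter from the smbd log (smbldap_search_ext).
SAMBA_FILTER = ("(&(objectClass=sambaGroupMapping)"
                "(|(displayName=Developpeurs)(cn=Developpeurs)))")


def parse(flt, pos=0):
    """Parse one parenthesised filter at pos; return (node, next_pos)."""
    if flt[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if flt[pos] in "&|":
        op, pos, kids = flt[pos], pos + 1, []
        while flt[pos] == "(":
            kid, pos = parse(flt, pos)
            kids.append(kid)
        if flt[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, kids), pos + 1
    end = flt.index(")", pos)
    attr, _, value = flt[pos:end].partition("=")  # DN values contain '=' too
    return ("=", attr, value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry, ignoring case."""
    if node[0] == "=":
        have = {k.lower(): v for k, v in entry.items()}.get(node[1].lower(), [])
        return node[2].lower() in (v.lower() for v in have)
    results = [matches(kid, entry) for kid in node[1]]
    return all(results) if node[0] == "&" else any(results)


def failing_terms(node, entry):
    """Return the equality terms responsible for a non-matching filter."""
    if matches(node, entry):
        return []
    if node[0] == "=":
        return [f"{node[1]}={node[2]}"]
    return [t for kid in node[1] for t in failing_terms(kid, entry)]
```

Calling `failing_terms(parse(SLAPD_FILTER)[0], GROUP_ENTRY)` names the `uniqueMember` term as the only one that fails, while the smbd group-mapping filter matches the same entry.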


