[Samba] Problem when "valid users" is used

Harry Jede walk2sun at arcor.de
Thu Sep 30 02:46:52 MDT 2010


On Wednesday, 29 September 2010, Arnaud BLONDEL - Alter Way Solutions wrote:
> Hi,
>
> When I use "valid users" in smb.conf to limit access on my share, I
> have this message with smbclient :
>
>
> [global]
>
> workgroup 		= MYDOM
> domain master           = no
> local master            = no
> security                = user
> passdb backend          = ldapsam:ldap://x.x.x.x:389
> ldap admin dn           = cn=admin,dc=company,dc=com
> ldap suffix             = dc=company,dc=com
> ldap user suffix        = ou=People
> ldap group suffix       = ou=Groups
> ldap idmap suffix       = ou=Idmap
> ldap machine suffix     = ou=Computers
> ...
>
> [Images]
> 	...
> 	valid users = @Developpeurs
> 	...
>
>
> # smbclient //x.x.x.x/Images -U test
> Enter test's password:
> Domain=[SERVER] OS=[Unix] Server=[Samba 3.3.2]
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
>
> I have this log :
>
> 2010/09/29 16:19:03,  3] lib/util_sid.c:string_to_sid(228)
>    string_to_sid: Sid @Developpeurs does not start with 'S-'.
> [2010/09/29 16:19:03,  5] smbd/password.c:user_in_netgroup(425)
>    Unable to get default yp domain, let's try without specifying it
> [2010/09/29 16:19:03,  5] smbd/password.c:user_in_netgroup(429)
>    looking for user test of domain (ANY) in netgroup Developpeurs
> [2010/09/29 16:19:03,  5] smbd/password.c:user_in_netgroup(445)
>    looking for user test of domain (ANY) in netgroup Developpeurs
> [2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(69)
>    lookup_name: SERVER\Developpeurs => SERVER (domain), Developpeurs
> (name) [2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
> lookup_name: flags = 0x077
> [2010/09/29 16:19:03,  3] smbd/sec_ctx.c:push_sec_ctx(224)
>    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2010/09/29 16:19:03,  3] smbd/uid.c:push_conn_ctx(388)
>    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2010/09/29 16:19:03,  3] smbd/sec_ctx.c:set_sec_ctx(324)
>    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2010/09/29 16:19:03,  5] auth/token_util.c:debug_nt_user_token(522)
>    NT user token: (NULL)
> [2010/09/29 16:19:03,  5]
> auth/token_util.c:debug_unix_user_token(548) UNIX token of user 0
>    Primary group is 0 and contains 0 supplementary groups
> [2010/09/29 16:19:03,  5] lib/smbldap.c:smbldap_search_ext(1205)
>    smbldap_search_ext: base => [ou=Groups,dc=company,dc=com], filter
> =>
> [(&(objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Dev
>eloppeurs)))], scope => [2]
> [2010/09/29 16:19:03,  2]
> passdb/pdb_ldap.c:init_group_from_ldap(2348) init_group_from_ldap:
> Entry found for group: 1005
> [2010/09/29 16:19:03,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/09/29 16:19:03, 10] passdb/passdb.c:lookup_global_sam_name(620)
>    Found group Developpeurs
Try to run the same search as Samba does:

ldapsearch -s sub -b "ou=Groups,dc=company,dc=com" "(&(objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Developpeurs)))"

> (S-1-5-21-1003513250-1319205365-1235820382-1015) not in our domain --
> ignoring.lookup_name: Unix Group\Developpeurs => Unix Group (domain),
> Developpeurs (name)
Samba finds this SID S-1-5-21-1003513250-1319205365-1235820382-1015 for your group, but
according to your LDIF, the SID for Developpeurs is:
S-1-5-21-1003513250-1319205365-1235820382-101

So you may have a duplicate entry :-( .

> [2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
>    lookup_name: flags = 0x077
> [2010/09/29 16:19:03, 10] smbd/share_access.c:user_ok_token(212)
>    User test not in 'valid users'
> [2010/09/29 16:19:03,  2]
> smbd/service.c:create_connection_server_info(663) user 'test' (from
> session setup) not permitted to access this share (Images)
> [2010/09/29 16:19:03,  0] smbd/service.c:make_connection_snum(744)
>    create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
>
>
> I use /etc/nsswitch to get users and groups from LDAP
>
> User "test" is in the Developpeurs group:
>
> # id anisimov
> uid=1009(anisimov) gid=513(Domain Users) groupes=513(Domain
> Users),1005(Developpeurs)
>
>
> In LDAP :
>
> cn=Developpeurs,ou=Groups,dc=company,dc=com
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: Developpeurs
> gidNumber: 1005
> sambaSID: S-1-5-21-1003513250-1319205365-1235820382-101
> ...
> memberUid: test
> ...
>
> and :
>
> uid=test,ou=People,dc=company,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> ...
> givenName: anisimov
> uid: anisimov
> uidNumber: 1009
> gidNumber: 513
> sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1009
> ...
>
>
> Where is the problem?
>
>
> SAMBA : Version 3.3.2



-- 

Regards
	Harry Jede
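As an added example (not part of the original thread), this script applies Harry's check offline: it parses the LDIF that the ldapsearch above prints and lists every sambaGroupMapping entry whose cn or displayName matches the group, together with the distinct sambaSIDs they carry, so a duplicate mapping resolving to a different SID than the group's own entry stands out. The LDIF below is constructed sample data, not the poster's directory.

```python
from collections import defaultdict

# Constructed sample LDIF (not from the thread): the real group entry plus a
# stray second mapping whose displayName matches but carries another SID.
SAMPLE_LDIF = """\
dn: cn=Developpeurs,ou=Groups,dc=company,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Developpeurs
gidNumber: 1005
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-101

dn: cn=Developpeurs-old,ou=Groups,dc=company,dc=com
objectClass: sambaGroupMapping
cn: Developpeurs-old
displayName: Developpeurs
gidNumber: 1005
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1015
"""

def parse_ldif(text):
    """Parse plain LDIF (no base64 values, no folded lines) into a list of
    entries; each entry maps a lowercased attribute name to its values."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():            # a blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[name.strip().lower()].append(value.strip())
    if current:
        entries.append(current)
    return entries

def group_mapping_conflicts(entries, group):
    """Entries matched by Samba's logged filter (sambaGroupMapping with
    displayName=group or cn=group) and the distinct sambaSIDs among them."""
    hits = [e for e in entries
            if "sambagroupmapping" in [v.lower() for v in e.get("objectclass", [])]
            and (group in e.get("cn", []) or group in e.get("displayname", []))]
    sids = sorted({s for e in hits for s in e.get("sambasid", [])})
    return hits, sids

if __name__ == "__main__":
    hits, sids = group_mapping_conflicts(parse_ldif(SAMPLE_LDIF), "Developpeurs")
    print([e["dn"][0] for e in hits], "->", sids)  # two entries, two SIDs: duplicate
```

Pipe real output in with `ldapsearch ... | python3 check.py` after replacing SAMPLE_LDIF with `sys.stdin.read()`; a single hit with a single SID is the healthy result.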

