[Samba] User Administrator (and only it) access denied on member server

Alex Wakizashi alex at wakizashi.info
Sun Oct 27 06:31:42 MDT 2013


Hello all,

I have a really strange problem with Samba 4.1.0, regarding only one
user: Administrator.

There are 2 servers: NAS (which is the DC) and CHEETAH (which is a domain member).

I have spent a long time trying to sync UIDs/GIDs across servers (these
are used both from Linux over NFS and from Windows), and finally
wrote scripts to make all users/groups (even including the builtin
ones, like "NT AUTHORITY\SYSTEM") consistent on all my Linux systems
through nslcd (just enumerate users and groups through ldbsearch, get
UIDs/GIDs from wbinfo and set these as rfc2307 attributes through
ldbmodify, along with a few other POSIX attributes).

So there are no crazy numeric IDs anymore and everything is working fine:
users/groups are visible and ACLs are working, but one issue is still
left:

When I try to access the member server as Administrator (which has
UID=0), I get the error:
session setup failed: NT_STATUS_ACCESS_DENIED

That happens both from Windows (tried Win7 Ultimate and XP Pro) and from Linux.

- Cut -
root@nas:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMBA.LOCAL.NET

Valid starting    Expires           Service principal
27/10/2013 15:48  28/10/2013 01:48  krbtgt/SAMBA.LOCAL.NET@SAMBA.LOCAL.NET
    renew until 28/10/2013 15:48
27/10/2013 15:48  28/10/2013 01:48  cifs/nas@SAMBA.LOCAL.NET
27/10/2013 15:48  28/10/2013 01:48  cifs/cheetah@SAMBA.LOCAL.NET

root@nas:~# smbclient -k -L cheetah
session setup failed: NT_STATUS_ACCESS_DENIED

root@nas:~# smbclient -k -L nas
Domain=[SAMBA] OS=[Unix] Server=[Samba 4.1.0]

    Sharename       Type      Comment
    ---------       ----      -------
    home            Disk      NAS Home (Read-Only)
    sysvol          Disk
    netlogon        Disk
    IPC$            IPC       IPC Service (Samba 4.1.0)
Domain=[SAMBA] OS=[Unix] Server=[Samba 4.1.0]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
- Cut -

So it works fine with the DC, but does not work on the member server.

Here is the relevant part of log.smbd on CHEETAH:
- Cut -
[2013/10/27 15:59:49.335505,  1]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username SAMBA\administrator is invalid on this system
[2013/10/27 15:59:49.335604,  1]
../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2013/10/27 15:59:49.335666,  1]
../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session
setup: NT_STATUS_ACCESS_DENIED
- Cut -

And as you can see, it is looking for user "SAMBA\administrator", rather
than "Administrator", which is available through nss/nslcd:
- Cut -
root@cheetah:/home/wakizashi# getent passwd | grep Administrator
Administrator:*:0:100::/home/Administrator:/bin/false

root@cheetah:/home/wakizashi# id Administrator
uid=0(Administrator) gid=100(users) groups=100(users)
- Cut -

And here is an example of user "test", which works fine:
- Cut -
root@nas:~# kdestroy
root@nas:~# kinit test
Password for test@SAMBA.LOCAL.NET:
root@nas:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@SAMBA.LOCAL.NET

Valid starting    Expires           Service principal
27/10/2013 16:15  28/10/2013 02:15  krbtgt/SAMBA.LOCAL.NET@SAMBA.LOCAL.NET
    renew until 28/10/2013 16:15
root@nas:~# smbclient -k -L cheetah
Domain=[SAMBA] OS=[Unix] Server=[Samba 4.1.0]

    Sharename       Type      Comment
    ---------       ----      -------
    IPC$            IPC       IPC Service (Samba 4.1.0)
    torrents        Disk      Torrents Disk
Domain=[SAMBA] OS=[Unix] Server=[Samba 4.1.0]

    Server               Comment
    ---------            -------
    CHEETAH              Samba 4.1.0

    Workgroup            Master
    ---------            -------
    SAMBA
- Cut -

As you can see below, user "test" is also available from the DC on CHEETAH
(it has a crazy UID from the DC mapping, BTW):
- Cut -
root@cheetah:/home/wakizashi# getent passwd | grep test
test:*:3000054:100:Test User:/home/test:/bin/false
- Cut -

And here is the log (loglevel increased to 3):
- Cut -
[2013/10/27 16:20:29.490777,  3]
../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: test [Test User]
[2013/10/27 16:20:29.490827,  3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [test at SAMBA.LOCAL.NET]
[2013/10/27 16:20:29.490990,  3] ../source3/param/loadparm.c:4838(lp_load_ex)
  lp_load_ex: refreshing parameters
[2013/10/27 16:20:29.491063,  3] ../source3/param/loadparm.c:750(init_globals)
  Initialising global parameters
[2013/10/27 16:20:29.491120,  3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2013/10/27 16:20:29.491157,  3] ../source3/param/loadparm.c:3564(do_section)
  Processing section "[global]"
[2013/10/27 16:20:29.491439,  2] ../source3/param/loadparm.c:3581(do_section)
  Processing section "[torrents]"
[2013/10/27 16:20:29.491462,  3] ../source3/param/loadparm.c:1773(lp_add_ipc)
  adding IPC service
[2013/10/27 16:20:29.492062,  3]
../source3/smbd/password.c:144(register_homes_share)
  Adding homes service for user 'test' using home directory: '/home/test'
[2013/10/27 16:20:29.493097,  3] ../source3/smbd/process.c:1795(process_smb)
  Transaction 2 of length 84 (0 toread)
[2013/10/27 16:20:29.493136,  3] ../source3/smbd/process.c:1398(switch_message)
  switch message SMBtconX (pid 6974) conn 0x0
[2013/10/27 16:20:29.493290,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from nas (192.168.2.1)
[2013/10/27 16:20:29.493373,  3]
../source3/smbd/service.c:612(make_connection_snum)
  Connect path is '/tmp' for service [IPC$]
[2013/10/27 16:20:29.493436,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2013/10/27 16:20:29.493480,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2013/10/27 16:20:29.493502,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2013/10/27 16:20:29.494696,  2] ../lib/util/modules.c:191(do_smb_load_module)
  Module 'acl_xattr' loaded
[2013/10/27 16:20:29.494743,  2]
../source3/modules/vfs_acl_xattr.c:193(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service IPC$
[2013/10/27 16:20:29.494916,  3]
../source3/smbd/service.c:848(make_connection_snum)
  nas (ipv4:192.168.2.1:34866) connect to service IPC$ initially as
user test (uid=3000054, gid=100) (pid 6974)
- Cut -

So it's not trying to get something like "SAMBA\test", and it works
fine, using user "test", which is available in the system.

Any thoughts?

Why, for "Administrator", is it looking for "SAMBA\Administrator" rather
than "Administrator", while for other accounts it works correctly?

Regards,
  Alex
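Added example, not the poster's script (which is not in the post): a sync pass of the kind the post describes, in POSIX sh. It reads user DNs with ldbsearch, asks winbind for each account's current uid/gid with "wbinfo -i", and writes the rfc2307 attributes back with ldbmodify so that nslcd on every host resolves the same ids. The sam.ldb path, the NetBIOS name SAMBA as $DOM, and /home/<name> plus /bin/false as the POSIX home and shell are assumptions; the refusal to write id 0 is this example's own design choice, not Samba behaviour and not what the poster did.

```sh
#!/bin/sh
# Added example, not the poster's script: push winbind's current UID/GID
# mappings into the AD directory as rfc2307 attributes, so nslcd on every
# host resolves the same ids.  Assumptions (not stated in the post):
#   SAMDB - path of sam.ldb on the DC (distribution dependent)
#   DOM   - NetBIOS domain name, with winbind's default "\" separator
SAMDB="${SAMDB:-/var/lib/samba/private/sam.ldb}"
DOM="${DOM:-SAMBA}"

# "wbinfo -i DOM\user" prints a passwd-style line; fields 3 and 4 are uid/gid.
uid_from_passwd_line() { printf '%s\n' "$1" | cut -d: -f3; }
gid_from_passwd_line() { printf '%s\n' "$1" | cut -d: -f4; }

# Emit one LDIF "changetype: modify" record that sets the rfc2307
# attributes on an object.  LDAP "replace" creates a missing attribute, so
# the same record serves first-time population and correction of stale values.
# Design choice of this example: refuse id 0.  A domain account mapped to
# uid/gid 0 is root on every NFS client and member server that trusts these
# attributes, which is more than a share login should ever hand out.
rfc2307_ldif() {
    dn=$1; uid=$2; gid=$3; home=$4; shell=$5
    case "$uid:$gid" in
        *[!0-9:]*|:*|*:) printf 'bad id for %s\n' "$dn" >&2; return 1 ;;
        0:*|*:0) printf 'refusing to map %s to id 0\n' "$dn" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'replace: uidNumber\nuidNumber: %s\n-\n' "$uid"
    printf 'replace: gidNumber\ngidNumber: %s\n-\n' "$gid"
    printf 'replace: unixHomeDirectory\nunixHomeDirectory: %s\n-\n' "$home"
    printf 'replace: loginShell\nloginShell: %s\n-\n\n' "$shell"
}

# Enumerate every non-computer user with ldbsearch, ask winbind for its
# present mapping, collect all records in one LDIF and apply them with a
# single ldbmodify.  Accounts winbind cannot map, and any id-0 mapping,
# are reported on stderr and skipped.
sync_users() {
    ldif=$(mktemp) || return 1
    ldbsearch -H "$SAMDB" '(&(objectClass=user)(!(objectClass=computer)))' sAMAccountName |
    awk '/^dn: /{dn=substr($0,5)}
         /^sAMAccountName: /{if (dn != "") print dn "\t" substr($0,17)}
         /^$/{dn=""}' |
    while IFS="$(printf '\t')" read -r dn sam; do
        line=$(wbinfo -i "$DOM\\$sam") || {
            printf 'winbind has no mapping for %s, skipped\n' "$sam" >&2; continue; }
        rfc2307_ldif "$dn" "$(uid_from_passwd_line "$line")" \
            "$(gid_from_passwd_line "$line")" "/home/$sam" /bin/false || continue
    done >"$ldif"
    ldbmodify -H "$SAMDB" "$ldif" && rm -f "$ldif"
}

# Usage on the DC: sh sync_rfc2307.sh run
case "${1:-}" in run) sync_users ;; esac
```

The whole directory is written in one ldbmodify run, so a failure part-way leaves the LDIF in place for inspection instead of a half-updated tree. Groups are left out here; the same "replace: gidNumber" record, fed from "wbinfo --group-info", covers them.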


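Added example, not from the post: the log.smbd excerpt above shows smbd on CHEETAH resolving the domain-qualified name "SAMBA\administrator", while the getent in the post only checks the bare "Administrator". This POSIX sh script resolves both forms through NSS for a given user (or for every user named in a log.smbd "is invalid on this system" line) and reports whether they agree, flagging the case where only the bare name resolves and any mapping to uid 0. $DOM=SAMBA and the backslash winbind separator are assumptions; the exit codes are this example's own convention.

```sh
#!/bin/sh
# Added example, not from the post: check how this host's NSS resolves the
# two name forms seen in the post, the domain-qualified "SAMBA\administrator"
# that smbd logged and the bare "Administrator" that getent was run against.
# Assumption: DOM is the NetBIOS domain and "\" is the winbind separator.
DOM="${DOM:-SAMBA}"

# NSS wrapper.  Redefine it to feed constructed passwd lines for a dry run.
lookup_passwd() { getent passwd "$1"; }

# Pull user names out of smbd's "Username X is invalid on this system"
# lines (log level 1), dropping the DOMAIN\ prefix.  Reads a log on stdin.
names_from_log() {
    sed -n 's/^ *Username \(.*\) is invalid on this system$/\1/p' | sed 's/^.*\\//'
}

# Resolve DOM\user and the bare user, compare the uids and report.
# Exit status: 0 both resolve to one uid, 1 only the bare name resolves
# (the post's Administrator case), 2 only the qualified name resolves,
# 3 both resolve but to different uids, 4 neither resolves.
check_name_forms() {
    user=$1; quid=""; buid=""
    if q=$(lookup_passwd "$DOM\\$user" 2>/dev/null); then quid=$(printf '%s\n' "$q" | cut -d: -f3); fi
    if b=$(lookup_passwd "$user" 2>/dev/null); then buid=$(printf '%s\n' "$b" | cut -d: -f3); fi
    # A domain account that resolves to root deserves a warning whatever else is found.
    for id in $quid $buid; do
        if [ "$id" = 0 ]; then
            printf 'warning: %s resolves to uid 0 (root) on this host\n' "$user"; break
        fi
    done
    if [ -n "$quid" ] && [ -n "$buid" ]; then
        if [ "$quid" = "$buid" ]; then
            printf '%s: consistent, uid %s\n' "$user" "$quid"; return 0
        fi
        printf '%s: mismatch, %s\\%s -> %s but %s -> %s\n' "$user" "$DOM" "$user" "$quid" "$user" "$buid"
        return 3
    fi
    if [ -n "$buid" ]; then
        printf '%s: only the bare name resolves (uid %s); a lookup of %s\\%s fails\n' "$user" "$buid" "$DOM" "$user"
        return 1
    fi
    if [ -n "$quid" ]; then
        printf '%s: only %s\\%s resolves (uid %s)\n' "$user" "$DOM" "$user" "$quid"; return 2
    fi
    printf '%s: neither %s\\%s nor %s resolves\n' "$user" "$DOM" "$user" "$user"
    return 4
}

# Usage: sh check_names.sh Administrator test
#        sh check_names.sh --log /var/log/samba/log.smbd
if [ "${1:-}" = --log ]; then
    set -- $(names_from_log <"${2:?log file}")
fi
for n in "$@"; do check_name_forms "$n" || :; done
```

Run it on the member server. "only the bare name resolves" is the shape of the failure in the log above; "mismatch" would mean winbind and nslcd hand out different ids for one account, which is exactly what the rfc2307 sync is meant to prevent.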