[Samba] winbind bug?

Rowland Penny rowlandpenny at googlemail.com
Thu Mar 27 13:55:39 MDT 2014


On 27/03/14 19:48, Doug Tucker wrote:
>
>>
>> passwd:         compat winbind
>> group:          compat winbind
>>
>> What this means is, the first place to look for a user is 
>> /etc/passwd and if the user exists there, then that info is used, 
>
> Correct, that is how it gets the unix uid, home dir, etc.  Then we use 
> the domain user map to map a seas user to the unix user.  The only 
> thing we use AD for at all is authentication.
>> what I think is happening is that your windows 7 user does not exist 
>> there, or more likely is there, but with a different ID number.
> The user is there, just like my own user account is there.  See 
> further down for a grep of /etc/passwd and corresponding wbinfo 
> querying AD.  The correct unix ID number for the user is there. I'm 
> not sure what you mean by a different ID number.  All users' real unix 
> ID numbers are there.  This has nothing to do with AD.
>>
>> I will repeat, you cannot have users both in /etc/passwd and AD, if 
>> you want to have users use different home directory paths, look into 
>> using RFC2307 attributes.
>>
>> Rowland
> All of our users information is in /etc/passwd and AD.  Your statement 
> just isn't true.  If it were, then no one would work at all...just 
> those with unix IDs over 11000 on a windows 7 client are affected.  
> They don't correspond to each other, we map them back on the unix side 
> after authentication.
>
> [root at lylesmb1 samba]# grep jghorbanian /etc/passwd
> jghorbanian:pb4DGaSAoY48E:11333:450:Jafar 
> Ghorbanian:/users5/megrad/jghorbanian:/bin/bash
> [root at lylesmb1 samba]# grep tuckerd /etc/passwd
> tuckerd:gnjdnwJVquCzQ:4011:500:Doug Tucker:/users4/enoc/tuckerd:/bin/bash
>
> [root at lylesmb1 samba]# wbinfo -n tuckerd
> S-1-5-21-1863541909-2129596521-199955091-23660 SID_USER (1)
> [root at lylesmb1 samba]# wbinfo -n jghorbanian
> S-1-5-21-1863541909-2129596521-199955091-34660 SID_USER (1)
>
>
> Please...look at these logs and tell me what you see.  First, my user 
> mapping my home directory.
>
> [2014/03/27 14:25:59.997435,  3] auth/auth.c:219(check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user 
> [seas-s]\[tuckerd]@[WIN7-VM] with the new password interface
> [2014/03/27 14:25:59.997589,  3] auth/auth.c:222(check_ntlm_password)
>   check_ntlm_password:  mapped user is: [seas-s]\[tuckerd]@[WIN7-VM]
> *^^^passing to AD for authentication^^^*
>
> [2014/03/27 14:26:00.011119,  3] auth/user_util.c:402(map_username)
>   Mapped user SEAS-S+tuckerd to tuckerd
> *^^^mapping the seas-s user to the unix user^^^*
>
> [2014/03/27 14:26:00.022867,  3] auth/auth.c:268(check_ntlm_password)
>   check_ntlm_password: winbind authentication for user [tuckerd] 
> succeeded
> [2014/03/27 14:26:00.022912,  2] auth/auth.c:309(check_ntlm_password)
>   check_ntlm_password:  authentication for user [tuckerd] -> [tuckerd] 
> -> [tuckerd] succeeded
> *^^^successful auth^^^*
>
>
> [2014/03/27 14:26:12.095829,  3] 
> ../libcli/auth/ntlmssp_sign.c:535(ntlmssp_sign_init)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2014/03/27 14:26:12.095910,  3] 
> ../libcli/auth/ntlmssp.c:34(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0xe2088215
> [2014/03/27 14:26:12.095943,  3] 
> smbd/password.c:298(register_existing_vuid)
>   register_existing_vuid: User name: tuckerd    Real name:
> [2014/03/27 14:26:12.095967,  3] 
> smbd/password.c:308(register_existing_vuid)
>   register_existing_vuid: UNIX uid 4011 is UNIX user tuckerd, and will 
> be vuid 100
> [2014/03/27 14:26:12.096090,  3] 
> smbd/password.c:238(register_homes_share)
>   Adding homes service for user 'tuckerd' using home directory: 
> '/users4/enoc/tuckerd'
> [2014/03/27 14:26:12.096148,  3] param/loadparm.c:6582(lp_add_home)
>   adding home's share [tuckerd] for user 'tuckerd' at 
> '/users4/enoc/tuckerd'
> *^^^hands me my share^^^*
>
> [2014/03/27 14:26:12.118542,  3] smbd/process.c:1662(process_smb)
>   Transaction 3 of length 104 (0 toread)
> [2014/03/27 14:26:12.118684,  3] smbd/process.c:1467(switch_message)
>   switch message SMBtconX (pid 7113) conn 0x0
> [2014/03/27 14:26:12.118759,  3] lib/access.c:338(allow_access)
>   Allowed connection from 129.119.103.59 (129.119.103.59)
> [2014/03/27 14:26:12.118792,  3] 
> ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
>   string_to_sid: SID root is not in a valid format
> [2014/03/27 14:26:12.119568,  3] smbd/service.c:872(make_connection_snum)
>   Connect path is '/tmp' for service [IPC$]
> [2014/03/27 14:26:12.119742,  3] smbd/vfs.c:102(vfs_init_default)
>   Initialising default vfs hooks
> [2014/03/27 14:26:12.119773,  3] smbd/vfs.c:128(vfs_init_custom)
>   Initialising custom vfs hooks from [/[Default VFS]/]
> [2014/03/27 14:26:12.119844,  3] 
> ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
>   string_to_sid: SID root is not in a valid format
> [2014/03/27 14:26:12.120483,  3] 
> smbd/service.c:1114(make_connection_snum)
>   win7-vm (129.119.103.59) connect to service IPC$ initially as user 
> tuckerd (uid=4011, gid=500) (pid 7113)
> [2014/03/27 14:26:12.120553,  3] smbd/reply.c:871(reply_tcon_and_X)
>   tconX service=IPC$
> [2014/03/27 14:26:12.142035,  3] smbd/process.c:1662(process_smb)
>
> [2014/03/27 14:26:17.104989,  3] smbd/trans2.c:2286(call_trans2findfirst)
>   call_trans2findfirst: dirtype = 16, maxentries = 1366, 
> close_after_first=0, close_if_end = 1 requires_resume_key = 1 level = 
> 0x104, max_data_bytes = 16384
> [2014/03/27 14:26:17.105033,  3] smbd/dir.c:580(dptr_create)
>   creating new dirptr 256 for path ., expect_close = 1
> [2014/03/27 14:26:17.105072,  3] smbd/dir.c:1036(smbd_dirptr_get_entry)
>   smbd_dirptr_get_entry mask=[*] found ./. fname=. (.)
> [2014/03/27 14:26:17.105106,  3] smbd/dir.c:1036(smbd_dirptr_get_entry)
>   smbd_dirptr_get_entry mask=[*] found ./.. fname=.. (..)
> [2014/03/27 14:26:17.109911,  3] smbd/dir.c:1036(smbd_dirptr_get_entry)
>   smbd_dirptr_get_entry mask=[*] found ./serv_req_info.txt 
> fname=serv_req_info.txt (serv_req_info.txt)
> [2014/03/27 14:26:17.109968,  3] smbd/dir.c:1036(smbd_dirptr_get_entry)
> *^^^here it is mapped on client, and it is reading through my 
> files...all working as expected^^^*
>
> I can copy paste the user failing.  If I do it on XP, it looks 
> exactly like mine (remove my username and unix UID and GID and replace 
> with his).  If I do it on Windows 7, again, it looks exactly the same, 
> and at the moment where mine starts reading files, his says 
> "permission denied".  If you want me to copy/paste the log for his I 
> will.  Just telling you to save space as this reply is pretty long.
>
> Here is another oddity.  On the windows 7 machine, if instead of 
> mapping via the "map network drive" option in windows explorer, I 
> bring up the command line and map him via net use on the command line, 
> IT WORKS.  I get the drive mapping.  I can navigate to it.  I can do a 
> DIR and see all of his files.  I can even create a directory.  BUT, 
> once the directory is created, I cannot delete it.
>
>
I am certain that this is all down to the non-standard way you are using 
samba and AD, you have a user ID in /etc/passwd and I 'think' that 
winbind is giving your user a different one.

As far as I am concerned, you came up with your non-standard way of 
doing things and do not want to listen to advice from anybody, so you 
fix it!!!

Rowland
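
One way to check the hypothesis in the reply above (that winbind assigns a user a different UID than the one in /etc/passwd), as an added example that is not part of the original thread. It relies on `wbinfo -n` (name to SID) and `wbinfo -S` (SID to UID); the function names, the `WBINFO` override, and the users, SIDs and UIDs in the stub are constructed for illustration.

```shell
# Added example: compare the UID in a passwd-format file with the UID that
# winbind's idmap gives the same account's SID.
WBINFO=${WBINFO:-wbinfo}    # set WBINFO to a stub to run without a domain

# files_uid FILE USER: print the UID (3rd field) of USER's entry in FILE.
files_uid() {
    awk -F: -v u="$2" '$1 == u { print $3; exit }' "$1"
}

# winbind_uid USER: name -> SID (wbinfo -n), then SID -> UID (wbinfo -S).
winbind_uid() {
    sid=$("$WBINFO" -n "$1" 2>/dev/null | awk '{ print $1; exit }')
    [ -n "$sid" ] || return 0
    "$WBINFO" -S "$sid" 2>/dev/null
}

# check_user FILE USER: print "USER files=<uid> winbind=<uid> <verdict>".
check_user() {
    f=$(files_uid "$1" "$2") || f=""
    w=$(winbind_uid "$2") || w=""
    if [ -z "$f" ] && [ -z "$w" ]; then v=unknown
    elif [ -z "$w" ]; then v=files-only
    elif [ -z "$f" ]; then v=winbind-only
    elif [ "$f" = "$w" ]; then v=match
    else v=MISMATCH
    fi
    echo "$2 files=${f:--} winbind=${w:--} $v"
}

# Constructed stand-in for wbinfo (made-up SIDs and UIDs) so this runs offline.
demo_wbinfo() {
    case "$1 $2" in
        "-n alice") echo "S-1-5-21-1111-2222-3333-1104 SID_USER (1)" ;;
        "-n bob")   echo "S-1-5-21-1111-2222-3333-1105 SID_USER (1)" ;;
        "-S S-1-5-21-1111-2222-3333-1104") echo 4500 ;;
        "-S S-1-5-21-1111-2222-3333-1105") echo 20007 ;;
        *) return 1 ;;
    esac
}

# Constructed passwd-format sample; carol exists only in the file.
demo_passwd() {
    printf '%s\n' 'alice:x:4500:500:Alice:/home/alice:/bin/sh' \
        'bob:x:11500:450:Bob:/home/bob:/bin/sh' \
        'carol:x:4501:500:Carol:/home/carol:/bin/sh'
}

tmp=$(mktemp) && demo_passwd > "$tmp"
for u in alice bob carol; do (WBINFO=demo_wbinfo; check_user "$tmp" "$u"); done
rm -f "$tmp"
```

On a real member server, leave `WBINFO` unset and pass `/etc/passwd`; a `MISMATCH` line only says the two sources disagree about the UID, not which one smbd ends up using.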

