[Samba] winbind bug?
Rowland Penny
rowlandpenny at googlemail.com
Thu Mar 27 13:55:39 MDT 2014
On 27/03/14 19:48, Doug Tucker wrote:
>
>>
>> passwd: compat winbind
>> group: compat winbind
>>
>> What this means is, the first place to look for a user is
>> /etc/passwd and if the user exists there, then that info is used,
>
> Correct, that is how it gets the unix uid, home dir, etc. Then we use
> the domain user map to map a seas user to the unix user. The only
> thing we use AD for at all is authentication.
>> what I think is happening is that your windows 7 user does not exist
>> there, or more likely is there, but with a different ID number.
> The user is there, just like my own user account is there. See
> further down for a grep of /etc/passwd and corresponding wbinfo
> querying AD. The correct unix ID number for the user is there. I'm
> not sure what you mean by a different ID number. All users' real unix
> ID numbers are there. This has nothing to do with AD.
>>
>> I will repeat, you cannot have users both in /etc/passwd and AD, if
>> you want to have users use different home directory paths, look into
>> using RFC2307 attributes.
>>
>> Rowland
> All of our users' information is in /etc/passwd and AD. Your statement
> just isn't true. If it were, then no one would work at all...just
> those with a unix ID over 11000 on a windows 7 client are affected.
> They don't correspond to each other, we map them back on the unix side
> after authentication.
>
> [root@lylesmb1 samba]# grep jghorbanian /etc/passwd
> jghorbanian:pb4DGaSAoY48E:11333:450:Jafar Ghorbanian:/users5/megrad/jghorbanian:/bin/bash
> [root@lylesmb1 samba]# grep tuckerd /etc/passwd
> tuckerd:gnjdnwJVquCzQ:4011:500:Doug Tucker:/users4/enoc/tuckerd:/bin/bash
>
> [root@lylesmb1 samba]# wbinfo -n tuckerd
> S-1-5-21-1863541909-2129596521-199955091-23660 SID_USER (1)
> [root@lylesmb1 samba]# wbinfo -n jghorbanian
> S-1-5-21-1863541909-2129596521-199955091-34660 SID_USER (1)
>
>
> Please...look at these logs and tell me what you see. First, my user
> mapping my home directory.
>
> [2014/03/27 14:25:59.997435, 3] auth/auth.c:219(check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user
> [seas-s]\[tuckerd]@[WIN7-VM] with the new password interface
> [2014/03/27 14:25:59.997589, 3] auth/auth.c:222(check_ntlm_password)
> check_ntlm_password: mapped user is: [seas-s]\[tuckerd]@[WIN7-VM]
> *^^^passing to AD for authentication^^^*
>
> [2014/03/27 14:26:00.011119, 3] auth/user_util.c:402(map_username)
> Mapped user SEAS-S+tuckerd to tuckerd
> *^^^mapping the seas-s user to the unix user^^^*
>
> [2014/03/27 14:26:00.022867, 3] auth/auth.c:268(check_ntlm_password)
> check_ntlm_password: winbind authentication for user [tuckerd]
> succeeded
> [2014/03/27 14:26:00.022912, 2] auth/auth.c:309(check_ntlm_password)
> check_ntlm_password: authentication for user [tuckerd] -> [tuckerd]
> -> [tuckerd] succeeded
> *^^^successful auth^^^*
>
>
> [2014/03/27 14:26:12.095829, 3]
> ../libcli/auth/ntlmssp_sign.c:535(ntlmssp_sign_init)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2014/03/27 14:26:12.095910, 3]
> ../libcli/auth/ntlmssp.c:34(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0xe2088215
> [2014/03/27 14:26:12.095943, 3]
> smbd/password.c:298(register_existing_vuid)
> register_existing_vuid: User name: tuckerd Real name:
> [2014/03/27 14:26:12.095967, 3]
> smbd/password.c:308(register_existing_vuid)
> register_existing_vuid: UNIX uid 4011 is UNIX user tuckerd, and will
> be vuid 100
> [2014/03/27 14:26:12.096090, 3]
> smbd/password.c:238(register_homes_share)
> Adding homes service for user 'tuckerd' using home directory:
> '/users4/enoc/tuckerd'
> [2014/03/27 14:26:12.096148, 3] param/loadparm.c:6582(lp_add_home)
> adding home's share [tuckerd] for user 'tuckerd' at
> '/users4/enoc/tuckerd'
> *^^^hands me my share^^^*
>
> [2014/03/27 14:26:12.118542, 3] smbd/process.c:1662(process_smb)
> Transaction 3 of length 104 (0 toread)
> [2014/03/27 14:26:12.118684, 3] smbd/process.c:1467(switch_message)
> switch message SMBtconX (pid 7113) conn 0x0
> [2014/03/27 14:26:12.118759, 3] lib/access.c:338(allow_access)
> Allowed connection from 129.119.103.59 (129.119.103.59)
> [2014/03/27 14:26:12.118792, 3]
> ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
> string_to_sid: SID root is not in a valid format
> [2014/03/27 14:26:12.119568, 3] smbd/service.c:872(make_connection_snum)
> Connect path is '/tmp' for service [IPC$]
> [2014/03/27 14:26:12.119742, 3] smbd/vfs.c:102(vfs_init_default)
> Initialising default vfs hooks
> [2014/03/27 14:26:12.119773, 3] smbd/vfs.c:128(vfs_init_custom)
> Initialising custom vfs hooks from [/[Default VFS]/]
> [2014/03/27 14:26:12.119844, 3]
> ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
> string_to_sid: SID root is not in a valid format
> [2014/03/27 14:26:12.120483, 3]
> smbd/service.c:1114(make_connection_snum)
> win7-vm (129.119.103.59) connect to service IPC$ initially as user
> tuckerd (uid=4011, gid=500) (pid 7113)
> [2014/03/27 14:26:12.120553, 3] smbd/reply.c:871(reply_tcon_and_X)
> tconX service=IPC$
> [2014/03/27 14:26:12.142035, 3] smbd/process.c:1662(process_smb)
>
> [2014/03/27 14:26:17.104989, 3] smbd/trans2.c:2286(call_trans2findfirst)
> call_trans2findfirst: dirtype = 16, maxentries = 1366,
> close_after_first=0, close_if_end = 1 requires_resume_key = 1 level =
> 0x104, max_data_bytes = 16384
> [2014/03/27 14:26:17.105033, 3] smbd/dir.c:580(dptr_create)
> creating new dirptr 256 for path ., expect_close = 1
> [2014/03/27 14:26:17.105072, 3] smbd/dir.c:1036(smbd_dirptr_get_entry)
> smbd_dirptr_get_entry mask=[*] found ./. fname=. (.)
> [2014/03/27 14:26:17.105106, 3] smbd/dir.c:1036(smbd_dirptr_get_entry)
> smbd_dirptr_get_entry mask=[*] found ./.. fname=.. (..)
> [2014/03/27 14:26:17.109911, 3] smbd/dir.c:1036(smbd_dirptr_get_entry)
> smbd_dirptr_get_entry mask=[*] found ./serv_req_info.txt
> fname=serv_req_info.txt (serv_req_info.txt)
> [2014/03/27 14:26:17.109968, 3] smbd/dir.c:1036(smbd_dirptr_get_entry)
> *^^^here it is mapped on client, and it is reading through my
> files...all working as expected^^^*
>
> I can copy paste the user failing. If I do it on XP, it looks
> exactly like mine (remove my username and unix UID and GID and replace
> with his). If I do it on Windows 7, again, it looks exactly the same,
> and at the moment where mine starts reading files, his says
> "permission denied". If you want me to copy/paste the log for his I
> will. Just telling you to save space as this reply is pretty long.
>
> Here is another oddity. On the windows 7 machine, if instead of
> mapping via the "map network drive" option in windows explorer, I
> bring up the command line and map him via net use on the command line,
> IT WORKS. I get the drive mapping. I can navigate to it. I can do a
> DIR and see all of his files. I can even create a directory. BUT,
> once the directory is created, I cannot delete it.
>
>
I am certain that this is all down to the non-standard way you are using
samba and AD. You have a user ID in /etc/passwd and I 'think' that
winbind is giving your user a different one.
As far as I am concerned, you came up with your non-standard way of
doing things and do not want to listen to advice from anybody, so you
fix it!!!
Rowland
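
The hypothesis in the reply above (a UID in /etc/passwd that differs from the one winbind gives the same account) can be checked directly. This is an added example, not part of the original message or of Samba; it assumes `wbinfo` is on the PATH and that bare user names resolve with `wbinfo -n` as in the quoted output, and the function names and the `PASSWD_FILE` variable are hypothetical.

```shell
#!/bin/sh
# Added example: compare the UID in the local passwd file with the UID
# winbind's idmap returns for the same account's SID.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}   # hypothetical override, for testing

# UID recorded for a user in the flat passwd file (field 3).
files_uid() {
    awk -F: -v u="$1" '$1 == u { print $3; exit }' "$PASSWD_FILE"
}

# UID winbind maps the user to: name -> SID (wbinfo -n), SID -> UID (wbinfo -S).
winbind_uid() {
    sid=$(wbinfo -n "$1" 2>/dev/null | awk '{ print $1 }')
    [ -n "$sid" ] || return 1
    wbinfo -S "$sid" 2>/dev/null
}

# Prints one status line per user.
# Returns 0 on match, 1 on mismatch, 2 if either lookup failed.
compare_uid() {
    f=$(files_uid "$1")
    w=$(winbind_uid "$1") || w=
    if [ -z "$f" ] || [ -z "$w" ]; then
        echo "$1: lookup failed (files='${f}' winbind='${w}')"
        return 2
    fi
    if [ "$f" = "$w" ]; then
        echo "$1: OK uid=$f"
        return 0
    fi
    echo "$1: MISMATCH files=$f winbind=$w"
    return 1
}

# Usage: sh check_uid.sh tuckerd jghorbanian
for u in "$@"; do compare_uid "$u" || true; done
```

A MISMATCH line means the account's files, owned by the /etc/passwd UID, would be accessed under a different UID whenever the identity comes from winbind.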