[Samba] samba-4.1.19: resolving local unix group fails when there exists a local unix user with same name

Nissl Reinhard Reinhard.Nissl at fee.de
Fri Jul 31 12:07:17 UTC 2015


After upgrading samba from 4.1.17 to 4.1.19 on OpenSuSE 13.2, any shares offered by this machine can no longer be accessed when these shares contain an entry "force group" which specifies a local unix group and when there exists a unix user with the same name.

Here's an excerpt from smb.conf:

        comment = FactWork-Downloadportal
        path = /web/Fee/download/factwork
        valid users = @webadmin,fee\gabi,@fee\g_tb3,fee\administrator,fee\svtb3$
        write list = @webadmin,fee\gabi,@fee\g_tb3,fee\administrator
        force group = webadmin
        create mask = 0664
        force create mode = 0664
        directory mask = 0775
        force directory mode = 0775
        writeable = Yes
        guest ok = No

When I try to access that share with smbclient like that, it fails:

smbclient //platon/factwork mySecret -U reinhard.ni -W fee
Domain=[FEE] OS=[Unix] Server=[Samba 4.1.19-11.1-3442-SUSE-oS13.2-x86_64]
tree connect failed: NT_STATUS_NO_SUCH_GROUP

Running smbd interactive with maximum debug level shows the following lines:

looking for user fee\reinhard.ni of domain (ANY) in netgroup fee\g_tb3
lookup_name: fee\g_tb3 => domain=[fee], name=[g_tb3]
lookup_name: flags = 0x077
user_ok_token: share FactWork is ok for unix user FEE\reinhard.ni
lookup_name: FEE\webadmin => domain=[FEE], name=[webadmin]
lookup_name: flags = 0x077
map_name_to_wellknown_sid: looking up webadmin
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
Security token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
failed to unpack map
failed to unpack map
failed to unpack map
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
Finding user webadmin
Trying _Get_Pwnam(), username as lowercase is webadmin
Get_Pwnam_internals did find user [webadmin]!
webadmin is a User, not a group

A further problem (which seems to be caused by the same defect) exists when trying to validate the user against a local unix group (@webadmin in this example). The log output shows similar messages regarding @webadmin being a user while expecting a group. In that case smbclient fails with NT_STATUS_ACCESS_DENIED.

A workaround seems to be to replace all references to unix group webadmin with "Unix Group\webadmin", i.e.

        valid users = @"Unix Group\webadmin",fee\gabi,@fee\g_tb3,fee\administrator,fee\svtb3$
        write list = @"Unix Group\webadmin",fee\gabi,@fee\g_tb3,fee\administrator
        force group = "Unix Group\webadmin"

Reinhard Nißl, TB3, -198
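
Added example, not part of the original post and not Samba code: a small audit that lists the share parameters hit by the name collision described above, i.e. unqualified group references in "force group", "valid users" and "write list" whose name is also a local unix user. The passwd, group and smb.conf contents are constructed samples, the function names are hypothetical, and list values are assumed to be comma-separated as in the excerpt.

```python
import re

# Constructed sample data, modelled on the post (not taken from a real host).
PASSWD = "root:x:0:0::/root:/bin/bash\nwebadmin:x:1001:100::/home/webadmin:/bin/bash\n"
GROUP = "root:x:0:\nusers:x:100:\nwebadmin:x:1500:gabi\n"
SMB_CONF = r"""
[factwork]
    valid users = @webadmin,fee\gabi,@fee\g_tb3
    force group = webadmin
[fixed]
    valid users = @"Unix Group\webadmin"
    force group = "Unix Group\webadmin"
"""

LIST_PARAMS = {"valid users", "write list"}  # entries with @ or + name a group

def entry_names(db_text):
    """First field of every passwd/group style line."""
    return {l.split(":", 1)[0] for l in db_text.splitlines() if l and l[0] != "#"}

def ambiguous_group_refs(smb_conf, passwd, group):
    """Return (share, parameter, name) for unqualified group references
    whose name is also a local unix user name."""
    collide = entry_names(passwd) & entry_names(group)
    findings, share = [], None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            share = header.group(1)
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        key = " ".join(key.lower().split())
        if key == "force group":
            refs = [value.lstrip("+")]
        elif key in LIST_PARAMS:
            items = (v.strip() for v in value.split(","))
            refs = [v.lstrip("@+&") for v in items if v.startswith(("@", "+"))]
        else:
            continue
        for ref in refs:
            name = ref.strip('"')
            # A domain-qualified name such as "Unix Group\webadmin" is unambiguous.
            if "\\" not in name and name in collide:
                findings.append((share, key, name))
    return findings
```

On a real host, pass the contents of /etc/passwd, /etc/group and the smb.conf in use; each finding is a reference that the workaround above would qualify as "Unix Group\name".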
