[Samba] samba-4.1.19: resolving local unix group fails when there exists a local unix user with same name

Rowland Penny rowlandpenny241155 at gmail.com
Fri Jul 31 13:29:13 UTC 2015


On 31/07/15 13:07, Nissl Reinhard wrote:
> Hi,
>
> after upgrading samba from 4.1.17 to 4.1.19 on OpenSuSE 13.2, any shares offered by this machine can no longer be accessed when these shares contain an entry "force group" which specifies a local unix group and when there exists a unix user with the same name.
>
> Here's an excerpt from smb.conf:
>
> [FactWork]
>          comment = FactWork-Downloadportal
>          path = /web/Fee/download/factwork
>          valid users = @webadmin,fee\gabi,@fee\g_tb3,fee\administrator,fee\svtb3$
>          write list = @webadmin,fee\gabi,@fee\g_tb3,fee\administrator
>          force group = webadmin
>          create mask = 0664
>          force create mode = 0664
>          directory mask = 0775
>          force directory mode = 0775
>          writeable = Yes
>          guest ok = No
>
> When I try to access that share with smbclient like that, it fails:
>
> smbclient //platon/factwork mySecret -U reinhard.ni -W fee
> Domain=[FEE] OS=[Unix] Server=[Samba 4.1.19-11.1-3442-SUSE-oS13.2-x86_64]
> tree connect failed: NT_STATUS_NO_SUCH_GROUP
>
> Running smbd interactive with maximum debug level shows the following lines:
>
> looking for user fee\reinhard.ni of domain (ANY) in netgroup fee\g_tb3
> lookup_name: fee\g_tb3 => domain=[fee], name=[g_tb3]
> lookup_name: flags = 0x077
> user_ok_token: share FactWork is ok for unix user FEE\reinhard.ni
> lookup_name: FEE\webadmin => domain=[FEE], name=[webadmin]
> lookup_name: flags = 0x077
> map_name_to_wellknown_sid: looking up webadmin
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> Security token: (NULL)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> failed to unpack map
> failed to unpack map
> failed to unpack map
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> Finding user webadmin
> Trying _Get_Pwnam(), username as lowercase is webadmin
> Get_Pwnam_internals did find user [webadmin]!
> webadmin is a User, not a group
>
> A further problem (which seems to be caused by the same defect) exists when trying to validate the user against a local unix group (@webadmin in this example). The log output shows similar messages regarding @webadmin being a user while expecting a group. In that case smbclient fails with NT_STATUS_ACCESS_DENIED.
>
> A workaround seems to be to replace all references to unix group webadmin with "Unix Group\webadmin", i.e.
>
>          valid users = @"Unix Group\webadmin",fee\gabi,@fee\g_tb3,fee\administrator,fee\svtb3$
>          write list = @"Unix Group\webadmin",fee\gabi,@fee\g_tb3,fee\administrator
>          force group = "Unix Group\webadmin"
>
> Bye.
> --
> Reinhard Nißl, TB3, -198
>

Hi, I think there is a bug report open for this: 
https://bugzilla.samba.org/show_bug.cgi?id=11320

Rowland
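
An added example, not part of the original thread and not Samba code: a small Python audit for the condition reported above, share parameters that name a group without a domain qualifier while a local user of the same name exists. The function names and the sample config are constructed for illustration; list values are assumed to be comma-separated, as in the posted smb.conf.

```python
import re

# smb.conf parameters taking name lists, where "@name" or "+name" is a group
LIST_PARAMS = {"valid users", "invalid users", "write list", "read list", "admin users"}
GROUP_PARAMS = {"force group"}  # parameters taking a single group name

# Constructed sample: the share posted above, plus the workaround form
SAMPLE = r"""
[FactWork]
    valid users = @webadmin,fee\gabi,@fee\g_tb3,fee\administrator
    force group = webadmin
[Fixed]
    valid users = @"Unix Group\webadmin",fee\gabi
    force group = "Unix Group\webadmin"
"""

def group_refs(key, value):
    """Yield the group names referenced by one smb.conf parameter."""
    if key in GROUP_PARAMS:
        yield value.strip().strip('"').lstrip("+")
    elif key in LIST_PARAMS:
        for item in value.split(","):  # assumption: comma-separated list
            item = item.strip()
            if item[:1] in ("@", "+"):
                yield item[1:].strip('"')

def find_collisions(conf_text, users, groups):
    """Return (share, parameter, name) for unqualified group references
    whose name is both a local group and a local user."""
    ambiguous = set(users) & set(groups)
    share, hits = None, []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            share = m.group(1)
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())  # normalise case and spacing
        for name in group_refs(key, value):
            if "\\" not in name and name in ambiguous:
                hits.append((share, key, name))
    return hits

if __name__ == "__main__":
    import grp, pwd, sys
    users = {p.pw_name for p in pwd.getpwall()}
    groups = {g.gr_name for g in grp.getgrall()}
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for hit in find_collisions(text, users, groups):
        print(*hit, sep=": ")
```

Run with the path to an smb.conf as the only argument to check it against the local passwd and group databases; entries already written as "Unix Group\name" are not reported.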



