[Samba] samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL
Oleg Cherkasov
o1e9.cherkasov at yandex.com
Mon Aug 6 14:37:46 UTC 2018
On 06. aug. 2018 15:15, Oleg Cherkasov via samba wrote:
>
> This morning three of our FreeBSD-11.1-p11 servers with Samba 4.7.7
> installations started to ignore ACL settings and reject user access to
> shares. All three servers are members of a DC running on Windows Server
> 2008R2. Everything has been running ok for the last few years. I have been
> upgrading Samba and FreeBSD installations, and last Friday upgraded to
> the latest packages from samba47-4.7.6 to samba47-4.7.7; after
> restarting the services everything worked as expected.
>
> Samba shares are on a ZFS volume with ACL settings set to passthrough and
> inherited. If I open Properties->Security then I do not see any of the ACL
> settings, rather Everyone, root and Administrators set to special
> permissions. ZFS ACLs on files/dirs are just fine according to
> getfacl. wbinfo -u and -g and getent passwd return users and groups as
> expected. Listing with getfacl shows actual/resolved names. I can
> modify ACLs with setfacl of course.
>
> Still, if I open shares from Windows 7/10 hosts it shows the share and gives
> me access as an admin; however, all other users do not have access to those
> shares.
>
> I have tried to remove ACLs with setfacl for some shares and set the ACL
> from Windows 7/10 Properties from scratch; however, the problem
> remains. If I try to modify Security settings I receive an error message
> "The parameter is incorrect" for all files I try to update.
>
> One of the shares is on a virtual server, so I made a snapshot and
> tried to clean up /var/db/samba4/ to start from scratch; however, it
> did not help. It still refuses to update ACL/Security from Windows 7/10,
> and whatever getfacl shows on the server, the client sees the shares with
> Everybody, Administrators (local on the server) and root.
>
> Here is an example smb4.conf from one of the servers. It is
> explicitly set to master (the others are set to master=no). That
> configuration worked just fine for the last 2 years or so with Samba 4.6.*
> and recently the 4.7.6 version, and worked just fine on 4.7.7 after the upgrade.
>
> [global]
> security = ADS
> workgroup = DOMAIN.LO
> realm = DOMAIN.LO
> password server = 10.54.148.9
>
> os level = 66
> preferred master = yes
>
> bind interfaces only = yes
> interfaces = 10.54.148.51
>
> log file = /var/log/samba4/%m.log
> log level = 5
>
> veto files = /Thumbs.db/.DS_Store/._.DS_Store/.apdisk/
> delete veto files = yes
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-79999
> idmap config DOMAIN-LO : backend = rid
> idmap config DOMAIN-LO : range = 80000-3000000
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 64800
> winbind max domain connections = 1
> winbind normalize names = no
> winbind offline logon = true
>
> use sendfile = no
> use mmap = yes
> aio read size = 2048
> aio write size = 2048
> min receivefile size = 2048
> write cache size = 2048
> socket options = TCP_NODELAY IPTOS_LOWDELAY
> large readwrite = yes
> strict locking = no
> strict sync = no
> getwd cache = yes
> read raw = yes
> write raw = yes
> unix extensions = no
>
> map acl inherit = yes
> nt acl support = yes
> store dos attributes = yes
> inherit acls = yes
> inherit owner = yes
> inherit permissions = yes
> map archive = no
> map readonly = no
> vfs objects = zfsacl streams_xattr
> nfs4:mode = special
> nfs4:acedup = merge
> nfs4:chown = no
>
> browseable = yes
> guest ok = no
> writable = yes
> create mask = 0775
> directory mask = 0775
> csc policy = disable
>
> access based share enum = yes
> hide unreadable = yes
>
> vfs objects = full_audit
> full_audit:prefix = %u|%m|%S
> full_audit:success = mkdir rmdir write pwrite rename unlink
> full_audit:failure = mkdir rmdir write pwrite rename unlink
> full_audit:facility = local5
> full_audit:priority = info
>
> [ShareA]
> path = /data/sharea
> admin users = @"DOMAIN-LO\LocalAdmins"
> valid users = @"DOMAIN-LO\Domain Users"
>
> [ShareB]
> path = /data/shareb
> admin users = @"DOMAIN-LO\LocalAdmins"
> valid users = @"DOMAIN-LO\Domain Users"
>
Eventually log.wb-LO reports:
[2018/08/06 16:30:36.602929, 50, pid=1218, effective(0, 0), real(0, 0),
class=tevent] ../lib/util/tevent_debug.c:66(samba_tevent_debug)
samba_tevent: Run immediate event "tevent_req_trigger": 0x813478d60
[2018/08/06 16:30:36.603163, 3, pid=1218, effective(0, 0), real(0, 0)]
../source3/libsmb/cliconnect.c:1678(cli_session_setup_creds_done_spnego)
SPNEGO login failed: The attempted logon is invalid. This is either
due to a bad username or authentication information.
[2018/08/06 16:30:36.603366, 1, pid=1218, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_cm.c:1118(cm_prepare_connection)
authenticated session setup to DM-LO-DC01.lo using
DOMAIN-LO\TEST02NO$ failed with NT_STATUS_LOGON_FAILURE
[2018/08/06 16:30:36.603596, 3, pid=1218, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_cm.c:665(cm_get_ipc_userpass)
cm_get_ipc_userpass: No auth-user defined
[2018/08/06 16:30:36.603813, 3, pid=1218, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_cm.c:665(cm_get_ipc_userpass)
cm_get_ipc_userpass: No auth-user defined
[2018/08/06 16:30:36.604181, 1, pid=1218, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_cm.c:1258(cm_prepare_connection)
Failed to prepare SMB connection to DM-LO-DC01.lo:
NT_STATUS_LOGON_FAILURE
[2018/08/06 16:30:36.604365, 10, pid=1218, effective(0, 0), real(0, 0),
class=tdb] ../source3/lib/gencache.c:304(gencache_set_data_blob)
Did not store value for NEG_CONN_CACHE/LO,DM-LO-DC01.lo, we already
got it
[2018/08/06 16:30:36.604532, 9, pid=1218, effective(0, 0), real(0, 0)]
../source3/libsmb/conncache.c:189(add_failed_connection_entry)
add_failed_connection_entry: added domain LO (DM-LO-DC01.lo) to
failed conn cache
[2018/08/06 16:30:36.604726, 10, pid=1218, effective(0, 0), real(0, 0),
class=tdb] ../source3/lib/gencache.c:397(gencache_del)
Deleting cache entry (key=[SAFJOIN/DOMAIN/LO])
[2018/08/06 16:30:36.605180, 10, pid=1218, effective(0, 0), real(0, 0),
class=tdb] ../source3/lib/gencache.c:397(gencache_del)
Deleting cache entry (key=[SAF/DOMAIN/LO])
[2018/08/06 16:30:36.605372, 10, pid=1218, effective(0, 0), real(0, 0),
class=tdb] ../source3/lib/gencache.c:304(gencache_set_data_blob)
Did not store value for NEG_CONN_CACHE/lo,DM-LO-DC01.lo, we already
got it
[2018/08/06 16:30:36.605558, 9, pid=1218, effective(0, 0), real(0, 0)]
../source3/libsmb/conncache.c:189(add_failed_connection_entry)
add_failed_connection_entry: added domain lo (DM-LO-DC01.lo) to
failed conn cache
[2018/08/06 16:30:36.605744, 10, pid=1218, effective(0, 0), real(0, 0),
class=tdb] ../source3/lib/gencache.c:397(gencache_del)
Deleting cache entry (key=[SAFJOIN/DOMAIN/LO])
[2018/08/06 16:30:36.605939, 10, pid=1218, effective(0, 0), real(0, 0),
class=tdb] ../source3/lib/gencache.c:397(gencache_del)
Deleting cache entry (key=[SAF/DOMAIN/LO])
[2018/08/06 16:30:36.606168, 10, pid=1218, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_cm.c:399(set_domain_offline)
set_domain_offline: called for domain LO
[2018/08/06 16:30:36.606373, 50, pid=1218, effective(0, 0), real(0, 0),
class=tevent] ../lib/util/tevent_debug.c:66(samba_tevent_debug)
samba_tevent: Added timed event "check_domain_online_handler":
0x81344e820
[2018/08/06 16:30:36.606545, 10, pid=1218, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_cm.c:443(set_domain_offline)
set_domain_offline: added event handler for domain LO
[2018/08/06 16:30:36.606823, 50, pid=1218, effective(0, 0), real(0, 0),
class=tevent] ../lib/util/tevent_debug.c:66(samba_tevent_debug)
samba_tevent: Added timed event "messaging_dgm_out_idle_handler":
0x81344cc60
[2018/08/06 16:30:36.606997, 10, pid=1218, effective(0, 0), real(0, 0)]
../source3/lib/messages_dgm.c:1344(messaging_dgm_send)
messaging_dgm_send: Sending message to 1210
[2018/08/06 16:30:37.678915, 50, pid=1218, effective(0, 0), real(0, 0),
class=tevent] ../lib/util/tevent_debug.c:66(samba_tevent_debug)
samba_tevent: Running timer event 0x81344cc60
"messaging_dgm_out_idle_handler"
[2018/08/06 16:30:37.679191, 50, pid=1218, effective(0, 0), real(0, 0),
class=tevent] ../lib/util/tevent_debug.c:66(samba_tevent_debug)
samba_tevent: Ending timer event 0x81344cc60
"messaging_dgm_out_idle_handler"
Not sure if "SPNEGO login failed: The attempted logon is invalid. This
is either due to a bad username or authentication information." is related
to my issue, but I do not see any suspicious messages in the logs.
I made a quick test and deployed a new virtual host similar to the existing
servers but based on FreeBSD 11.2 and samba47-4.7.7, and the problem can
indeed be reproduced. So I wonder if something is wrong with our DC :(
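Two offline checks a practitioner would run against the material quoted in this message, written as an added example for this thread (this is not code from the original post or from the Samba project). The first looks at the quoted smb4.conf: `vfs objects` is assigned twice in `[global]` (once as `zfsacl streams_xattr`, later as `full_audit`), and Samba keeps only the last assignment of a parameter within a section, so only `full_audit` is loaded; the script reports such duplicates and prints the value Samba would actually use. The second parses the quoted log.wb-LO lines and pulls the account, DC and NT status out of the winbind "authenticated session setup ... failed with" message, which in the post is wrapped across two lines. The sample config, the sample log and the temp-file names are constructed here to mirror the post; nothing is read from a live system.

```shell
#!/bin/sh
# Added example (not code from the original post).  Constructed input that
# mirrors the quoted smb4.conf and log.wb-LO excerpt; file names are
# illustrative.

SAMPLE_CFG=$(mktemp "${TMPDIR:-/tmp}/smbchk.XXXXXX")
cat >"$SAMPLE_CFG" <<'EOF'
[global]
   security = ADS
   workgroup = DOMAIN.LO
   vfs objects = zfsacl streams_xattr
   nfs4:mode = special
   vfs objects = full_audit
   full_audit:prefix = %u|%m|%S

[ShareA]
   path = /data/sharea
   valid users = @"DOMAIN-LO\Domain Users"
EOF

# Constructed log excerpt; keeps the line wrap after "using" seen in the post.
SAMPLE_LOG=$(mktemp "${TMPDIR:-/tmp}/wbchk.XXXXXX")
cat >"$SAMPLE_LOG" <<'EOF'
[2018/08/06 16:30:36.603163, 3, pid=1218] ../source3/libsmb/cliconnect.c:1678(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
[2018/08/06 16:30:36.603366, 1, pid=1218, class=winbind] ../source3/winbindd/winbindd_cm.c:1118(cm_prepare_connection)
  authenticated session setup to DM-LO-DC01.lo using
DOMAIN-LO\TEST02NO$ failed with NT_STATUS_LOGON_FAILURE
[2018/08/06 16:30:36.604181, 1, pid=1218, class=winbind] ../source3/winbindd/winbindd_cm.c:1258(cm_prepare_connection)
  Failed to prepare SMB connection to DM-LO-DC01.lo: NT_STATUS_LOGON_FAILURE
EOF

# Print "[section] parameter" for every parameter assigned more than once in
# the same section.  Samba matches parameter names case-insensitively and
# ignores whitespace inside them, so the lookup key is normalised the same way.
smb_dup_params() {
    awk '
        /^[[:space:]]*([;#]|$)/ { next }                       # comment or blank
        /^[[:space:]]*\[/ {                                    # [section]
            sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = tolower(sec); next
        }
        /=/ {
            shown = $0; sub(/[[:space:]]*=.*$/, "", shown); sub(/^[[:space:]]+/, "", shown)
            key = tolower(shown); gsub(/[[:space:]]/, "", key)
            if (++seen[sec SUBSEP key] == 2) printf "[%s] %s\n", sec, shown
        }
    ' "$1"
}

# Print the value Samba would actually use for PARAM in SECTION: the last
# assignment wins.  Usage: smb_effective FILE SECTION PARAM
smb_effective() {
    awk -v want_sec="$2" -v want_key="$3" '
        BEGIN { want_sec = tolower(want_sec)
                want_key = tolower(want_key); gsub(/[[:space:]]/, "", want_key) }
        /^[[:space:]]*([;#]|$)/ { next }
        /^[[:space:]]*\[/ {
            sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = tolower(sec); next
        }
        /=/ {
            key = $0; sub(/=.*$/, "", key); key = tolower(key); gsub(/[[:space:]]/, "", key)
            if (sec == want_sec && key == want_key) {
                val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            }
        }
        END { print val }
    ' "$1"
}

# For each winbind "authenticated session setup to DC using ACCOUNT failed
# with STATUS" message print "ACCOUNT DC STATUS".  The message may be wrapped
# onto a following line, so lines are joined until "failed with" is seen.
wb_auth_failures() {
    awk '
        /authenticated session setup to/ {
            msg = $0
            while (msg !~ /failed with/ && (getline nxt) > 0) msg = msg " " nxt
            n = split(msg, w, /[[:space:]]+/)
            for (i = 1; i <= n; i++) {
                if (w[i] == "to")    dc   = w[i + 1]
                if (w[i] == "using") acct = w[i + 1]
                if (w[i] == "with")  st   = w[i + 1]
            }
            print acct, dc, st
        }
    ' "$1"
}

echo "duplicate parameters:";  smb_dup_params "$SAMPLE_CFG"
echo "effective vfs objects: $(smb_effective "$SAMPLE_CFG" global 'vfs objects')"
echo "winbind auth failures:"; wb_auth_failures "$SAMPLE_LOG"
```

On the member server itself the same two facts are available without this script: `testparm -s` prints the parameter values Samba will actually load (so it shows which `vfs objects` line survived), and the account in the extracted failure line, `DOMAIN-LO\TEST02NO$`, is the server's own machine account (the trailing `$`), whose secret is what `wbinfo -t` and `net ads testjoin` verify against the DC. If the `zfsacl` module is meant to stay active alongside `full_audit`, the two assignments have to be merged into one `vfs objects = zfsacl streams_xattr full_audit` line; whether that, the machine-account logon failure, or both explain the ACL symptoms is not something the quoted material settles.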