[Samba] Samba 4.4.16 %g translation fails for some users
Rowland Penny
rpenny at samba.org
Thu Jan 4 19:28:26 UTC 2018
On Thu, 4 Jan 2018 19:03:24 +0000
Daulton Theodore via samba <samba at lists.samba.org> wrote:
> Hi all,
>
> Just migrated users to a samba 4 server on built on Solaris 11 samba
> pkg. Some users are mapping all required drives (G:, H:, and I:) but
> some are not able to map them. The affected users user log files
> indicate that the %g variable is being translated to '-1' instead of
> the users Unix group.
>
> I would welcome any feedback or suggestions on how to resolve this
> issue.
>
> From my log file (successful map):
> <snip>
> [2018/01/04 11:42:32.080787,
> 2] ../source3/smbd/service.c:787(make_connection_snum) 134.117.97.141
> (ipv4:134.117.97.141:58747) connect to service homedir initially as
> user dtheodor (uid=2223, gid=1021) (pid 26156) [2018/01/04
> 11:42:32.080845,
> 5] ../lib/dbwrap/dbwrap.c:177(dbwrap_check_lock_order) check lock
> order 1 for /var/samba/lock/smbXsrv_tcon_global.tdb [2018/01/04
> 11:42:32.080907,
> 5] ../lib/dbwrap/dbwrap.c:145(dbwrap_lock_order_state_destructor)
> release lock order 1 for /var/samba/lock/smbXsrv_tcon_global.tdb
> [2018/01/04 11:42:32.080960,
> 5] ../libcli/smb/smb2_signing.c:93(smb2_signing_sign_pdu) signed SMB2
> message [2018/01/04 11:42:39.182065,
> 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal) <snip>
>
> From log file for unsuccessful user:
> <snip>
> [2018/01/02 07:59:32.253188,
> 3] ../source3/smbd/service.c:536(make_connection_snum) Connect path
> is '/departments/-1/ablake' for service [homedir] [2018/01/02
> 07:59:32.253286,
> 3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
> string_to_sid: SID root is not in a valid format [2018/01/02
> 07:59:32.253627, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2018/01/02
> 07:59:32.253676, 4] ../source3/smbd/uid.c:490(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2018/01/02
> 07:59:32.253710,
> 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal) <snip>
>
> /departments/-1/homedir should have been /departments/librss/homedir.
> The unix group 'librss'. Others in that group are able to login
> successfully with %g being translated as expected.
>
> Here is a snip from smb.conf:
> # Global parameters
> [globals]
> netbios name = willow
> server string = %L
> workgroup = WORKGROUP NAME
> browsable = no
> local master = no
>
> allow hosts = list of hosts allowed in
>
> hosts deny = 0.0.0.0/0
>
> security = ADS
> realm = <realm deleted>
>
>
> machine password timeout = 314496000
> name resolve order = wins lmhosts host bcast
>
> remote announce = x.x.x.x
>
> # wins support = yes
> wins server = v.v.v.v w.w.w.w
> winbind use default domain = true
>
> # force Samba to bind only to public network
> interfaces = a.b.c.d/255.255.255.0
> bind interfaces only = yes
> socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
> deadtime = 0
>
> # added 20150422
> server signing = auto
> client signing = auto
>
> client lanman auth = no
> client ntlmv2 auth = yes
> client plaintext auth = no
> client use spnego = yes
> client schannel = yes
> lanman auth = no
> ntlm auth = no
>
> server min protocol = SMB2_10
> client min protocol = SMB2
> client max protocol = SMB3
>
> # Encrypt all passwords stored in /etc/sfw/samba/private/smbpasswd
> encrypt passwords = yes
> username map = /etc/samba/lib/nt-names
>
>
> # not allowed to log in
> invalid users = root daemon bin sys adm lp listen sshd\
> erl webspirs samba rob jan daulton
>
> writeable = yes
>
> # Debug Logging information
> log level = 5
> log file = /etc/samba/var/log.%m:%U:%I
> max log size = 2000
> debug timestamp = yes
>
> # ---------------------------------------
> # Home Directory - G drive
> # ---------------------------------------
> [homedir]
> comment = %u
> path = /departments/%g/%u
> browseable = no
> writeable = yes
> create mode = 0700
>
> # ------------------------------------
> # Shared directory for each department - H drive
> # ------------------------------------
> [deptshr]
> comment = %g Shared Directory
> path = /departments/%g/common
> read only = no
> create mask = 0770
> force create mode = 0770
> directory mask = 0770
> writable = yes
> browseable = yes
> invalid users = +circdesk
>
> # --------------------------------------
> # shared directory for ALL staff - I drive
> # --------------------------------------
> [libshare]
> comment = Library staff shared directory
> path = /departments/common
> browseable = yes
> writeable = yes
> create mask = 0777
> force create mode = 0777
> directory mask = 0777
> valid users = +libsys +libmgmt +libacq +libtech +libarc +libcat
> +libcirc +librs +librss +libmdgc +libgift +libcoll +libtrain +libill
> +libgis +libarch +libstack +libaxs +libssc +studemp +studempl
> +eserials +pserials +syshead +ebooks mmcclint refstud catstud
>
> invalid users = +circdesk train1 train2 train3 train4 train5
> train6 train7 train8 train9 train10 train11 train12 train13 train14
> train15 train16 train17 train18 circstud madstud ssdata1 edox1
> circdesk mlspine +librsch
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~
> Daulton Theodore
> Carleton University
> Library, Systems Department
> Vmail: (613) 520-2600, ext. 8352
>
>
I am actually surprised it works at all, you have this in smb.conf:
security = ADS
You don't appear to have anything in smb.conf for authentication, but
there is this in the log fragments you posted:
dtheodor (uid=2223, gid=1021)
I have this sinking feeling you have a user called 'dtheodor' with the
uid '2223' in /etc/passwd
The 'ADS' means that your computer is a Unix domain member and ALL
your users must be in AD. they should also have uidNumbers and use the
winbind 'ad' backend or you use the 'rid' backend, in which case you
don't need to add anything to AD. You cannot have a user in /etc/passwd
and AD with the same username.
Can I suggest you read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Follow the links on the wiki page to get the info for the winbind
backend you choose.
Any question, please ask.
Rowland
More information about the samba
mailing list