[Samba] It seems to have bug for @group to set in valid or invalid conf

Jeremy jeremy55662004 at gmail.com
Fri Jun 5 09:18:22 UTC 2020


Hi all,

I am using samba 4.10.7 and it seems to have a bug when using @group in the valid
or invalid users conf (?). And I can't find a fix patch in later releases. I
describe this issue in detail below:

1. Firstly, here is my samba conf (with @d_group added in "invalid users"):
(smb_share.conf)
[f1]
path = /home/f1
write list = "admin" "@Administrator_Group" "@User_Group" "root"
invalid users = "guest" "@d_group"
valid users = "admin" "@Administrator_Group" "@User_Group" "root"
browsable = Yes
public = Yes
force directory mode = 0777
directory mode = 0777
force create mode = 0777
create mask = 0777
recycle:repository = @recycle
recycle:directory_mode = 0777
recycle:keeptree = yes
recycle:versions = yes
recycle:exclude_dir = .streams
recycle:minsize = 1
vfs objects = shadow_copy2 catia fruit streams_xattr streams_depot
aio_pthread recycle
shadow: format = %Y%m%d-%H%M%S
shadow: sort = desc
shadow: snapdir = .snapshot
shadow: localtime = yes
fruit:nfs_aces = no
fruit:veto_appledouble = no
aio read size = 65536
aio write size = 1
aio_pthread:aio num threads = 1024
smb encrypt = disabled
(global.conf)
[global]
deadtime = 1
guest account = guest
map to guest = Never
log file = /home/samba/log/
max log size = 500000
load printers = no
printcap name = /dev/null
printing = bsd
dns proxy = no
max protocol = SMB3
use sendfile = Yes
socket options = SO_SNDBUF=33554432 TCP_NODELAY
inherit acls = Yes
map acl inherit = Yes
store dos attributes = Yes
inherit permissions = Yes
delete veto files = yes
ntlm auth = yes
streams_depot:delete_lost = yes
ldap timeout = 300
smb2 max write = 1048576
state directory = /home/samba_state
lock directory = /var/lock/samba
cache directory = /home/samba_cache
log level = 10
nt acl support = no

2. I added the user bbb in my debian and it is not in group "d_group":
# getent group
root:x:0:root
Administrator_Group:x:1:admin
User_Group:x:101:admin,aaa,bbb
Guest_Group:x:65534:guest
Hidden_Group:x:201:admin
fuse:x:102:admin
davfs2:x:103:davfs2
a_group:x:1000:aaa,bbb
b_group:x:1001:aaa,bbb
c_group:x:1002:bbb
d_group:x:1003:


3. But when I open the samba log and try to use user bbb to log in to //$myip/f1 on
Windows, I get permission denied.
   But user bbb is not in d_group. Something is messed up.

4. I saw the log in samba below:
[2020/06/05 16:40:40.672747, 10, pid=2781, effective(0, 0), real(0, 0),
class=vfs] ../../source3/smbd/vfs.c:65(vfs_find_backend_
  vfs_find_backend_entry called for /[Default VFS]/
  Successfully loaded vfs module [/[Default VFS]/] with the new modules
system
[2020/06/05 16:40:40.672789, 10, pid=2781, effective(0, 0), real(0, 0)]
../../source3/smbd/service.c:70(set_conn_connectpath)
  set_conn_connectpath: service IPC$, connectpath = /tmpfs/tmp
[2020/06/05 16:40:40.672815, 10, pid=2781, effective(0, 0), real(0, 0)]
../../source3/smbd/share_access.c:220(user_ok_token)
  user_ok_token: share IPC$ is ok for unix user bbb
[2020/06/05 16:40:40.672840, 10, pid=2781, effective(0, 0), real(0, 0)]
../../source3/smbd/share_access.c:271(is_share_read_only
  is_share_read_only_for_user: share IPC$ is read-only for unix user bbb
[2020/06/05 16:40:40.672868, 10, pid=2781, effective(0, 0), real(0, 0)]
../../libcli/security/access_check.c:366(se_file_access_
  se_file_access_check: MAX desired = 0x2000000 mapped to 0x1f01ff
[2020/06/05 16:40:40.672915,  4, pid=2781, effective(0, 0), real(0, 0)]
../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (1003, 101) - sec_ctx_stack_ndx = 0
[2020/06/05 16:40:40.672941,  5, pid=2781, effective(0, 0), real(0, 0)]
../../libcli/security/security_token.c:63(security_token
  Security token SIDs (15):
    SID[  0]: S-1-5-21-1151667668-222068009-1375177606-1010
    SID[  1]: S-1-5-21-1151667668-222068009-1375177606-513
    SID[  2]: S-1-5-21-1151667668-222068009-1375177606-1003
    SID[  3]: S-1-5-21-1151667668-222068009-1375177606-1006
    SID[  4]: S-1-5-21-1151667668-222068009-1375177606-1008
    SID[  5]: S-1-22-2-1000
    SID[  6]: S-1-1-0
    SID[  7]: S-1-5-2
    SID[  8]: S-1-5-11
    SID[  9]: S-1-5-21-1151667668-222068009-1375177606-1009
    SID[ 10]: S-1-22-1-1003
    SID[ 11]: S-1-22-2-101
    SID[ 12]: S-1-22-2-1001
    SID[ 13]: S-1-22-2-1002
    SID[ 14]: S-1-22-2-1003
   Privileges (0x               0):
   Rights (0x               0):
[2020/06/05 16:40:40.673111,  5, pid=2781, effective(0, 0), real(0, 0)]
../../source3/auth/token_util.c:866(debug_unix_user_toke
  UNIX token of user 1003
  Primary group is 101 and contains 5 supplementary groups
  Group[  0]: 101
  Group[  1]: 1001
  Group[  2]: 1002
  Group[  3]: 1000
  Group[  4]: 1003

5. Why is user "bbb" not in d_group, but the Security token SIDs have
d_group's sid (S-1-5-21-1151667668-222068009-1375177606-1009)??
   I think this is the reason why I am denied access to "f1". Because in
the program /source3/smbd/share_access.c, function "token_contains_name"
   will check "nt_token_check_sid" & "user_in_netgroup". But I am absolutely
sure my user "bbb" is not in a netgroup, so the problem
   is in function "nt_token_check_sid". Function "nt_token_check_sid" will
check whether the Security token SIDs match.

   # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1010
      XN7004T-FF1628\bbb 1
   # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1003
      XN7004T-FF1628\User_Group 4
   # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1006
      XN7004T-FF1628\b_group 4
   # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1008
      XN7004T-FF1628\c_group 4
   # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1009
      XN7004T-FF1628\d_group 4
   # wbinfo --sid-to-name=S-1-22-1-1003
      Unix User\bbb 1
   # wbinfo --sid-to-name=S-1-22-1-101
      Unix User\davfs2 1
   # wbinfo --sid-to-name=S-1-22-1-1001
      Unix User\aaa 1
   # wbinfo --sid-to-name=S-1-22-1-1002
      Unix User\1002 1
   # wbinfo --sid-to-name=S-1-22-1-1003
      Unix User\bbb 1


6. My questions are:
   1. How does samba get the Security token SIDs?
   2. And I wonder what reason would cause the Security token SIDs to get messed up?


Note: This issue occurs randomly. Sometimes you will get the true sids
but sometimes not.



Thanks,
Jeremy
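An added diagnostic, not part of this post and not Samba's own code: it parses the `getent group` lines and the "UNIX token" block from the log above, reports which group smbd put into the token that the user does not actually belong to, and applies the share's `invalid users` / `valid users` lists in the order smbd's user_ok_token() does (netgroup lookups are not modelled) to show why that extra group flips the access decision. Inputs are copied from the report; the helper names are my own.

```python
import re
# Constructed inputs copied from the report above: the `getent group` lines for
# the groups involved and the "UNIX token" block smbd logged for user bbb.
GETENT_GROUP = """\
User_Group:x:101:admin,aaa,bbb
a_group:x:1000:aaa,bbb
b_group:x:1001:aaa,bbb
c_group:x:1002:bbb
d_group:x:1003:
"""
UNIX_TOKEN_LOG = """\
  UNIX token of user 1003
  Primary group is 101 and contains 5 supplementary groups
  Group[  0]: 101
  Group[  1]: 1001
  Group[  2]: 1002
  Group[  3]: 1000
  Group[  4]: 1003
"""
VALID_USERS = ["admin", "@Administrator_Group", "@User_Group", "root"]
INVALID_USERS = ["guest", "@d_group"]

def parse_groups(text):
    """getent group output -> {gid: (name, set of member names)}."""
    out = {}
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":")
        out[int(gid)] = (name, {m for m in members.split(",") if m})
    return out

def parse_unix_token(text):
    """smbd 'UNIX token' dump -> set of every gid in the token (primary included)."""
    primary = int(re.search(r"Primary group is (\d+)", text).group(1))
    return {int(g) for g in re.findall(r"Group\[\s*\d+\]: (\d+)", text)} | {primary}

def share_allows(user, group_names, valid, invalid):
    """'invalid users' first, then 'valid users', as user_ok_token() does; '@name' hits when the token carries the group."""
    hit = lambda e: e[1:] in group_names if e.startswith("@") else e == user
    if any(hit(e) for e in invalid):
        return False
    return not valid or any(hit(e) for e in valid)

def diagnose(user="bbb"):
    """Compare real membership with the logged token and explain the share decision."""
    groups = parse_groups(GETENT_GROUP)
    real = {n for n, members in groups.values() if user in members}
    token = {groups[g][0] for g in parse_unix_token(UNIX_TOKEN_LOG) if g in groups}
    return {"extra_groups_in_token": sorted(token - real),   # ['d_group'] here
            "allowed_by_real_membership": share_allows(user, real, VALID_USERS, INVALID_USERS),
            "allowed_by_token": share_allows(user, token, VALID_USERS, INVALID_USERS)}
```

Note that the extra gid in the token, 1003, is also bbb's uid on this system (S-1-22-1-1003 resolves to bbb above), which is worth checking on any host where the same symptom appears.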

