[Samba] It seems to have a bug for @group set in valid or invalid conf

Jeremy jeremy55662004 at gmail.com
Sat Jun 13 15:35:01 UTC 2020


No one cared, so I closed it. Thanks.

On Fri, Jun 5, 2020 at 5:18 PM Jeremy <jeremy55662004 at gmail.com> wrote:

> Hi all,
>
> I am using samba 4.10.7 and it seems to have a bug when using @group in valid
> or invalid users conf (?). And I can't find a fix patch in a later release. I
> describe this issue in detail below:
>
> 1. Firstly, here is my samba conf (I added @d_group in "invalid users"):
> (smb_share.conf)
> [f1]
> path = /home/f1
> write list = "admin" "@Administrator_Group" "@User_Group" "root"
> invalid users = "guest" "@d_group"
> valid users = "admin" "@Administrator_Group" "@User_Group" "root"
> browsable = Yes
> public = Yes
> force directory mode = 0777
> directory mode = 0777
> force create mode = 0777
> create mask = 0777
> recycle:repository = @recycle
> recycle:directory_mode = 0777
> recycle:keeptree = yes
> recycle:versions = yes
> recycle:exclude_dir = .streams
> recycle:minsize = 1
> vfs objects = shadow_copy2 catia fruit streams_xattr streams_depot
> aio_pthread recycle
> shadow: format = %Y%m%d-%H%M%S
> shadow: sort = desc
> shadow: snapdir = .snapshot
> shadow: localtime = yes
> fruit:nfs_aces = no
> fruit:veto_appledouble = no
> aio read size = 65536
> aio write size = 1
> aio_pthread:aio num threads = 1024
> smb encrypt = disabled
> (global.conf)
> [global]
> deadtime = 1
> guest account = guest
> map to guest = Never
> log file = /home/samba/log/
> max log size = 500000
> load printers = no
> printcap name = /dev/null
> printing = bsd
> dns proxy = no
> max protocol = SMB3
> use sendfile = Yes
> socket options = SO_SNDBUF=33554432 TCP_NODELAY
> inherit acls = Yes
> map acl inherit = Yes
> store dos attributes = Yes
> inherit permissions = Yes
> delete veto files = yes
> ntlm auth = yes
> streams_depot:delete_lost = yes
> ldap timeout = 300
> smb2 max write = 1048576
> state directory = /home/samba_state
> lock directory = /var/lock/samba
> cache directory = /home/samba_cache
> log level = 10
> nt acl support = no
>
> 2. I added the user bbb on my Debian, and it is not in group "d_group":
> # getent group
> root:x:0:root
> Administrator_Group:x:1:admin
> User_Group:x:101:admin,aaa,bbb
> Guest_Group:x:65534:guest
> Hidden_Group:x:201:admin
> fuse:x:102:admin
> davfs2:x:103:davfs2
> a_group:x:1000:aaa,bbb
> b_group:x:1001:aaa,bbb
> c_group:x:1002:bbb
> d_group:x:1003:
>
>
> 3. But when I open the samba log and try to use user bbb to log in to //$myip/f1
> on Windows, I get permission denied.
>    But user bbb is not in d_group. Something is messed up.
>
> 4. I saw this in the samba log:
> [2020/06/05 16:40:40.672747, 10, pid=2781, effective(0, 0), real(0, 0),
> class=vfs] ../../source3/smbd/vfs.c:65(vfs_find_backend_
>   vfs_find_backend_entry called for /[Default VFS]/
>   Successfully loaded vfs module [/[Default VFS]/] with the new modules
> system
> [2020/06/05 16:40:40.672789, 10, pid=2781, effective(0, 0), real(0, 0)]
> ../../source3/smbd/service.c:70(set_conn_connectpath)
>   set_conn_connectpath: service IPC$, connectpath = /tmpfs/tmp
> [2020/06/05 16:40:40.672815, 10, pid=2781, effective(0, 0), real(0, 0)]
> ../../source3/smbd/share_access.c:220(user_ok_token)
>   user_ok_token: share IPC$ is ok for unix user bbb
> [2020/06/05 16:40:40.672840, 10, pid=2781, effective(0, 0), real(0, 0)]
> ../../source3/smbd/share_access.c:271(is_share_read_only
>   is_share_read_only_for_user: share IPC$ is read-only for unix user bbb
> [2020/06/05 16:40:40.672868, 10, pid=2781, effective(0, 0), real(0, 0)]
> ../../libcli/security/access_check.c:366(se_file_access_
>   se_file_access_check: MAX desired = 0x2000000 mapped to 0x1f01ff
> [2020/06/05 16:40:40.672915,  4, pid=2781, effective(0, 0), real(0, 0)]
> ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
>   setting sec ctx (1003, 101) - sec_ctx_stack_ndx = 0
> [2020/06/05 16:40:40.672941,  5, pid=2781, effective(0, 0), real(0, 0)]
> ../../libcli/security/security_token.c:63(security_token
>   Security token SIDs (15):
>     SID[  0]: S-1-5-21-1151667668-222068009-1375177606-1010
>     SID[  1]: S-1-5-21-1151667668-222068009-1375177606-513
>     SID[  2]: S-1-5-21-1151667668-222068009-1375177606-1003
>     SID[  3]: S-1-5-21-1151667668-222068009-1375177606-1006
>     SID[  4]: S-1-5-21-1151667668-222068009-1375177606-1008
>     SID[  5]: S-1-22-2-1000
>     SID[  6]: S-1-1-0
>     SID[  7]: S-1-5-2
>     SID[  8]: S-1-5-11
>     SID[  9]: S-1-5-21-1151667668-222068009-1375177606-1009
>     SID[ 10]: S-1-22-1-1003
>     SID[ 11]: S-1-22-2-101
>     SID[ 12]: S-1-22-2-1001
>     SID[ 13]: S-1-22-2-1002
>     SID[ 14]: S-1-22-2-1003
>    Privileges (0x               0):
>    Rights (0x               0):
> [2020/06/05 16:40:40.673111,  5, pid=2781, effective(0, 0), real(0, 0)]
> ../../source3/auth/token_util.c:866(debug_unix_user_toke
>   UNIX token of user 1003
>   Primary group is 101 and contains 5 supplementary groups
>   Group[  0]: 101
>   Group[  1]: 1001
>   Group[  2]: 1002
>   Group[  3]: 1000
>   Group[  4]: 1003
>
> 5. Why is user "bbb" not in d_group, yet the Security token SIDs contain
> d_group's SID (S-1-5-21-1151667668-222068009-1375177606-1009)??
>    I think this is the reason why I am denied access to "f1". Because in
> program /source3/smbd/share_access.c, function "token_contains_name"
>    will check "nt_token_check_sid" & "user_in_netgroup". But I am absolutely
> sure my user "bbb" is not in a netgroup, so the problem
>    is in function "nt_token_check_sid". Function "nt_token_check_sid" will
> check whether the Security token SIDs match.
>
>    # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1010
>       XN7004T-FF1628\bbb 1
>    # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1003
>       XN7004T-FF1628\User_Group 4
>    # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1006
>       XN7004T-FF1628\b_group 4
>    # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1008
>       XN7004T-FF1628\c_group 4
>    # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1009
>       XN7004T-FF1628\d_group 4
>    # wbinfo --sid-to-name=S-1-22-1-1003
>       Unix User\bbb 1
>    # wbinfo --sid-to-name=S-1-22-1-101
>       Unix User\davfs2 1
>    # wbinfo --sid-to-name=S-1-22-1-1001
>       Unix User\aaa 1
>    # wbinfo --sid-to-name=S-1-22-1-1002
>       Unix User\1002 1
>    # wbinfo --sid-to-name=S-1-22-1-1003
>       Unix User\bbb 1
>
>
> 6. My questions are:
>    1. How does samba get the Security token SIDs?
>    2. And I wonder what could cause the Security token SIDs to get messed
> up?
>
>
> Note: This issue occurs randomly. Sometimes you will get the true SIDs,
> but sometimes not.
>
>
>
> Thanks,
> Jeremy
>
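To check what access the [f1] share's "valid users" / "invalid users" lists should grant a given UNIX account, here is an added example (not code from the thread or from Samba) that applies the smb.conf(5) list semantics to the share parameters and getent group output quoted above. It assumes netgroups are not in use and models group membership from the getent member lists only.

```python
import re

# Constructed from the thread: the [f1] share's user lists and the poster's getent group output.
SHARE_CONF = """[f1]
invalid users = "guest" "@d_group"
valid users = "admin" "@Administrator_Group" "@User_Group" "root"
"""
GETENT_GROUP = """root:x:0:root
Administrator_Group:x:1:admin
User_Group:x:101:admin,aaa,bbb
Guest_Group:x:65534:guest
a_group:x:1000:aaa,bbb
b_group:x:1001:aaa,bbb
c_group:x:1002:bbb
d_group:x:1003:
"""

def parse_share(conf):
    """Map each 'key = value' line to its list of entries (quoted or bare words)."""
    params = {}
    for line in conf.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = [quoted or bare for quoted, bare in
                                   re.findall(r'"([^"]*)"|(\S+)', value)]
    return params

def groups_of(user, getent):
    """UNIX groups listing the user as a member (primary group from passwd not modelled)."""
    found = set()
    for line in getent.strip().splitlines():
        name, _, _, members = line.split(":")
        if user in members.split(","):
            found.add(name)
    return found

def entry_matches(entry, user, user_groups):
    """smb.conf(5): '@name'/'+name' match a UNIX group ('@' tries netgroups first), '&name' netgroup only, bare = user."""
    if not entry or entry[0] == "&":
        return False  # netgroups are not modelled here (assumption)
    if entry[0] in "@+":
        return entry[1:] in user_groups
    return entry == user

def share_allows(share, user, user_groups):
    """'invalid users' takes precedence over 'valid users'; an empty 'valid users' admits everyone."""
    hit = lambda key: any(entry_matches(e, user, user_groups) for e in share.get(key, []))
    return not hit("invalid users") and (not share.get("valid users") or hit("valid users"))
```

With bbb's real groups the check returns True; adding d_group (gid 1003, whose SID the logged token carried) flips it to False, which is the denial the poster saw.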

