[Samba] It seems to have a bug with @group set in valid or invalid conf
Jeremy
jeremy55662004 at gmail.com
Sun Jun 14 15:54:34 UTC 2020
Thanks, Rowland. I will try your suggestions. Thanks.
Jeremy
On Sat, Jun 13, 2020 at 11:35 PM Jeremy <jeremy55662004 at gmail.com> wrote:
> No one cares, so I closed it. Thanks.
>
> On Fri, Jun 5, 2020 at 5:18 PM Jeremy <jeremy55662004 at gmail.com> wrote:
>
>> Hi all,
>>
>> I am using Samba 4.10.7 and it seems to have a bug with using @group in
>> valid or invalid conf (?). And I can't find a fix patch in a later release. I
>> describe this issue in detail below:
>>
>> 1. First, here is my Samba conf (with @d_group added to "invalid
>> users"):
>> (smb_share.conf)
>> [f1]
>> path = /home/f1
>> write list = "admin" "@Administrator_Group" "@User_Group" "root"
>> invalid users = "guest" "@d_group"
>> valid users = "admin" "@Administrator_Group" "@User_Group" "root"
>> browsable = Yes
>> public = Yes
>> force directory mode = 0777
>> directory mode = 0777
>> force create mode = 0777
>> create mask = 0777
>> recycle:repository = @recycle
>> recycle:directory_mode = 0777
>> recycle:keeptree = yes
>> recycle:versions = yes
>> recycle:exclude_dir = .streams
>> recycle:minsize = 1
>> vfs objects = shadow_copy2 catia fruit streams_xattr streams_depot aio_pthread recycle
>> shadow: format = %Y%m%d-%H%M%S
>> shadow: sort = desc
>> shadow: snapdir = .snapshot
>> shadow: localtime = yes
>> fruit:nfs_aces = no
>> fruit:veto_appledouble = no
>> aio read size = 65536
>> aio write size = 1
>> aio_pthread:aio num threads = 1024
>> smb encrypt = disabled
>> (global.conf)
>> [global]
>> deadtime = 1
>> guest account = guest
>> map to guest = Never
>> log file = /home/samba/log/
>> max log size = 500000
>> load printers = no
>> printcap name = /dev/null
>> printing = bsd
>> dns proxy = no
>> max protocol = SMB3
>> use sendfile = Yes
>> socket options = SO_SNDBUF=33554432 TCP_NODELAY
>> inherit acls = Yes
>> map acl inherit = Yes
>> store dos attributes = Yes
>> inherit permissions = Yes
>> delete veto files = yes
>> ntlm auth = yes
>> streams_depot:delete_lost = yes
>> ldap timeout = 300
>> smb2 max write = 1048576
>> state directory = /home/samba_state
>> lock directory = /var/lock/samba
>> cache directory = /home/samba_cache
>> log level = 10
>> nt acl support = no
>>
>> 2. I added the user bbb on my Debian, and it is not in group "d_group":
>> # getent group
>> root:x:0:root
>> Administrator_Group:x:1:admin
>> User_Group:x:101:admin,aaa,bbb
>> Guest_Group:x:65534:guest
>> Hidden_Group:x:201:admin
>> fuse:x:102:admin
>> davfs2:x:103:davfs2
>> a_group:x:1000:aaa,bbb
>> b_group:x:1001:aaa,bbb
>> c_group:x:1002:bbb
>> d_group:x:1003:
>>
>>
>> 3. But when I open the Samba log and try to use user bbb to log in to //$myip/f1
>> on Windows, I get permission denied.
>> But user bbb is not in d_group. Something is messed up.
>>
>> 4. I saw the log in Samba below:
>> [2020/06/05 16:40:40.672747, 10, pid=2781, effective(0, 0), real(0, 0),
>> class=vfs] ../../source3/smbd/vfs.c:65(vfs_find_backend_
>> vfs_find_backend_entry called for /[Default VFS]/
>> Successfully loaded vfs module [/[Default VFS]/] with the new modules
>> system
>> [2020/06/05 16:40:40.672789, 10, pid=2781, effective(0, 0), real(0, 0)]
>> ../../source3/smbd/service.c:70(set_conn_connectpath)
>> set_conn_connectpath: service IPC$, connectpath = /tmpfs/tmp
>> [2020/06/05 16:40:40.672815, 10, pid=2781, effective(0, 0), real(0, 0)]
>> ../../source3/smbd/share_access.c:220(user_ok_token)
>> user_ok_token: share IPC$ is ok for unix user bbb
>> [2020/06/05 16:40:40.672840, 10, pid=2781, effective(0, 0), real(0, 0)]
>> ../../source3/smbd/share_access.c:271(is_share_read_only
>> is_share_read_only_for_user: share IPC$ is read-only for unix user bbb
>> [2020/06/05 16:40:40.672868, 10, pid=2781, effective(0, 0), real(0, 0)]
>> ../../libcli/security/access_check.c:366(se_file_access_
>> se_file_access_check: MAX desired = 0x2000000 mapped to 0x1f01ff
>> [2020/06/05 16:40:40.672915, 4, pid=2781, effective(0, 0), real(0, 0)]
>> ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
>> setting sec ctx (1003, 101) - sec_ctx_stack_ndx = 0
>> [2020/06/05 16:40:40.672941, 5, pid=2781, effective(0, 0), real(0, 0)]
>> ../../libcli/security/security_token.c:63(security_token
>> Security token SIDs (15):
>> SID[ 0]: S-1-5-21-1151667668-222068009-1375177606-1010
>> SID[ 1]: S-1-5-21-1151667668-222068009-1375177606-513
>> SID[ 2]: S-1-5-21-1151667668-222068009-1375177606-1003
>> SID[ 3]: S-1-5-21-1151667668-222068009-1375177606-1006
>> SID[ 4]: S-1-5-21-1151667668-222068009-1375177606-1008
>> SID[ 5]: S-1-22-2-1000
>> SID[ 6]: S-1-1-0
>> SID[ 7]: S-1-5-2
>> SID[ 8]: S-1-5-11
>> SID[ 9]: S-1-5-21-1151667668-222068009-1375177606-1009
>> SID[ 10]: S-1-22-1-1003
>> SID[ 11]: S-1-22-2-101
>> SID[ 12]: S-1-22-2-1001
>> SID[ 13]: S-1-22-2-1002
>> SID[ 14]: S-1-22-2-1003
>> Privileges (0x 0):
>> Rights (0x 0):
>> [2020/06/05 16:40:40.673111, 5, pid=2781, effective(0, 0), real(0, 0)]
>> ../../source3/auth/token_util.c:866(debug_unix_user_toke
>> UNIX token of user 1003
>> Primary group is 101 and contains 5 supplementary groups
>> Group[ 0]: 101
>> Group[ 1]: 1001
>> Group[ 2]: 1002
>> Group[ 3]: 1000
>> Group[ 4]: 1003
>>
>> 5. Why is user "bbb" not in d_group, yet the Security token SIDs have
>> d_group's SID (S-1-5-21-1151667668-222068009-1375177606-1009)??
>> I think this is the reason why I am denied access to "f1". Because in
>> the program /source3/smbd/share_access.c, the function "token_contains_name"
>> will check "nt_token_check_sid" & "user_in_netgroup". But I am absolutely
>> sure my user "bbb" is not in a netgroup, so the problem
>> is in the function "nt_token_check_sid". Function "nt_token_check_sid"
>> will check whether the Security token SIDs match.
>>
>> # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1010
>> XN7004T-FF1628\bbb 1
>> # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1003
>> XN7004T-FF1628\User_Group 4
>> # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1006
>> XN7004T-FF1628\b_group 4
>> # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1008
>> XN7004T-FF1628\c_group 4
>> # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1009
>> XN7004T-FF1628\d_group 4
>> # wbinfo --sid-to-name=S-1-22-1-1003
>> Unix User\bbb 1
>> # wbinfo --sid-to-name=S-1-22-1-101
>> Unix User\davfs2 1
>> # wbinfo --sid-to-name=S-1-22-1-1001
>> Unix User\aaa 1
>> # wbinfo --sid-to-name=S-1-22-1-1002
>> Unix User\1002 1
>> # wbinfo --sid-to-name=S-1-22-1-1003
>> Unix User\bbb 1
>>
>>
>> 6. My questions are:
>> 1. How does Samba get the Security token SIDs?
>> 2. And I wonder what reason would cause the Security token SIDs to get
>> messed up?
>>
>>
>> Note: This issue occurs at random. Sometimes you will get the true
>> SIDs, but sometimes not.
>>
>>
>>
>> Thanks,
>> Jeremy
>>
>
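Added example, not code from the post and not Samba's own implementation: it re-runs the "invalid users" / "valid users" decision for user bbb on share [f1] twice, once with the group membership that `getent group` reports and once with the groups the quoted level-10 log shows inside bbb's token. The matching rules are the documented smb.conf(5) ones (a hit in "invalid users" denies regardless of "valid users"; "@name" and "+name" are matched as a UNIX group by gid; the netgroup branch is left out because the poster states bbb is in no netgroup), and the decoding of S-1-22-1-<uid> / S-1-22-2-<gid> as Samba's "Unix User" / "Unix Group" SIDs is standard. The `getent group` lines, the UNIX token lines and the SID list are copied from the post and embedded as constructed sample input; the function names are this example's own, not Samba's.

```python
"""Re-evaluate Samba's share access rule for bbb on [f1] from the post's data."""
import re

# Constructed sample: the `getent group` output quoted in the post.
GETENT_GROUP = """\
root:x:0:root
Administrator_Group:x:1:admin
User_Group:x:101:admin,aaa,bbb
Guest_Group:x:65534:guest
Hidden_Group:x:201:admin
fuse:x:102:admin
davfs2:x:103:davfs2
a_group:x:1000:aaa,bbb
b_group:x:1001:aaa,bbb
c_group:x:1002:bbb
d_group:x:1003:
"""

# Constructed sample: the "UNIX token" lines from the quoted level-10 log.
UNIX_TOKEN_LOG = """\
UNIX token of user 1003
Primary group is 101 and contains 5 supplementary groups
Group[ 0]: 101
Group[ 1]: 1001
Group[ 2]: 1002
Group[ 3]: 1000
Group[ 4]: 1003
"""

# Constructed sample: the "Security token SIDs" from the same log excerpt.
# S-1-22-1-<uid> is Samba's "Unix User" authority, S-1-22-2-<gid> is "Unix Group".
SECURITY_TOKEN_SIDS = [
    "S-1-5-21-1151667668-222068009-1375177606-1010",
    "S-1-5-21-1151667668-222068009-1375177606-513",
    "S-1-5-21-1151667668-222068009-1375177606-1003",
    "S-1-5-21-1151667668-222068009-1375177606-1006",
    "S-1-5-21-1151667668-222068009-1375177606-1008",
    "S-1-22-2-1000", "S-1-1-0", "S-1-5-2", "S-1-5-11",
    "S-1-5-21-1151667668-222068009-1375177606-1009",
    "S-1-22-1-1003", "S-1-22-2-101", "S-1-22-2-1001",
    "S-1-22-2-1002", "S-1-22-2-1003",
]

# The [f1] parameters that decide access; the rest of the share is irrelevant here.
SHARE_F1 = {
    "invalid users": ["guest", "@d_group"],
    "valid users": ["admin", "@Administrator_Group", "@User_Group", "root"],
}


def parse_getent_group(text):
    """Map group name -> (gid, set of members) from /etc/group style lines."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def gids_from_getent(groups, user):
    """GIDs whose member list names the user (the passwd primary group is not
    in the post, so it is not added here; for bbb it is 101 anyway)."""
    return {gid for gid, members in groups.values() if user in members}


def gids_from_unix_token(log):
    """GIDs Samba placed in the UNIX token: primary group plus Group[n] lines."""
    gids = {int(g) for g in re.findall(r"Group\[\s*\d+\]:\s*(\d+)", log)}
    primary = re.search(r"Primary group is (\d+)", log)
    if primary:
        gids.add(int(primary.group(1)))
    return gids


def gids_from_token_sids(sids):
    """GIDs carried in the NT token as Unix Group SIDs (S-1-22-2-<gid>)."""
    return {int(s.rsplit("-", 1)[1]) for s in sids if s.startswith("S-1-22-2-")}


def token_contains_name(entry, user, user_gids, groups):
    """One list entry: '@name'/'+name' matches when the UNIX group's gid is in
    the user's token; '&name' is netgroup-only (out of scope); else exact user."""
    if entry[0] == "&":
        return False
    if entry[0] in "@+":
        gname = entry[1:]
        return gname in groups and groups[gname][0] in user_gids
    return entry == user


def matching_entries(entries, user, user_gids, groups):
    """Entries of a list that match this user, for explaining a decision."""
    return [e for e in entries if token_contains_name(e, user, user_gids, groups)]


def user_ok(share, user, user_gids, groups):
    """smb.conf(5) precedence: any 'invalid users' hit denies; otherwise a
    non-empty 'valid users' list must contain a match."""
    if matching_entries(share["invalid users"], user, user_gids, groups):
        return False
    valid = share["valid users"]
    return not valid or bool(matching_entries(valid, user, user_gids, groups))


if __name__ == "__main__":
    groups = parse_getent_group(GETENT_GROUP)
    views = [
        ("getent group", gids_from_getent(groups, "bbb")),
        ("UNIX token in log", gids_from_unix_token(UNIX_TOKEN_LOG)),
        ("Unix Group SIDs in NT token", gids_from_token_sids(SECURITY_TOKEN_SIDS)),
    ]
    for label, gids in views:
        denied_by = matching_entries(SHARE_F1["invalid users"], "bbb", gids, groups)
        print(f"{label:28s} gids={sorted(gids)} "
              f"ok={user_ok(SHARE_F1, 'bbb', gids, groups)} denied_by={denied_by}")
```

Running it shows the two views disagree only on gid 1003: from `getent group` bbb passes (@User_Group matches "valid users" and nothing in "invalid users" does), while from either token view bbb is denied by "@d_group", because "invalid users" wins even though "valid users" would admit him. So the check worth making on the server at the moment a login fails is whether `id -G bbb` also reports 1003 then; if it does not, the question is what supplied that group to smbd when the session was set up, not the share-access code itself.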