[Samba] It seems to have bug for @group to set in valid or invalid conf

Jeremy jeremy55662004 at gmail.com
Sun Jun 14 15:54:34 UTC 2020


Thanks, Rowland. I will try your suggestions. Thanks.

Jeremy

On Sat, Jun 13, 2020 at 11:35 PM Jeremy <jeremy55662004 at gmail.com> wrote:

> No one cared, so I closed it. Thanks.
>
> On Fri, Jun 5, 2020 at 5:18 PM Jeremy <jeremy55662004 at gmail.com> wrote:
>
>> Hi all,
>>
>> I am using Samba 4.10.7 and it seems to have a bug when using @group in
>> the valid or invalid users conf (?). And I can't find a fix patch in a later release. I
>> describe this issue in detail below:
>>
>> 1. Firstly, here is my samba conf below (I add @d_group to "invalid
>> users"):
>> (smb_share.conf)
>> [f1]
>> path = /home/f1
>> write list = "admin" "@Administrator_Group" "@User_Group" "root"
>> invalid users = "guest" "@d_group"
>> valid users = "admin" "@Administrator_Group" "@User_Group" "root"
>> browsable = Yes
>> public = Yes
>> force directory mode = 0777
>> directory mode = 0777
>> force create mode = 0777
>> create mask = 0777
>> recycle:repository = @recycle
>> recycle:directory_mode = 0777
>> recycle:keeptree = yes
>> recycle:versions = yes
>> recycle:exclude_dir = .streams
>> recycle:minsize = 1
>> vfs objects = shadow_copy2 catia fruit streams_xattr streams_depot
>> aio_pthread recycle
>> shadow: format = %Y%m%d-%H%M%S
>> shadow: sort = desc
>> shadow: snapdir = .snapshot
>> shadow: localtime = yes
>> fruit:nfs_aces = no
>> fruit:veto_appledouble = no
>> aio read size = 65536
>> aio write size = 1
>> aio_pthread:aio num threads = 1024
>> smb encrypt = disabled
>> (global.conf)
>> [global]
>> deadtime = 1
>> guest account = guest
>> map to guest = Never
>> log file = /home/samba/log/
>> max log size = 500000
>> load printers = no
>> printcap name = /dev/null
>> printing = bsd
>> dns proxy = no
>> max protocol = SMB3
>> use sendfile = Yes
>> socket options = SO_SNDBUF=33554432 TCP_NODELAY
>> inherit acls = Yes
>> map acl inherit = Yes
>> store dos attributes = Yes
>> inherit permissions = Yes
>> delete veto files = yes
>> ntlm auth = yes
>> streams_depot:delete_lost = yes
>> ldap timeout = 300
>> smb2 max write = 1048576
>> state directory = /home/samba_state
>> lock directory = /var/lock/samba
>> cache directory = /home/samba_cache
>> log level = 10
>> nt acl support = no
>>
>> 2. I added the user bbb on my Debian, and it is not in group "d_group":
>> # getent group
>> root:x:0:root
>> Administrator_Group:x:1:admin
>> User_Group:x:101:admin,aaa,bbb
>> Guest_Group:x:65534:guest
>> Hidden_Group:x:201:admin
>> fuse:x:102:admin
>> davfs2:x:103:davfs2
>> a_group:x:1000:aaa,bbb
>> b_group:x:1001:aaa,bbb
>> c_group:x:1002:bbb
>> d_group:x:1003:
>>
>>
>> 3. But when I open the samba log and try to use user bbb to log in to //$myip/f1
>> on Windows, I get permission denied.
>>    But user bbb is not in d_group. Something is messed up.
>>
>> 4. I saw the samba log below:
>> [2020/06/05 16:40:40.672747, 10, pid=2781, effective(0, 0), real(0, 0),
>> class=vfs] ../../source3/smbd/vfs.c:65(vfs_find_backend_
>>   vfs_find_backend_entry called for /[Default VFS]/
>>   Successfully loaded vfs module [/[Default VFS]/] with the new modules
>> system
>> [2020/06/05 16:40:40.672789, 10, pid=2781, effective(0, 0), real(0, 0)]
>> ../../source3/smbd/service.c:70(set_conn_connectpath)
>>   set_conn_connectpath: service IPC$, connectpath = /tmpfs/tmp
>> [2020/06/05 16:40:40.672815, 10, pid=2781, effective(0, 0), real(0, 0)]
>> ../../source3/smbd/share_access.c:220(user_ok_token)
>>   user_ok_token: share IPC$ is ok for unix user bbb
>> [2020/06/05 16:40:40.672840, 10, pid=2781, effective(0, 0), real(0, 0)]
>> ../../source3/smbd/share_access.c:271(is_share_read_only
>>   is_share_read_only_for_user: share IPC$ is read-only for unix user bbb
>> [2020/06/05 16:40:40.672868, 10, pid=2781, effective(0, 0), real(0, 0)]
>> ../../libcli/security/access_check.c:366(se_file_access_
>>   se_file_access_check: MAX desired = 0x2000000 mapped to 0x1f01ff
>> [2020/06/05 16:40:40.672915,  4, pid=2781, effective(0, 0), real(0, 0)]
>> ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
>>   setting sec ctx (1003, 101) - sec_ctx_stack_ndx = 0
>> [2020/06/05 16:40:40.672941,  5, pid=2781, effective(0, 0), real(0, 0)]
>> ../../libcli/security/security_token.c:63(security_token
>>   Security token SIDs (15):
>>     SID[  0]: S-1-5-21-1151667668-222068009-1375177606-1010
>>     SID[  1]: S-1-5-21-1151667668-222068009-1375177606-513
>>     SID[  2]: S-1-5-21-1151667668-222068009-1375177606-1003
>>     SID[  3]: S-1-5-21-1151667668-222068009-1375177606-1006
>>     SID[  4]: S-1-5-21-1151667668-222068009-1375177606-1008
>>     SID[  5]: S-1-22-2-1000
>>     SID[  6]: S-1-1-0
>>     SID[  7]: S-1-5-2
>>     SID[  8]: S-1-5-11
>>     SID[  9]: S-1-5-21-1151667668-222068009-1375177606-1009
>>     SID[ 10]: S-1-22-1-1003
>>     SID[ 11]: S-1-22-2-101
>>     SID[ 12]: S-1-22-2-1001
>>     SID[ 13]: S-1-22-2-1002
>>     SID[ 14]: S-1-22-2-1003
>>    Privileges (0x               0):
>>    Rights (0x               0):
>> [2020/06/05 16:40:40.673111,  5, pid=2781, effective(0, 0), real(0, 0)]
>> ../../source3/auth/token_util.c:866(debug_unix_user_toke
>>   UNIX token of user 1003
>>   Primary group is 101 and contains 5 supplementary groups
>>   Group[  0]: 101
>>   Group[  1]: 1001
>>   Group[  2]: 1002
>>   Group[  3]: 1000
>>   Group[  4]: 1003
>>
>> 5. Why is user "bbb" not in d_group, yet the Security token SIDs have
>> d_group's SID (S-1-5-21-1151667668-222068009-1375177606-1009)??
>>    I think this is the reason why I am denied access to "f1". Because in
>> /source3/smbd/share_access.c the function "token_contains_name"
>>    will check "nt_token_check_sid" & "user_in_netgroup". But I am absolutely
>> sure my user "bbb" is not in a netgroup, so the problem
>>    is in function "nt_token_check_sid". Function "nt_token_check_sid"
>> will check whether the Security token SIDs match.
>>
>>    # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1010
>>       XN7004T-FF1628\bbb 1
>>    # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1003
>>       XN7004T-FF1628\User_Group 4
>>    # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1006
>>       XN7004T-FF1628\b_group 4
>>    # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1008
>>       XN7004T-FF1628\c_group 4
>>    # wbinfo --sid-to-name=S-1-5-21-1151667668-222068009-1375177606-1009
>>       XN7004T-FF1628\d_group 4
>>    # wbinfo --sid-to-name=S-1-22-1-1003
>>       Unix User\bbb 1
>>    # wbinfo --sid-to-name=S-1-22-1-101
>>       Unix User\davfs2 1
>>    # wbinfo --sid-to-name=S-1-22-1-1001
>>       Unix User\aaa 1
>>    # wbinfo --sid-to-name=S-1-22-1-1002
>>       Unix User\1002 1
>>    # wbinfo --sid-to-name=S-1-22-1-1003
>>       Unix User\bbb 1
>>
>>
>> 6. My questions are:
>>    1. How does samba get the Security token SIDs?
>>    2. And I wonder what reason would cause the Security token SIDs to be messed
>> up?
>>
>>
>> Note: This issue occurs at random. Sometimes you will get the true
>> SIDs but sometimes not.
>>
>>
>>
>> Thanks,
>> Jeremy
>>
>
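An added example, not part of the thread: a small Python checker that cross-references the group list from `getent group` with the "Security token SIDs" and "UNIX token" blocks of a level-5 smbd log, and reports any gid the token carries that the passwd/group database does not grant the user. The inputs are constructed from the lines quoted above (bbb is uid 1003 with primary gid 101, as the log shows).

```python
import re

# Constructed inputs from the thread: getent group lines and level-5 smbd log lines for bbb (uid 1003, gid 101).
GETENT_GROUP = """\
User_Group:x:101:admin,aaa,bbb
a_group:x:1000:aaa,bbb
b_group:x:1001:aaa,bbb
c_group:x:1002:bbb
d_group:x:1003:
"""
SAMBA_LOG = """\
    SID[  5]: S-1-22-2-1000
    SID[ 10]: S-1-22-1-1003
    SID[ 11]: S-1-22-2-101
    SID[ 12]: S-1-22-2-1001
    SID[ 13]: S-1-22-2-1002
    SID[ 14]: S-1-22-2-1003
  UNIX token of user 1003
  Primary group is 101 and contains 5 supplementary groups
  Group[  0]: 101
  Group[  1]: 1001
  Group[  2]: 1002
  Group[  3]: 1000
  Group[  4]: 1003
"""

def parse_groups(text):
    """Map gid -> (group name, set of member names) from getent group output."""
    groups = {}
    for line in text.splitlines():
        name, _, gid, members = line.split(":")
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups

def token_gids(log):
    """gids from 'Group[ n]: gid' lines and from S-1-22-2-<gid> (Unix Group) SIDs."""
    found = re.findall(r"Group\[\s*\d+\]:\s*(\d+)|S-1-22-2-(\d+)", log)
    return {int(a or b) for a, b in found}

def unexpected_groups(user, primary_gid, groups, log):
    """{gid: name} for groups in the token that getent does not grant the user."""
    expected = {primary_gid} | {g for g, (_, m) in groups.items() if user in m}
    extra = token_gids(log) - expected
    return {g: groups.get(g, ("<unknown gid>", set()))[0] for g in sorted(extra)}

if __name__ == "__main__":
    groups = parse_groups(GETENT_GROUP)
    for gid, name in unexpected_groups("bbb", 101, groups, SAMBA_LOG).items():
        print(f"token carries gid {gid} ({name}) that getent does not grant to bbb")
```

Run against the thread's data it reports gid 1003 (d_group), the group behind the "invalid users" match; running it against several failed and successful logins from the same host would show whether the stray gid appears only on the denied attempts.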

