[Samba] Trouble resolving some group membership after upgrade from 4.8 to 4.10
Matt Magoffin
samba at msqr.us
Sun Mar 8 22:14:41 UTC 2020
Hello,
I had been running Samba 4.8 for a few years without any problems, and then upgraded to 4.10. Since then I’ve been having problems with some accounts connecting, while some connect fine still. I haven’t been able to figure out why. My server is a relatively simple standalone server, using the LDAP password backend.
A failing user authenticates OK and ends up like this in the logs:
[2020/03/09 10:30:41.723101, 1, pid=2475, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
&session_blob: struct smbXsrv_sessionB
version : SMBXSRV_VERSION_0 (0)
reserved : 0x00000000 (0)
info : union smbXsrv_sessionU(case 0)
info0 : *
info0: struct smbXsrv_session
table : *
db_rec : NULL
client : *
local_id : 0xe752a8c6 (3880954054)
global : *
global: struct smbXsrv_session_global0
db_rec : NULL
session_global_id : 0xe752a8c6 (3880954054)
session_wire_id : 0x00000000e752a8c6 (3880954054)
creation_time : Mon Mar 9 10:30:42 2020 NZDT
expiration_time : Thu Jan 1 12:00:00 1970 NZST
auth_time : Mon Mar 9 10:30:42 2020 NZDT
auth_session_info_seqnum : 0x00000001 (1)
auth_session_info : *
auth_session_info: struct auth_session_info
security_token : *
security_token: struct security_token
num_sids : 0x00000009 (9)
sids: ARRAY(9)
sids : S-1-5-21-1502235775-2176147628-3003234742-10103
sids : S-1-5-21-1502235775-2176147628-3003234742-513
sids : S-1-22-2-10001
sids : S-1-22-2-10002
sids : S-1-1-0
sids : S-1-5-2
sids : S-1-5-11
sids : S-1-22-1-10103
sids : S-1-22-2-513
privilege_mask : 0x0000000000000000 (0)
0: SEC_PRIV_MACHINE_ACCOUNT_BIT
0: SEC_PRIV_PRINT_OPERATOR_BIT
0: SEC_PRIV_ADD_USERS_BIT
0: SEC_PRIV_DISK_OPERATOR_BIT
0: SEC_PRIV_REMOTE_SHUTDOWN_BIT
0: SEC_PRIV_BACKUP_BIT
0: SEC_PRIV_RESTORE_BIT
0: SEC_PRIV_TAKE_OWNERSHIP_BIT
0: SEC_PRIV_INCREASE_QUOTA_BIT
0: SEC_PRIV_SECURITY_BIT
0: SEC_PRIV_LOAD_DRIVER_BIT
0: SEC_PRIV_SYSTEM_PROFILE_BIT
0: SEC_PRIV_SYSTEMTIME_BIT
0: SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT
0: SEC_PRIV_INCREASE_BASE_PRIORITY_BIT
0: SEC_PRIV_CREATE_PAGEFILE_BIT
0: SEC_PRIV_SHUTDOWN_BIT
0: SEC_PRIV_DEBUG_BIT
0: SEC_PRIV_SYSTEM_ENVIRONMENT_BIT
0: SEC_PRIV_CHANGE_NOTIFY_BIT
0: SEC_PRIV_UNDOCK_BIT
0: SEC_PRIV_ENABLE_DELEGATION_BIT
0: SEC_PRIV_MANAGE_VOLUME_BIT
0: SEC_PRIV_IMPERSONATE_BIT
0: SEC_PRIV_CREATE_GLOBAL_BIT
rights_mask : 0x00000000 (0)
0: LSA_POLICY_MODE_INTERACTIVE
0: LSA_POLICY_MODE_NETWORK
0: LSA_POLICY_MODE_BATCH
0: LSA_POLICY_MODE_SERVICE
0: LSA_POLICY_MODE_PROXY
0: LSA_POLICY_MODE_DENY_INTERACTIVE
0: LSA_POLICY_MODE_DENY_NETWORK
0: LSA_POLICY_MODE_DENY_BATCH
0: LSA_POLICY_MODE_DENY_SERVICE
0: LSA_POLICY_MODE_REMOTE_INTERACTIVE
0: LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE
0x00: LSA_POLICY_MODE_ALL (0)
0x00: LSA_POLICY_MODE_ALL_NT4 (0)
unix_token : *
unix_token: struct security_unix_token
uid : 0x0000000000002777 (10103)
gid : 0x0000000000000201 (513)
ngroups : 0x00000003 (3)
groups: ARRAY(3)
groups : 0x0000000000000201 (513)
groups : 0x0000000000002711 (10001)
groups : 0x0000000000002712 (10002)
info : *
info: struct auth_user_info
account_name : *
account_name : 'sambamatt'
user_principal_name : NULL
user_principal_constructed: 0x00 (0)
domain_name : *
domain_name : 'X24'
dns_domain_name : NULL
full_name : *
full_name : 'Samba Matt Magoffin'
logon_script : *
logon_script : ''
profile_path : *
profile_path : '\\X24\profiles\sambamatt'
home_directory : *
home_directory : '\\X24\sambamatt'
home_drive : *
home_drive : ''
logon_server : *
logon_server : 'X24'
last_logon : NTTIME(0)
last_logoff : Tue Jan 19 16:14:07 2038 NZDT
acct_expiry : Tue Jan 19 16:14:07 2038 NZDT
last_password_change : Mon Mar 9 10:27:37 2020 NZDT
allow_password_change : Mon Mar 9 10:27:37 2020 NZDT
force_password_change : Tue Jan 19 16:14:07 2038 NZDT
logon_count : 0x0000 (0)
bad_password_count : 0x0000 (0)
acct_flags : 0x00000010 (16)
authenticated : 0x01 (1)
unix_info : *
unix_info: struct auth_user_info_unix
unix_name : *
unix_name : 'sambamatt'
sanitized_username : *
sanitized_username : 'sambamatt'
status : NT_STATUS_OK
compat : *
tcon_table : *
pending_auth : NULL
So you can see the uid is “sambamatt” and is a member of group 10002, which is called “Home” and contains “sambamatt” in a memberUid attribute.
[2020/03/09 10:30:41.752608, 5, pid=2475, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1308(smbldap_search_ext)
smbldap_search_ext: base => [dc=msqr,dc=us], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=Home)(cn=Home)))], scope => [2]
[2020/03/09 10:30:41.753124, 2, pid=2475, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:2396(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 10002
[2020/03/09 10:30:41.753202, 4, pid=2475, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/03/09 10:30:41.753262, 10, pid=2475, effective(0, 0), real(0, 0)] ../../source3/smbd/share_access.c:213(user_ok_token)
User sambamatt not in 'valid users'
If I show the group membership in other ways it appears like sambamatt is a member:
$ getent passwd sambamatt
sambamatt:*:10103:513:System User:/home/sambamatt:/bin/sh
$ getent group Home
Home:*:10002:sambamatt
$ id sambamatt
uid=10103(sambamatt) gid=513(Domain Users) groups=513(Domain Users),10001(Media),10002(Home)
For another account “tm” that does still connect successfully, the logs end like:
[2020/03/09 09:55:20.786162, 5, pid=50323, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1308(smbldap_search_ext)
smbldap_search_ext: base => [dc=msqr,dc=us], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=TimeMachine)(cn=TimeMachine)))], scope => [2]
[2020/03/09 09:55:20.787011, 2, pid=50323, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:2396(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 10000
[2020/03/09 09:55:20.787106, 10, pid=50323, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:137(smbldap_talloc_single_attribute)
attribute description does not exist
[2020/03/09 09:55:20.787206, 4, pid=50323, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/03/09 09:55:20.787281, 10, pid=50323, effective(0, 0), real(0, 0)] ../../source3/smbd/share_access.c:219(user_ok_token)
user_ok_token: share TimeCapsule is ok for unix user tm
My smb.conf looks like this:
[global]
log level = 10 auth:10 winbind:10
workgroup = MSQR
server string = Samba Server Version %v
netbios name = X24
domain master = yes
wins support = yes
host msdfs = no
security = user
map to guest = Bad User
vfs objects = acl_xattr zfsacl catia fruit streams_xattr
map acl inherit = yes
server min protocol = SMB2
server max protocol = SMB3
fruit:aapl = yes
fruit:resource = stream
fruit:metadata = stream
ea support = yes
oplocks = yes
ntlm auth = no
passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=msqr,dc=us
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap ssl = off
ldap passwd sync = yes
# Auth password saved via `smbpasswd -W`
ldap admin dn = cn=Samba Admin,dc=msqr,dc=us
[TimeCapsule]
path = /zdata/backups/timecapsule
vfs objects = zfsacl fruit streams_xattr
browseable = no
writable = yes
read only = no
inherit acls = yes
fruit:time machine = yes
fruit:time machine max size = 1400G
valid users = @TimeMachine
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfszcl:acesort = dontcare
[Home]
path = /zdata/home
browseable = yes
writable = yes
read only = no
force create mode = 0660
force directory mode = 0770
valid users = @Home
[Media]
path = /zdata/media
browseable = yes
writable = yes
read only = no
force create mode = 0660
force directory mode = 0770
valid users = @Media
I’m at a loss now on what might be wrong, or what else to try to troubleshoot the issue. Any ideas/help would be much appreciated.
— m@
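As an added example, not part of the original post: a small Python check that pulls the security_token SIDs and unix_token gids out of an ndr_print_debug dump like the one above and classifies how a `valid users = @group` check for a given gid would fare. It assumes that `@group` is resolved to the group's mapped SID (the sambaSID on its sambaGroupMapping entry) and compared against the token's SID list, and that `S-1-22-2-<gid>` is Samba's Unix-form SID for a gid with no domain mapping; the mapped SID values used in the test are constructed placeholders.

```python
import re

# Excerpt of the session dump from the post above (only the
# security_token SIDs and unix_token groups are needed for the check).
TOKEN_DUMP = """\
sids : S-1-5-21-1502235775-2176147628-3003234742-10103
sids : S-1-5-21-1502235775-2176147628-3003234742-513
sids : S-1-22-2-10001
sids : S-1-22-2-10002
sids : S-1-1-0
sids : S-1-5-2
sids : S-1-5-11
sids : S-1-22-1-10103
sids : S-1-22-2-513
groups : 0x0000000000000201 (513)
groups : 0x0000000000002711 (10001)
groups : 0x0000000000002712 (10002)
"""

# Samba's synthetic SID authority for Unix groups that have no domain mapping.
UNIX_GROUP_SID_PREFIX = "S-1-22-2-"


def parse_token(dump):
    """Return (set of SIDs, set of Unix gids) found in an ndr session dump."""
    sids = set(re.findall(r"^\s*sids\s*:\s*(S-[\d-]+)", dump, re.M))
    gids = {int(g) for g in
            re.findall(r"^\s*groups\s*:\s*0x[0-9a-f]+\s*\((\d+)\)", dump, re.M)}
    return sids, gids


def explain_group_check(sids, gids, gid, mapped_sid=None):
    """Classify a `valid users = @group` check for `gid` against the token.

    mapped_sid is the sambaSID of the group's sambaGroupMapping entry, if any
    (assumption: that is the SID Samba compares against the token).
    """
    unix_sid = f"{UNIX_GROUP_SID_PREFIX}{gid}"
    if mapped_sid and mapped_sid in sids:
        return "domain-sid-match"      # check passes
    if mapped_sid and unix_sid in sids:
        return "mapping-mismatch"      # token only carries the Unix-form SID
    if unix_sid in sids:
        return "unix-sid-only"         # member, but via the fallback SID
    if gid in gids:
        return "gid-without-sid"       # gid present, no SID of either form
    return "not-a-member"
```

Run `explain_group_check(*parse_token(TOKEN_DUMP), 10002, "<sambaSID of cn=Home>")` with the real mapped SID to see whether the Home group's mapping and the token SID agree.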