List:       samba
Subject:    Re: [Samba] samba-4.1.19: resolving local unix group failes when there exists a local unix user with
From:       Rowland Penny <rowlandpenny241155 () gmail ! com>
Date:       2015-07-31 13:29:13
Message-ID: 55BB7829.8060008 () gmail ! com

On 31/07/15 13:07, Nissl Reinhard wrote:
> Hi,
> 
> after upgrading samba from 4.1.17 to 4.1.19 on OpenSuSE 13.2, any shares offered by
> this machine can no longer be accessed, when these shares contain an entry "force
> group" which specifies a local unix group and when there exists a unix user with
> the same name.
> Here's an excerpt from smb.conf:
> 
> [FactWork]
> comment = FactWork-Downloadportal
> path = /web/Fee/download/factwork
> valid users = @webadmin,fee\gabi,@fee\g_tb3,fee\administrator,fee\svtb3$
> write list = @webadmin,fee\gabi,@fee\g_tb3,fee\administrator
> force group = webadmin
> create mask = 0664
> force create mode = 0664
> directory mask = 0775
> force directory mode = 0775
> writeable = Yes
> guest ok = No
> 
> When I try to access that share with smbclient like that, it fails:
> 
> smbclient //platon/factwork mySecret -U reinhard.ni -W fee
> Domain=[FEE] OS=[Unix] Server=[Samba 4.1.19-11.1-3442-SUSE-oS13.2-x86_64]
> tree connect failed: NT_STATUS_NO_SUCH_GROUP
> 
> Running smbd interactive with maximum debug level shows the following lines:
> 
> looking for user fee\reinhard.ni of domain (ANY) in netgroup fee\g_tb3
> lookup_name: fee\g_tb3 => domain=[fee], name=[g_tb3]
> lookup_name: flags = 0x077
> user_ok_token: share FactWork is ok for unix user FEE\reinhard.ni
> lookup_name: FEE\webadmin => domain=[FEE], name=[webadmin]
> lookup_name: flags = 0x077
> map_name_to_wellknown_sid: looking up webadmin
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> Security token: (NULL)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> failed to unpack map
> failed to unpack map
> failed to unpack map
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> Finding user webadmin
> Trying _Get_Pwnam(), username as lowercase is webadmin
> Get_Pwnam_internals did find user [webadmin]!
> webadmin is a User, not a group
> 
> A further problem (which seems to be caused by the same defect) exists when trying
> to validate the user against a local unix group (@webadmin in this example). The
> log output shows similar messages regarding @webadmin being a user while expecting
> a group. In that case smbclient fails with NT_STATUS_ACCESS_DENIED.
>
> A workaround seems to be to replace all references to unix group webadmin with
> "Unix Group\webadmin", i.e.
>
> valid users = @"Unix Group\webadmin",fee\gabi,@fee\g_tb3,fee\administrator,fee\svtb3$
> write list = @"Unix Group\webadmin",fee\gabi,@fee\g_tb3,fee\administrator
> force group = "Unix Group\webadmin"
>
> Bye.
> --
> Reinhard Nißl, TB3, -198
> 

Hi, I think there is a bug report open for this: 
https://bugzilla.samba.org/show_bug.cgi?id=11320

Rowland
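
An audit check for the condition described in this thread, added here as an example (not code from Samba or from either poster): it scans smb.conf text for unqualified group references in `force group` and the user-list options and reports those whose name is also a local Unix user. The function names, the option set and the sample config are assumptions of this example; line continuations and `include` files are not handled.

```python
import grp
import pwd
import re

# Options whose @name / +name / &name entries are resolved as groups (assumed set).
LIST_OPTIONS = {"validusers", "invalidusers", "writelist", "readlist", "adminusers"}
TOKEN = re.compile(r'[@+&]*(?:"[^"]*"|[^,\s"]+)')

def group_refs(option, value):
    """Yield unqualified group names referenced by one smb.conf option."""
    tokens = []
    if option == "forcegroup":
        tokens = ["@" + value.strip().lstrip("+")]
    elif option in LIST_OPTIONS:
        tokens = TOKEN.findall(value)
    for tok in tokens:
        name = tok.lstrip("@+&").strip('"')
        # A backslash means the name is already qualified (DOMAIN\x, Unix Group\x).
        if tok[0] in "@+&" and name and "\\" not in name:
            yield name

def find_ambiguous_groups(conf_text, users=None, groups=None):
    """Return (share, option, name) where a group reference is also a user name."""
    users = {p.pw_name for p in pwd.getpwall()} if users is None else users
    groups = {g.gr_name for g in grp.getgrall()} if groups is None else groups
    hits, share = [], None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            share = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            option = "".join(key.split()).lower()  # Samba ignores case and spaces
            for name in group_refs(option, value):
                if name in users and name in groups:
                    hits.append((share, key.strip(), name))
    return hits

# Constructed sample modelled on the share quoted above.
SAMPLE = r"""
[FactWork]
valid users = @webadmin,fee\gabi,@fee\g_tb3,fee\administrator
write list = @"Unix Group\webadmin",fee\gabi
force group = webadmin
"""

if __name__ == "__main__":
    print(find_ambiguous_groups(SAMPLE, {"webadmin", "gabi"}, {"webadmin"}))
```

Called without the `users` and `groups` arguments, the function reads the local account databases through `pwd` and `grp`, so run it on the file server itself.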

