Bug 10400 - smbd Version 4.1.3-Debian: Linux-server + Linux-client: "valid users" broken, when used together with "force user" directive
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.1.3
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2014-01-23 18:45 UTC by Tormen
Modified: 2014-01-23 18:48 UTC

Description Tormen 2014-01-23 18:45:32 UTC
Server + Client == Debian stable 7.3 (Version 4.1.3)


Hi,

If the following holds true, then I found a bug:

  "force user" == the effective user for all disk access on the samba server
                  (like which user a new file belongs to) related to this share
                  This user does NOT need to be a smbuser!

  "valid users" == smbusers (having corresponding Linux system users) that are allowed to connect to a samba server's share


=========================================================
Server: 

smb.conf:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[global]
   workgroup = LOCALNET
   server string = %h server
   disable netbios = yes
   dns proxy = no
   domain master = no
   preferred master = no
   smb ports = 445
   log level = 1
   log file = /var/log/samba/log.%m
   syslog = 0
   encrypt passwords = yes
   passdb backend = tdbsam
   obey pam restrictions = yes
   pam password change = yes
   map to guest = bad user
   load printers = no
   disable spoolss = yes
[web]
   path = /data/www
   valid users = me
   create mask = 0660
   directory mask = 0770
   force user = xxx
   force group = www-data
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

groups xxx
   xxx : www-data xxx

xxx is NOT a smbuser

groups me
   me : mine cdrom floppy audio dip video plugdev xxx

pdbedit -L me
   me:1000:me


=========================================================
Client:

smbclient -L web -Ume -d1
Enter me's password: 
Domain=[LOCALNET] OS=[Unix] Server=[Samba 4.1.3-Debian]

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (web server)
	web             Disk      web
Connection to web failed (Error NT_STATUS_CONNECTION_REFUSED)
NetBIOS over TCP disabled -- no workgroup available

smbclient //web/web -Ume -d1
Enter me's password: 
Domain=[LOCALNET] OS=[Unix] Server=[Samba 4.1.3-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

AND WHEN I 
  * comment out the "valid users = me" line on the [web] share

then I get on the CLIENT:

smbclient -L web -Ume -d1
Enter me's password: 
Domain=[LOCALNET] OS=[Unix] Server=[Samba 4.1.3-Debian]

	Sharename       Type      Comment
	---------       ----      -------
	web             Disk      web
	IPC$            IPC       IPC Service (web server)
Connection to web failed (Error NT_STATUS_CONNECTION_REFUSED)
NetBIOS over TCP disabled -- no workgroup available


<<< so this Error there STAYS ...

... BUT the mount succeeds:

smbclient //web/web -Ume -d1                      $1 #46720 me@seven pts/10
Enter me's password: 
Domain=[LOCALNET] OS=[Unix] Server=[Samba 4.1.3-Debian]
smb: \> ls
  .                                   D        0  Thu Jan 23 15:32:38 2014
  ..                                  D        0  Thu Jan 23 15:20:13 2014
  class.krumo.php                     N    24780  Wed Oct 30 22:08:11 2013
  logs                                D        0  Tue Oct  8 11:25:32 2013
  public_html                         D        0  Wed Jan 22 13:59:42 2014
  krumo.ini                           N      418  Wed Oct 30 22:08:11 2013

		44431 blocks of size 524288. 38602 blocks available
smb: \> 


... and on the server:

smbstatus  -d1

Samba version 4.1.3-Debian
PID     Username      Group         Machine                        
-------------------------------------------------------------------
54818     me            mine          172.27.127.7 (ipv4:172.27.127.7:32807)

Service      pid     machine       Connected at
-------------------------------------------------------
web          54818   172.27.127.7  Thu Jan 23 19:40:14 2014

No locked files


Please let me know if you need more info / input.


Tormen
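
Added example (not part of the original report and not Samba code): a small audit that parses smb.conf-style text and flags shares with the combination this report describes, `valid users` set together with a `force user` account that is not among the listed names. The function names and the `[other]` share are hypothetical; `@group`/`+group` entries are compared literally and line continuations are not handled.

```python
import re

# Constructed sample: [web] as in the report (trimmed); [other] is hypothetical, for contrast.
SAMPLE_CONF = """\
[global]
   map to guest = bad user
[web]
   valid users = me
   force user = xxx
[other]
   valid users = me, xxx
   force user = xxx
"""

def norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def shares_matching_report(text):
    """List (share, forced_user, valid_users) where the forced user is not a listed valid user."""
    conf = parse_smb_conf(text)
    defaults = conf.pop("global", {})        # [global] values act as share defaults
    hits = []
    for share, params in conf.items():
        merged = {**defaults, **params}
        forced = merged.get("forceuser", "")
        # Names only: group entries such as @staff are not expanded here.
        valid = [u for u in re.split(r"[,\s]+", merged.get("validusers", "")) if u]
        if forced and valid and forced not in valid:
            hits.append((share, forced, valid))
    return hits

if __name__ == "__main__":
    for share, forced, valid in shares_matching_report(SAMPLE_CONF):
        print(f"[{share}] force user = {forced!r} not in valid users = {valid}")
```

A hit only marks a share whose configuration matches the one in this report; whether access is actually denied depends on the Samba version in use.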