Created attachment 10610
Patch for passwd_to_SamInfo3

Going from 4.1 to 4.2rc3 it appears that in the new 4.2 function passwd_to_SamInfo3() the code to handle the "Unix Users" domain is missing. Similar code is found in samu_to_SamInfo3() and looks to be necessary in passwd_to_SamInfo3() as well.

For example, I see the following error messages in the Samba log when trying to authenticate using Kerberos/OpenLDAP (not AD):

[2015/01/08 12:10:06.667139, 10, pid=21045, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1088(legacy_gid_to_sid)
  LEGACY: gid 548597 -> sid S-1-22-2-548597
[2015/01/08 12:10:06.667256, 1, pid=21045, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
  The primary group domain sid(S-1-5-21-1497163937-2947169817-3520470860-513) does not match the domain sid(S-1-22-1) for mtester(S-1-22-1-521)
[2015/01/08 12:10:06.667297, 1, pid=21045, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:254(make_session_info_krb5)
  make_server_info_[sam|pw] failed: NT_STATUS_INVALID_SID!
[2015/01/08 12:10:06.667352, 1, pid=21045, effective(0, 0), real(0, 0)] ../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_INVALID_SID)
[2015/01/08 12:10:06.667460, 10, pid=21045, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2690(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:130

I created a patch to passwd_to_SamInfo3 and now the authentication works again, as it used to prior to 4.2:

[2015/01/08 15:37:19.382202, 10, pid=5603, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info.c:633(passwd_to_SamInfo3)
  Unix User found in passwd. Rid marked as special and sid (S-1-22-1-521) saved as extra sid
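To make the failure in the log above concrete, here is an added, self-contained C model of the SID check the report describes. It is not Samba's code and none of the names below are Samba's: the simplified struct sid, the sid_parse/sid_peek_check_rid helpers, the SPECIAL_RID marker value (UINT32_MAX is an assumption) and passwd_to_info3_model are all written for this illustration. The sample SIDs are the ones that appear in the log lines of the report. With handle_unix_users=false the model takes the domain from the user SID itself, so a "Unix Users" SID (S-1-22-1-521) yields the domain S-1-22-1 and the primary group S-1-5-21-...-513 can never match it, which is the NT_STATUS_INVALID_SID path; with handle_unix_users=true the RID is marked special, the real SID is kept as an extra SID and the primary-group check runs against the server's own domain SID instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELDS 17            /* revision + authority + up to 15 sub-authorities */
#define SPECIAL_RID UINT32_MAX   /* assumed marker for "this user has no RID in the domain" */

/* A SID kept as numeric fields: f[0]=revision, f[1]=authority, f[2..]=sub-authorities. */
struct sid {
    int n;
    uint32_t f[MAX_FIELDS];
};

/* The parts of an info3 that matter for this bug (model, not Samba's netr_SamInfo3). */
struct info3_model {
    uint32_t rid;              /* user RID relative to the domain, or SPECIAL_RID */
    uint32_t primary_gid;      /* primary group RID relative to that same domain */
    bool has_extra_user_sid;   /* true when the full user SID is carried separately */
    struct sid extra_user_sid;
};

/* Parse "S-1-22-1-521" into fields. Returns 0 on success, -1 on malformed input. */
static int sid_parse(const char *text, struct sid *out)
{
    memset(out, 0, sizeof(*out));
    if (text == NULL || text[0] != 'S' || text[1] != '-') return -1;
    const char *p = text + 2;
    for (;;) {
        char *end;
        if (*p < '0' || *p > '9') return -1;          /* reject "-5", empty fields, etc. */
        unsigned long v = strtoul(p, &end, 10);
        if (end == p || v > UINT32_MAX || out->n >= MAX_FIELDS) return -1;
        out->f[out->n++] = (uint32_t)v;
        if (*end == '\0') break;
        if (*end != '-') return -1;
        p = end + 1;
    }
    return out->n >= 3 ? 0 : -1;  /* need revision, authority and at least one sub-authority */
}

/* True when `sid` is exactly `domain` plus one trailing RID; that RID is stored in *rid. */
static bool sid_peek_check_rid(const struct sid *domain, const struct sid *sid, uint32_t *rid)
{
    if (sid->n != domain->n + 1) return false;
    if (memcmp(domain->f, sid->f, (size_t)domain->n * sizeof(uint32_t)) != 0) return false;
    *rid = sid->f[sid->n - 1];
    return true;
}

/* Returns 0 on success or -1 for the NT_STATUS_INVALID_SID outcome.
 * handle_unix_users=false reproduces the 4.2rc3 behaviour from the report (no "Unix Users"
 * branch); true models the fix the thread describes. sam_domain_text is the server's own
 * domain SID. */
static int passwd_to_info3_model(const char *user_sid_text, const char *group_sid_text,
                                 const char *sam_domain_text, bool handle_unix_users,
                                 struct info3_model *out)
{
    struct sid user, group, domain, sam_domain, unix_users;
    uint32_t ignored;

    memset(out, 0, sizeof(*out));
    if (sid_parse(user_sid_text, &user) != 0 || sid_parse(group_sid_text, &group) != 0 ||
        sid_parse(sam_domain_text, &sam_domain) != 0 || sid_parse("S-1-22-1", &unix_users) != 0)
        return -1;

    if (handle_unix_users && sid_peek_check_rid(&unix_users, &user, &ignored)) {
        /* UNIX user with no passdb entry: no RID exists for it in the SAM domain, so mark
         * the RID special, keep the real SID as an extra SID, and do the primary-group
         * check against the server's own domain SID. */
        out->rid = SPECIAL_RID;
        out->has_extra_user_sid = true;
        out->extra_user_sid = user;
        domain = sam_domain;
    } else {
        /* Ordinary passdb user: the domain is the user SID minus its last sub-authority. */
        domain = user;
        out->rid = domain.f[--domain.n];
    }

    if (!sid_peek_check_rid(&domain, &group, &out->primary_gid)) {
        fprintf(stderr, "primary group %s is not in the domain derived from %s -> INVALID_SID\n",
                group_sid_text, user_sid_text);
        return -1;
    }
    return 0;
}

/* Scalar wrappers so each outcome can be checked without poking at the struct. */
static int model_status(const char *u, const char *g, const char *d, bool fix)
{
    struct info3_model m;
    return passwd_to_info3_model(u, g, d, fix, &m);
}
static uint32_t model_rid(const char *u, const char *g, const char *d, bool fix)
{
    struct info3_model m;
    return passwd_to_info3_model(u, g, d, fix, &m) == 0 ? m.rid : 0;
}
static uint32_t model_primary_gid(const char *u, const char *g, const char *d, bool fix)
{
    struct info3_model m;
    return passwd_to_info3_model(u, g, d, fix, &m) == 0 ? m.primary_gid : 0;
}

int main(void)
{
    /* Sample values taken from the log lines in the report. */
    const char *unix_user = "S-1-22-1-521";
    const char *group = "S-1-5-21-1497163937-2947169817-3520470860-513";
    const char *sam_domain = "S-1-5-21-1497163937-2947169817-3520470860";
    printf("4.2rc3 path: %s\n",
           model_status(unix_user, group, sam_domain, false) == 0 ? "OK" : "NT_STATUS_INVALID_SID");
    printf("fixed path:  %s (rid=%u, primary_gid=%u)\n",
           model_status(unix_user, group, sam_domain, true) == 0 ? "OK" : "NT_STATUS_INVALID_SID",
           model_rid(unix_user, group, sam_domain, true), model_primary_gid(unix_user, group, sam_domain, true));
    return 0;
}
```

The model also shows why a regular passdb user (S-1-5-21-...-1000 with primary group -513) passes on both paths: its domain prefix is split off the user SID and matches the group's prefix, so only users from the S-1-22-1 pseudo-domain ever hit the mismatch.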
Oh, nice catch. First glance that looks correct for master and 4.2.0. Let me investigate some more...
My biggest concern is not fixing this, but ensuring it doesn't happen again by having a robust testsuite that catches that.
Oh, this is a blocker for 4.2.0 :-(. Given the following share:

[utest]
    path = /tmp
    force user = gdm

where gdm doesn't exist in the tdb password database but is a UNIX user. Connect as user jra, who does exist in the tdb passdb. We get:

/usr/local/samba/bin/smbclient //127.0.0.1/utest -Ujra%PASSWORD
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.0pre1-GIT-42aee0e]
tree connect failed: NT_STATUS_INVALID_SID

This breaks a large number of file server cases. Reassigning to jra as this is a file server-only bug :-(.
I think I can see how we can test this in autobuild...
Sorry Andrew, forgot to re-add you in cc: list. I'll post patches + tests to the samba-technical list for master shortly.
Created attachment 10618
Patch for master - includes test.

This is based on the original fix from Michael Zeis <mzeis.quantum@gmail.com>, but factors the code out into a utility function rather than using cut-and-paste, plus adds a test for the bug. Will post to the mailing list and get into master first, then back-port for 4.2.0.
Jeremy, I think this needs to be backported 4.1 too!
Created attachment 10621
Cherry-pick from master for 4.2. Includes master commit refs.
(In reply to Andreas Schneider from comment #7) No, I can't reproduce the problem in 4.1 - access to the [utest] share works fine. This looks like a 4.2.0 problem only.
Jeremy, take a look at https://lists.samba.org/archive/samba/2013-January/171091.html and I have a bug at Red Hat with the same log output. To reproduce this use smb.conf:

[global]
    kerberos method = system keytab
    realm = MYDOMAIN.COM
    security = ads
(In reply to Andreas Schneider from comment #10) Sure, I'll take a look, but in the meantime can you +1 the 4.2 patch so we can get this into the v4-2-test tree. Thanks !
Comment on attachment 10621
Cherry-pick from master for 4.2.

+1'ing this with a caveat: Jeremy, please assign to Karolin only after a successful private autobuild. She got pretty frustrated because many autobuilds did not go through recently. I don't have the time right now to do it, sorry.
Comment on attachment 10621
Cherry-pick from master for 4.2.

ACK
Gosh, Volker was faster than me again. :-)
I think I was wrong Jeremy. Ignore me :)
Karolin, please add the patch to 4.2. Thanks!
(In reply to Volker Lendecke from comment #12) I already tested a local full make test, and it passes as much as a local make test does for me (the local DC stuff always fucks up for me on local make test).
Just to be clear - this patch is ready (and required ! :-) for 4.2.0-final. Thanks ! Jeremy.
(In reply to Jeremy Allison from comment #18) Sure. Pushed to autobuild-v4-2-test, thx.
Pushed to autobuild-v4-2-test...
Pushed to v4-2-test. Closing out bug report. Thanks!