Bug 11396 - Samba using AD distribution groups as users for authentication
Samba using AD distribution groups as users for authentication
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
4.2.2
x64 Linux
: P5 normal
: ---
Assigned To: Samba QA Contact
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-07-09 18:34 UTC by Uraki
Modified: 2015-07-13 07:34 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Uraki 2015-07-09 18:34:29 UTC
There is a local linux 'remedy' user on WEBBOX2.

Arch Linux x86_64 
Samba,smbclient,libwbclient 4.2.2-1

/etc/passwd:

     remedy:x:11451:11451::/home/remedy:/usr/sbin/nologin

Our windows domain (Active Directory) does NOT have a 'remedy' user. It does, however, have a distribution group named 'remedy'.

[root@webbox2 ~]# wbinfo -u | grep remedy
[root@webbox2 ~]#

[root@webbox2 ~]# wbinfo --group-info remedy
remedy:x:11228:
[root@webbox2 ~]#

[root@webbox2 ~]# wbinfo --user-info remedy
remedy:*:11228:11228::/home/CTA/remedy:/bin/bash
[root@webbox2 ~]#

This causes issues when you have a share in your smb.conf defined like this: 

[remedy]
  comment = remedy data files via FTP
  path = /home/remedy
  admin users = uraki, "@Domain Admins", @Administrators
  write list = "@Domain Users", root, uraki
  force user = remedy
  force group = remedy
  read only = No
  create mask = 0777
  inherit permissions = Yes
  inherit owner = Yes

As you will get errors in Windows when trying to access this share. User not found or group not found.

Other shares defined in a similar manner that have local users that don't match anything in the Active Directory domain work with no issue.

If you change the share to look like this (different user):

[remedy]
  comment = remedy data files via FTP
  path = /home/remedy
  admin users = uraki, "@Domain Admins", @Administrators
  write list = "@Domain Users", root, uraki
  force user = uraki
  force group = "@Domain Users"
  read only = No
  create mask = 0777
  inherit permissions = Yes
  inherit owner = Yes

It will work. 

I suspect that Samba/wbinfo/winbind is incorrectly picking up AD distribution groups as users and trying to use them for authentication.

I was seeing things like this in the logs:

[2015/07/09 10:50:04.962977,  3] ../source3/smbd/msdfs.c:971(get_referred_path)  get_referred_path: |remedy| in dfs path \webbox2\remedy is not a dfs root.

Which did not make much sense.