Bug 1165 - Samba ADS Kerberos login doesn't resolve correct groups when smbd is su'ing to the uid
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.2a
Hardware: Other Linux
Importance: P1 major
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-03-09 03:21 UTC by Ferdinand Hagethorn
Modified: 2005-08-24 10:15 UTC
CC List: 2 users

See Also:


Attachments
log level 10 debug output of a smbclient -k login gzipped (8.51 KB, application/gzip)
2004-03-09 07:48 UTC, Ferdinand Hagethorn
patch to fix fill_domain_username() (755 bytes, patch)
2004-03-11 06:21 UTC, Gerald (Jerry) Carter (dead mail address)
new patch to fix issues with winbindd use default domain = yes and secondary groups (9.54 KB, patch)
2004-03-16 08:34 UTC, Gerald (Jerry) Carter (dead mail address)
new version of patch -- fixed pointer problem (9.54 KB, patch)
2004-03-16 08:39 UTC, Gerald (Jerry) Carter (dead mail address)

Description Ferdinand Hagethorn 2004-03-09 03:21:18 UTC
Situation:
-- samba ads configuration
samba 3.0.2a on debian 3.0 woody
net ads join worked, kinit works, windows clients can connect to the server
using the kerberos login.

Now the case:
when logging in with user+pass the smbd daemon is a member of the correct groups;
when doing this with a kerberos ticket the smbd daemon isn't.

# smbclient //fileserver/export -U username
Password: ****

/proc/8870/status shows the following; notice the Groups entry.
User+Password login:
--------------------
Name:   smbd
State:  S (sleeping)
Tgid:   8870
Pid:    8870
PPid:   8525
TracerPid:      0
Uid:    10026   10026   0       10026
Gid:    0       10000   0       10000
FDSize: 32
Groups: 10000 10015 10014 10003 
VmSize:     7672 kB
VmLck:         0 kB
VmRSS:      3332 kB
VmData:     1920 kB
VmStk:        20 kB
VmExe:      2136 kB
VmLib:      3224 kB
SigPnd: 0000000000000000
SigBlk: 0000000000001880
SigIgn: 8000000000001000
SigCgt: 0000000000014661
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 0000000000000000


Now using a kerberos ticket (after a kinit):
# smbclient //fileservertest/export -U username -k
and this also works:
# smbclient //fileservertest/export -k

Kerberos login (file: /proc/8851/status):
---------------
Name:   smbd
State:  S (sleeping)
Tgid:   8851
Pid:    8851
PPid:   8525
TracerPid:      0
Uid:    10026   10026   0       10026
Gid:    0       10000   10000   10000
FDSize: 32
Groups: 10000 10000 
VmSize:     7672 kB
VmLck:         0 kB
VmRSS:      3528 kB
VmData:     1920 kB
VmStk:        20 kB
VmExe:      2136 kB
VmLib:      3224 kB
SigPnd: 0000000000000000
SigBlk: 0000000000001880
SigIgn: 8000000000003000
SigCgt: 0000000000014661
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 0000000000000000

Groups: 10000 10000 -> that's NOT okay

What is happening here??
id username returns the correct groups, so winbind works, but smbd doesn't seem
to find the correct groups when logging in with a correct kerberos ticket.

Is group membership also a part of the kerberos ticket? (I don't know if this is
a samba bug or an incorrect windows dc config.) Please help, it's driving me nuts!
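The comparison the reporter did by hand (reading the Groups: line of /proc/<pid>/status for the two smbd children and spotting the missing gids) can be automated. The following is an added example, not code from the bug report or from Samba; it embeds the relevant lines of the two status dumps above as constructed input and reports which supplementary groups the Kerberos-login smbd lacks compared with the password-login one (the expected list would normally come from `id <user>` or the password-login process).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample input: the relevant lines of the two /proc/<pid>/status
 * dumps from the report (password login vs. Kerberos login). */
static const char *kPasswordLoginStatus =
    "Name:\tsmbd\n"
    "Uid:\t10026\t10026\t0\t10026\n"
    "Gid:\t0\t10000\t0\t10000\n"
    "Groups:\t10000 10015 10014 10003 \n"
    "VmSize:\t    7672 kB\n";

static const char *kKerberosLoginStatus =
    "Name:\tsmbd\n"
    "Uid:\t10026\t10026\t0\t10026\n"
    "Gid:\t0\t10000\t10000\t10000\n"
    "Groups:\t10000 10000 \n"
    "VmSize:\t    7672 kB\n";

/* Parse the "Groups:" line of a status text into gids (at most max entries).
 * Returns the number of gids stored, or -1 if there is no Groups line. */
int parse_status_groups(const char *status, gid_t *gids, size_t max)
{
    const char *line = status;
    while (line != NULL && *line != '\0') {
        if (strncmp(line, "Groups:", 7) == 0) {
            const char *p = line + 7;
            size_t n = 0;
            for (;;) {
                char *end;
                while (*p == ' ' || *p == '\t') p++;   /* skip field padding */
                if (*p == '\n' || *p == '\0') break;   /* end of the line */
                unsigned long v = strtoul(p, &end, 10);
                if (end == p) break;                   /* not a number: stop */
                if (n < max) gids[n++] = (gid_t)v;
                p = end;
            }
            return (int)n;
        }
        line = strchr(line, '\n');     /* advance to the next line */
        if (line != NULL) line++;
    }
    return -1;
}

/* 1 if gid is present in the list, else 0. */
int has_gid(const gid_t *gids, int count, gid_t gid)
{
    for (int i = 0; i < count; i++)
        if (gids[i] == gid) return 1;
    return 0;
}

/* Copy every expected gid that is absent from the actual list into missing;
 * returns how many were missing. */
int missing_gids(const gid_t *expected, int nexp,
                 const gid_t *actual, int nact, gid_t *missing)
{
    int m = 0;
    for (int i = 0; i < nexp; i++)
        if (!has_gid(actual, nact, expected[i]))
            missing[m++] = expected[i];
    return m;
}

int main(void)
{
    gid_t pw[32], krb[32], miss[32];
    int npw = parse_status_groups(kPasswordLoginStatus, pw, 32);
    int nkrb = parse_status_groups(kKerberosLoginStatus, krb, 32);
    int nmiss = missing_gids(pw, npw, krb, nkrb, miss);
    printf("password login: %d groups, kerberos login: %d groups, %d missing:",
           npw, nkrb, nmiss);
    for (int i = 0; i < nmiss; i++) printf(" %lu", (unsigned long)miss[i]);
    printf("\n");
    return 0;
}
```

On a live system the same parser can be fed the contents of /proc/<pid>/status for the smbd child serving a connection; any gid reported by `id <user>` that is missing from the process means share-level group permissions will not be honoured for that session.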
Comment 1 Ferdinand Hagethorn 2004-03-09 04:20:59 UTC
Found this out:
the user in the supplied example is a domain user

w/ debugging at 10:
logfile entry:
sys_getgrouplist(): disabled winbindd for group lookup [user == username]

I do not think this is supposed to happen in this case, my smb.conf:

[global]
        workgroup = ECHEM
        realm = ECHEM.COM
        netbios name = FILESERVERTEST
        security = ADS
        syslog = 1
        log file = /var/log/samba/log.%m
        printcap name = cups
        os level = 10
        preferred master = No
        local master = No
        domain master = No
        idmap uid = 10000-60000
        idmap gid = 10000-60000
        template homedir = /cluster/homes/homedirs/%U
        winbind separator = %
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        printing = cups
        printer admin = MasterChief, @"Domain Admins"
        log level = 10
        encrypt passwords = true

[export]
        comment = Export share
        path = /cluster/data/export
        admin users = @"Domain Admins"
        read only = No
        create mask = 0660
        directory mask = 2770
Comment 2 Ferdinand Hagethorn 2004-03-09 04:22:16 UTC
winbind separator = %
is supposed to be
winbind separator = +

(pasted from the wrong window :-/ )
Comment 3 Ferdinand Hagethorn 2004-03-09 05:00:49 UTC
changing the winbind separator doesn't make any difference, samba still thinks
kerberos login users belong to the system and winbind lookups should not be done.
Comment 4 Ferdinand Hagethorn 2004-03-09 05:45:19 UTC
lib/system_smbd.c line 116:
   if ( (p = strchr(user, *lp_winbind_separator())) == NULL ) {

Something goes wrong here, it seems user isn't formatted like "username+DOM.COM",
that's why winbind is not being used for group lookups.

Maybe something is not going well in the kerberos ticket parsing code (which
fills the 'user' variable), but I'm not a coder so I'll leave the bugfixing to you :)
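The mechanism behind the check quoted above can be modelled in a few lines. This is an added example, not Samba's code: it reimplements, in simplified form, winbindd's fill_domain_username() and assume_domain() plus the lib/system_smbd.c separator test, so the effect of 'winbind use default domain = yes' on the group-lookup decision can be seen directly. The accessors lp_winbind_separator_model() and lp_workgroup_model() are stand-ins for the smb.conf values (separator "+", workgroup ECHEM); fill_domain_username_always_prefixed() is a variant that ignores the option and is not an existing Samba function.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FSTRING_LEN 256
typedef char fstring[FSTRING_LEN];

/* Assumed stand-ins for the smb.conf values (winbind separator = +,
 * workgroup = ECHEM); these are not Samba's real accessors. */
static const char *lp_winbind_separator_model(void) { return "+"; }
static const char *lp_workgroup_model(void) { return "ECHEM"; }

/* Simplified model of winbindd's assume_domain(): with
 * 'winbind use default domain = yes' the workgroup's own domain is dropped
 * from the names winbindd hands back. */
bool assume_domain_model(const char *domain, bool use_default_domain)
{
    return use_default_domain && strcmp(domain, lp_workgroup_model()) == 0;
}

/* Model of fill_domain_username() as shipped in 3.0.2a: the name is left
 * bare whenever assume_domain() is true. */
void fill_domain_username_model(fstring name, const char *domain,
                                const char *user, bool use_default_domain)
{
    if (assume_domain_model(domain, use_default_domain))
        snprintf(name, sizeof(fstring), "%s", user);
    else
        snprintf(name, sizeof(fstring), "%s%s%s", domain,
                 lp_winbind_separator_model(), user);
}

/* Hypothetical variant: always emit DOMAIN<sep>user regardless of the option. */
void fill_domain_username_always_prefixed(fstring name, const char *domain,
                                          const char *user)
{
    snprintf(name, sizeof(fstring), "%s%s%s", domain,
             lp_winbind_separator_model(), user);
}

/* Model of the lib/system_smbd.c check quoted above: winbindd is consulted
 * for the supplementary-group lookup only if the name carries the separator;
 * otherwise the lookup is treated as a local (system) user. */
bool groups_resolved_via_winbindd(const char *user)
{
    return strchr(user, *lp_winbind_separator_model()) != NULL;
}

int main(void)
{
    fstring name;
    fill_domain_username_model(name, "ECHEM", "username", true);
    printf("use default domain = yes: name=%-16s winbindd=%d\n", name,
           groups_resolved_via_winbindd(name));
    fill_domain_username_model(name, "ECHEM", "username", false);
    printf("use default domain = no:  name=%-16s winbindd=%d\n", name,
           groups_resolved_via_winbindd(name));
    fill_domain_username_always_prefixed(name, "ECHEM", "username");
    printf("always prefixed:          name=%-16s winbindd=%d\n", name,
           groups_resolved_via_winbindd(name));
    return 0;
}
```

With the option on, the bare name "username" has no separator, so the check falls through to the local group lookup and the domain's secondary groups never reach smbd; a foreign domain (anything other than the workgroup) is always prefixed and therefore unaffected, which matches the log line "disabled winbindd for group lookup [user == username]" seen in comment 1.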
Comment 5 Gerald (Jerry) Carter (dead mail address) 2004-03-09 06:02:44 UTC
Please send me a level 10 debug log of the Samba server.  I 
can't reproduce this locally.  Thanks.
Comment 6 Ferdinand Hagethorn 2004-03-09 07:48:53 UTC
Created attachment 431
log level 10 debug output of a smbclient -k login gzipped

Here is the debug output.

Thanks for taking a look at it.

btw, I've disabled the mentioned check in the source, recompiled the debian
packages and tried it on our testserver. It works for me, but that's not good
enough ;).
Comment 7 Gerald (Jerry) Carter (dead mail address) 2004-03-09 13:54:09 UTC
I really need the server side log, not the client.
Comment 8 Ferdinand Hagethorn 2004-03-10 00:30:55 UTC
Dear Jerry,

I got the attached gzipped file from /var/log/samba/log.fileserver, and the
contents are the smbd logging from a smbclient -k login sequence for your
convenience.

So this is the server log; if it isn't, I have no idea how smbclient called from a
non-root environment can write to /var/log/samba/log.fileserver. :)
Comment 9 Gerald (Jerry) Carter (dead mail address) 2004-03-11 05:50:00 UTC
Sorry.  I misread comment #6.

It's another bug in 'winbind use default domain'
Disable that option and see if things work ok.
I'll keep looking into this today.
Comment 10 Gerald (Jerry) Carter (dead mail address) 2004-03-11 06:21:27 UTC
Created attachment 433
patch to fix fill_domain_username()

Here's a patch to make winbindd fill in the 
passwd struct correctly even when 'winbind use default domain = yes'
Comment 11 Ferdinand Hagethorn 2004-03-12 00:18:32 UTC
I do not have access to the machine now, but I recall that I've tried to
disable the winbind default domain option (by commenting it out and by setting
it to no). I can't recall that it worked, but I can be wrong; I'll patch the
server when I get access again and report back to you. (I have no idea when
that will be, sorry.)
Comment 12 Gerald (Jerry) Carter (dead mail address) 2004-03-12 06:21:48 UTC
No problem.  Since I've reproduced this locally and the 
patch does correct it, I'm marking this as fixed.
If you find otherwise, please reopen it.  Thanks.
Comment 13 Gerald (Jerry) Carter (dead mail address) 2004-03-15 14:26:51 UTC
reworking patch.  Reopening so I don't forget about it.
Comment 14 Gerald (Jerry) Carter (dead mail address) 2004-03-16 07:32:47 UTC
*** Bug 1126 has been marked as a duplicate of this bug. ***
Comment 15 Gerald (Jerry) Carter (dead mail address) 2004-03-16 07:33:17 UTC
adding CC from bug 1126
Comment 16 Gerald (Jerry) Carter (dead mail address) 2004-03-16 08:33:27 UTC
Comment on attachment 433
patch to fix fill_domain_username()

>Index: nsswitch/winbindd_util.c
>===================================================================
>RCS file: /data/cvs/samba/source/nsswitch/winbindd_util.c,v
>retrieving revision 1.73.2.47
>diff -u -r1.73.2.47 winbindd_util.c
>--- nsswitch/winbindd_util.c	10 Feb 2004 03:51:19 -0000	1.73.2.47
>+++ nsswitch/winbindd_util.c	11 Mar 2004 14:20:23 -0000
>@@ -568,13 +568,17 @@
> */
> void fill_domain_username(fstring name, const char *domain, const char *user)
> {
>+# if 0 	/* JERRY - break secondary groups */
> 	if (assume_domain(domain)) {
> 		strlcpy(name, user, sizeof(fstring));
> 	} else {
>+#endif	/* JERRY */
> 		slprintf(name, sizeof(fstring) - 1, "%s%s%s",
> 			 domain, lp_winbind_separator(),
> 			 user);
>+#if 0	/* JERRY */
> 	}
>+#endif	/* JERRY */
> }
> 
> /*
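Review bot: wrapping the assume_domain() branch in "# if 0 ... #endif" makes fill_domain_username() emit DOMAIN<separator>user unconditionally, so 'winbind use default domain = yes' silently stops taking effect for every caller of this function, not only for the secondary-group path where the lib/system_smbd.c separator check from comment 4 needs the prefixed name. It also leaves the if/else and its closing brace behind as dead code under preprocessor guards. Prefer keeping the option's short-name behaviour for the callers that rely on it and fixing the group-lookup path on its own, and delete the dead branch outright instead of guarding it out; the reworked patch in attachment 441/442 is the one that should be reviewed for that.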
Comment 17 Gerald (Jerry) Carter (dead mail address) 2004-03-16 08:34:35 UTC
Created attachment 441
new patch to fix issues with winbindd use default domain = yes and secondary groups
Comment 18 Gerald (Jerry) Carter (dead mail address) 2004-03-16 08:35:31 UTC
This is the patch that will go into CVS.  Works locally so 
I'm marking this as fixed.  Please reopen this bug if it 
doesn't clear things up for you.
Comment 19 Gerald (Jerry) Carter (dead mail address) 2004-03-16 08:39:45 UTC
Created attachment 442
new version of patch -- fixed pointer problem

New version of patch.  I uploaded the wrong diff previously.
Comment 20 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:15:54 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.