Bug 12276 - Group substitution for connected user fails
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.4.5
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2016-09-19 11:59 UTC by Andreas Schneider
Modified: 2016-10-25 07:42 UTC


Attachments
Proposed patch for master (1.07 KB, patch)
2016-09-21 07:23 UTC, Andreas Schneider
patch for 4.5 (2.00 KB, patch)
2016-10-10 10:44 UTC, Andreas Schneider
slow: review+
patch for 4.4 (2.00 KB, patch)
2016-10-10 10:45 UTC, Andreas Schneider
slow: review+

Description Andreas Schneider 2016-09-19 11:59:29 UTC
smbclient -UZELTRUST+Administrator%secret -c quit //127.0.0.1/zelshare/
Domain=[ZELTRUST] OS=[Windows 6.1] Server=[Samba 4.4.4]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

Error in log.smbd:
++++++
[2016/09/19 05:03:58.549831,  0, pid=24686, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:808(make_connection_snum) canonicalize_connect_path failed for service zelshare, path /home/DZELTRUST/uZELTRUST+administrator/Uadministrator/gZELTRUST+domain users/G%G
++++++

config:

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
        realm = ZELTRUST.ZEL
        workgroup = ZELTRUST
        security = ADS
        server signing = if_required
        create krb5 conf = No
        template homedir = /home/%D/%G/%U
        template shell = /bin/bash
        winbind request timeout = 120
        winbind separator = +
        wins server = 10.34.36.20
        idmap config * : range = 10000-20000
        idmap config * : backend = tdb
                     
[zelshare]
        path = /home/D%D/u%u/U%U/g%g/G%G
        read only = No


Patch will follow.
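
A log check for the failure shown in this report, as an added example that is not part of the original bug report or of Samba: it scans log.smbd text for canonicalize_connect_path failures and reports which smb.conf variables were left unexpanded in the logged path. The function name and the second sample line are constructed for illustration; the first sample line is the one quoted in the description.

```python
import re

# Sample input: line 1 is the log.smbd entry quoted in the report,
# line 2 is a constructed failure with no leftover variable (plain bad path).
SAMPLE_LOG = """\
[2016/09/19 05:03:58.549831,  0, pid=24686, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:808(make_connection_snum) canonicalize_connect_path failed for service zelshare, path /home/DZELTRUST/uZELTRUST+administrator/Uadministrator/gZELTRUST+domain users/G%G
[2016/09/19 05:04:10.000000,  0, pid=24690, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:808(make_connection_snum) canonicalize_connect_path failed for service scratch, path /srv/missing
"""

# Message format as it appears in the quoted log line.
FAILURE = re.compile(
    r"canonicalize_connect_path failed for service (?P<service>[^,]+), "
    r"path (?P<path>.*)$"
)
# smb.conf variables are '%' followed by a single letter (%U, %G, %D, ...).
MACRO = re.compile(r"%[A-Za-z]")


def find_unexpanded(log_text):
    """Return one finding per failed tree connect, listing leftover variables."""
    findings = []
    for line in log_text.splitlines():
        match = FAILURE.search(line)
        if match is None:
            continue
        path = match.group("path").rstrip()
        findings.append({
            "service": match.group("service").strip(),
            "path": path,
            # A variable still present in the logged path was not substituted.
            "unexpanded": sorted(set(MACRO.findall(path))),
        })
    return findings


if __name__ == "__main__":
    for f in find_unexpanded(SAMPLE_LOG):
        if f["unexpanded"]:
            cause = "unexpanded " + ", ".join(f["unexpanded"])
        else:
            cause = "path fully expanded, check that it exists"
        print(f"{f['service']}: {cause} ({f['path']})")
```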
Comment 1 Christian Ambach 2016-09-20 21:02:31 UTC
Dupe of Bug 10286?
Comment 2 Andreas Schneider 2016-09-21 07:22:48 UTC
No, bug #10286 introduced the issue.

diff --git a/source3/lib/substitute.c b/source3/lib/substitute.c
index ce4fbba..4e2ce9b 100644
--- a/source3/lib/substitute.c
+++ b/source3/lib/substitute.c
@@ -500,7 +500,9 @@ char *talloc_sub_basic(TALLOC_CTX *mem_ctx,
 		case 'G' : {
 			struct passwd *pass;
 
-			if (domain_name != NULL && domain_name[0] != '\0') {
+			if (domain_name != NULL && domain_name[0] != '\0' &&
+			    !strequal(domain_name, my_sam_name()))
+			{
 				r = talloc_asprintf(tmp_ctx,
 						    "%s%c%s",
 						    domain_name,
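
Review bot: the added `!strequal(domain_name, my_sam_name())` test in the `case 'G'` branch decides whether to build the domain-prefixed name purely from a name comparison, with no check of whether this host is a domain member. As the comment below explains, with 'security = ADS' my_sam_name() returns lp_workgroup(), which equals domain_name, so the prefixed form is never built on a member server and the lookup uses the bare user name. Suggest keying the decision on the configured security mode or server role instead of the name equality, and adding a comment above the condition stating which case skips the prefix.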

We are 'security = ADS'

domain_name is MYDOMAIN
lp_workgroup() is MYDOMAIN which is returned by my_sam_name().

So we do a:
    getpwnam(Administrator)

This will fail, as there is no such user on our system unless you have 'winbind use default domain' set! In the case of a member server we need to add the domain name!
Comment 3 Andreas Schneider 2016-09-21 07:23:24 UTC
Created attachment 12500
Proposed patch for master
Comment 4 Andreas Schneider 2016-10-10 10:44:15 UTC
Created attachment 12558
patch for 4.5
Comment 5 Andreas Schneider 2016-10-10 10:45:01 UTC
Created attachment 12559
patch for 4.4
Comment 6 Ralph Böhme 2016-10-10 11:37:26 UTC
Reassigning to Karolin for inclusion in 4.4 and 4.5.
Comment 7 Karolin Seeger 2016-10-19 07:49:02 UTC
(In reply to Ralph Böhme from comment #6)
Pushed to autobuild-v4-{5,4}-test.
Comment 8 Karolin Seeger 2016-10-25 07:42:10 UTC
(In reply to Karolin Seeger from comment #7)
Pushed to both branches.
Closing out bug report.

Thanks!