Bug 3949 - valid users with %S or UNIX groups not working with security = ADS (or DOMAIN) in Samba 3.0.23
Summary: valid users with %S or UNIX groups not working with security = ADS (or DOMAIN...
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services (show other bugs)
Version: 3.0.23
Hardware: x86 Linux
: P3 critical
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
: 3940 (view as bug list)
Depends on:
Blocks:
 
Reported: 2006-07-20 11:08 UTC by Phil Lobbes
Modified: 2006-07-20 13:14 UTC (History)
1 user (show)

See Also:

Attachments
session showing valid users not working with 3.0.23 (19.05 KB, text/plain)
2006-07-20 11:10 UTC, Phil Lobbes 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Phil Lobbes 2006-07-20 11:08:18 UTC 
I am seeing problems similar to bug# 3741 and bug# 3940, but the
problem seems to be more a general problem with 'valid users'.  For
some reason samba seems to think that it want to turn UNIX groups into
SIDs (to look like 'S-<something>') which doesn't make sense.

We are running FC4 on x86 and just upgraded samba via RPMs from
3.0.14a-2 to 3.0.23.  With the upgrade to 3.0.23 all shares using
'valid users'.  We have a 'homes' share using valid users = %S and
also shares using UNIX groups, but both have stopped working.  The
only work around I have found is to comment out the 'valid users'
lines in smb.conf altogether.

NOTE: We are not using 'winbindd' and have users setup in /etc/passwd
and /etc/group to give the users that have access the proper UNIX
uid/gid(s).

We were using 'security = DOMAIN' but I switched to 'security = ADS'
with the hopes that the changes might help samba work, however the
changes have not helped to fix the problem.

Relevant info from the config (with company/domain name modified for
their privacy):

  [global]
        log level = 3 auth:10
        workgroup = STK
        realm = STK.LOCAL
        security = ADS

  [homes]
        writable = yes
        valid users = %S

  [webdev]
        path = /usr/local/webdev
        valid users = +stkdev, +stkadm

=================================================================
Info from the log when trying to access 'webdev' (will try to attach full session log):

[2006/07/20 08:49:13, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +stkdev does not start with 'S-'.
[2006/07/20 08:49:13, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +stkadm does not start with 'S-'.
[2006/07/20 08:49:13, 2] smbd/service.c:make_connection_snum(571)
  user 'phil' (from session setup) not permitted to access this share (webdev)

When trying to access 'homes' the problem is similar:

[2006/07/20 08:33:03, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid phil does not start with 'S-'.

Both groups exist and user 'phil' is a member of both of those UNIX
groups, in fact his primary group is 'stkdev'.  This worked before we
upgraded to 3.0.23 but not any more.

Any ideas?
Phil
--
Phil Lobbes
<phil at perkpartners.com>
Comment 1 Phil Lobbes 2006-07-20 11:10:13 UTC 
Created attachment 2050 [details]
session showing valid users not working with 3.0.23

Full session from connect to access denied with valid users not working for UNIX groups with server = ADS or domain in samba 3.0.23
Comment 2 Gerald (Jerry) Carter (dead mail address) 2006-07-20 13:13:17 UTC 
Please retest using the SAMBA_3_0_23 branch.  This is believed to be fixed for
3.0.23a (due in a few days).
Comment 3 Gerald (Jerry) Carter (dead mail address) 2006-07-20 13:14:47 UTC 
*** Bug 3940 has been marked as a duplicate of this bug. ***