Bug 3949 - valid users with %S or UNIX groups not working with security = ADS (or DOMAIN) in Samba 3.0.23
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.23
Hardware: x86 Linux
Importance: P3 critical
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Duplicates: 3940
Reported: 2006-07-20 11:08 UTC by Phil Lobbes
Modified: 2006-07-20 13:14 UTC

Attachments
session showing valid users not working with 3.0.23 (19.05 KB, text/plain)
2006-07-20 11:10 UTC, Phil Lobbes

Description Phil Lobbes 2006-07-20 11:08:18 UTC
I am seeing problems similar to bug# 3741 and bug# 3940, but the
problem seems to be more a general problem with 'valid users'.  For
some reason samba seems to think that it wants to turn UNIX groups into
SIDs (to look like 'S-<something>') which doesn't make sense.

We are running FC4 on x86 and just upgraded samba via RPMs from
3.0.14a-2 to 3.0.23.  With the upgrade to 3.0.23 all shares using
'valid users'.  We have a 'homes' share using valid users = %S and
also shares using UNIX groups, but both have stopped working.  The
only work around I have found is to comment out the 'valid users'
lines in smb.conf altogether.

NOTE: We are not using 'winbindd' and have users set up in /etc/passwd
and /etc/group to give the users that have access the proper UNIX
uid/gid(s).

We were using 'security = DOMAIN' but I switched to 'security = ADS'
with the hopes that the changes might help samba work, however the
changes have not helped to fix the problem.

Relevant info from the config (with company/domain name modified for
their privacy):

  [global]
        log level = 3 auth:10
        workgroup = STK
        realm = STK.LOCAL
        security = ADS

  [homes]
        writable = yes
        valid users = %S

  [webdev]
        path = /usr/local/webdev
        valid users = +stkdev, +stkadm

=================================================================
Info from the log when trying to access 'webdev' (will try to attach full session log):

[2006/07/20 08:49:13, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +stkdev does not start with 'S-'.
[2006/07/20 08:49:13, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +stkadm does not start with 'S-'.
[2006/07/20 08:49:13, 2] smbd/service.c:make_connection_snum(571)
  user 'phil' (from session setup) not permitted to access this share (webdev)

When trying to access 'homes' the problem is similar:

[2006/07/20 08:33:03, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid phil does not start with 'S-'.

Both groups exist and user 'phil' is a member of both of those UNIX
groups, in fact his primary group is 'stkdev'.  This worked before we
upgraded to 3.0.23 but not any more.

Any ideas?
Phil
--
Phil Lobbes
<phil at perkpartners.com>
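
A triage sketch for the log excerpts in the description above, added here as an example and not part of the original report or of Samba's code: it pairs each string_to_sid message with the share denial that follows it, so the 'valid users' entries involved can be listed per share. The sample log is constructed from the lines quoted in the report, the function names are hypothetical, and treating the two messages as related is a heuristic for triage, not a statement about the root cause.

```python
import re

# Constructed sample: the smbd log lines quoted in the report (log level 3).
SAMPLE_LOG = """\
[2006/07/20 08:49:13, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +stkdev does not start with 'S-'.
[2006/07/20 08:49:13, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +stkadm does not start with 'S-'.
[2006/07/20 08:49:13, 2] smbd/service.c:make_connection_snum(571)
  user 'phil' (from session setup) not permitted to access this share (webdev)
[2006/07/20 08:33:03, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid phil does not start with 'S-'.
"""

# smbd writes a bracketed header line, then the message on indented lines.
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)$")
NOT_SID = re.compile(r"string_to_sid: Sid (?P<name>.+) does not start with 'S-'\.")
DENIED = re.compile(
    r"user '(?P<user>[^']+)' .*not permitted to access this share \((?P<share>[^)]+)\)"
)

def parse_records(text):
    """Yield [timestamp, level, source, message] for each header + body record."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = [m["ts"], int(m["level"]), m["src"], ""]
        elif current and line.startswith("  "):
            current[3] = (current[3] + " " + line.strip()).strip()
    if current:
        yield current

def triage(text):
    """Attach names that failed SID parsing to the share denial that follows them."""
    pending, denials = [], []
    for ts, _level, _src, msg in parse_records(text):
        if (m := NOT_SID.search(msg)):
            pending.append(m["name"])
        elif (m := DENIED.search(msg)):
            denials.append({"time": ts, "user": m["user"],
                            "share": m["share"], "names": pending})
            pending = []
    return denials, pending  # pending: names with no denial line after them

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
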
Comment 1 Phil Lobbes 2006-07-20 11:10:13 UTC
Created attachment 2050
session showing valid users not working with 3.0.23

Full session from connect to access denied with valid users not working for UNIX groups with server = ADS or domain in samba 3.0.23
Comment 2 Gerald (Jerry) Carter (dead mail address) 2006-07-20 13:13:17 UTC
Please retest using the SAMBA_3_0_23 branch.  This is believed to be fixed for
3.0.23a (due in a few days).
Comment 3 Gerald (Jerry) Carter (dead mail address) 2006-07-20 13:14:47 UTC
*** Bug 3940 has been marked as a duplicate of this bug. ***