Bug 4184 - valid users does not work any more after update from 3.0.23.b to 3.0.23.c
valid users does not work any more after update from 3.0.23.b to 3.0.23.c
Status: RESOLVED INVALID
Product: Samba 3.0
Classification: Unclassified
Component: Config Files
3.0.23c
Other Windows XP
: P3 critical
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
: 4185 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-10-23 07:50 UTC by Dag
Modified: 2011-03-21 19:30 UTC (History)
2 users (show)

See Also:


Attachments
build info (10.27 KB, text/plain)
2008-04-10 12:37 UTC, Devin Nate
no flags Details
testing smb.conf for tests - configured for the same as debug log to follow (i.e. with valid users = +testgrp) (1.83 KB, text/plain)
2008-04-10 14:06 UTC, Devin Nate
no flags Details
log files of failure, per previously attached smb.conf file (347.83 KB, application/x-gzip)
2008-04-10 14:18 UTC, Devin Nate
no flags Details
these are the logfiles of a semi-success, smb.conf identical except without valid users (300.33 KB, application/x-gzip)
2008-04-10 14:20 UTC, Devin Nate
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Dag 2006-10-23 07:50:19 UTC
Probably a error with a variable asignment that makes the 

for example:

valid users = @management

not to work with Fedora Directory Server / LDAP against the ou attribute

in the /etc/samba/smb.conf file
Comment 1 Björn Jacke 2006-10-30 12:37:58 UTC
*** Bug 4185 has been marked as a duplicate of this bug. ***
Comment 2 Matt Temple 2007-06-19 13:55:34 UTC
We found that this is an issue only in the X86_64 versions of Samba, starting with
3.0.23 and continuing in 3.0.24.   There was a note in one of the discussions somewhere on line that got us a workaround.   The "@" before the group name
means Samba should check first NIS groups then Unix group.   But if the "@" is changed to a "+" then the NIS check is bypassed.   In the i386 versions, all of this works as advertised, but in the X86_64 versions (FC5), it fails, always.
We don't use NIS, so changing all of the "@"s to "+"s fixed the problem for us.
I don't know if this means the NIS logic is broker, or if the switch from NIS to 
Unix groups is broken.

This bug does not affect /home directories.
Comment 3 brian Wang 2007-06-19 22:55:24 UTC
we are seeing the problem with" valid users" doesn't work at all after 3.0.22. not just the group.

if "valid user" is specified, all attempt to map/mount will be denied.

if we use winbind 3.0.22 with samba 3.0.24, it works, once we change to use samba 3.0.25, it stops working.

any attempt to fix this?
Comment 4 Devin Nate 2008-04-10 11:04:54 UTC
This may be the same as bug 5260. I've added notes there also.
We have the same problem. The problem for us is evidenced by using 'valid users
= +UNIXGROUP'. We've tried all documented combinations of + / @ / &, and using
'Unix Group\group', which appear in various internet threads. No success.

We have determined that Samba does not appear to care about the unix group. So
for instance, if we do 'valid users = +DOMAIN\group' it works as expected, only
permitting users of the indicated domain group to access the share.

However, using 'valid users = +unixgroup' does not work as expected. What would
be expected (as it has worked in the past), is that if a user is a member of
'unixgroup', either by way of their primary group or of their full grouplist,
would be able to access the share. Instead, a user can access the share if
their primary group is unixgroup, however supplementary grouplist membership is
ignored.

Also looking for a fix. Our platform is AIX 5.3 TL7 all maint patches. Heimdal
krb5 ver 1.1 and openldap current stable.

Thanks,
Devin Nate 
Comment 5 Jeremy Allison 2008-04-10 12:26:03 UTC
I cannot reproduce this problem with Samba 3.0.28a running on Linux. Can you ensure your Samba version is up to date ?
Jeremy.
Comment 6 Devin Nate 2008-04-10 12:37:59 UTC
Created attachment 3258 [details]
build info
Comment 7 Devin Nate 2008-04-10 12:42:21 UTC
I can confirm up to date build. It's 3.0.28a downloaded as the single source tarball. Test on (at least) AIX 5.2 w/ current patches and AIX 5.3 w/ current patches. Operates the same on both. krb5 is heimdal 1.1, openldap 2.3.39.

I've reviewed the build config, and it appears configure properly finds initgroups, setgroups, and the other functions I'd expect to see for getting suplementary group info.

winbindd is running on these hosts, in proxy-only mode. AIX servers are not using the NSS functionality of winbindd.
Comment 8 Volker Lendecke 2008-04-10 13:14:23 UTC
Next step: Your smb.conf and a full debug level 10 log of smbd failing.

Volker
Comment 9 Devin Nate 2008-04-10 13:33:28 UTC
incoming shortly (as I assemble files)

Thanks,
Devin Nate
Comment 10 Devin Nate 2008-04-10 14:04:20 UTC
Testing setup as follows: smb.conf as attached shortly.

Testing using user id 'nated'

Attempting to use share 'debug'

Attempting to restrict access to the 'debug' share to only users in the 'testgrp' Unix Group

'debug' share references the directory /home/debugshare, which is created as follows:

# ls -ald /home/debugshare
drwxrws---   2 root     testgrp         256 Apr 10 12:35 /home/debugshare

unix group 'testgrp' has only 1 member, user 'nated'

user nated has 'testgrp' as the primary group

nated:!:227:243::/home/nated:/usr/bin/ksh

UNLIKE my previous comment, having my primary group or supplementary group set to testgrp does not seem to help in any way. There's probably something more to this, because having the group be the primary group has worked sometimes.

Test cases:

A- Test without Valid Users line
1. stop samba services (smbd,nmbd,winbindd).
2. have smb.conf without a valid users line for share 'debug'
3. Start samba services.
4. Attempt to connect to debug. [ SUCCESS ]
5. Attempt to create a file in debug share [ SUCCESS ]
6. Attempt to rename file in debug share [ FAILURE ] ?????????????????????
7. chmod 777 /home/debugshare
8. Attempt to rename file (duplicate #6) [ SUCCESS ]

B- Test with Valid Users: valid users = +testgrp
1. stop samba services (smbd,nmbd,winbindd).
2. have smb.conf with a valid users line for share 'debug'
3. Start samba services.
4. Attempt to connect to debug [ FAILURE, Win Vista asks for Username & Passwd ]
5. Connect to a different share [ SUCCESS ]

C- Test with Valid Users: valid users = "+Unix Group\testgrp"
1. stop samba services (smbd,nmbd,winbindd).
2. have smb.conf with a valid users line for share 'debug'
3. Start samba services.
4. Attempt to connect to debug [ FAILURE, Win Vista asks for Username & Passwd ]
5. Connect to a different share [ SUCCESS ]

Commentary: It's like samba just doesn't know about Unix Group testgrp at all. it cannot write to the directory if it's mode 770 with testgrp (except it can write to it, as a file/dir create succeeds-but a move/rename fails), even though the user should be able to write to it. And if valid users are used, it really doesn't work.

smb.conf to be attached right away.

Thanks,
Devin Nate












Comment 11 Devin Nate 2008-04-10 14:06:07 UTC
Created attachment 3259 [details]
testing smb.conf for tests - configured for the same as debug log to follow (i.e. with valid users = +testgrp)
Comment 12 Devin Nate 2008-04-10 14:18:14 UTC
Created attachment 3260 [details]
log files of failure, per previously attached smb.conf file

These are the logfiles. Test procedure:

1. shut down smb services.
2. update smb.conf with debug level = 10 and remove max log file size
3. delete all current samba log files
4. start samba
5. connect to server at \\qaserver, get a listing of shares [ success ]
6. attempt to connect to 'debug' share [ failure, get a windows username & password window ]
7. attempt #6 again
8. shut down samba services
9. tar files and submit
Comment 13 Devin Nate 2008-04-10 14:20:02 UTC
Created attachment 3261 [details]
these are the logfiles of a semi-success, smb.conf identical except without valid users

These are the logfiles of a (semi) success WITHOUT valid users line. Test procedure:

1. shut down smb services.
2. update smb.conf with debug level = 10 and remove max log file size
3. delete all current samba log files
4. start samba
5. connect to server at \\qaserver, get a listing of shares [ success ]
6. attempt to connect to 'debug' share [ success ]
7. attempt to create file [ success ]
8. attempt to rename file [ FAILURE ] ??????????????????????????
9. shut down samba services
10. tar files and submit
Comment 14 Volker Lendecke 2008-04-10 14:36:20 UTC
This pretty much works as designed. You logged in as CLINICARE\nated who from Samba's point of view has nothing to do with the user nated in /etc/passwd except that the uid is used. This is the big change that came with 3.0.25, and it was necessary as more and more bugs and unexpected behaviour due to the ambiguities with names. SIDs are much more reliable. You have two options: Use a group in CLINICARE, or add local groups to group mapping using net sam createlocalgroup & friends.

Volker
Comment 15 Devin Nate 2008-04-10 15:37:08 UTC
Hmm, a couple questions. I've played around with the net sam createlocalgroup, and net groupmap commands, etc., and couldn't find a way to accomplish what I was looking for.

In particular, all I found I could do was create a local group, and then I still had to manually add users to to the local group (i.e. I couldn't create a local group and have the group membership inherited from /etc/group / /etc/passwd.

To your point that CLINICARE\nated has nothing to do with the /etc/passwd entry of nated, I somewhat agree. But somewhere samba is figuring out to map CLINICARE\nated -> unix\nated because all files get created with that UID. I can conceptually understand that a domain user has nothing to do with a local user, except for the part where the local userid gets used. So my question is, if it already does a become_user(nated), why doesn't it handle the groups. (as a development shop, I can understand that things change- but if there's a possibility for this to work, then I'll try to ask ;)

As an alternative interface, assuming your answer might have been what the answer was.. I was wondering about an alternative command. For example, use a different symbol to represent the unix group (e.g. valid users = %unixgrp).

Furthermore, that was only 1 bug encountered in testing. User CLINICARE\nated. The share permissions itself prevented renaming a file, but creation and saving to the document were unaffected. That doesn't seem correct.

Finally, I guess my question is: is this new model the direction of samba, or is it a temporary development situation? Is this the definitive answer for how samba >= 3.0.25 is going to operate. How about Samba 3.2.0?

If this is the new model, it basically means that when using Samba+ADS, the Unix shares essentially need to be mode 777, or some use of force user/force group need to be employed. Both are rather ugly interfaces, almost making Samba+ADS without NSS a non-deployable option (yes, I realize that's my opinion). If this is the case, can I suggest at least a mention in the smb.conf(5) documentation indicating how valid users actually gets applied.

Thanks,
Devin Nate

Comment 16 Volker Lendecke 2008-04-11 16:29:44 UTC
You should be able to trigger access checks via /etc/group by mapping users with the username map option. If you put a mapping into the user name map for each user in /etc/passwd you will lose the domain groups, but you will gain the local nss groups. And generating the username map along the lines

nated = DOMAIN\nated

(or "nated = nated", just try it) should be a simple awk job.

Hope that helps,

Volker
Comment 17 Björn Jacke 2011-03-21 19:30:13 UTC
comment #14 says: works as designed. closing out.