Bug 4354 - valid users paramter with unix groups not working anymore
Summary: valid users paramter with unix groups not working anymore
Status: RESOLVED DUPLICATE of bug 4353
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts (show other bugs)
Version: 3.0.23d
Hardware: x86 Linux
: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-01-25 08:07 UTC by Ralf Gross
Modified: 2007-01-25 08:19 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ralf Gross 2007-01-25 08:07:09 UTC
Hi,

I'm about to update our old workgroup server from Solaris 8 with Samba 3.0.22 to Debian 4.0 with Samba 3.0.23d (debian package). With 3.0.22 I was using 'security = server' now I was able to get the server in the AD/Domain and try to use winbind.

As a first step I tried a part of my old config:

[foo]
        comment = foo
        writable = yes
        force create mode = 0660
        create mask = 0660
        force directory mode = 2770
        directory security mask = 2770
        force directory security mode = 0000
        directory mask = 2770
        force security mode = 0000
        force group = +ve
        security mask = 0770
        path = /projekte/foo
        valid users = +ve
        vfs objects = extd_audit

Group ve is a local unix group and AD user ralfgro is member of that group.

$ id -a EMEA\\ralfgro
uid=70000(ralfgro) gid=70000(domain users) Gruppen=70000(domain users),300(ve)

User ralfgro is able to authenticate and to connect to that share if I use 'vali users = EMEA\ralfgro'

[2007/01/25 14:15:33, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid EMEA\ralfgro does not start with 'S-'.
[2007/01/25 14:15:33, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: EMEA\ralfgro => EMEA (domain), ralfgro (name)
[2007/01/25 14:15:33, 10] smbd/share_access.c:user_ok_token(229)
  user_ok_token: share foo is ok for unix user EMEA\ralfgro
[2007/01/25 14:15:33, 10] smbd/share_access.c:is_share_read_only_for_token(271)
  is_share_read_only_for_user: share foo is read-write for unix user EMEA\ralfgro


I'm not able to connect to this share if I use the unix group as I did with 3.0.22.

valid users = +ve

[2007/01/25 14:19:22, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid root does not start with 'S-'
[2007/01/25 14:19:22, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: VU0EM003\ve => VU0EM003 (domain), ve (name)
[2007/01/25 14:19:22, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/01/25 14:19:22, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/01/25 14:19:22, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/01/25 14:19:22, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2007/01/25 14:19:22, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2007/01/25 14:19:22, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/01/25 14:19:22, 10] smbd/share_access.c:user_ok_token(208)
  User EMEA\ralfgro not in 'valid users'
[2007/01/25 14:19:22, 2] smbd/service.c:make_connection_snum(580)
  user 'EMEA\ralfgro' (from session setup) not permitted to access this share (foo)
[2007/01/25 14:19:22, 3] smbd/error.c:error_packet(146)
  error packet at smbd/reply.c(676) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED


Using AD groups it working:

valid users = +EMEA\"domain users"

[2007/01/25 14:25:41, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +EMEA\domain users does not start with 'S-'.
[2007/01/25 14:25:41, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: EMEA\domain users => EMEA (domain), domain users (name)
[2007/01/25 14:25:41, 10] smbd/share_access.c:user_ok_token(229)
  user_ok_token: share foo is ok for unix user EMEA\ralfgro
[2007/01/25 14:25:41, 10] smbd/share_access.c:is_share_read_only_for_token(271)
  is_share_read_only_for_user: share foo is read-write for unix user EMEA\ralfgro


I tried different strings for the valid users parameter that I found in the samba mailing list archive.

+HOSTNAME\ve
+BULTIN\ve
+"Unix Group"\ve

...and some other strings. Nothing worked.

Maybe I'm simply missing something, but I found some mails regarding a similar problem in other samba 3.0.2x versions. 

Ralf
Comment 1 Björn Jacke 2007-01-25 08:19:24 UTC

*** This bug has been marked as a duplicate of 4353 ***