Bug 5260 - Cannot connect to share while using "valid users = @group_name" unless group_name is Primary Group
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.25b
Hardware: Other Windows XP
Importance: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-02-13 20:24 UTC by Jorge Adrian Salaices
Modified: 2013-09-05 10:04 UTC

See Also:


Attachments
computer's samba log (159.22 KB, text/plain)
2008-02-13 20:27 UTC, Jorge Adrian Salaices
Second Computer's Samba log after wbinfo -u and wbinfo -g (390 bytes, text/plain)
2008-02-14 09:40 UTC, Jorge Adrian Salaices

Description Jorge Adrian Salaices 2008-02-13 20:24:59 UTC
After upgrading from CENTOS4 to CENTOS5 (3.0.11 to 3.0.25b), Samba can no longer associate the user with its secondary groups.

I can only connect to shares that match the user's Primary GID.

This is the error in the /var/log/samba/<machine> log:

 user 'userid' (from session setup) not permitted to access this share (share_name)
[2008/02/13 20:00:49, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

Funny thing about it is that LDAP retrieves the GID membership correctly:

[2008/02/13 20:00:49, 5] lib/smbldap.c:smbldap_search_ext(1182)
  smbldap_search_ext: base => [ou=Groups,dc=mydomain,dc=com], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=shop)(cn=group_name)))], scope => [2]
[2008/02/13 20:00:49, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
  init_group_from_ldap: Entry found for group: 10001

Note that 10001 is the GID of the group that is set on the share itself: 

[share_name]
   comment = shop share
   path = /u01/share/shoptest
   valid users = "@domain admins" "@group_name"
   browseable = yes
   public = no
   writable = yes
   printable = no
   create mask = 0775
   create mode = 0775
   directory mask= 0775

The directory is also correctly chowned and chmoded:

drwxrwxr-x  2 shop1     group_name         4096 Feb 11 05:12 shoptest

I am trying to access it by using mydomain.com\userid, and the user's particulars are:

From getent group:

group_name:*:10001:user_id,other1,other2, ...

id userid:

uid=10000(userid) gid=513(Domain Users) groups=513(Domain Users)

id -G:
513 

As you can see, id -G shows only the primary group.

This was working fine before doing an upgrade, but a serious continuous LDAP crash issue forced me to do an update to CENTOS5.

The related packages are:

samba-client-3.0.25b-1.el5_1.4
samba-3.0.25b-1.el5_1.4
samba-common-3.0.25b-1.el5_1.4
smbldap-tools-0.9.4-1.el5.rf
pam_smb-1.1.7-7.2.1
nss_ldap-253-5.el5
compat-openldap-2.3.27_2.2.29-8
openldap-clients-2.3.27-8
openldap-servers-2.3.27-8
openldap-2.3.27-8
openldap-devel-2.3.27-8


My smb.conf:

[global]
        unix charset = LOCALE
        workgroup = MY_DOMAIN.COM
        server string = SERVER_NAME
        interfaces = eth0, lo
        bind interfaces only = Yes
        passdb backend = ldapsam:ldap://127.0.0.1
        username map = /etc/samba/smbusers
        log level = 6
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 1050
        smb ports = 139
        name resolve order = wins bcast hosts
        time server = Yes
        printcap name = CUPS
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        logon script = scripts/logon.bat
        logon path = \\SERVER_NAME.MY_DOMAIN.COM\profiles\%U
        logon drive = X:
        domain logons = Yes
        preferred master = Yes
        wins support = Yes
        ldap admin dn = cn=Manager,dc=my_domain,dc=com
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=People
        ldap suffix = dc=avatas,dc=com
        ldap user suffix = ou=People
        idmap backend = ldap:ldap://127.0.0.1
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = \        
        winbind cache time = 10
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        map acl inherit = Yes



Any help will be greatly appreciated.
Comment 1 Jorge Adrian Salaices 2008-02-13 20:27:23 UTC
Created attachment 3140
computer's samba log

This is the log of the actual samba transaction.
Comment 2 Jorge Adrian Salaices 2008-02-14 09:15:23 UTC
Note the output of the following commands:

wbinfo -u 

Error looking up domain users

wbinfo -g 

BUILTIN\users

wbinfo -a "userid%password"
plaintext password authentication succeeded
challenge/response password authentication succeeded

wbinfo -D avatas.com
Name              : AVATAS.COM
Alt_Name          : 
SID               : S-1-5-21-2953885461-2572836322-187695268
Active Directory  : No
Native            : No
Primary           : Yes
Sequence          : -1

wbinfo --get-auth-user 
AVATAS.COM\        winbind cache time = 10root%verysecret

wbinfo -p
Ping to winbindd succeeded on fd 4

wbinfo -i userid
:*:10000:0::/home/AVATAS.COM/:/bin/false

wbinfo --own-domain
AVATAS.COM

wbinfo -r userid
513
10000

getent passwd | grep -i 10000
userid:x:10000:513:my name goes here:/home/userid:/bin/bash

getent group 

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
..
..
Domain Admins:*:512:root,userid,user,user,user
Domain Users:*:513:userid,user,user
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:userid,user
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
Power Users:*:553:
Domain Power Users:*:554:
shop:*:10001:shop1,userid,user,user
Remote Desktop Users:*:555:userid,user,user
Users:*:10014:userid,user
...
...

[root@lsv-df-dc1 samba]# wbinfo -t
checking the trust secret via RPC calls succeeded


wbinfo -V
Version 3.0.25b-1.el5_1.4


 net groupmap list
Domain Admins (S-1-5-21-2953885461-2572836322-187695268-512) -> Domain Admins
Domain Users (S-1-5-21-2953885461-2572836322-187695268-513) -> Domain Users
Domain Guests (S-1-5-21-2953885461-2572836322-187695268-514) -> Domain Guests
Domain Computers (S-1-5-21-2953885461-2572836322-187695268-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
Users (S-1-5-32-545) -> 10000
Power Users (S-1-5-21-2953885461-2572836322-187695268-2107) -> Power Users
Domain Power Users (S-1-5-21-2953885461-2572836322-187695268-2109) -> Domain Power Users
shop (S-1-5-21-2953885461-2572836322-187695268-21003) -> shop
Remote Desktop Users (S-1-5-21-2953885461-2572836322-187695268-2111) -> Remote Desktop Users
QC Data Importers (S-1-5-21-2953885461-2572836322-187695268-2113) -> QC Data Importers
CT Accounting Users (S-1-5-21-2953885461-2572836322-187695268-21029) -> CT Accounting Users
FAS Users (S-1-5-21-2953885461-2572836322-187695268-2115) -> FAS Users
CT Shared Users (S-1-5-21-2953885461-2572836322-187695268-21023) -> CT Shared Users
AV Accounting Users (S-1-5-21-2953885461-2572836322-187695268-2117) -> AV Accounting Users
..
..

net rpc group members "shop" 
Password:
AVATAS.COM\shop1
AVATAS.COM\shop2
AVATAS.COM\userid 
..
..


[root@lsv-df-dc1 samba]# net rpc info -S localhost
Password:
Domain Name: AVATAS.COM
Domain SID: S-1-5-21-2953885461-2572836322-187695268
Sequence number: 1203001771
Num users: 114
Num domain groups: 15
Num local groups: 0




[root@lsv-df-dc1 samba]# net getlocalsid
SID for domain LSV-DF-DC1 is: S-1-5-21-2953885461-2572836322-187695268

[root@lsv-df-dc1 samba]# net rpc rights list accounts -S localhost
Password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned


Comment 3 Jorge Adrian Salaices 2008-02-14 09:40:26 UTC
Created attachment 3141
Second Computer's Samba log after wbinfo -u and wbinfo -g

This log was generated when trying a wbinfo -u and wbinfo -g.
Comment 4 Devin Nate 2008-04-10 11:03:42 UTC
May be the same problem as bug 4184.

We have the same problem. The problem for us is evidenced by using 'valid users = +UNIXGROUP'. We've tried all documented combinations of + / @ / &, and using 'Unix Group\group', which appear in various internet threads. No success.

We have determined that Samba does not appear to care about the unix group. So for instance, if we do 'valid users = +DOMAIN\group' it works as expected, only permitting users of the indicated domain group to access the share.

However, using 'valid users = +unixgroup' does not work as expected. What would be expected (as it has worked in the past) is that a user who is a member of 'unixgroup', either by way of their primary group or of their full grouplist, would be able to access the share. Instead, a user can access the share if their primary group is unixgroup; however, supplementary grouplist membership is ignored.

Also looking for a fix. Our platform is AIX 5.3 TL7 all maint patches. Heimdal krb5 ver 1.1 and openldap current stable.

Thanks,
Devin Nate 
Comment 5 Nikolaus Filus 2008-10-06 10:20:46 UTC
I was just hit by the same problem. I'm using
   samba3-3.0.31-35
   samba3-utils-3.0.31-35
   samba3-winbind-3.0.31-35
from sernet on SLES10. My setup is samba as domain member (ADS mode) using
        idmap backend = ad 
        winbind use default domain = yes
        winbind separator = +
        winbind enum users = yes   
        winbind enum groups = yes 
        winbind cache time = 10
        winbind nested groups = yes
as stated in http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/

Now I discovered that
        valid users = S-1-5-21-2585826257-3449007166-164352979-1145
works as expected. I noticed in the log files the parser is expecting an "S-" value.

Is there any progress regarding this bug or more official fixes?
Comment 6 Jorge Adrian Salaices 2008-10-06 10:57:08 UTC
By the way,
this issue got "carried on" when I applied the suggested patches.

I am now at:

samba-client-3.0.28-1.el5_2.1
samba-3.0.28-1.el5_2.1
samba-common-3.0.28-1.el5_2.1
 
(and the issue still exists.)
Comment 7 Björn Jacke 2013-09-05 10:04:48 UTC
(In reply to comment #0)
> After upgrading from CENTOS4 to CENTOS5 (3.0.11 to 3.0.25b) 
> Samba can no longer associate the user with its secondary groups. 

The permission checks became more strict. You have to enter the exact group/user names including the domain name. The SID is also possible.
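To make the behaviour discussed in this bug concrete, here is an added illustration (not Samba's own code) that matches a share's `valid users` entries against a user's groups in two modes: primary GID only, and the full group list. It also accepts the `DOMAIN\group` form recommended in comment 7. The `getent group` and `id` lines and the domain name `AVATAS.COM` are constructed sample data in the shape of the output quoted above.

```python
"""Added model (not Samba code) of 'valid users' matching: a supplementary
member is rejected when only the primary GID is considered."""
import re

# Constructed 'getent group' lines in the shape of the report's output.
GETENT_GROUP = """\
Domain Users:*:513:userid,user
shop:*:10001:shop1,userid,user
Domain Admins:*:512:root,userid
"""
# Constructed 'id userid' output: only the primary group is listed.
ID_OUTPUT = "uid=10000(userid) gid=513(Domain Users) groups=513(Domain Users)"
# Hypothetical own domain, used to accept DOMAIN\name tokens.
OWN_DOMAIN = "AVATAS.COM"

def parse_getent_group(text):
    """Map lower-cased group name -> (gid, set of member names)."""
    groups = {}
    for line in text.splitlines():
        name, _passwd, gid, members = line.split(":")
        groups[name.lower()] = (int(gid), set(filter(None, members.split(","))))
    return groups

def parse_id(text):
    """Return (username, primary gid) from 'id' output."""
    m = re.match(r"uid=\d+\((\w+)\) gid=(\d+)", text)
    return m.group(1), int(m.group(2))

def split_tokens(valid_users):
    """Split a 'valid users' value; quoted tokens may contain spaces."""
    return [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', valid_users)]

def token_admits(token, user, primary_gid, groups, full_grouplist):
    """Does one token (@grp, +grp, &grp, DOMAIN\\grp or a user name) admit user?"""
    is_group, name = token[0] in "@+&", token.lstrip("@+&")
    if "\\" in name:                      # DOMAIN\name form (comment 7)
        domain, name = name.split("\\", 1)
        if domain.upper() != OWN_DOMAIN:
            return False
    if not is_group:
        return name.lower() == user.lower()
    gid, members = groups.get(name.lower(), (None, set()))
    if gid == primary_gid:                # primary group always counts
        return True
    return full_grouplist and user in members

def admitted_by(valid_users, id_output, getent_output, full_grouplist):
    """List the 'valid users' tokens that admit the user in the given mode."""
    user, primary_gid = parse_id(id_output)
    groups = parse_getent_group(getent_output)
    return [t for t in split_tokens(valid_users)
            if token_admits(t, user, primary_gid, groups, full_grouplist)]
```

With the share's `"@domain admins" "@shop"` list, `admitted_by(..., full_grouplist=False)` returns an empty list for `userid` (primary GID 513) while `full_grouplist=True` admits both tokens, which is the difference the reporters observed.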