Bug 6291 - force user stop working
Summary: force user stop working
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: File services (show other bugs)
Version: 3.2.11
Hardware: All All
Importance: P3 critical
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL:
Keywords:
Duplicates: 6354
Depends on:
Blocks:
 
Reported: 2009-04-24 02:39 UTC by Bartlomiej Solarz-Niesluchowski
Modified: 2009-05-14 05:56 UTC

See Also:


Attachments
Patch for all branches. (1.83 KB, patch), 2009-04-27 16:22 UTC, Jeremy Allison
Updated patch for all branches. (2.14 KB, patch), 2009-04-27 16:59 UTC, Jeremy Allison
Alternate patch for all branches. (2.03 KB, patch), 2009-04-27 17:00 UTC, Jeremy Allison

Description Bartlomiej Solarz-Niesluchowski 2009-04-24 02:39:20 UTC
After upgrade from samba 3.2.8 to samba 3.2.11 shares with force user:

[reklama-root]
        comment = Udzial dla Transferu Reklam
        path = /home/specjalne/reklama
        valid users = solarz, majewska, krawczak, kulma, miler, jmlynarc
        force user = reklama
        force group = others
        read only = No

stop working.

oceanic:/home/specjalne/reklama# smbclient \\\\oceanic\\reklama-root -U solarz
Enter solarz's password:
Domain=[WSISIZ.EDU.PL] OS=[Unix] Server=[Samba 3.2.11-0.30.fc10]
smb: \> dir
NT_STATUS_NETWORK_ACCESS_DENIED listing \*

                0 blocks of size 0. 511 blocks available
smb: \> quit

In the logs it seems that:
[2009/04/24 09:35:40,  1, pid=31518, effective(1761, 103), real(0, 0)] smbd/service.c:make_connection_snum(1194)
  oceanic (::ffff:213.135.44.33) signed connect to service reklama-root initially as user reklama (uid=1761, gid=103) (pid 31518)
[2009/04/24 09:35:43,  0, pid=31518, effective(1761, 103), real(0, 0)] smbd/service.c:set_current_service(187)
  chdir (/home/specjalne/reklama) failed
[2009/04/24 09:35:43,  0, pid=31518, effective(1761, 103), real(0, 0)] smbd/service.c:set_current_service(187)
  chdir (/home/specjalne/reklama) failed
[2009/04/24 09:35:44,  1, pid=31518, effective(0, 0), real(0, 0)] smbd/service.c:close_cnum(1405)
  oceanic (::ffff:213.135.44.33) closed connection to service reklama-root

Samba does NOT change the effective uid (but it does change the gid) after connecting to a share with force user (3.2.8 DOES change the effective uid).

user reklama has:
id -a reklama
uid=8878(reklama) gid=103(others) groups=103(others),100(users)

Best Regards
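The log excerpt above already shows the failure without needing a client: smbd reports the connection "initially as user reklama" but the uid it prints (1761) is solarz's, not reklama's (8878), and the header's effective(1761, 103) agrees. The script below is an added example, not Samba code or anything from this report's participants. It parses smbd log lines in the format produced by "debug pid = Yes" / "debug uid = Yes", pairs each "connect to service" message with its header, and compares the uid/gid smbd actually adopted with what the share's force user / force group should have produced. The PASSWD and GROUPS maps are constructed from the id -a output in the report (on a real host you would use pwd.getpwnam and grp.getgrnam instead); the sample log text is the report's own lines reproduced as constructed input.

```python
"""Audit smbd log lines for 'force user' shares whose identity switch did not take effect.

Added example (not Samba code). Assumes smbd logging with
"debug pid = Yes" and "debug uid = Yes", which yields headers like:
  [2009/04/24 09:35:40,  1, pid=31518, effective(1761, 103), real(0, 0)] smbd/service.c:...
followed by an indented message line.
"""
import re

# Constructed from the `id -a` output in the bug report (name -> (uid, primary gid)).
PASSWD = {"reklama": (8878, 103), "solarz": (1761, 101)}
# Constructed group map; "others" is gid 103 per `id -a reklama`.
GROUPS = {"others": 103, "staff": 101}

# Only the share parameters the check needs, taken from the posted smb.conf.
SHARE_CONF = {
    "reklama-root": {"force user": "reklama", "force group": "others"},
}

# Constructed sample input: the log lines quoted in the report.
SAMPLE_LOG = (
    "[2009/04/24 09:35:40,  1, pid=31518, effective(1761, 103), real(0, 0)] "
    "smbd/service.c:make_connection_snum(1194)\n"
    "  oceanic (::ffff:213.135.44.33) signed connect to service reklama-root "
    "initially as user reklama (uid=1761, gid=103) (pid 31518)\n"
    "[2009/04/24 09:35:43,  0, pid=31518, effective(1761, 103), real(0, 0)] "
    "smbd/service.c:set_current_service(187)\n"
    "  chdir (/home/specjalne/reklama) failed\n"
)

HEADER_RE = re.compile(
    r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+), pid=(?P<pid>\d+), "
    r"effective\((?P<euid>\d+), (?P<egid>\d+)\), real\((?P<ruid>\d+), (?P<rgid>\d+)\)\]"
)
CONNECT_RE = re.compile(
    r"connect to service (?P<service>\S+) initially as user (?P<user>\S+) "
    r"\(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\)"
)


def parse_connections(log_text):
    """Return one dict per 'connect to service' entry, merged with its header fields."""
    records = []
    header = None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            # Header fields: ts, level, pid, euid, egid, ruid, rgid (numeric ones as int).
            header = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
            continue
        if header is None:
            continue
        c = CONNECT_RE.search(line)
        if c:
            rec = dict(header)
            rec.update(service=c["service"], user=c["user"],
                       uid=int(c["uid"]), gid=int(c["gid"]))
            records.append(rec)
    return records


def check_force_user(conn, share_conf=SHARE_CONF, passwd=PASSWD, groups=GROUPS):
    """Return a list of problems for one connection; an empty list means force user took effect."""
    params = share_conf.get(conn["service"], {})
    forced = params.get("force user")
    if not forced:
        return []  # nothing forced on this share, nothing to verify
    exp_uid, exp_gid = passwd[forced]
    if params.get("force group"):
        exp_gid = groups[params["force group"]]
    problems = []
    if conn["user"] != forced:
        problems.append(f"connected as {conn['user']}, expected forced user {forced}")
    for label, got in (("uid", conn["uid"]), ("effective uid", conn["euid"])):
        if got != exp_uid:
            problems.append(f"{label} {got} != {exp_uid} ({forced})")
    for label, got in (("gid", conn["gid"]), ("effective gid", conn["egid"])):
        if got != exp_gid:
            problems.append(f"{label} {got} != {exp_gid} ({params.get('force group') or forced})")
    return problems


def audit(log_text):
    """Map 'service@pid' to its list of problems for every connection found in the log."""
    return {f"{c['service']}@{c['pid']}": check_force_user(c) for c in parse_connections(log_text)}


if __name__ == "__main__":
    for key, problems in audit(SAMPLE_LOG).items():
        print(key, "OK" if not problems else "; ".join(problems))
```

Run it against the report's lines and it flags both the uid in the message and the effective uid in the header as solarz's (1761) instead of reklama's (8878), while the gid checks pass, which is exactly the asymmetry the reporter describes. A clean 3.2.8 or 3.3.x log of the same connection produces an empty problem list.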
Comment 1 Jeremy Allison 2009-04-24 03:04:26 UTC
Your forced user isn't in your valid user list. Can you add reklama to that list to see if that makes a difference?
Jeremy.
Comment 2 Bartlomiej Solarz-Niesluchowski 2009-04-24 03:40:54 UTC
(In reply to comment #1)
> Your forced user isn't in your valid user list. Can you add reklama
>  to that list to see if that makes a difference ?
> Jeremy.
Tested:

[reklama-root]
        comment = Udzial dla Transferu Reklam
        path = /home/specjalne/reklama
        valid users = reklama, solarz, majewska, krawczak, kulma, miler, jmlynarc
        force user = reklama
        force group = others
        read only = No

oceanic:/home/specjalne/reklama# smbclient \\\\oceanic\\reklama-root -U solarz
Enter solarz's password:
Domain=[WSISIZ.EDU.PL] OS=[Unix] Server=[Samba 3.2.11-0.30.fc10]
smb: \> dir
NT_STATUS_NETWORK_ACCESS_DENIED listing \*

                0 blocks of size 0. 511 blocks available
smb: \> quit

It does not help
Comment 3 Jeremy Allison 2009-04-24 04:45:37 UTC
Ok, I'll check here and try and reproduce. Just for comparison, can you reproduce this problem with 3.3.3 ?
Jeremy
Comment 4 Bartlomiej Solarz-Niesluchowski 2009-04-24 06:28:17 UTC
(In reply to comment #3)
> Ok, I'll check here and try and reproduce. Just for comparison, can you
> reproduce this problem with 3.3.3 ?
> Jeremy

On 3.3.3 it works as desired - tested on different server
Comment 5 Jeremy Allison 2009-04-24 07:19:55 UTC
I've tried to reproduce this with current 3.2 git tree and cannot with a simple attempt. Can you post your full smb.conf, and also a tree listing (including user and group permissions) of the share directory you're trying to access. Also a list of what groups the user is in would help.
Jeremy.
Comment 6 Bartlomiej Solarz-Niesluchowski 2009-04-24 07:24:30 UTC
(In reply to comment #5)
> I've tried to reproduce this with current 3.2 git tree and cannot with a simple
> attempt. Can you post your full smb.conf, and also a tree listing (including
> user and group permissions) of the share directory you're trying to access.
> Also a list of what groups the user is in would help.
> Jeremy.

[global]
        #dos charset = CP852
        unix charset = UTF8
        display charset = UTF8
        workgroup = WSISIZ.EDU.PL
        allow trusted domains = No
        passdb backend = ldapsam:"ldap://mythodea.wsisiz.edu.pl/ ldap://portraits.wsisiz.edu.pl/"
        pam password change = Yes
        check password script = /usr/local/sbin/crackcheck -s -d /usr/lib64/cracklib_dict
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log level = 1
        max log size = 10240000000
        debug pid = Yes
        debug uid = Yes
        time server = Yes
        server signing = auto
        deadtime = 60
        hostname lookups = Yes
        printcap cache time = 600
        printcap name = cups
        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/local/sbin/smbldap-useradd -t 5 -w "%u"
        logon script = login.bat
        logon drive = z:
        logon home = \\%N\%U\profile
        domain logons = Yes
        os level = 128
        preferred master = Yes
        domain master = Yes
        wins proxy = Yes
        wins support = Yes
        ldap admin dn = cn=Manager,dc=wsisiz,dc=edu,dc=pl
        ldap delete dn = Yes
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Computers
        ldap passwd sync = Yes
        ldap suffix = dc=wsisiz,dc=edu,dc=pl
        ldap ssl = no
        ldap user suffix = ou=Users
        remote browse sync = oxygene.ibspan.waw.pl antarctica china spiral direct odyssey
        winbind use default domain = Yes
        create mask = 0644
        inherit acls = Yes
        hosts allow = 127., 213.135.34.0/255.255.255.0, 213.135.44.0/255.255.252.0, 213.135.48.0/255.255.254.0, 2001:1a68:a::/48
        ea support = Yes
        map acl inherit = Yes
        printing = cups
        cups options = raw
        print command =
        lpq command = %p
        lprm command =
        hide dot files = No
        store dos attributes = Yes

[reklama-root]
        comment = Udzial dla Transferu Reklam
        path = /home/specjalne/reklama
        valid users = reklama, solarz, majewska, krawczak, kulma, miler, jmlynarc
        force user = reklama
        force group = others
        read only = No


oceanic:~# ls -ld /home
lrwxrwxrwx 1 root root 5 Nov 24 20:09 /home -> home1
oceanic:~# ls -ld /home1
drwxr-xr-x 14 root root 1024 Apr 10 00:45 /home1
oceanic:~# ls -ld /home1/specjalne/
drwxr-xr-x 42 root root 1024 Mar 30 13:06 /home1/specjalne/
oceanic:~# ls -ld /home1/specjalne/reklama/
drwx------ 11 reklama others 1024 Nov  6 19:12 /home1/specjalne/reklama/
oceanic:~# id -a reklama
uid=8878(reklama) gid=103(others) groups=103(others),100(users)
oceanic:~# id -a solarz
uid=1761(solarz) gid=101(staff) groups=101(staff),0(root),87(www),100(users),205(cron),69(ping),39(music),215(adminswin),303(biblioteka),512(Domain Admins),1005(terminal-max),1006(terminal),1007(sas),1008(spss),1010(vnc-users),1011(studencien),1013(dziekanatwitz),1014(sourcesafe),1019(pob-rw),1020(windykacja),1021(projektbr)

Comment 7 Rolf Fokkens 2009-04-26 06:39:03 UTC
Same problem here. The following may be interesting: creation of items fails (so force user doesn't work) but deletion just works, which suggests that force user is in effect.
Comment 8 Rolf Fokkens 2009-04-26 07:05:01 UTC
I reported the bug to the fedora folks as well, as both mine and the initially reported bug are related to 3.2.11-0.30.fc1, which is Fedora.

https://bugzilla.redhat.com/show_bug.cgi?id=497708
Comment 9 Guenther Deschner 2009-04-27 09:10:46 UTC
Ok, reproduced this with 3-2-test as well as 3.2.9 and 3.2.11.

(It is fine in master,3-4-test,3-3-test,3.3.3 and 3.2.8)
Comment 10 Jeremy Allison 2009-04-27 11:05:11 UTC
Ok Guenther, how did you reproduce this ? I tried locally but couldn't (reproduce it) in the 3.2.x git tree.
Jeremy.
Comment 11 Guenther Deschner 2009-04-27 11:08:59 UTC
[share]
        path = /tmp/share
        force user = gd
        force group = users
        write list = simo

is my example config, just a standalone box.

git bisect from 3.2.8 and 3.2.9 (where it is broken) reveals
f816072e3f8b92886b891a3101f4e50ffb727c6f as the first commit that breaks it (the function modified in that commit is called from the find_forced_user() call).

In 3.3 we moved away from find_forced_user() with this: ddcea20947fb3ca5ccd9e2a1e024ac8296dc4055
Comment 12 Guenther Deschner 2009-04-27 11:10:00 UTC
(In reply to comment #11)
> [share]
>         path = /tmp/share
>         force user = gd
>         force group = users
>         write list = simo

then I just smbclient as simo into the box and create a folder, the folder is owned by simo then (instead of gd).
Comment 13 Jeremy Allison 2009-04-27 12:01:13 UTC
Yeah, that's pretty much what I did but couldn't reproduce it. Although my forced user wasn't a user with a Samba passdb entry... Hmm. Anyway, I'll look at this now you've found a commit that breaks things.
Jeremy.
Comment 14 Jeremy Allison 2009-04-27 12:26:15 UTC
Can't find f816072e3f8b92886b891a3101f4e50ffb727c6f doing a git-log on 3-2-test. Any ideas as to what might be wrong ?
Jeremy.
Comment 15 Jeremy Allison 2009-04-27 16:22:53 UTC
Created attachment 4085 [details]
Patch for all branches.

This works here for me. Please review and test.
Jeremy.
Comment 16 Jeremy Allison 2009-04-27 16:59:01 UTC
Created attachment 4086 [details]
Updated patch for all branches.

Added comment, correct error exits for the previous patch.
Jeremy.
Comment 17 Jeremy Allison 2009-04-27 17:00:03 UTC
Created attachment 4087 [details]
Alternate patch for all branches.

Alternate way of fixing this. Depends on internal knowledge of what passdb does for the guest user. Both of these patches fix the problem; now we need to decide which way to choose.
Jeremy.
Comment 18 Michael Adam 2009-04-28 04:16:51 UTC
As already discussed last night with Jeremy,
I like the first patch (from Comment #16) better.
Comment 19 Guenther Deschner 2009-04-28 06:13:18 UTC
(In reply to comment #18)
> As already discussed last night with Jeremy,
> I like the first patch (from Comment #16) better.

Yes, me too. I've built test packages for fedora10 and tested them. force user worked as expected.
Comment 20 Bartlomiej Solarz-Niesluchowski 2009-04-28 07:15:38 UTC
(In reply to comment #19)
> (In reply to comment #18)
> > As already discussed last night with Jeremy,
> > I like the first patch (from Comment #16) better.
> Yes, me too. I've built test packages for fedora10 and tested them. force user
> worked as expected.

Confirmed
Comment 21 Karolin Seeger 2009-05-03 01:59:55 UTC
Closing out bug report.
Patch is included in Samba 3.3.4.

Thanks for reporting!
Comment 22 Karolin Seeger 2009-05-11 06:10:11 UTC
Patch will be included in 3.2.12.
Comment 23 Mark Orenstein 2009-05-14 05:56:29 UTC
*** Bug 6354 has been marked as a duplicate of this bug. ***