Bug 8962 - smbd/vfs.c:881(check_reduced_name) returns NT_STATUS_ACCESS_DENIED
smbd/vfs.c:881(check_reduced_name) returns NT_STATUS_ACCESS_DENIED
Status: NEW
Product: Samba 3.5
Classification: Unclassified
Component: VFS Modules
3.5.10
All All
: P5 normal
: ---
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-05-30 08:48 UTC by Marc Rechté
Modified: 2012-05-30 08:48 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marc Rechté 2012-05-30 08:48:41 UTC
Hello. I am not sure if I report in the correct component.

I have a WORKGROUP domain with a STORAGE server member (security = domain). Winbind with NSS is running.
I have a share on /storage/hourly
ls -l /storage/hourly/
drwxr-xr-x 14 root root  4096 25 mai   07:34 h0
drwxr-xr-x 14 root root  4096 25 mai   07:34 h1
...
ls -l /storage/hourly/h1
...
drwxrws---  2 root       service_technique 4096 25 mai   08:28 technique
...

Winbind reports the following users and groups:

wbinfo -u
systech

wbinfo -g
service technique


Group service_technique has the following members:
getent group service_technique
service_technique:*:489685999:mrechte,systech

User systech is seen OK
getent passwd systech
systech:*:489686002:489685505:System Service Technique:/home/WORKGROUP/systech:/bin/bash

I can connect to /storage/hourly OK:
smbclient //storage/horaire -U systech
Enter systech's password: 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.5.10-116.el6_2]
smb: \> cd h1
smb: \h1\> ls
  technique                           D        0  Wed May 30 07:47:33 2012
smb: \h1\> cd technique
smb: \h1\technique\> ls
  .                                   D        0  Wed May 30 07:47:33 2012
  ..                                  D        0  Fri May 25 07:34:32 2012
  Mozilla Firefox.lnk                        724  Fri Dec 23 17:30:02 2011
  Nouveau dossier                     D        0  Wed May 30 07:47:33 2012

If the logon server is down I cannot connect anymore:
smbclient //storage/horaire -U systech
Enter systech's password: 
session setup failed: NT_STATUS_NO_LOGON_SERVERS

The windbind has been configured with winbind offline logon = yes, so despite logon server is down I still have access to my user/group (getent passwd and group are still reporting the same lists)

Everything is OK so far.

I would like now to reconfigure the member server to a standalone server to allow access to the above share.
I just changed the security = user and add the systech user to tdbsam:
pdbedit -a  systech

I restart the standalone server and try to connect to the share:

smbclient //storage/horaire -U systech
Enter systech's password: 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.5.10-116.el6_2]
smb: \> cd h1
smb: \h1\> ls
  technique                           D        0  Wed May 30 07:47:33 2012
smb: \h1\> cd technique
smb: \h1\technique\> ls
NT_STATUS_ACCESS_DENIED listing \h1\technique\*

This is THE problem.

I noticed that wbinfo -u now reports an extra user:
STORAGE\systech
systech

The samba log shows:
[2012/05/30 08:36:31.188601,  5] smbd/filename.c:169(unix_convert)
  unix_convert called on file "h1/technique/*"
[2012/05/30 08:36:31.188644,  5] smbd/filename.c:328(unix_convert)
  unix_convert begin: name = h1/technique/*, dirpath = h1/technique, start = *
[2012/05/30 08:36:31.188682,  5] smbd/filename.c:653(unix_convert)
  New file *
[2012/05/30 08:36:31.188713,  3] smbd/vfs.c:881(check_reduced_name)
  check_reduced_name [h1/technique/*] [/storage/hourly]
[2012/05/30 08:36:31.188765,  3] smbd/vfs.c:962(check_reduced_name)
  check_reduced_name: couldn't get realpath for h1/technique/*
[2012/05/30 08:36:31.188796,  5] smbd/filename.c:864(check_name)
  check_name: name h1/technique/* failed with NT_STATUS_ACCESS_DENIED
[2012/05/30 08:36:31.188833,  3] smbd/filename.c:1184(filename_convert)
  filename_convert: check_name failed for name h1/technique/* with NT_STATUS_ACCESS_DENIED
[2012/05/30 08:36:31.188866,  3] smbd/error.c:80(error_packet_set)
  error packet at smbd/trans2.c(2305) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED

Could this be a bug in the vfs.c (or engine backend) not getting the proper gid that enables access to "technique" sub-directory ?

Thanks for reading.