Bug 9072 - Trusted AD user who belongs to "valid users" can not access Samba Server on samba-3.6.5
Trusted AD user who belongs to "valid users" can not access Samba Server on s...
Status: NEW
Product: Samba 3.6
Classification: Unclassified
Component: SMB2
3.6.5
All All
: P5 major
: ---
Assigned To: Jeremy Allison
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-31 05:36 UTC by jinyunshuai
Modified: 2012-07-31 10:38 UTC (History)
0 users

See Also:


Attachments
smbd logs with log level = 10 (65.35 KB, application/octet-stream)
2012-07-31 05:39 UTC, jinyunshuai
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description jinyunshuai 2012-07-31 05:36:54 UTC
I found a new issue on samba-3.6.5 : "Trusted AD user who belongs to "valid users" can not access Samba Server on samba-3.6.5"
 
Adomain and Bdomain are trusted eath other.
samba server is joined to Adomain.
user test1 is a normal AD user from Bdomain.test, but it is a member of group "Adomain\sag1"
 
Edit smb.conf, then set "valid users" to be an AD group for samba share named
valid-users-test
---------------------------------
[valid-users-test]
    path = /valid-users-test
    public = no
    valid users = +Adomain\sag1  
    writable = yes
 
Try to access samba server via test1.
--------------------------------
root@ubdesk1004x64v2:/# smbclient -U 'Bdomain\test1'%'pas$word'  //samba-server/valid-users-test

Domain=[ASMB] OS=[Unix] Server=[Samba 3.6.5]
tree connect failed: NT_STATUS_ACCESS_DENIED
 
this issue dose not exist on samba-3.5.11
 
Any ideas,  how to work around the issue?
Comment 1 jinyunshuai 2012-07-31 05:39:24 UTC
Created attachment 7729 [details]
smbd logs with log level = 10
Comment 2 jinyunshuai 2012-07-31 05:41:53 UTC
I have posted log.smbd logs with log level = 10

from the log of log.smbd , the list of SIDs in the user test1's token as follows not include
Adomain\sag1's SID : sid:S-1-5-21-1122027669-4162194335-1793782112-1619
 
log: 
[2012/07/25 15:19:28.972211,  2] auth/auth.c:309(check_ntlm_password)
  check_ntlm_password:  authentication for user [test1] -> [test1] -> [Bdomain\test1] succeeded
[2012/07/25 15:19:28.972836, 10] auth/token_util.c:223(create_local_nt_token_from_info3)
  Create local NT token for test1
[2012/07/25 15:19:28.972965,  4] smbd/sec_ctx.c:214(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/07/25 15:19:28.973058,  4] smbd/uid.c:460(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2012/07/25 15:19:28.973142,  4] smbd/sec_ctx.c:318(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2012/07/25 15:19:28.973225,  5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2012/07/25 15:19:28.973307,  5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2012/07/25 15:19:28.973532,  4] smbd/sec_ctx.c:426(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/07/25 15:19:28.973668,  4] lib/privileges.c:97(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-21-617921265-4113386574-2758986863-1107]
[2012/07/25 15:19:28.973780,  4] lib/privileges.c:97(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-21-617921265-4113386574-2758986863-513]
[2012/07/25 15:19:28.973900,  5] lib/privileges.c:175(get_privileges_for_sids)
  get_privileges_for_sids: sid = S-1-1-0
  Privilege set: 0x0
[2012/07/25 15:19:28.974037,  4] lib/privileges.c:97(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2012/07/25 15:19:28.974136,  4] lib/privileges.c:97(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2012/07/25 15:19:28.974400, 10] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (10):
    SID[  0]: S-1-5-21-617921265-4113386574-2758986863-1107
    SID[  1]: S-1-5-21-617921265-4113386574-2758986863-513
    SID[  2]: S-1-1-0
    SID[  3]: S-1-5-2
    SID[  4]: S-1-5-11
    SID[  5]: S-1-22-1-10012
    SID[  6]: S-1-22-2-1006
    SID[  7]: S-1-22-2-1002
    SID[  8]: S-1-22-2-1003
    SID[  9]: S-1-22-2-1004
   Privileges (0x               0):
   Rights (0x               0):
[2012/07/25 15:19:28.974968, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10012
  Primary group is 10012 and contains 4 supplementary groups
  Group[  0]: 1006
  Group[  1]: 1002
  Group[  2]: 1003
  Group[  3]: 1004

if use a Adomain user which belongs to  Adomain\sag1 to access samba server,  his token includes Adomain\sag1's SID : sid:S-1-5-21-1122027669-4162194335-1793782112-1619
thanks
Comment 3 jinyunshuai 2012-07-31 06:06:45 UTC
So I gdb samba-3.6.5 code, I find 

1> after run wbc_status = wbcAuthenticateUserEx(&params, &info, &err)(source3/auth/auth_winbind.c:98), 
  info->sids struct have included Adomain\sag1's SID 

2> but when run make_server_info_wbcAuthUserInfo(source3/auth/auth_winbind.c:126) call "info3 = wbcAuthUserInfo_to_netr_SamInfo3(mem_ctx, info)"(source3/auth/auth_util.c:1297) which copy the content of info to info3, the Adomain\sag1's SID  was dropped.

3> the cause of Adomain\sag1's SID dropped is 
 Adomain\sag1 and Bdomain\test1 belong to different domains.
 the code is libcli/security/util_sid.c:sid_peek_check_rid()




thanks
Comment 4 jinyunshuai 2012-07-31 10:38:11 UTC
when I add following lines into sources/smbd/auth/server_info.c:660,
the issue is fixed.

if ( info->num_sids) {
                info3->sidcount = info->num_sids
                info3->sids = talloc_array(info3, struct netr_SidAttr,
                                           info->num_sids);
                RET_NOMEM(info3->sids);
                int i = 0;
                for (; i <  info->num_sids; i++) {
                        info3->sids[i].sid = dom_sid_dup(info3->sids,
                                                           (struct dom_sid*)
&(info->sids[i].sid));
                        RET_NOMEM(info3->sids[i].sid);
                        info3->sids[i].attributes =
                                info->sids[i].attributes;
                }
        }