I found a new issue on samba-3.6.5: "Trusted AD user who belongs to "valid users" cannot access Samba Server on samba-3.6.5"

Adomain and Bdomain trust each other. The samba server is joined to Adomain. User test1 is a normal AD user from Bdomain.test, but it is a member of group "Adomain\sag1".

Edit smb.conf, then set "valid users" to be an AD group for the samba share named valid-users-test:
---------------------------------
[valid-users-test]
path = /valid-users-test
public = no
valid users = +Adomain\sag1
writable = yes

Try to access the samba server via test1:
--------------------------------
root@ubdesk1004x64v2:/# smbclient -U 'Bdomain\test1'%'pas$word' //samba-server/valid-users-test
Domain=[ASMB] OS=[Unix] Server=[Samba 3.6.5]
tree connect failed: NT_STATUS_ACCESS_DENIED

This issue does not exist on samba-3.5.11. Any ideas how to work around the issue?
Created attachment 7729: smbd logs with log level = 10
I have posted the log.smbd log with log level = 10. From log.smbd, the list of SIDs in user test1's token, as follows, does not include Adomain\sag1's SID: sid:S-1-5-21-1122027669-4162194335-1793782112-1619

log:
[2012/07/25 15:19:28.972211, 2] auth/auth.c:309(check_ntlm_password)
  check_ntlm_password: authentication for user [test1] -> [test1] -> [Bdomain\test1] succeeded
[2012/07/25 15:19:28.972836, 10] auth/token_util.c:223(create_local_nt_token_from_info3)
  Create local NT token for test1
[2012/07/25 15:19:28.972965, 4] smbd/sec_ctx.c:214(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/07/25 15:19:28.973058, 4] smbd/uid.c:460(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2012/07/25 15:19:28.973142, 4] smbd/sec_ctx.c:318(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2012/07/25 15:19:28.973225, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2012/07/25 15:19:28.973307, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2012/07/25 15:19:28.973532, 4] smbd/sec_ctx.c:426(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/07/25 15:19:28.973668, 4] lib/privileges.c:97(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-21-617921265-4113386574-2758986863-1107]
[2012/07/25 15:19:28.973780, 4] lib/privileges.c:97(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-21-617921265-4113386574-2758986863-513]
[2012/07/25 15:19:28.973900, 5] lib/privileges.c:175(get_privileges_for_sids)
  get_privileges_for_sids: sid = S-1-1-0
  Privilege set: 0x0
[2012/07/25 15:19:28.974037, 4] lib/privileges.c:97(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2012/07/25 15:19:28.974136, 4] lib/privileges.c:97(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2012/07/25 15:19:28.974400, 10] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (10):
    SID[ 0]: S-1-5-21-617921265-4113386574-2758986863-1107
    SID[ 1]: S-1-5-21-617921265-4113386574-2758986863-513
    SID[ 2]: S-1-1-0
    SID[ 3]: S-1-5-2
    SID[ 4]: S-1-5-11
    SID[ 5]: S-1-22-1-10012
    SID[ 6]: S-1-22-2-1006
    SID[ 7]: S-1-22-2-1002
    SID[ 8]: S-1-22-2-1003
    SID[ 9]: S-1-22-2-1004
  Privileges (0x 0):
  Rights (0x 0):
[2012/07/25 15:19:28.974968, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10012
  Primary group is 10012 and contains 4 supplementary groups
    Group[ 0]: 1006
    Group[ 1]: 1002
    Group[ 2]: 1003
    Group[ 3]: 1004

If an Adomain user who belongs to Adomain\sag1 is used to access the samba server, his token includes Adomain\sag1's SID: sid:S-1-5-21-1122027669-4162194335-1793782112-1619

thanks
So I ran gdb on the samba-3.6.5 code, and I find:

1> After running wbc_status = wbcAuthenticateUserEx(&params, &info, &err) (source3/auth/auth_winbind.c:98), the info->sids struct includes Adomain\sag1's SID.

2> But when make_server_info_wbcAuthUserInfo (source3/auth/auth_winbind.c:126) runs and calls "info3 = wbcAuthUserInfo_to_netr_SamInfo3(mem_ctx, info)" (source3/auth/auth_util.c:1297), which copies the content of info to info3, Adomain\sag1's SID is dropped.

3> The cause of Adomain\sag1's SID being dropped is that Adomain\sag1 and Bdomain\test1 belong to different domains. The code is libcli/security/util_sid.c:sid_peek_check_rid().

thanks
When I add the following lines into sources/smbd/auth/server_info.c:660, the issue is fixed.

	/* Copy every SID winbind returned, including groups from trusted
	 * domains, into info3->sids instead of dropping them. */
	if (info->num_sids) {
		int i;
		info3->sidcount = info->num_sids;
		info3->sids = talloc_array(info3, struct netr_SidAttr, info->num_sids);
		RET_NOMEM(info3->sids);
		for (i = 0; i < info->num_sids; i++) {
			info3->sids[i].sid = dom_sid_dup(info3->sids,
					(struct dom_sid *)&info->sids[i].sid);
			RET_NOMEM(info3->sids[i].sid);
			info3->sids[i].attributes = info->sids[i].attributes;
		}
	}
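As an added example, not Samba's code and not the reporter's patch, the following toy model reproduces the SID-list conversion discussed in the two comments above: a same-domain-only check in the style of sid_peek_check_rid() silently drops the trusted-domain group Adomain\sag1, while carrying other-domain SIDs in a separate list, as the proposed fix does, keeps the group visible to the "valid users" check. The SID values are the ones quoted in the report; the struct layout and function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of an info3-style token: groups from the user's own
 * domain are stored as bare RIDs, anything else must go into a separate
 * list of full SIDs (the role of info3->sids in the patch above). */
#define MAX_SIDS 16
struct sam_info3 {
    unsigned rids[MAX_SIDS]; int rid_count;       /* own-domain groups, RID only */
    const char *extra[MAX_SIDS]; int extra_count; /* other-domain SIDs, kept whole */
};
/* Analogue of sid_peek_check_rid(): true only if sid is domain_sid + "-<rid>". */
static int peek_check_rid(const char *domain_sid, const char *sid, unsigned *rid)
{
    size_t n = strlen(domain_sid);
    if (strncmp(sid, domain_sid, n) != 0 || sid[n] != '-') return 0;
    return sscanf(sid + n + 1, "%u", rid) == 1;
}
/* keep_extra == 0 models 3.6.5 as reported; keep_extra == 1 models the proposed fix. */
static void convert(const char *dom, const char **sids, int n, int keep_extra, struct sam_info3 *out)
{
    memset(out, 0, sizeof *out);
    for (int i = 0; i < n; i++) {
        unsigned rid;
        if (peek_check_rid(dom, sids[i], &rid)) out->rids[out->rid_count++] = rid;
        else if (keep_extra) out->extra[out->extra_count++] = sids[i];
        /* else: silently dropped, which is the symptom seen in the log above */
    }
}
/* What a "valid users = +group" check needs: is the group SID in the token? */
static int token_has_sid(const struct sam_info3 *t, const char *dom, const char *sid)
{
    unsigned rid;
    if (peek_check_rid(dom, sid, &rid)) {
        for (int i = 0; i < t->rid_count; i++) if (t->rids[i] == rid) return 1;
        return 0;
    }
    for (int i = 0; i < t->extra_count; i++) if (!strcmp(t->extra[i], sid)) return 1;
    return 0;
}
/* Replays the report: Bdomain\test1 whose winbind SID list includes Adomain\sag1. */
int sag1_survives(int keep_extra)
{
    const char *bdomain = "S-1-5-21-617921265-4113386574-2758986863";
    const char *sag1 = "S-1-5-21-1122027669-4162194335-1793782112-1619";
    const char *sids[] = { "S-1-5-21-617921265-4113386574-2758986863-1107", sag1 }; /* test1, sag1 */
    struct sam_info3 t;
    convert(bdomain, sids, 2, keep_extra, &t);
    return token_has_sid(&t, bdomain, sag1);
}
```

sag1_survives(0) returns 0 (access denied, as in the report) and sag1_survives(1) returns 1.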