Created attachment 8692 [details]
smb.conf security=share version

As explained in this thread https://bbs.archlinux.org/viewtopic.php?id=160161 since the new version 3.6.13, the smb.conf directives force user and force group no longer work, i.e. it is no longer possible to have a share point, open it (logging in) as a guest (e.g. nobody) without a password and then perform file operations inside it as a specific user/group.

This happens in both share and user security mode and, in both cases, the same smb.conf file works fine with the previous version (3.6.12).

Attached is the smb.conf (security=share version)
The only change that I see that might affect this bug is the fix that went in with https://bugzilla.samba.org/show_bug.cgi?id=9039. Can you try reverting the patch in there and see if it helps?
(In reply to comment #1)
> The only change that I see that might affect this bug is the fix that went in
> with https://bugzilla.samba.org/show_bug.cgi?id=9039. Can you try reverting the
> patch in there and see if it helps?

I'm just a user, not a developer. I don't know how to compile the software; I just installed the package provided by the Arch package system. If you give me instructions on how to revert the patch and compile again, I can give it a try. Anyway, if you need some log information, I can provide you the log files (doing the same things from Windows) of both versions 3.6.12 and 3.6.13. Please let me know.
Hi! I've got the same problem with 3.6.13 on my freebsd-8.2R-amd64. I downgraded to 3.6.12 and Samba works just fine again.
Jeremy, can you have a look at this one (or re-assign), please? Thanks!
Can't reproduce this on my v3-6-test setup. I'm using an smb.conf of:

    [global]
        workgroup = WORKGROUP
        security = share
        log file = /usr/local/samba3.6/var/log.%m
        max log size = 0
        panic action = /bin/sleep 999999
        map hidden = no
        map system = no
        map archive = no
        map readonly = no
        store dos attributes = yes
        ea support = yes

    [tmp]
        path = /tmp
        read only = no
        force user = gdm
        force group = gdm
        guest ok = yes

I connected from a Windows 2012 client as a normal user, and files get created correctly with owner gdm, group gdm.

I need a debug level 10 log from the user's machine showing the problem.
Created attachment 8720 [details] Zipped log files and smb.conf
Arch Linux server
Windows 7 client
Same smb.conf (attached)
Windows 7 user: Francesco with no password

Brief test explanation:

Using Samba 3.6.13
    Accessing test_home...access denied
    Log file: smb3613_test_home-accessdenied.log
    Accessing test_tmp...ok
    Creating new file...file created as nobody (not as francesco)
    Log file: smb3613_test_tmp-accessok-fileasnobody.log

Using Samba 3.6.12
    Accessing test_home...access ok
    Log file: smb3612_test_home-ok.log
    Accessing test_tmp...ok
    Creating new file...file created as francesco (ok)
    Log file: smb3612_test_tmp-accessok-fileasfrancesco.log
There is no user francesco in the Samba password database. From your access denied log:

      check_ntlm_password: sam authentication for user [francesco] FAILED with error NT_STATUS_NO_SUCH_USER
    [2013/04/03 19:58:29.169240, 2] auth/auth.c:319(check_ntlm_password)
      check_ntlm_password: Authentication for user [francesco] -> [francesco] FAILED with error NT_STATUS_NO_SUCH_USER
Try adding a user francesco using smbpasswd -a francesco
Why do I have to add francesco as a Samba user while I'm in security=share mode accessing through guest mode (guest ok)? Why did it work fine up to version 3.6.12? The issue of force user not being applied still remains. Please check the other logs (from 3.6.12) for comparison.
Created attachment 8721 [details]
git-am fix for 3.6.next

Ok, now I understand what you're actually trying to do. I've reproduced it and this patch fixes it.

The issue is that if you login as "guest", the guest boolean flag gets attached to your user token. When you're connecting to a share with 'force user' this flag overrides the creation of the token for the specific share with force user set, ensuring you only ever have guest access.

We should only set the guest flag under a 'force user' share if the username being mapped to is the same as the guest user.

I'll attach a similar patch for master/4.0.x shortly.

Jeremy.
Created attachment 8722 [details] git-am fix for master and 4.0.next
Comment on attachment 8722 [details]
git-am fix for master and 4.0.next

Fix not needed on 4.0.x/master. 'guest' bit isn't used to create the token inside make_session_info_from_username() call.
Created attachment 8723 [details]
proposed, but untested patch to fix this in a different way

This is how I would like to see this fixed, assuming it works.
Just to capture the IRC discussion Andrew and I have been having - the issue is that changing the 'is_guest' flag changes what SID is added to the user's token in finalize_local_nt_token(). If is_guest is true then global_sid_Builtin_Guests is added, if is_guest is false then global_sid_Authenticated_Users is added.

So separating out the use_guest_token from is_guest allows the correct SID to be used.

Jeremy.
(In reply to comment #14)
> Created attachment 8723 [details]
> proposed, but untested patch to fix this in a different way
>
> This is how I would like to see this fixed, assuming it works.

I just tested Andrew's fix and it also fixes the problem.
Comment on attachment 8721 [details]
git-am fix for 3.6.next

Marking as obsolete - Andrew's fix is preferred here.

Jeremy.
Comment on attachment 8723 [details]
proposed, but untested patch to fix this in a different way

Jeremy is testing this patch.
Comment on attachment 8723 [details]
proposed, but untested patch to fix this in a different way

Tested this fix on both the reported problem, and on the reproducer for bug #9637 - Renaming directories as guest user in security share mode doesn't work.

Jeremy.
Re-assigning to Karolin for inclusion in 3.6.next. Cheers, Jeremy.
For the record: I had the same problem (works with 3.6.12 but not with 3.6.13) using

    [global]
        security = user
        map to guest = Bad User
        username map = /etc/samba/smbusers

instead of security=share (with no users configured in smbusers). Maybe the patch also covers this case...?
Yes, the patch will cover all cases where a user is logged in as guest accessing a 'force user' share. Jeremy.
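A configuration check for the condition described in this thread (a guest-accessible share with 'force user' set to someone other than the guest account), added here as an example; it is not part of the bug report or of Samba. It assumes `guest account` defaults to `nobody` and that `public` is a synonym for `guest ok`; the sample smb.conf is constructed from the configurations posted above.

```python
DEFAULT_GUEST_ACCOUNT = "nobody"  # assumption: Samba's default guest account

# Constructed sample: [tmp] mirrors the share posted in this thread.
SAMPLE_CONF = """\
[global]
    security = share
[tmp]
    path = /tmp
    force user = gdm
    force group = gdm
    guest ok = yes
[pub]
    path = /srv/pub
    guest ok = yes
    force user = nobody
[staff]
    path = /srv/staff
    force user = gdm
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: sections, 'key = value', # and ; comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def is_yes(value):
    return (value or "").strip().lower() in ("yes", "true", "1")

def affected_shares(text):
    """Shares where a guest session should end up running as a different forced user."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    hits = []
    for name, params in conf.items():
        if name == "global":
            continue
        merged = {**glob, **params}  # share settings override [global]
        guest_ok = is_yes(merged.get("guest ok")) or is_yes(merged.get("public"))
        forced = merged.get("force user")
        if guest_ok and forced and forced != merged.get("guest account", DEFAULT_GUEST_ACCOUNT):
            hits.append((name, forced, merged.get("force group")))
    return hits
```

On a server running a release with this regression, files written by guests to the listed shares are owned by the guest account instead of the forced user, so these are the shares to re-test after upgrading.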
Pushed to v3-6-test. Will be included in 3.6.15. Closing out bug report. Thanks!
*** Bug 9859 has been marked as a duplicate of this bug. ***