
[Samba] AD Groups Failing to Authorize in Valid Users (does not start with S-)

From: Wagner, Douglas <dwagner_at_nospam>
Date: Thu Aug 19 2010 - 23:38:27 GMT
To: <samba@lists.samba.org>

For the last 3 weeks I've been working on getting RHEL4 (and 5, but
that's a different story) to play well with Active Directory, OpenLDAP,
Kerberos, PAM and NSS.

It's been a long struggle but I now have a process to authenticate and
authorize a RHEL4 client to a Windows Active Directory server so that my
AD users can log into my Linux boxes (assuming their group permissions
are set right).

Now it's time for Samba. After walking through the Samba by Example
with AD stuff and applying it to my information I've got Samba MOSTLY
working.

Adding an AD Domain User (in the form DOMAIN+user in the Valid Users
list) into a share causes the share to reject all but the list of users.
GREAT!

Unfortunately adding a Domain Group (in the form @DOMAIN+group) to the
valid users list does NOT properly authorize the user, even when he or she
belongs to the proper group.

[test02@machine01 ~]$ smbclient //machine01/opt_share -k
WARNING: The "printer admin" option is deprecated
OS=[Unix] Server=[Samba 3.0.33-0.19.el4_8.1]
tree connect failed: NT_STATUS_ACCESS_DENIED

BTW both -U and -k work to authenticate a user, so Kerberos does in fact
work.

When I do this (at debug level 10) I get the following snippet:

[2010/08/19 18:07:31, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2010/08/19 18:07:31, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2010/08/19 18:07:31, 5] smbd/uid.c:change_to_root_user(288)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2010/08/19 18:07:31, 4] smbd/reply.c:reply_tcon_and_X(506)
  Client requested device type [?????] for share [OPT_SHARE]
[2010/08/19 18:07:31, 5] smbd/service.c:make_connection(1214)
  making a connection to 'normal' service opt_share
[2010/08/19 18:07:31, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid @DOMAIN+tstgrp02 does not start with 'S-'.
[2010/08/19 18:07:31, 5] smbd/password.c:user_in_netgroup(470)
  Unable to get default yp domain, let's try without specifying it
[2010/08/19 18:07:31, 5] smbd/password.c:user_in_netgroup(474)
  looking for user DOMAIN+test02 of domain (ANY) in netgroup
DOMAIN+tstgrp02
[2010/08/19 18:07:31, 5] smbd/password.c:user_in_netgroup(490)
  looking for user domain+test02 of domain (ANY) in netgroup
DOMAIN+tstgrp02
[2010/08/19 18:07:31, 10] passdb/lookup_sid.c:lookup_name(70)
  lookup_name: DOMAIN\tstgrp02 => DOMAIN (domain), tstgrp02 (name)
[2010/08/19 18:07:31, 10] passdb/lookup_sid.c:lookup_name(71)
  lookup_name: flags = 0x077
[2010/08/19 18:07:31, 10] smbd/share_access.c:user_ok_token(211)
  User DOMAIN+test02 not in 'valid users'
[2010/08/19 18:07:31, 2] smbd/service.c:make_connection_snum(616)
  user 'DOMAIN+test02' (from session setup) not permitted to access this
share (opt_share
)
[2010/08/19 18:07:31, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED

However wbinfo will properly return a good SID for the group:

root@machine01 samba]# wbinfo -n DOMAIN+tstgrp02
S-1-5-21-2295727956-4092415901-3019033540-XXXX Domain Group (2)

[last 4 removed for security purposes]

To save the trouble of asking for it, I'll post up my SMB.CONF file
here:

# Samba config file created using SWAT
# Date: 2006/02/15 14:00:00

# Global parameters
[global]
        workgroup = DOMAIN
        realm = DOMAIN.NET
        netbios name = machine01
        server string = CIFS Server on machine01
        security = ADS
        #encrypt passwords = true
        #password server = dc.domain.net
        #map to guest = Bad Password
        username map = /etc/samba/smbusers
        #wins server = dc.domain.net
        
        #Printing Options
        printcap name = cups
        printing = cups
        load printers = Yes
        cups options = raw
        printer admin = @ntadmin, root, administrator
        print command =
        lpq command = %p
        lprm command =

        #Winbind Options
        winbind separator = +
        
        #LDAP Options
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000

        #Debug Logging Information parameters
        log level = 10
        log file = /var/log/samba/%m.log
        max log size = 0

[opt_share]
        comment = Test Opt Share
        path = /opt/share
        valid users = @DOMAIN+tstgrp02
        force user = test02
        force group = tstgrp01
        read only = no
        browseable = yes
        guest ok = no
        printable = no

Note: if in the "valid users" list I put DOMAIN+test02 I still get the
issue with the group check, but I am authorized.

Last bit of information that I don't know whether it means anything or
not:

[root@machine01 samba]# wbinfo -g
<snip>
DOMAIN+tstgrp01
DOMAIN+tstgrp02

[root@stltrh4ldap01 samba]# getent group
root:x:0:root
<snip>
request 1 done
tstgrp01:*:10000:test04,test03,test02
tstgrp02:*:10001:test04,test03,test02
request 2 done

Getent is not applying the DOMAIN+ on the front of each group in the
password file. Not sure if it's supposed to or not. Note that
nsswitch.conf reads:

passwd: files ldap [TRYAGAIN=continue] winbind
shadow: files
group: files ldap [TRYAGAIN=continue] winbind

(I added winbind on the end hoping that it might help; obviously it
doesn't).

Architecturally, login to the box is done via Kerberos, pam_krb5, and
nss_ldap. OpenLDAP/nss_ldap is pulling group and user information out
of Active Directory (2003 with the Identity Management for Unix plugin
in place) but is NOT being used for authentication information. Winbind
is not used for anything but SAMBA in this case (and that's as I'd
prefer it).

HELP?!?!?!? This is LITERALLY the last piece of the puzzle (and one of
the most important to save our administrative costs).

I'm sure this is simple, I'm sure I'm doing something wrong. I'm also
fully willing to accept a workaround with mapping users and groups so
long as I do NOT have to manually modify an SMBUSERS file on the local
box. In other words, the smb.conf file and the smbusers file need to be
static regardless of how many users I add to the samba shares through
AD.

ANY help would be GREATLY appreciated.

--Doug
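The checks the debug log walks through (string_to_sid, then netgroup, then a name lookup) can be modelled to see where the naming mismatch bites. This is an added example, not code from the post or from Samba: it compares names only, whereas Samba itself resolves the entry to a SID and checks the user's token, and the NSS group table, the empty netgroup table and the strip_domain() helper are assumptions constructed from the getent and wbinfo output above.

```python
import re

# Constructed sample data modelled on the post, not taken from a live system:
# getent group lists the groups without a DOMAIN+ prefix, while the SMB
# session user is named in winbind form, DOMAIN+test02.
NSS_GROUPS = {
    "tstgrp01": {"test04", "test03", "test02"},
    "tstgrp02": {"test04", "test03", "test02"},
}
NIS_NETGROUPS = {}          # the post has no NIS domain configured
WINBIND_SEPARATOR = "+"     # smb.conf: winbind separator = +

def parse_valid_users(value):
    """Split a 'valid users' value into (kind, name) pairs by prefix:
    @ = netgroup then UNIX group, + = UNIX group, & = netgroup, else user."""
    kinds = {"@": "netgroup_or_group", "+": "group", "&": "netgroup"}
    return [(kinds.get(t[0], "user"), t.lstrip("@+&"))
            for t in re.split(r"[,\s]+", value.strip()) if t]

def strip_domain(name, sep=WINBIND_SEPARATOR):
    """Drop a DOMAIN+ prefix so a winbind-style name can be compared with
    the unprefixed names nss_ldap returns (assumed helper)."""
    return name.split(sep, 1)[1] if sep in name else name

def user_allowed(user, valid_users, nss_groups=NSS_GROUPS,
                 netgroups=NIS_NETGROUPS, normalise=False):
    """Return (allowed, trace). normalise=True compares entry and user
    through strip_domain(), exposing the wbinfo/getent prefix mismatch."""
    norm = strip_domain if normalise else (lambda n: n)
    trace = []
    for kind, name in parse_valid_users(valid_users):
        if kind == "user":
            if norm(name) == norm(user):
                return True, trace + [f"user entry {name} matched {user}"]
            trace.append(f"user entry {name} != {user}")
            continue
        if kind in ("netgroup", "netgroup_or_group"):
            if norm(user) in netgroups.get(norm(name), set()):
                return True, trace + [f"netgroup {name} contains {user}"]
            trace.append(f"netgroup {name}: no match")
        if kind in ("group", "netgroup_or_group"):
            members = nss_groups.get(norm(name))
            if members is None:
                trace.append(f"unix group {name} not found via NSS")
            elif norm(user) in members:
                return True, trace + [f"unix group {name} contains {user}"]
            else:
                trace.append(f"unix group {name} lacks {user}")
    return False, trace
```

Run with the post's own values, `user_allowed("DOMAIN+test02", "@DOMAIN+tstgrp02")` is denied because no NSS group is called DOMAIN+tstgrp02, while the same call with normalise=True is allowed; that is the gap between what winbind names and what nss_ldap publishes.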