Univention Bugzilla – Bug 53556
Setting "valid users = @Administrators" does not work on Samba/AD DCs
Last modified: 2021-07-16 09:04:15 CEST
A member of the "Administrators" group can't access a share like this (valid users!) on a Samba DC (UCS primary).

[Support]
path = /home/support
vfs objects = acl_xattr
msdfs root = no
writeable = yes
browseable = yes
public = no
dos filemode = yes
hide unreadable = no
create mode = 0664
directory mode = 0775
force create mode = 00
force directory mode = 00
locking = 1
blocking locks = 1
strict locking = Auto
oplocks = 1
level2 oplocks = 1
fake oplocks = 0
csc policy = manual
valid users = @Administrators
force group = "Domain Admins"
nt acl support = 0
inherit acls = 0
inherit owner = no
inherit permissions = no

-> id Administrator
uid=2002(Administrator) gid=5000(Domain Admins) Gruppen=5000(Domain Admins),5001(Domain Users),1005(Windows Hosts),5005(DC Backup Hosts),5006(DC Slave Hosts),5007(Computers),5010(Authenticated Users),5015(Enterprise Domain Controllers),5045(Schema Admins),5046(Enterprise Admins),5047(Group Policy Creator Owners),5051(Denied RODC Password Replication Group),5052(Administrators),5053(Users)

-> dn: CN=Administrators,CN=Builtin,DC=schein,DC=ig
objectSid: S-1-5-32-544
member: CN=Administrator,CN=Users,DC=schein,DC=ig

-> wbinfo -G 5052
S-1-5-32-544

-> wbinfo -Y S-1-5-32-544
5052

-> smbclient //$(hostname -f)/Support -U Administrator%univention
tree connect failed: NT_STATUS_ACCESS_DENIED

The same on a member server works.
log-master:

Finding user SCHEIN+Administrator
[2021/07/08 12:53:13.644871, 5, pid=24855] ../../source3/lib/username.c:120(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is schein+administrator
[2021/07/08 12:53:13.657365, 5, pid=24855] ../../source3/lib/username.c:128(Get_Pwnam_internals) Trying _Get_Pwnam(), username as given is SCHEIN+Administrator
[2021/07/08 12:53:13.657938, 5, pid=24855] ../../source3/lib/username.c:141(Get_Pwnam_internals) Trying _Get_Pwnam(), username as uppercase is SCHEIN+ADMINISTRATOR
[2021/07/08 12:53:13.658494, 5, pid=24855] ../../source3/lib/username.c:153(Get_Pwnam_internals) Checking combinations of 0 uppercase letters in schein+administrator
[2021/07/08 12:53:13.658531, 5, pid=24855] ../../source3/lib/username.c:159(Get_Pwnam_internals) Get_Pwnam_internals didn't find user [SCHEIN+Administrator]!
[2021/07/08 12:53:13.658556, 3, pid=24855] ../../source3/smbd/password.c:127(register_homes_share) No home directory defined for user 'SCHEIN+Administrator'
[2021/07/08 12:53:13.658597, 5, pid=24855] ../../lib/util/debug.c:800(debug_dump_status) INFO: Current debug levels:
...
[2021/07/08 12:53:14.349704, 5, pid=24855] ../../source3/auth/user_util.c:165(user_in_netgroup) looking for user SCHEIN+Administrator of domain (ANY) in netgroup Administrators
[2021/07/08 12:53:14.349862, 5, pid=24855] ../../source3/auth/user_util.c:190(user_in_netgroup) looking for user schein+administrator of domain (ANY) in netgroup Administrators
[2021/07/08 12:53:14.349906, 4, pid=24855] ../../source3/smbd/sec_ctx.c:216(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2021/07/08 12:53:14.349932, 4, pid=24855] ../../source3/smbd/uid.c:576(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2021/07/08 12:53:14.349955, 4, pid=24855] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/07/08 12:53:14.349977, 5, pid=24855] ../../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL)
[2021/07/08 12:53:14.349999, 5, pid=24855] ../../source3/auth/token_util.c:866(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
[2021/07/08 12:53:14.350474, 4, pid=24855] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2021/07/08 12:53:14.354565, 1, pid=24855] ../../source3/smbd/service.c:359(create_connection_session_info) create_connection_session_info: user 'SCHEIN+Administrator' (from session setup) not permitted to access this share (Support)
[2021/07/08 12:53:14.354601, 1, pid=24855] ../../source3/smbd/service.c:531(make_connection_snum) create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

log-member:

Finding user Administrator
[2021/07/08 12:53:55.267764, 5] ../../source3/lib/username.c:120(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is administrator
[2021/07/08 12:53:55.267787, 5] ../../source3/lib/username.c:159(Get_Pwnam_internals) Get_Pwnam_internals did find user [Administrator]!
[2021/07/08 12:53:55.267821, 3] ../../source3/smbd/password.c:140(register_homes_share) Adding homes service for user 'Administrator' using home directory: '/home/Administrator'
[2021/07/08 12:53:55.267876, 3] ../../source3/param/loadparm.c:1577(lp_add_home) adding home's share [Administrator] for user 'Administrator' at '/home/Administrator'
[2021/07/08 12:53:55.267915, 5] ../../lib/util/debug.c:800(debug_dump_status) INFO: Current debug levels: all: 5 tdb: 5 printdrivers: 5 lanman: 5
...
2021/07/08 12:53:55.268267, 4] ../../source3/auth/pampass.c:483(smb_pam_start) smb_pam_start: PAM: Init user: Administrator
[2021/07/08 12:53:55.284302, 4] ../../source3/auth/pampass.c:492(smb_pam_start) smb_pam_start: PAM: setting rhost to: 10.200.43.184
[2021/07/08 12:53:55.284336, 4] ../../source3/auth/pampass.c:501(smb_pam_start) smb_pam_start: PAM: setting tty
[2021/07/08 12:53:55.284357, 4] ../../source3/auth/pampass.c:509(smb_pam_start) smb_pam_start: PAM: Init passed for user: Administrator
[2021/07/08 12:53:55.284378, 4] ../../source3/auth/pampass.c:646(smb_internal_pam_session) smb_internal_pam_session: PAM: tty set to: smb/2046206194
[2021/07/08 12:53:55.998664, 4] ../../source3/auth/pampass.c:465(smb_pam_end) smb_pam_end: PAM: PAM_END OK.
I tried in my test environment to remove the force group, but this had no effect. Still access denied. It just works if the users are manually added in valid users. Using the ACLs is not an option for the customer.
Also in log.smbd (ucs 4.4 master):

==================================
[2021/04/16 00:23:43.215128, 10, pid=26384, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/passdb.c:649(lookup_global_sam_name) Found group Administrators (S-1-5-32-544) not in our domain -- ignoring.
[2021/04/16 00:23:43.215138, 10, pid=26384, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:113(lookup_name) lookup_name: Unix Group\Administrators => domain=[Unix Group], name=[Administrators]
[2021/04/16 00:23:43.215147, 10, pid=26384, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:114(lookup_name) lookup_name: flags = 0x077
[2021/04/16 00:23:43.324955, 10, pid=26384, effective(0, 0), real(0, 0)] ../../source3/smbd/share_access.c:213(user_ok_token) User UCS447PT1+Administrator not in 'valid users'
[2021/04/16 00:23:43.324973, 1, pid=26384, effective(0, 0), real(0, 0)] ../../source3/smbd/service.c:359(create_connection_session_info) create_connection_session_info: user 'UCS447PT1+Administrator' (from session setup) not permitted to access this share (testshare1)
==================================

Maybe samba somehow doesn't strip the "DOMAIN+" prefix from the username when looking for it in the Administrators group. In the samba pam stack we do this "manually":

session requisite pam_univentionsambadomain.so

On the other hand the "Unix Group+Administrators" looks strange, because it's a Builtin Group:

root@master60:~# wbinfo --sid-to-name S-1-5-32-544
BUILTIN\Administrators 4
(In reply to Arvid Requate from comment #2)
> On the other hand the "Unix Group+Administrators" looks strange, because
> it's a Builtin Group:
>
> root@master60:~# wbinfo --sid-to-name S-1-5-32-544
> BUILTIN\Administrators 4

In Bug #49747 we added the mapping for SID name domain S-1-22-2 to "Unix Group" to prevent AD Server crashes for the group root (S-1-22-2-0). Might be related, but I can't think of a reason why S-1-5-32-544 would be mapped to "Unix Group/Administrators".
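The following is an added triage helper, not code from the reporter, Univention or Samba. It parses smbd log records of the shape quoted in the report and in comment #2 (header `[timestamp, level, ...] path:line(function)` followed by the message), reads the group list from `id` output whose label may be localised (the report shows German `Gruppen`), and classifies `valid users` tokens as smb.conf(5) documents them: `@name` is tried as a NIS netgroup and then as a UNIX group (which is why the `user_in_netgroup` lookup appears in the log above), `+name` as a UNIX group only, `&name` as a netgroup only. It then puts the expected UNIX group membership next to the passdb "not in our domain -- ignoring" message and the share denial, which is the evidence an admin wants side by side when triaging a report like this one. The sample inputs are the excerpts from this bug (the `id` group list abbreviated); the function names and the `Entry` record are this example's own.

```python
"""Triage helper for a Samba 'valid users' denial (added example, not UCS or Samba code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# smbd log record: [timestamp, level(, pid=..., ...)] path:line(function) message
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)"
    r"[^\]]*\]\s+(?P<src>[^\s(]+)\((?P<func>\w+)\)\s*(?P<msg>.*)$"
)
DENIED = re.compile(r"user '(?P<user>[^']+)' \(from session setup\) not permitted "
                    r"to access this share \((?P<share>[^)]+)\)")
NOT_IN_VALID = re.compile(r"User (?P<user>\S+) not in 'valid users'")
IGNORED = re.compile(r"Found group (?P<name>\S+) \((?P<sid>S-[\d-]+)\) not in our domain -- ignoring")


@dataclass
class Entry:
    ts: str
    level: int
    src: str
    func: str
    msg: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one smbd log record; None for continuation or unrelated lines."""
    m = HEADER.match(line.strip())
    return Entry(m["ts"], int(m["level"]), m["src"], m["func"], m["msg"]) if m else None


def classify_token(token: str) -> Tuple[str, str]:
    """Lookup smb.conf(5) documents for a 'valid users' token: '@name' is tried as a
    NIS netgroup and then as a UNIX group, '+name' as a UNIX group only, '&name' as a
    netgroup only; anything else is a user name."""
    if token.startswith("@"):
        return ("netgroup-then-unix-group", token[1:])
    if token.startswith("+"):
        return ("unix-group", token[1:])
    if token.startswith("&"):
        return ("netgroup", token[1:])
    return ("user", token)


def parse_valid_users(value: str) -> List[Tuple[str, str]]:
    """Split a 'valid users' value (space or comma separated) into classified tokens."""
    return [classify_token(t) for t in value.replace(",", " ").split()]


def parse_id_groups(id_output: str) -> Dict[int, str]:
    """{gid: name} from the trailing group list of `id` output. The label before '='
    is matched generically because it is localised (German 'Gruppen' in the report)."""
    m = re.search(r"\s\w+=((?:\d+\([^)]*\),?)+)$", id_output.strip())
    return {int(g): n for g, n in re.findall(r"(\d+)\(([^)]*)\)", m.group(1))} if m else {}


def satisfied_group_tokens(valid_users: str, id_output: str) -> List[str]:
    """Group tokens in 'valid users' that the user's UNIX groups (per `id`) satisfy,
    i.e. what an admin expects Samba to accept."""
    names = set(parse_id_groups(id_output).values())
    return [name for kind, name in parse_valid_users(valid_users)
            if kind in ("netgroup-then-unix-group", "unix-group") and name in names]


def denial_evidence(lines: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """(function, user, share) for each 'not in valid users' or share-denial record;
    share is None for the user_ok_token record, which does not name the share."""
    out = []
    for e in filter(None, map(parse_entry, lines)):
        m = DENIED.search(e.msg) or NOT_IN_VALID.search(e.msg)
        if m:
            out.append((e.func, m["user"], m.groupdict().get("share")))
    return out


def ignored_groups(lines: List[str]) -> List[Tuple[str, str]]:
    """(name, SID) of groups that passdb reported as 'not in our domain -- ignoring'."""
    hits = [IGNORED.search(e.msg) for e in filter(None, map(parse_entry, lines))]
    return [(m["name"], m["sid"]) for m in hits if m]


def triage(valid_users: str, id_output: str, lines: List[str]) -> dict:
    """Expected membership versus what smbd logged, in one summary."""
    return {"unix_groups_satisfied": satisfied_group_tokens(valid_users, id_output),
            "ignored_groups": ignored_groups(lines),
            "denials": denial_evidence(lines)}


# Sample inputs: the smb.conf value, the (abbreviated) `id` output and log records from this bug.
VALID_USERS = "@Administrators"
ID_OUTPUT = ("uid=2002(Administrator) gid=5000(Domain Admins) Gruppen=5000(Domain Admins),"
             "5001(Domain Users),1005(Windows Hosts),5052(Administrators),5053(Users)")
LOG = [
    r"[2021/07/08 12:53:14.349704, 5, pid=24855] ../../source3/auth/user_util.c:165(user_in_netgroup) looking for user SCHEIN+Administrator of domain (ANY) in netgroup Administrators",
    r"[2021/07/08 12:53:14.354565, 1, pid=24855] ../../source3/smbd/service.c:359(create_connection_session_info) create_connection_session_info: user 'SCHEIN+Administrator' (from session setup) not permitted to access this share (Support)",
    r"[2021/07/08 12:53:14.354601, 1, pid=24855] ../../source3/smbd/service.c:531(make_connection_snum) create_connection_session_info failed: NT_STATUS_ACCESS_DENIED",
    r"[2021/04/16 00:23:43.215128, 10, pid=26384, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/passdb.c:649(lookup_global_sam_name) Found group Administrators (S-1-5-32-544) not in our domain -- ignoring.",
    r"[2021/04/16 00:23:43.324955, 10, pid=26384, effective(0, 0), real(0, 0)] ../../source3/smbd/share_access.c:213(user_ok_token) User UCS447PT1+Administrator not in 'valid users'",
    r"[2021/04/16 00:23:43.324973, 1, pid=26384, effective(0, 0), real(0, 0)] ../../source3/smbd/service.c:359(create_connection_session_info) create_connection_session_info: user 'UCS447PT1+Administrator' (from session setup) not permitted to access this share (testshare1)",
]

if __name__ == "__main__":
    for key, value in triage(VALID_USERS, ID_OUTPUT, LOG).items():
        print(f"{key}: {value}")
```

Run against the excerpts, the summary shows the mismatch the bug is about: `id` says the user is in the UNIX group `Administrators` that `@Administrators` names, while passdb discards the BUILTIN group SID as "not in our domain" and `user_ok_token` then rejects the `DOMAIN+user` name. The same functions can be pointed at a live `log.smbd` (at `log level = 10` for the passdb record) by reading its lines instead of `LOG`.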