Univention Bugzilla – Bug 36948
No access to shares: "Die Struktur der Sicherheitskennung ist unzulässig."
Last modified: 2015-05-28 17:53:54 CEST
After upgrading from UCS-3.2 to UCS-4.0 no access to shares anymore. Error message: I:\>net use * \\<server>\<share> Systemfehler 1337 aufgetreten. Die Struktur der Sicherheitskennung ist unzulässig. Same with username/password: I:\>net use * \\<server>\<password> /user:<user> * Geben Sie das Kennwort für \\<server>\<password> ein Systemfehler 5 aufgetreten. Zugriff verweigert Packages installed: rc libsamba-credentials0 2:4.1.0-1.694.201410141852 amd64 Samba Credentials management library rc libsamba-hostconfig0 2:4.1.0-1.694.201410141852 amd64 Samba host configuration library rc libsamba-policy0 2:4.1.0-1.694.201410141852 amd64 Samba policy management rc libsamba-util0 2:4.1.0-1.694.201410141852 amd64 Samba utility function library ii python-samba 2:4.2.0~rc2-1.708.201411171637 amd64 Python bindings for Samba ii samba 2:4.2.0~rc2-1.708.201411171637 amd64 SMB/CIFS file, print, and login server for Unix ii samba-common 2:4.2.0~rc2-1.708.201411171637 all common files used by both the Samba server and client ii samba-common-bin 2:4.2.0~rc2-1.708.201411171637 amd64 Samba common files used by both the server and the client ii samba-dsdb-modules 2:4.2.0~rc2-1.708.201411171637 amd64 Samba Directory Services Database ii samba-libs:amd64 2:4.2.0~rc2-1.708.201411171637 amd64 Samba core libraries ii samba-vfs-modules 2:4.2.0~rc2-1.708.201411171637 amd64 Samba Virtual FileSystem plugins ii univention-samba 9.0.5-1.491.201411172154 all UCS - Samba domain controller ii univention-samba-local-config 9.0.5-1.491.201411172154 all UCS - UCR Extensions for configuration of local shares
Thanks for your report. We won't be able to solve your issue quickly here in Bugzilla. It would be better to use our forum: http://forum.univention.de/index.php
See: http://forum.univention.de/viewtopic.php?f=48&t=3600
@Univention team: also see at [Ticket#2015041321000348]
(In reply to Stephan Hendl from comment #3) > @Univention team: also see at [Ticket#2015041321000348] In this case the problem is caused by samba trying to look up a local users/groups SID defined in force user/force group: [www] path = /var/www force user = www-data force group = www-data read only = No create mask = 0644 force create mode = 0644 strict locking = No include = /etc/samba/local.conf dos filemode = Yes vfs objects = acl_xattr --- [2015/01/18 02:02:07.566351, 5, pid=5636] ../source3/lib/username.c:120(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is www-data [2015/01/18 02:02:07.566369, 5, pid=5636] ../source3/lib/username.c:159(Get_Pwnam_internals) Get_Pwnam_internals did find user [www-data]! [2015/01/18 02:02:07.566816, 1, pid=5636] ../source3/auth/server_info.c:628(passwd_to_SamInfo3) The primary group domain sid(S-1-5-21-2621817644-3705164039-2104105990-513) does not match the domain sid(S-1-22-1) for www-data(S-1-22-1-33) [2015/01/18 02:02:07.566877, 5, pid=5636] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order) check lock order 1 for /var/run/samba/smbXsrv_tcon_global.tdb [2015/01/18 02:02:07.566905, 5, pid=5636] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 1 for /var/run/samba/smbXsrv_tcon_global.tdb [2015/01/18 02:02:07.566926, 3, pid=5636] ../source3/smbd/error.c:82(error_packet_set) NT error packet at ../source3/smbd/reply.c(955) cmd=117 (SMBtconX) NT_STATUS_INVALID_SID --- # smbclient //master/www -UAdministrator%univention -c dir Domain=[LISH] OS=[Windows 6.1] Server=[Samba 4.2.0rc2-Debian] tree connect failed: NT_STATUS_INVALID_SID Workaround is to remove force user and force group.
This is a regression to prior UCS versions. https://lists.samba.org/archive/samba-technical/2015-January/105229.html https://bugzilla.samba.org/show_bug.cgi?id=11044
Should be fixed with Bug #37939.
Yes, fixed with 4.2.1: Before (with "force user = www-data"): root@master50:~# smbclient //localhost/share1 -Uuser1%univention Domain=[AR40I1] OS=[Windows 6.1] Server=[Samba 4.2.0rc2-Debian] tree connect failed: NT_STATUS_INVALID_SID After: root@master50:~# smbclient //localhost/share1 -Uuser1%univention \ -c showconnect Domain=[AR40I1] OS=[Windows 6.1] Server=[Samba 4.2.1-Debian] //localhost/share1 *** This bug has been marked as a duplicate of bug 37939 ***
I've added a test case for this issue: /usr/share/ucs-test/53_samba-common/48share_force_local_group