Bug 43749 - sharekonfig "force user" does not work on UCS memberserver
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.4
Hardware/OS: Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Depends on:
Blocks:
Reported: 2017-03-07 17:44 CET by Jens Thorp-Hansen
Modified: 2020-07-21 11:03 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017030621000529, 2020072021000177
Bug group (optional):
Max CVSS v3 score:


Attachments
log.smbd_forceuser (1.26 MB, text/plain)
2017-03-08 10:36 CET, Jens Thorp-Hansen

Description Jens Thorp-Hansen univentionstaff 2017-03-07 17:44:32 CET
Using "force user" on a memberserver share does not work: no one can access the share if this is set. If the share is created on a DC, however, all is fine.

Does this point in the right direction? "# samba-tool ntacl  get --as-sddl" does not work on a memberserver because it tries to read the domainSID from the local sam.ldb instead of asking its DC. (Reference: https://lists.samba.org/archive/samba/2016-May/199938.html)
Comment 1 Stefan Gohmann univentionstaff 2017-03-08 05:57:02 CET
Jens, can you add samba log files of the memberserver (loglevel 10) from your test environment?

Does it work if you add the sid as forced user?
Comment 2 Jens Thorp-Hansen univentionstaff 2017-03-08 10:36:23 CET
Created attachment 8499 [details]
log.smbd_forceuser
Comment 3 Jens Thorp-Hansen univentionstaff 2017-03-08 10:42:52 CET
Testing environment:

10.200.42.175 (master)
10.200.42.176 (member)

The share is called "test_forceuser". If you put the share on the master it works; if you switch it to the member it does not work anymore. Using the SID yields "username could not be found" on the master (it does not matter which username is used to connect to the share).

Behaviour on the memberserver:
the owner is "sruda", group "bmm". If you set "sruda" / "bmm" as "force user" / "force group", you cannot connect to the share, even if you try to connect as "sruda".
Comment 4 Arvid Requate univentionstaff 2017-03-08 13:03:24 CET
tl;dr: echo -e "[global]\n\twinbind use default domain = yes" >> /etc/samba/local.conf; ucr commit /etc/samba/smb.conf; service samba restart


It always pays off to get the actual error code:

root@ucs-1950:~# smbclient //$(hostname -f)/member_forceuser -U sruda%univention
Domain=[MYDOM] OS=[Windows 6.1] Server=[Samba 4.5.1-Debian]
tree connect failed: NT_STATUS_INVALID_SID


winbind can resolve the user though:

root@ucs-1950:~# wbinfo -n sruda
S-1-5-21-1631624753-2720948390-2531171318-1114 SID_USER (1)
root@ucs-1950:~# wbinfo -s S-1-5-21-1631624753-2720948390-2531171318-1114
MYDOM+sruda 1
root@ucs-1950:~# wbinfo -S S-1-5-21-1631624753-2720948390-2531171318-1114
2010
root@ucs-1950:~# id sruda
uid=2010(sruda) gid=5001(Domain Users) Gruppen=5001(Domain Users),5052(Users),5073(bmm)
root@ucs-1950:~# wbinfo -U 2010
S-1-5-21-1631624753-2720948390-2531171318-1114

But for some reason it doesn't do it for "force user" on a memberserver. 


So let's see what triggers this error code:

root@ucs-1950:~# ucr set samba/debug/level='10'; service winbind restart; service samba restart; sleep 10; smbclient //$(hostname -f)/member_forceuser -U sruda%univention -c quit; ucr set samba/debug/level='0'; service samba restart; grep -B75 NT_STATUS_INVALID_SID /var/log/samba/log.smbd

shows these interesting lines:
==============================================================================
[] ../source3/smbd/share_access.c:221(user_ok_token)
  user_ok_token: share member_forceuser is ok for unix user sruda
[] ../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user sruda
[] ../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is sruda
[] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [sruda]!
[] ../source3/passdb/lookup_sid.c:77(lookup_name)
  lookup_name: UCS-1950\sruda => domain=[UCS-1950], name=[sruda]
[...]
[] ../source3/passdb/pdb_tdb.c:600(tdbsam_getsampwnam)
  pdb_getsampwnam (TDB): error fetching database.
   Key: USER_sruda
[...]
[] ../source3/passdb/lookup_sid.c:77(lookup_name)
  lookup_name: Unix User\sruda => domain=[Unix User], name=[sruda]
[...]
[] ../source3/passdb/lookup_sid.c:1300(gid_to_sid)
  gid 5001 -> sid S-1-5-21-1631624753-2720948390-2531171318-513
[] ../source3/auth/server_info.c:378(SamInfo3_handle_sids)
  Unix User found. Rid marked as special and sid (S-1-22-1-2010) saved as extra sid
[] ../source3/auth/server_info.c:414(SamInfo3_handle_sids)
  The primary group domain sid(S-1-5-21-1631624753-2720948390-2531171318-513) does not match the domain sid(S-1-5-21-232158225-1150262950-2424647211) for sruda(S-1-22-1-2010)
[...]
[] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/reply.c(1067) cmd=117 (SMBtconX) NT_STATUS_INVALID_SID
==============================================================================

There are a few reports about this on the net (search for "force user" "NT_STATUS_INVALID_SID"), among them https://bugzilla.samba.org/show_bug.cgi?id=9780 , which claims to be fixed but apparently isn't fixed properly. Anyway, the log messages and other mailing list posts indicate that smbd/winbind consider the user local. Strangely enough, adding the domain prefix to "force user" (like MYDOM+sruda) results in NT_STATUS_NO_SUCH_USER, no clue why.
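Added illustration, not part of this bug report and not Univention or Samba code: the two checks a practitioner would want after reading comment 4, in one self-contained script. The first pulls the decisive facts out of a level-10 smbd log (which SIDs were compared, whether the forced user was mapped into Samba's local "Unix User" authority S-1-22-1, and which NT status the tree connect returned). The second lints an smb.conf for the trigger described above: a share with "force user" on a host that is not a DC and does not have "winbind use default domain = yes". The log excerpt and the smb.conf fragments are constructed from what is quoted in this report; the rule that a host without "server role = ... domain controller" is a member server is an assumption of the lint, and comment 7's point that directory listing still fails after the workaround is not modelled.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt modelled on the level-10 smbd log quoted in comment 4
# (a handful of lines, not the attached log.smbd_forceuser).
SAMPLE_LOG = r"""
[] ../source3/passdb/lookup_sid.c:77(lookup_name)
  lookup_name: UCS-1950\sruda => domain=[UCS-1950], name=[sruda]
[] ../source3/auth/server_info.c:378(SamInfo3_handle_sids)
  Unix User found. Rid marked as special and sid (S-1-22-1-2010) saved as extra sid
[] ../source3/auth/server_info.c:414(SamInfo3_handle_sids)
  The primary group domain sid(S-1-5-21-1631624753-2720948390-2531171318-513) does not match the domain sid(S-1-5-21-232158225-1150262950-2424647211) for sruda(S-1-22-1-2010)
[] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/reply.c(1067) cmd=117 (SMBtconX) NT_STATUS_INVALID_SID
"""

SID = r"S-1-(?:\d+-)+\d+"
MISMATCH_RE = re.compile(
    r"primary group domain sid\((?P<group_sid>" + SID + r")\) does not match "
    r"the domain sid\((?P<domain_sid>" + SID + r")\) for "
    r"(?P<user>[^\s(]+)\((?P<user_sid>" + SID + r")\)"
)
STATUS_RE = re.compile(r"\((?P<cmd>SMB\w+)\) (?P<status>NT_STATUS_\w+)")
UNIX_USERS = "S-1-22-1"  # authority Samba uses for accounts it treats as local ("Unix User")


def sid_domain(sid: str) -> str:
    # Strip the trailing RID: S-1-5-21-a-b-c-513 -> S-1-5-21-a-b-c
    return sid.rsplit("-", 1)[0]


def diagnose_log(log: str) -> Dict[str, object]:
    """Extract the SID mismatch and the resulting NT status from smbd debug output."""
    result: Dict[str, object] = {"status": None, "verdict": "no SID mismatch found"}
    for line in log.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            result.update(m.groupdict())
            result["group_domain"] = sid_domain(m["group_sid"])
            # A user SID under S-1-22-1 means smbd mapped the name to a local
            # Unix account instead of the winbind-resolved domain account.
            result["user_is_local"] = sid_domain(m["user_sid"]) == UNIX_USERS
        s = STATUS_RE.search(line)
        if s:
            result["command"], result["status"] = s["cmd"], s["status"]
    if result.get("user_is_local") and result["group_domain"] != result["domain_sid"]:
        result["verdict"] = (
            f"{result['user']} was resolved as local Unix User {result['user_sid']}, "
            f"but its primary group lives in domain {result['group_domain']}, which is "
            f"not the domain SID smbd compared against ({result['domain_sid']}); "
            f"the tree connect therefore fails with {result['status']}"
        )
    return result


# Constructed smb.conf fragments (share and account names taken from this report).
MEMBER_CONF = """
[global]
    workgroup = MYDOM
    security = ads
    ; no "winbind use default domain" here
[member_forceuser]
    path = /srv/shares/member_forceuser
    force user = sruda
    force group = bmm
"""
# The comment 4 workaround appends a second [global] block via local.conf.
MEMBER_CONF_WORKAROUND = MEMBER_CONF + "\n[global]\n    winbind use default domain = yes\n"
DC_CONF = MEMBER_CONF.replace("security = ads", "server role = active directory domain controller")
TRUE_VALUES = {"yes", "true", "1", "on"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [sections], 'key = value', '#'/';' comment lines.
    A section repeated later in the file merges into its first occurrence."""
    conf: Dict[str, Dict[str, str]] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[section][key.lower()] = value
    return conf


def affected_shares(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Shares whose 'force user' hits NT_STATUS_INVALID_SID per comment 4: the host
    is not a DC and 'winbind use default domain' is off. Assumption: a host without
    'server role = ... domain controller' is a member server."""
    g = conf.get("global", {})
    is_dc = "domain controller" in g.get("server role", "").lower()
    use_default_domain = g.get("winbind use default domain", "no").lower() in TRUE_VALUES
    if is_dc or use_default_domain:
        return []
    return [name for name, params in conf.items() if name != "global" and "force user" in params]
```

Run it against a real log with `diagnose_log(open("/var/log/samba/log.smbd").read())`; the verdict is only produced when both the S-1-22-1 mapping and the domain mismatch are present, so an unrelated NT_STATUS_INVALID_SID is reported as "no SID mismatch found" rather than blamed on this bug.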
Comment 5 Ingo Steuwer univentionstaff 2020-07-03 20:54:23 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Comment 6 Arvid Requate univentionstaff 2020-07-20 15:59:55 CEST
Just had to debug this again for Ticket #2020072021000177.
The workaround from comment 4 worked.
Comment 7 Christina Scheinig univentionstaff 2020-07-21 11:03:53 CEST
(In reply to Arvid Requate from comment #6)
> Just had to debug this again for Ticket #2020072021000177.
> The workaround from comment 4 worked.

The workaround is okay for the share access, BUT the listing of the share is not possible with this option.

smbclient //$(hostname -f)/test -U cscheini
Enter SCHEIN\cscheini's password: 
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
smb: \>