Univention Bugzilla – Bug 43749
sharekonfig "force user" does not work on UCS memberserver
Last modified: 2020-07-21 11:03:53 CEST
Using "force user" on a memberserver share does not work: no one can access the share when it is set. If the share is created on a DC, however, all is fine. Does this point in the right direction? "# samba-tool ntacl get --as-sddl" does not work on a memberserver because it tries to read the domainSID from the local sam.ldb instead of asking its DC. (Reference: https://lists.samba.org/archive/samba/2016-May/199938.html)
Jens, can you add samba log files of the memberserver (loglevel 10) from your test environment? Does it work if you add the sid as forced user?
Created attachment 8499 [details] log.smbd_forceuser
Testing environment: 10.200.42.175 (master), 10.200.42.176 (member); the share is called "test_forceuser". If you put the share on the master it works; if you switch it to the member it does not work anymore. Using the SID yields "username could not be found" on the master (it does not matter which username is used to connect to the share).

Behaviour on the memberserver: the owner is "sruda", group "bmm". If you set "sruda" / "bmm" as "force user" / "force group" you cannot connect to the share, even if you try to connect as "sruda".
tl;dr:

    echo -e "[global]\n\twinbind use default domain = yes" >> /etc/samba/local.conf; ucr commit /etc/samba/smb.conf; service samba restart

It always pays off to get the actual error code:

    root@ucs-1950:~# smbclient //$(hostname -f)/member_forceuser -U sruda%univention
    Domain=[MYDOM] OS=[Windows 6.1] Server=[Samba 4.5.1-Debian]
    tree connect failed: NT_STATUS_INVALID_SID

winbind can resolve the user though:

    root@ucs-1950:~# wbinfo -n sruda
    S-1-5-21-1631624753-2720948390-2531171318-1114 SID_USER (1)
    root@ucs-1950:~# wbinfo -s S-1-5-21-1631624753-2720948390-2531171318-1114
    MYDOM+sruda 1
    root@ucs-1950:~# wbinfo -S S-1-5-21-1631624753-2720948390-2531171318-1114
    2010
    root@ucs-1950:~# id sruda
    uid=2010(sruda) gid=5001(Domain Users) Gruppen=5001(Domain Users),5052(Users),5073(bmm)
    root@ucs-1950:~# wbinfo -U 2010
    S-1-5-21-1631624753-2720948390-2531171318-1114

But for some reason it doesn't do it for "force user" on a memberserver. So let's see what triggers this error code:

    root@ucs-1950:~# ucr set samba/debug/level='10'; service winbind restart; service samba restart; sleep 10; smbclient //$(hostname -f)/member_forceuser -U sruda%univention -c quit; ucr set samba/debug/level='0'; service samba restart; grep -B75 NT_STATUS_INVALID_SID /var/log/samba/log.smbd

shows these interesting lines:

==============================================================================
[] ../source3/smbd/share_access.c:221(user_ok_token)
  user_ok_token: share member_forceuser is ok for unix user sruda
[] ../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user sruda
[] ../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is sruda
[] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [sruda]!
[] ../source3/passdb/lookup_sid.c:77(lookup_name)
  lookup_name: UCS-1950\sruda => domain=[UCS-1950], name=[sruda]
[...]
[] ../source3/passdb/pdb_tdb.c:600(tdbsam_getsampwnam)
  pdb_getsampwnam (TDB): error fetching database.
  Key: USER_sruda
[...]
[] ../source3/passdb/lookup_sid.c:77(lookup_name)
  lookup_name: Unix User\sruda => domain=[Unix User], name=[sruda]
[...]
[] ../source3/passdb/lookup_sid.c:1300(gid_to_sid)
  gid 5001 -> sid S-1-5-21-1631624753-2720948390-2531171318-513
[] ../source3/auth/server_info.c:378(SamInfo3_handle_sids)
  Unix User found. Rid marked as special and sid (S-1-22-1-2010) saved as extra sid
[] ../source3/auth/server_info.c:414(SamInfo3_handle_sids)
  The primary group domain sid(S-1-5-21-1631624753-2720948390-2531171318-513) does not match the domain sid(S-1-5-21-232158225-1150262950-2424647211) for sruda(S-1-22-1-2010)
[...]
[] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/reply.c(1067) cmd=117 (SMBtconX) NT_STATUS_INVALID_SID
==============================================================================

There are a few reports about this on the net (search for "force user" "NT_STATUS_INVALID_SID"), among them https://bugzilla.samba.org/show_bug.cgi?id=9780 , which claims to be fixed but apparently isn't properly. Anyway, the log messages and other mailing list posts indicate that smbd/winbind consider the user local. Strangely enough, adding the domain prefix to "force user" (like MYDOM+sruda) results in NT_STATUS_NO_SUCH_USER, no clue why.
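As an added example (not part of the bug report or of Samba/UCS), the two checks from the analysis above as code: flag shares that set "force user" on a server whose [global] section lacks "winbind use default domain = yes", and pull the mismatched domain SIDs out of the level-10 smbd log line that precedes NT_STATUS_INVALID_SID. The smb.conf fragment and log excerpt are constructed from the values quoted in this comment.

```python
import re

# Constructed smb.conf fragment modelled on the report: a member server share
# with "force user" while [global] lacks "winbind use default domain".
SMB_CONF = """\
[global]
\tworkgroup = MYDOM
\tsecurity = ads

[member_forceuser]
\tpath = /srv/member_forceuser
\tforce user = sruda
\tforce group = bmm
"""

# Constructed excerpt of the level-10 smbd log lines quoted above.
SMBD_LOG = """\
lookup_name: Unix User\\sruda => domain=[Unix User], name=[sruda]
Unix User found. Rid marked as special and sid (S-1-22-1-2010) saved as extra sid
The primary group domain sid(S-1-5-21-1631624753-2720948390-2531171318-513) does not match the domain sid(S-1-5-21-232158225-1150262950-2424647211) for sruda(S-1-22-1-2010)
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}, names lowercased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf

def shares_at_risk(text):
    """Shares using 'force user' while the workaround flag is not enabled."""
    conf = parse_smb_conf(text)
    flag = conf.get("global", {}).get("winbind use default domain", "no").lower()
    if flag in ("yes", "true", "1"):
        return []
    return sorted(n for n, opts in conf.items() if n != "global" and "force user" in opts)

SID_MISMATCH = re.compile(r"primary group domain sid\((?P<group>S-[\d-]+)\) does not match "
                          r"the domain sid\((?P<local>S-[\d-]+)\) for (?P<user>\S+)\((?P<usid>S-[\d-]+)\)")

def sid_mismatch(log):
    """Return (user, group domain SID, local domain SID, treated as 'Unix User') or None."""
    m = SID_MISMATCH.search(log)
    if not m:
        return None
    group_domain = m["group"].rsplit("-", 1)[0]           # strip the RID (513 = Domain Users)
    return (m["user"], group_domain, m["local"], m["usid"].startswith("S-1-22-1-"))
```

A True fourth element means smbd resolved the forced user through the S-1-22-1 "Unix User" authority rather than the domain, which is exactly the state the workaround removes.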
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Just had to debug this again for Ticket #2020072021000177. The workaround from comment 4 worked.
(In reply to Arvid Requate from comment #6)
> Just had to debug this again for Ticket #2020072021000177.
> The workaround from comment 4 worked.

The workaround is okay for the share access, BUT listing the share is not possible with this option.

    smbclient //$(hostname -f)/test -U cscheini
    Enter SCHEIN\cscheini's password:
    Try "help" to get a list of possible commands.
    smb: \> dir
    NT_STATUS_ACCESS_DENIED listing \*
    smb: \>