[Pkg-samba-maint] Bug#972223: Bug#972223: Acknowledgement (samba: NT4-style domain member doesn't work without winbind, but even with it, doesn't work)
Josip Rodin
joy at debbugs.entuzijast.net
Mon Oct 19 12:27:30 BST 2020
On Sun, Oct 18, 2020 at 11:12:15AM +0200, Josip Rodin wrote:
> On Sat, Oct 17, 2020 at 01:09:08PM +0200, Josip Rodin wrote:
> > [2020/10/17 10:26:37.521971, 3, pid=16890, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:151(token_contains_name)
> > token_contains_name: returning false for users
> > [2020/10/17 10:26:37.522069, 10, pid=16890, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:222(user_ok_token)
> > User joy not in 'valid users'
> >
> > I'm afraid I haven't had the time yet to figure out why the netgroup code
> > can't resolve the users group (I'll keep at it).
>
> I added a bit more debugging and found the following pattern:
>
> [2020/10/18 09:04:55.557863, 3, pid=20645, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:432(lookup_name)
> lookup_name: lookup for Unix Group\users succeeded: name (null), domain (null), sid ^A^B, type ^B
> [2020/10/18 09:04:55.557938, 3, pid=20645, effective(0, 0), real(0, 0)] ../libcli/security/dom_sid.c:85(dom_sid_equal)
> dom_sid_equal: Comparing SID S-1-5-21-145766654-2861277506-3272706772-1001000 and S-1-22-2-100
> [2020/10/18 09:04:55.558008, 3, pid=20645, effective(0, 0), real(0, 0)] ../libcli/security/dom_sid.c:85(dom_sid_equal)
> dom_sid_equal: Comparing SID S-1-5-21-145766654-2861277506-3272706772-513 and S-1-22-2-100
> [2020/10/18 09:04:55.558052, 3, pid=20645, effective(0, 0), real(0, 0)] ../libcli/security/dom_sid.c:85(dom_sid_equal)
> dom_sid_equal: Comparing SID S-1-1-0 and S-1-22-2-100
> [2020/10/18 09:04:55.558094, 3, pid=20645, effective(0, 0), real(0, 0)] ../libcli/security/dom_sid.c:85(dom_sid_equal)
> dom_sid_equal: Comparing SID S-1-5-2 and S-1-22-2-100
> [2020/10/18 09:04:55.558134, 3, pid=20645, effective(0, 0), real(0, 0)] ../libcli/security/dom_sid.c:85(dom_sid_equal)
> dom_sid_equal: Comparing SID S-1-5-11 and S-1-22-2-100
> [2020/10/18 09:04:55.558173, 3, pid=20645, effective(0, 0), real(0, 0)] ../libcli/security/dom_sid.c:85(dom_sid_equal)
> dom_sid_equal: Comparing SID S-1-22-1-1000 and S-1-22-2-100
> [2020/10/18 09:04:55.558213, 3, pid=20645, effective(0, 0), real(0, 0)] ../libcli/security/dom_sid.c:85(dom_sid_equal)
> dom_sid_equal: Comparing SID S-1-22-2-1000 and S-1-22-2-100
> [2020/10/18 09:04:55.558253, 3, pid=20645, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:139(token_contains_name)
> token_contains_name: nt_token_check_sid failed for users, (null)
> [2020/10/18 09:04:55.558321, 3, pid=20645, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:155(token_contains_name)
> token_contains_name: returning false for users
> [2020/10/18 09:04:55.558364, 10, pid=20645, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:226(user_ok_token)
> User joy not in 'valid users'
>
> This S-1-22-2- base SID seemed indicative, so I googled that, but the best
> explanation I could find was in a question at
> https://stackoverflow.com/questions/31109871/mapping-sambas-s-1-22-12-sid-into-names
> where it says this is something that "Samba uses" for groups.
>
> Is this the idmap setup that I don't seem to have in my old config?
OK so after some more discussion with the folks in #samba on IRC, I decided
to try the method of not having a domain member server on the file server,
but a classic (NT4-style) backup domain controller instead, with the ldapsam
setup directly on it.
This generally works much better, but I observed users having their SID
lists expanded partially, i.e. the LDAP clearly had them in e.g. 5 groups,
but Samba only saw 3 groups - based on the output of security_token_debug().
This was even after I destroyed all obvious traces of winbind and whatever.
Then I completely uninstalled Samba from the machine, which eliminated the
entire /var/lib/samba directory, and reinstalled the software and re-did the
net(8) and smbpasswd(8) commands needed, and now it miraculously all works
just fine.
So it looks like something is definitely wrong with how Winbind/idmap
stuff functions with this particular LDAP directory, yet it's completely
obfuscated why.
This also makes me even more afraid to move from NT4-style to AD-style,
because who know what else might fail there, too...
--
Josip Rodin
More information about the Pkg-samba-maint
mailing list