Bug 1073829
| Field | Value |
|---|---|
| Summary: | with ipa-adtrust-install, smb server valid users = @groupname fails due to ipa-sam failure to translate group SID into gid |
| Product: | Red Hat Enterprise Linux 7 |
| Reporter: | Jason Woods <devel> |
| Component: | ipa |
| Assignee: | Martin Kosek <mkosek> |
| Status: | CLOSED CURRENTRELEASE |
| QA Contact: | Namita Soman <nsoman> |
| Severity: | urgent |
| Priority: | urgent |
| Version: | 7.0 |
| CC: | devel, dpal, pviktori, rcritten, spoore |
| Target Milestone: | rc |
| Target Release: | --- |
| Hardware: | All |
| OS: | Linux |
| Fixed In Version: | ipa-3.3.3-22.el7 |
| Doc Type: | Bug Fix |
| Story Points: | --- |
| Last Closed: | 2014-06-13 09:59:39 UTC |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| Category: | --- |
| Bug Blocks: | 1073810 |
| Attachments: | 871827 (Log snippet for samba), 871828 (Proposed patch for freeipa master branch), 871829 (Proposed patch for 3.0.0-37 redhat package) |
Created attachment 871828 [details]
Proposed patch for freeipa master branch
Created attachment 871829 [details]
Proposed patch for 3.0.0-37 redhat package
See mailing list archive on https://www.redhat.com/archives/freeipa-users/2014-March/msg00045.html for detailed information.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/4234

Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/d6a7923f71eb69bac53d6ff904086a9abd103dbc
ipa-3-3: https://fedorahosted.org/freeipa/changeset/13cd4faf551d7781d27c36bef0e7cbf515e072d2

Verified.

Version :: ipa-server-3.3.3-25.el7.x86_64

Results ::

I was able to reproduce this one with 3.3.3-19:

```
[root@master tmp]# rpm -q ipa-server
ipa-server-3.3.3-19.el7.x86_64
[root@master ~]# mkdir /bz1073829
[root@master ~]# chcon -t samba_share_t /bz1073829
[root@master ~]# setfacl -m g:admins:rwx /bz1073829
[root@master ~]# net conf setparm 'share' 'comment' 'Trust test share'
[root@master ~]# net conf setparm 'share' 'read only' 'no'
[root@master ~]# net conf setparm 'share' 'path' '/bz1073829'
[root@master ~]# touch before
[root@master ~]# touch after
[root@master ~]# klist
klist: No credentials cache found (ticket cache KEYRING:persistent:0:0)
[root@master ~]# echo Secret123|kinit admin
Password for admin.TEST:
[root@master ~]# echo "put before" | smbclient -k //master.ipa1.example.test/share
lp_load_ex: changing to config backend registry
Domain=[IPA1] OS=[Unix] Server=[Samba 4.1.1]
putting file before as \before (0.0 kb/s) (average 0.0 kb/s)
[root@master ~]# net conf setparm share 'valid users' '@admins'
[root@master ~]# echo "put after" | smbclient -k //master.ipa1.example.test/share
lp_load_ex: changing to config backend registry
Domain=[IPA1] OS=[Unix] Server=[Samba 4.1.1]
tree connect failed: NT_STATUS_ACCESS_DENIED
```

---------------------------------

Fixed version after updating to 3.3.3-25 version:

```
[root@master ~]# yum update ipa-server -y
...
Updated:
  ipa-server.x86_64 0:3.3.3-25.el7

Dependency Updated:
  ipa-admintools.x86_64 0:3.3.3-25.el7
  ipa-client.x86_64 0:3.3.3-25.el7
  ipa-python.x86_64 0:3.3.3-25.el7
  ipa-server-trust-ad.x86_64 0:3.3.3-25.el7

Complete!
[root@master ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@master ~]# net conf delparm 'share' 'valid users'
[root@master ~]# net conf showshare share
[share]
	comment = Trust test share
	read only = no
	path = /bz1073829
[root@master ~]# echo "put before" | smbclient -k //master.ipa1.example.test/share
lp_load_ex: changing to config backend registry
Domain=[IPA1] OS=[Unix] Server=[Samba 4.1.1]
putting file before as \before (0.0 kb/s) (average 0.0 kb/s)
[root@master ~]# net conf setparm 'share' 'valid users' '@admins'
[root@master ~]# echo "put after" | smbclient -k //master.ipa1.example.test/share
lp_load_ex: changing to config backend registry
Domain=[IPA1] OS=[Unix] Server=[Samba 4.1.1]
putting file after as \after (0.0 kb/s) (average -nan kb/s)
```

So, now the valid users check for the admins group works.

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
Created attachment 871827 [details]
Log snippet for samba (I forget which log file it was from, I apologise)

Description of problem:

With ipa-server-trust-ad installed, ipa-adtrust-install --setsids run, and the sidgen task registered and run, users cannot connect to a share on the local samba server if it is locked to specific groups via "valid users", even if the user is a member of one of those groups.

Logs at level 10 show the following (see attached for full snippet):

```
[2014/03/06 15:32:55.659599, 10, pid=28139, effective(0, 0), real(0, 0)] ipa_sam.c:309(get_single_attribute)
  Attribute [uidNumber] not found.
[2014/03/06 15:32:55.659667,  1, pid=28139, effective(0, 0), real(0, 0)] ipa_sam.c:717(ldapsam_sid_to_id)
  Could not find uidNumber in cn=groupname,cn=groups,cn=accounts,dc=example,dc=com
```

Examining the code I found that ldapsam_sid_to_id was distinguishing between user and group by looking for the ipaNTGroupAttr objectClass and comparing case-sensitively. However, the sidgen task adds it as ipantgroupattr in lower case. Thus the objectClass is not found and it assumes the object to be a user and proceeds to look for uidNumber, hence the error. This results in the group missing from the user's security token list within samba, and thus access to the share is rejected.

A simple patch is required to ipa-sam to adjust the strncmp in ldapsam_sid_to_id to a strncasecmp. I've attached a patch for the master branch at git.fedorahosted.org (as of commit prefix 4048d41) and also a patch that I've applied to the ipa-3.0.0-37 package.

I'm aware that file sharing is not currently supported according to the documentation, but I had a strong need for this due to a mixture of Windows and Mac machines needing a central file server (thus samba) with single sign-on too. Existing was samba with local users.

Thanks and be proud of FreeIPA! It's awesome! Hopefully we can get support for the samba file server soon and maybe a separate package for the ipa-sam.so! :)

Version-Release number of selected component (if applicable):
3.0.0-37
Also current master has the same issue

How reproducible:
Always

Steps to Reproduce:
1. Install ipa-server-trust-ad and run ipa-adtrust-install --setsids, and then register and run the sidgen task. After that, create a share with "net conf setparm" with open access:
```
[Share]
path = /data
read only = no
```
2. Users from the IPA domain can connect successfully. Now add the following extra share config with "net conf setparm", where @groupname is a group that "user" is a member of:
```
valid users = @groupname
```
3. Attempt to connect to the samba share as "user"

Actual results:
Cannot connect - the error will be one that points to no access to the share

Expected results:
Connect successfully

Additional info:
Patches attached and log attached
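The objectClass comparison the report describes, as an added example in C that is not ipa-sam's own code: it classifies a constructed group entry, with objectClass values spelled the way the description says the sidgen task stores them, first with the case-sensitive compare and then with the strncasecmp replacement, and reports which id attribute the SID-to-id lookup would then search for. The entry contents, the function names and the GROUP_OBJECTCLASS constant are assumptions for illustration.

```c
/* Added example (not ipa-sam's code): classify an LDAP entry as user or
 * group from its objectClass values. Entry and names are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

#define GROUP_OBJECTCLASS "ipaNTGroupAttr"  /* spelling compared against */

/* Buggy check from the report: strncmp is case-sensitive, so the value
 * "ipantgroupattr" written by the sidgen task never matches. Comparing
 * strlen()+1 bytes includes the terminator, so a longer value cannot
 * match as a mere prefix either. */
bool is_group_case_sensitive(const char *const *classes, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(classes[i], GROUP_OBJECTCLASS, strlen(GROUP_OBJECTCLASS) + 1) == 0)
            return true;
    return false;
}

/* Fixed check: the directory matches objectClass values case-insensitively,
 * so the comparison must too (strncasecmp, as the attached patch does). */
bool is_group_case_insensitive(const char *const *classes, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strncasecmp(classes[i], GROUP_OBJECTCLASS, strlen(GROUP_OBJECTCLASS) + 1) == 0)
            return true;
    return false;
}

/* Constructed objectClass list of a POSIX group after the sidgen task ran. */
const char *const constructed_group_entry[] = {
    "top", "groupofnames", "nestedgroup", "ipausergroup", "ipaobject",
    "posixgroup", "ipantgroupattr",
};
const size_t constructed_group_entry_len =
    sizeof constructed_group_entry / sizeof constructed_group_entry[0];

/* Which id attribute the SID-to-id lookup would search for: a group that is
 * misclassified as a user is looked up by uidNumber, which groups lack. */
const char *lookup_attribute_for_constructed_group(bool use_fixed_check)
{
    bool is_group = use_fixed_check
        ? is_group_case_insensitive(constructed_group_entry, constructed_group_entry_len)
        : is_group_case_sensitive(constructed_group_entry, constructed_group_entry_len);
    return is_group ? "gidNumber" : "uidNumber";
}
```

With the buggy check the constructed group is looked up by uidNumber, which reproduces the "Could not find uidNumber" log line; with the fixed check it is looked up by gidNumber.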