Bug 1657665

Summary: Error accessing files on samba share randomly
Product: Red Hat Enterprise Linux 8
Reporter: Niranjan Mallapadi Raghavender <mniranja>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: sssd-qe <sssd-qe>
Severity: medium
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified
Version: 8.0
CC: asn, gdeschner, grajaiya, igkioka, jarrpa, jhrozek, jstephen, lmanasko, lslebodn, mniranja, mzidek, pasik, pbrezina, sbose, sgoveas, tscherf
Target Milestone: rc
Target Release: 8.0
Hardware: x86_64
OS: Linux
Fixed In Version: sssd-2.2.0-1.el8
Doc Type: Bug Fix
Doc Text:
.Samba no longer denies access when using the `sss` ID mapping plug-in
Previously, when you ran Samba on the domain member with this configuration and added a configuration that used the `sss` ID mapping back end to the `/etc/samba/smb.conf` file to share directories, changes in the ID mapping back end caused errors. Consequently, Samba denied access to files in certain cases, even if the user or group existed and it was known by SSSD. The problem has been fixed. As a result, Samba no longer denies access when using the `sss` plug-in.
Clones: 1707759
Last Closed: 2019-11-05 22:33:53 UTC
Type: Bug
Bug Blocks: 1707759
Attachments:
- samba logs when pgroup1 is accessed by foobar1 user
- samba logs when pgroup2 is accessed by foobar2 user
- samba logs when foobar2 accesses pgroup2 directory using smbclient

Description Niranjan Mallapadi Raghavender 2018-12-10 09:03:37 UTC
Description of problem:

On RHEL8, accessing files on a Samba share using CIFS fails randomly.

Version-Release number of selected component (if applicable):
samba-4.9.1-5.el8.x86_64
sssd-ldap-2.0.0-23.el8.x86_64
sssd-ipa-2.0.0-23.el8.x86_64
libsss_idmap-2.0.0-23.el8.x86_64
libsss_sudo-2.0.0-23.el8.x86_64
sssd-client-2.0.0-23.el8.x86_64
sssd-nfs-idmap-2.0.0-23.el8.x86_64
sssd-kcm-2.0.0-23.el8.x86_64
libsss_nss_idmap-2.0.0-23.el8.x86_64
libsss_certmap-2.0.0-23.el8.x86_64
sssd-winbind-idmap-2.0.0-23.el8.x86_64
sssd-common-pac-2.0.0-23.el8.x86_64
sssd-krb5-2.0.0-23.el8.x86_64
sssd-proxy-2.0.0-23.el8.x86_64
sssd-2.0.0-23.el8.x86_64
libsss_simpleifp-2.0.0-23.el8.x86_64
sssd-krb5-common-2.0.0-23.el8.x86_64
python3-sssdconfig-2.0.0-23.el8.noarch
sssd-ad-2.0.0-23.el8.x86_64
python3-libsss_nss_idmap-2.0.0-23.el8.x86_64
sssd-dbus-2.0.0-23.el8.x86_64
sssd-common-2.0.0-23.el8.x86_64
libsss_autofs-2.0.0-23.el8.x86_64
kernel-4.18.0-49.el8.x86_64
cifs-utils-6.8-2.el8.x86_64

uname -a:

Linux ibm-x3650m4-01.juno.test 4.18.0-49.el8.x86_64 #1 SMP Tue Dec 4 10:53:54 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux




Steps to Reproduce:

[Samba Server] 

[Note in this reproducer samba server and client are same]

1. Join RHEL8 system to AD Domain (2012r2 for example)

$ realm join -v JUNO.TEST --membership-software=samba

2. Configure smb.conf as below:

[global]
security = ads
workgroup = JUNO
realm = JUNO.TEST
kerberos method = system keytab
password server = winsrv1.juno.test
client use spnego = yes
netbios name = ibm-x3650m4-01
log file = /var/log/samba/log.%m
max log size = 500
log level = 10
idmap config JUNO : backend        = sss
idmap config JUNO : range          = 200000-2147483647
idmap config * : backend = tdb
idmap config * : range = 100000-199999

[share1]
path = /mnt/samba/share1
comment = test share1
writable = yes
printable = no

3. Restart the smb and winbind services

systemctl start smb
systemctl start winbind

4. Create 2 users, foobar1 and foobar2, and 2 groups, foobargroup1 and foobargroup2.

5. Add user foobar1 as a member of group foobargroup1

6. Add user foobar2 as a member of group foobargroup2

7. Create directory /mnt/samba/share1 with the permissions below
[root@ibm-x3650m4-01 ~]# ls -ld /mnt/samba/share1/
drwxrws---. 5 root domain users 51 Dec  6 06:07 /mnt/samba/share1/

8. Set 2770 permission on share1 Directory with selinux context samba_share_t
[root@ibm-x3650m4-01 ~]# ls -ldZ /mnt/samba/share1/
drwxrws---. 5 root domain users unconfined_u:object_r:samba_share_t:s0 51 Dec  6 06:07 /mnt/samba/share1

[root@ibm-x3650m4-01 ~]# ls -lZ /mnt/samba/share1/
total 0
drwxrws---. 2 root foobargroup1 unconfined_u:object_r:samba_share_t:s0 6 Dec  7 07:23 pgroup1
drwxrws---. 2 root foobargroup2 unconfined_u:object_r:samba_share_t:s0 6 Dec  6 06:07 pgroup2
drwxrws---. 2 root foobargroup3 unconfined_u:object_r:samba_share_t:s0 6 Dec  6 06:07 pgroup3

9. Create 2 directories, pgroup1 and pgroup2, under /mnt/samba/share1 such that group foobargroup1 has write permission on the pgroup1 directory and group foobargroup2 has write permission on the pgroup2 directory.


[samba-client]

10. Login as foobar1 user 
echo "Secret123" | kinit foobar1

11. Mount the share in /abc directory

mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar1 //IBM-X3650M4-01/share1 /abc

12. Access the share

ls -l /abc/pgroup1

13. Unmount the share
umount /abc

14. Clear Kerberos credentials
kdestroy -A

15. Login as foobar2 user
echo "Secret123" | kinit foobar2

16. Mount the share share1 
mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar2 //IBM-X3650M4-01/share1 /abc

17. Access the pgroup2 directory
ls: reading directory '/abc/pgroup2': Permission denied

18. Unmount the share. 
umount /abc

kdestroy -A

Actual results:

Accessing /abc/pgroup2 directory as user foobar2 fails randomly. 



Expected results:


Additional info:

Comment 1 Niranjan Mallapadi Raghavender 2018-12-10 09:07:26 UTC
Below is the output where the user foobar2 is successful in accessing the pgroup2 share but doing the same operation fails.

echo "Secret123" | kinit foobar1
mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar1 //IBM-X3650M4-01/share1 /abc
ls -l /abc/pgroup1
umount /abc
kdestroy -A
echo "Secret123" | kinit foobar2
mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar2 //IBM-X3650M4-01/share1 /abc
ls -l /abc/pgroup2
umount /abc
kdestroy -A

[root@ibm-x3650m4-01 ~]# sh -x a.sh
+ echo Secret123
+ kinit foobar1
Password for foobar1:
+ mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar1 //IBM-X3650M4-01/share1 /abc
+ ls -l /abc/pgroup1
total 0
+ umount /abc
+ kdestroy -A
+ kinit foobar2
+ echo Secret123
Password for foobar2:
+ mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar2 //IBM-X3650M4-01/share1 /abc
+ ls -l /abc/pgroup2
ls: reading directory '/abc/pgroup2': Permission denied
total 0
+ umount /abc
+ kdestroy -A

Comment 2 Niranjan Mallapadi Raghavender 2018-12-10 09:11:10 UTC
Created attachment 1512967 [details]
samba logs when pgroup1 is accessed by foobar1 user

Comment 3 Niranjan Mallapadi Raghavender 2018-12-10 09:13:57 UTC
Created attachment 1512970 [details]
samba logs when pgroup2 is accessed by foobar2 user

Comment 4 Niranjan Mallapadi Raghavender 2018-12-10 09:17:54 UTC
Going through the Samba logs, I see that when it tries to access the pgroup2 share and fails, it adds * to the directory path

<snip>
  change_to_user_internal: Skipping user change - already user
[2018/12/10 02:42:34.466021,  3, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/trans2.c:2667(call_trans2findfirst)
  call_trans2findfirst: dirtype = 17, maxentries = 150, close_after_first=0, close_if_end = 1 requires_resume_key = 1 backup_priv = 0 level = 0x202, max_data_bytes = 16384
[2018/12/10 02:42:34.466077,  5, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/filename.c:461(unix_convert)
  unix_convert called on file "pgroup2/*"
[2018/12/10 02:42:34.466105,  5, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/filename.c:662(unix_convert)
  unix_convert begin: name = pgroup2/*, dirpath = , start = pgroup2/*
[2018/12/10 02:42:34.466141,  5, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/statcache.c:144(stat_cache_add)
  stat_cache_add: Added entry (56049a678630:size 7) pgroup2 -> pgroup2
[2018/12/10 02:42:34.466179,  4, pid=7131, effective(842004661, 842000513), real(842004661, 0), class=vfs] ../source3/smbd/vfs.c:805(vfs_ChDir)
  vfs_ChDir to pgroup2
[2018/12/10 02:42:34.466204,  3, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/filename.c:1382(get_real_filename_full_scan)
  scan dir didn't open dir [pgroup2]
[2018/12/10 02:42:34.466225, 10, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/filename.c:1209(unix_convert)
  dirpath = [pgroup2] start = [*]
[2018/12/10 02:42:34.466254, 10, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/filename.c:1629(filename_convert_internal)
  filename_convert_internal: unix_convert failed for name pgroup2/* with NT_STATUS_ACCESS_DENIED
[2018/12/10 02:42:34.466278,  3, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/trans2.c(2750) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
[2018/12/10 02:42:34.466300,  5, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/lib/util.c:184(show_msg)
[2018/12/10 02:42:34.466315,  5, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/lib/util.c:194(show_msg)
</snip>

Whereas when the user foobar1 tries to access the pgroup1 directory, Samba doesn't add * to the path.

<snip>
  conversion of base_name finished pgroup1 -> pgroup1
[2018/12/10 02:36:14.858905, 10, pid=6583, effective(842004482, 842000513), real(842004482, 0), class=vfs] ../source3/smbd/vfs.c:1196(check_reduced_name)
  check_reduced_name: check_reduced_name [pgroup1] [/mnt/samba/share1]
[2018/12/10 02:36:14.858947, 10, pid=6583, effective(842004482, 842000513), real(842004482, 0), class=vfs] ../source3/smbd/vfs.c:1260(check_reduced_name)
  check_reduced_name realpath [pgroup1] -> [/mnt/samba/share1/pgroup1]
[2018/12/10 02:36:14.858972,  5, pid=6583, effective(842004482, 842000513), real(842004482, 0), class=vfs] ../source3/smbd/vfs.c:1371(check_reduced_name)
  check_reduced_name: pgroup1 reduced to /mnt/samba/share1/pgroup1
[2018/12/10 02:36:14.859002, 10, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/smbd/files.c:754(file_name_hash)
  file_name_hash: /mnt/samba/share1/pgroup1 hash 0x3c280b28
[2018/12/10 02:36:14.859031,  3, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/smbd/trans2.c:5972(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo pgroup1 (fnum [fsp is NULL]) level=516 call=5 total_data=0
[2018/12/10 02:36:14.859109,  5, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/smbd/trans2.c:4877(smbd_do_qfilepathinfo)
  smbd_do_qfilepathinfo: pgroup1 (fnum [fsp is NULL]) level=516 max_data=4000
[2018/12/10 02:36:14.859139,  8, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/smbd/dosmode.c:667(dos_mode)
  dos_mode: pgroup1
[2018/12/10 02:36:14.859169,  5, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/smbd/dosmode.c:323(get_ea_dos_attribute)
  get_ea_dos_attribute: Cannot get attribute from EA on file pgroup1: Error = No data available
[2018/12/10 02:36:14.859200,  5, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/smbd/dosmode.c:70(dos_mode_debug_print)
  dos_mode_debug_print: dos_mode returning (0x10): "d"
[2018/12/10 02:36:14.859265,  9, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/smbd/trans2.c:1148(send_trans2_replies)
  t2_rep: params_sent_thistime = 2, data_sent_thistime = 36, useable_space = 16406
[2018/12/10 02:36:14.859292,  9, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/smbd/trans2.c:1150(send_trans2_replies)
  t2_rep: params_to_send = 2, data_to_send = 36, paramsize = 2, datasize = 36
[2018/12/10 02:36:14.859317,  5, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/lib/util.c:184(show_msg)
[2018/12/10 02:36:14.859334,  5, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/lib/util.c:194(show_msg)
</snip>
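An added triage helper (example code, not part of this bug report, Samba or SSSD) that parses smbd debug headers of the form quoted above and reports, per smbd worker pid, the effective uid/gid and any name lookups refused with NT_STATUS_ACCESS_DENIED. The sample lines are constructed from the excerpts in this comment, and the header layout is assumed from them.

```python
"""Triage smbd level-10 debug output for refused path lookups.

Assumes the smbd header layout seen in the log excerpts:
[timestamp, level, pid=N, effective(uid, gid), real(uid, gid)[, class=X]] file:line(func)
followed by an indented message line.
"""
import re

HEADER_RE = re.compile(
    r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+),\s*pid=(?P<pid>\d+),\s*"
    r"effective\((?P<euid>\d+),\s*(?P<egid>\d+)\),\s*"
    r"real\((?P<ruid>\d+),\s*(?P<rgid>\d+)\)"
    r"(?:,\s*class=\w+)?\]\s*(?P<src>\S+)\((?P<func>\w+)\)\s*$"
)
# The message smbd logs when resolving a name inside the share is refused.
DENIED_RE = re.compile(
    r"unix_convert failed for name (?P<name>\S+) with NT_STATUS_ACCESS_DENIED"
)

# Constructed sample: a refused listing by foobar2 (pid 7131) and a successful
# lookup by foobar1 (pid 6583), modelled on the excerpts in this comment.
SAMPLE_LOG = """\
[2018/12/10 02:42:34.466077,  5, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/filename.c:461(unix_convert)
  unix_convert called on file "pgroup2/*"
[2018/12/10 02:42:34.466204,  3, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/filename.c:1382(get_real_filename_full_scan)
  scan dir didn't open dir [pgroup2]
[2018/12/10 02:42:34.466254, 10, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/filename.c:1629(filename_convert_internal)
  filename_convert_internal: unix_convert failed for name pgroup2/* with NT_STATUS_ACCESS_DENIED
[2018/12/10 02:36:14.858972,  5, pid=6583, effective(842004482, 842000513), real(842004482, 0), class=vfs] ../source3/smbd/vfs.c:1371(check_reduced_name)
  check_reduced_name: pgroup1 reduced to /mnt/samba/share1/pgroup1
"""


def parse_smbd_log(lines):
    """Yield (header, message) pairs; the message is the indented line after a header."""
    header = None
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
        elif header is not None and line.startswith("  "):
            yield header, line.strip()
            header = None


def summarize(lines):
    """Per smbd worker pid: the identity it runs as and every refused name."""
    report = {}
    for hdr, msg in parse_smbd_log(lines):
        entry = report.setdefault(int(hdr["pid"]), {
            "euid": int(hdr["euid"]), "egid": int(hdr["egid"]), "denied": []})
        d = DENIED_RE.search(msg)
        if d:
            entry["denied"].append(d["name"])
    return report


def denied_dirs(lines):
    """Sorted share-relative directories whose listing was refused ('pgroup2/*' -> 'pgroup2')."""
    dirs = set()
    for entry in summarize(lines).values():
        for name in entry["denied"]:
            dirs.add(name[:-2] if name.endswith("/*") else name)
    return sorted(dirs)


if __name__ == "__main__":
    for pid, e in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        state = "DENIED %s" % ", ".join(e["denied"]) if e["denied"] else "ok"
        print("pid=%d euid=%d egid=%d %s" % (pid, e["euid"], e["egid"], state))
    # The header only carries the effective primary gid, so for a denied worker
    # compare the user's supplementary groups (e.g. `id` on the server) with the
    # owning group of the refused directory.
```

On the sample this reports pid 7131 as DENIED pgroup2/* and pid 6583 as ok; on a real log, feed it `open('/var/log/samba/log.<client>')`.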

Comment 5 Niranjan Mallapadi Raghavender 2018-12-10 09:20:21 UTC
I have tried changing the order of starting the services, with not much difference: with sssd as the first service to start (due to realm join), interchanging the order between smb and winbind doesn't change the outcome.

Comment 7 Niranjan Mallapadi Raghavender 2018-12-10 17:44:18 UTC
Forgot to add the version of Samba used in the initial comment. Below is the Samba version.

samba-common-tools-4.9.1-5.el8.x86_64
samba-winbind-clients-4.9.1-5.el8.x86_64
samba-client-libs-4.9.1-5.el8.x86_64
samba-common-libs-4.9.1-5.el8.x86_64
samba-winbind-modules-4.9.1-5.el8.x86_64
samba-client-4.9.1-5.el8.x86_64
samba-4.9.1-5.el8.x86_64
samba-common-4.9.1-5.el8.noarch
samba-libs-4.9.1-5.el8.x86_64
samba-winbind-4.9.1-5.el8.x86_64

Comment 9 Niranjan Mallapadi Raghavender 2018-12-11 07:37:10 UTC
The issue is reproducible (randomly) even with smbclient

[root@ibm-x3650m4-01 ~]# sh -x a.sh 

### Login as foobar1 User and access /abc/pgroup1 to which foobar1 user has permissions 
+ echo Secret123
+ kinit foobar1
Password for foobar1: 
+ mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar1 //IBM-X3650M4-01/share1 /abc
+ ls -l /abc/pgroup1
total 0 <===============================Success
+ umount /abc
+ kdestroy -A

# Login as foobar2 user and access /abc/pgroup2 to which foobar2 has permissions to write
+ kinit foobar2
+ echo Secret123
Password for foobar2: 
+ mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar2 //IBM-X3650M4-01/share1 /abc
+ ls -l /abc/pgroup2
ls: reading directory '/abc/pgroup2': Permission denied <===============Failure
total 0
+ umount /abc
+ kdestroy -A

# Login as foobar2 user and access pgroup2 directory using smbclient

[root@ibm-x3650m4-01 ~]# kinit foobar2
Password for foobar2: 
(reverse-i-search)`': ^C
[root@ibm-x3650m4-01 ~]# smbclient -k //IBM-X3650M4-01/share1
Try "help" to get a list of possible commands.
smb: \> cd pgroup2
smb: \pgroup2\> ls
NT_STATUS_ACCESS_DENIED listing \pgroup2\*
smb: \pgroup2\> ls
NT_STATUS_ACCESS_DENIED listing \pgroup2\*
smb: \pgroup2\> ls
NT_STATUS_ACCESS_DENIED listing \pgroup2\*
smb: \pgroup2\>

Comment 10 Niranjan Mallapadi Raghavender 2018-12-11 07:45:02 UTC
Created attachment 1513277 [details]
samba logs when foobar2 access pgroup2 directory using smbclient

Comment 15 Niranjan Mallapadi Raghavender 2018-12-12 13:34:27 UTC
Cannot reproduce the issue with the winbind setup. Below are the steps:

1. Join the system using winbind 

[root@vm-idm-033 ~]# realm join --client-software=winbind JUNO.TEST -v
 * Resolving: _ldap._tcp.juno.test
 * Performing LDAP DSE lookup on: 10.65.223.136
 * Successfully discovered: juno.test
 * Required files: /usr/libexec/oddjob/mkhomedir, /usr/sbin/oddjobd, /usr/bin/wbinfo, /usr/sbin/winbindd, /usr/bin/net
 * LANG=C LOGNAME=root KRB5CCNAME=/var/cache/realmd/realm-ad-kerberos-U9AEUZ /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.WYAEUZ -k ads join juno.test
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_ACCESS_DENIED)

 ! Insufficient permissions to join the domain juno.test
Password for Administrator: 
 * Required files: /usr/libexec/oddjob/mkhomedir, /usr/sbin/oddjobd, /usr/bin/wbinfo, /usr/sbin/winbindd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.BOQ9TZ -U Administrator ads join juno.test
Enter Administrator's password:DNS update failed: NT_STATUS_UNSUCCESSFUL

Using short domain name -- JUNO
Joined 'VM-IDM-033' to dns domain 'juno.test'
DNS Update for vm-idm-033.lab.eng.pnq.redhat.com failed: ERROR_DNS_GSS_ERROR
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.BOQ9TZ -U Administrator ads keytab create
Enter Administrator's password:
 * /usr/bin/systemctl enable winbind.service
Created symlink /etc/systemd/system/multi-user.target.wants/winbind.service → /usr/lib/systemd/system/winbind.service.
 * /usr/bin/systemctl restart winbind.service
 * /usr/bin/sh -c /usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Backup stored at /var/lib/authselect/backups/2018-12-12-13-02-53.5m7IaQ
Profile "winbind" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group

Make sure that winbind service is configured and enabled. See winbind documentation for more information.
 
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service
 * Successfully enrolled machine in realm


2. Verify winbind is used in user and group lookup

[root@vm-idm-033 ~]# cat /etc/nsswitch.conf | grep winbind
passwd:     files winbind systemd
group:      files winbind systemd


[root@vm-idm-033 samba]# getent passwd JUNO\\Administrator
JUNO\administrator:*:2000500:2000513::/home/administrator@JUNO:/bin/bash
[root@vm-idm-033 samba]# getent passwd JUNO\\foobar1
JUNO\foobar1:*:2004482:2000513::/home/foobar1@JUNO:/bin/bash
[root@vm-idm-033 samba]# getent passwd JUNO\\foobar2
JUNO\foobar2:*:2004661:2000513::/home/foobar2@JUNO:/bin/bash
[root@vm-idm-033 samba]# getent group JUNO\\"Domain Users"
JUNO\domain users:x:2000513:
[root@vm-idm-033 samba]# getent group JUNO\\"foobargroup1"
JUNO\foobargroup1:x:2013563:
[root@vm-idm-033 samba]# getent group JUNO\\"foobargroup2"
JUNO\foobargroup2:x:2013564:

3. List all Domains

[root@vm-idm-033 ~]# wbinfo --all-domains
BUILTIN
VM-IDM-033
JUNO
JUPITER

4. Create a samba share1 

[root@vm-idm-033 ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[share1]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        kerberos method = system keytab
        realm = JUNO.TEST
        security = ADS
        template homedir = /home/%U@%D
        template shell = /bin/bash
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        workgroup = JUNO
        idmap config * : range = 10000-999999
        idmap config juno : schema_mode = rfc2307
        idmap config juno : backend = ad
        idmap config juno : range = 2000000-2999999
        idmap config * : backend = tdb


[share1]
        comment = test share1
        path = /mnt/samba/share1
        read only = No

5. Do kinit as user foobar1 and verify that share1 can be accessed using smbclient

[root@vm-idm-033 ~]# smbclient -k -L //VM-IDM-033 

        Sharename       Type      Comment
        ---------       ----      -------
        share1          Disk      test share1
        IPC$            IPC       IPC Service (Samba 4.9.1)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

[root@vm-idm-033 ~]# klist
Ticket cache: KCM:0
Default principal: foobar1

Valid starting       Expires              Service principal
12/12/2018 18:46:37  12/13/2018 04:46:37  krbtgt/JUNO.TEST
        renew until 12/19/2018 18:46:37
12/12/2018 18:51:29  12/13/2018 04:46:37  cifs/VM-IDM-033
        renew until 12/19/2018 18:46:37
[root@vm-idm-033 ~]# 

[root@vm-idm-033 ~]# smbclient -k  //VM-IDM-033/share1
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Dec 12 18:00:47 2018
  ..                                  D        0  Wed Dec 12 18:00:08 2018
  pgroup1                             D        0  Wed Dec 12 18:00:44 2018
  pgroup2                             D        0  Wed Dec 12 18:00:47 2018

                38700584 blocks of size 1024. 36448588 blocks available
smb: \> cd pgroup1
smb: \pgroup1\> ls
  .                                   D        0  Wed Dec 12 18:00:44 2018
  ..                                  D        0  Wed Dec 12 18:00:47 2018

                38700584 blocks of size 1024. 36448588 blocks available


6. Do kinit as user foobar2 and verify that share1 can be accessed using smbclient

[root@vm-idm-033 ~]# echo "Secret123" | kinit foobar2
Password for foobar2: 
[root@vm-idm-033 ~]# klist
Ticket cache: KCM:0
Default principal: foobar2

Valid starting       Expires              Service principal
12/12/2018 18:53:08  12/13/2018 04:53:08  krbtgt/JUNO.TEST
        renew until 12/19/2018 18:53:08

[root@vm-idm-033 ~]# smbclient -k  //VM-IDM-033/share1
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Dec 12 18:00:47 2018
  ..                                  D        0  Wed Dec 12 18:00:08 2018
  pgroup1                             D        0  Wed Dec 12 18:00:44 2018
  pgroup2                             D        0  Wed Dec 12 18:00:47 2018

                38700584 blocks of size 1024. 36448580 blocks available
smb: \> cd pgroup2
smb: \pgroup2\> ls
  .                                   D        0  Wed Dec 12 18:00:47 2018
  ..                                  D        0  Wed Dec 12 18:00:47 2018

                38700584 blocks of size 1024. 36448580 blocks available

Access the pgroup1 and pgroup2 folders in share1 using CIFS as foobar1 and foobar2

[root@vm-idm-033 ~]# sh -x a.sh 
+ echo Secret123
+ kinit foobar1
Password for foobar1: 
+ mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar1 //VM-IDM-033/share1 /abc
+ ls -l /abc/pgroup1
total 0
+ umount /abc
+ kdestroy -A
+ kinit foobar2
+ echo Secret123
Password for foobar2: 
+ mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar2 //VM-IDM-033/share1 /abc
+ ls -l /abc/pgroup2
total 0
+ umount /abc
+ kdestroy -A
[root@vm-idm-033 ~]# sh -x a.sh 
+ kinit foobar1
+ echo Secret123
Password for foobar1: 
+ mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar1 //VM-IDM-033/share1 /abc
+ ls -l /abc/pgroup1
total 0
+ umount /abc
+ kdestroy -A
+ echo Secret123
+ kinit foobar2
Password for foobar2: 
+ mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar2 //VM-IDM-033/share1 /abc
+ ls -l /abc/pgroup2
total 0
+ umount /abc
+ kdestroy -A

Comment 16 Niranjan Mallapadi Raghavender 2019-01-10 17:56:32 UTC
Any update on this bz? Any timeline on when the bug will be fixed?

Comment 26 Sumit Bose 2019-05-08 14:37:36 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/4005

Comment 27 Jakub Hrozek 2019-05-15 19:59:51 UTC
    master: 30734e5
    sssd-1-16: e673478

Comment 37 Niranjan Mallapadi Raghavender 2019-08-05 11:19:26 UTC
Version:
=========
samba-client-libs-4.10.4-1.el8.x86_64
samba-common-tools-4.10.4-1.el8.x86_64
samba-winbind-4.10.4-1.el8.x86_64
samba-common-4.10.4-1.el8.noarch
samba-common-libs-4.10.4-1.el8.x86_64
samba-libs-4.10.4-1.el8.x86_64
samba-client-4.10.4-1.el8.x86_64
samba-winbind-modules-4.10.4-1.el8.x86_64
samba-4.10.4-1.el8.x86_64
samba-winbind-clients-4.10.4-1.el8.x86_64
sssd-libwbclient-2.2.0-5.el8.x86_64
sssd-common-2.2.0-5.el8.x86_64
sssd-ad-2.2.0-5.el8.x86_64
sssd-client-2.2.0-5.el8.x86_64
sssd-winbind-idmap-2.2.0-5.el8.x86_64
sssd-krb5-common-2.2.0-5.el8.x86_64
sssd-dbus-2.2.0-5.el8.x86_64
sssd-ipa-2.2.0-5.el8.x86_64
sssd-ldap-2.2.0-5.el8.x86_64
sssd-proxy-2.2.0-5.el8.x86_64
sssd-tools-2.2.0-5.el8.x86_64
sssd-kcm-2.2.0-5.el8.x86_64
sssd-nfs-idmap-2.2.0-5.el8.x86_64
sssd-common-pac-2.2.0-5.el8.x86_64
sssd-krb5-2.2.0-5.el8.x86_64
sssd-2.2.0-5.el8.x86_64
python3-sssdconfig-2.2.0-5.el8.noarch


1. Join Host to Windows AD using realm using samba as membership software
echo "Secret123" | realm join -v CYGNUS.TEST --membership-software=samba

2. Configure smb.conf as shown below:
[global]
security = ads
workgroup = CYGNUS
realm = CYGNUS.TEST
kerberos method = system keytab
client use spnego = yes
netbios name = ci-vm-10-0-145-
log file = /var/log/samba/log.%m
max log size = 500
log level = 10
idmap config CYGNUS : backend        = sss
idmap config CYGNUS : range          = 200000-2147483647
idmap config * : backend = tdb
idmap config * : range = 100000-199999

[share1]
path = /mnt/samba/share1
comment = test share1
writable = yes
printable = no


3. Create 2 directories, pgroup1 and pgroup2, under /mnt/samba/share1

4. Create 2 groups, foobargroup1 and foobargroup2, in Windows AD

5. Create 2 users, foobar1 and foobar2, and make them members of foobargroup1 and foobargroup2 respectively

6. Set permissions of pgroup1 (/mnt/samba/share1/pgroup1) so that only members of foobargroup1 can access it
7. Set permissions of pgroup2 (/mnt/samba/share1/pgroup2) so that only members of foobargroup2 can access it

[root@ci-vm-10-0-145-198 ~]# ls -ldZ /mnt/samba/share1
drwxrws---. 4 root domain users unconfined_u:object_r:samba_share_t:s0 36 Aug  5 02:43 /mnt/samba/share1

[root@ci-vm-10-0-145-198 ~]# ls -lZ /mnt/samba/share1
total 0
drwxrwx---. 2 root foobargroup1 unconfined_u:object_r:samba_share_t:s0 6 Aug  5 02:43 pgroup1
drwxrwx---. 2 root foobargroup2 unconfined_u:object_r:samba_share_t:s0 6 Aug  5 02:43 pgroup2


8. Create a script as shown below which logs in as users foobar1 and foobar2 and accesses the share:

[root@ci-vm-10-0-145-198 ~]# cat smbtest.sh 
echo "Secret123" | kinit foobar1
mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar1 //ci-vm-10-0-145-/share1 /abc
ls -l /abc/pgroup1
umount /abc
kdestroy -A
echo "Secret123" | kinit foobar2
mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar2 //ci-vm-10-0-145-/share1 /abc
ls -l /abc/pgroup2
umount /abc
kdestroy -A


9. Run the above script; no permission denied errors should be noticed when trying to access the shares
[root@ci-vm-10-0-145-198 ~]# sh -x ./smbtest.sh 
+ echo Secret123
+ kinit foobar1
Password for foobar1: 
+ mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar1 //ci-vm-10-0-145-/share1 /abc
+ ls -l /abc/pgroup1
total 0
+ umount /abc
+ kdestroy -A
+ kinit foobar2
+ echo Secret123
Password for foobar2: 
+ mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar2 //ci-vm-10-0-145-/share1 /abc
+ ls -l /abc/pgroup2
total 0
+ umount /abc
+ kdestroy -A


10. Run the script multiple times; no permission denied errors were noticed.

Comment 39 errata-xmlrpc 2019-11-05 22:33:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3651