Bug 1073829 - with ipa-adtrust-install, smb server valid users = @groupname fails due to ipa-sam failure to translate group SID into gid
Summary: with ipa-adtrust-install, smb server valid users = @groupname fails due to ipa-sam failure to translate group SID into gid
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 1073810
Reported: 2014-03-07 10:07 UTC by Jason Woods
Modified: 2014-06-18 00:14 UTC

Fixed In Version: ipa-3.3.3-22.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 09:59:39 UTC
Target Upstream Version:
Embargoed:


Attachments
Log snippet for samba (I forget which log file it was from, I apologise) (1.73 KB, text/plain), 2014-03-07 10:07 UTC, Jason Woods
Proposed patch for freeipa master branch (466 bytes, patch), 2014-03-07 10:08 UTC, Jason Woods
Proposed patch for 3.0.0-37 redhat package (381 bytes, patch), 2014-03-07 10:08 UTC, Jason Woods

Description Jason Woods 2014-03-07 10:07:05 UTC
Created attachment 871827 [details]
Log snippet for samba (I forget which log file it was from, I apologise)

Description of problem:
With ipa-server-trust-ad installed, ipa-adtrust-install --setsids run, and the sidgen task registered and run, users cannot connect to a share in the local samba server if it is locked to specific groups via "valid users", even if the user is a member of one of those groups.

Logs at level 10 show the following: (see attached for full snippet)
[2014/03/06 15:32:55.659599, 10, pid=28139, effective(0, 0), real(0, 0)] ipa_sam.c:309(get_single_attribute)
Attribute [uidNumber] not found.
[2014/03/06 15:32:55.659667,  1, pid=28139, effective(0, 0), real(0, 0)] ipa_sam.c:717(ldapsam_sid_to_id)
Could not find uidNumber in cn=groupname,cn=groups,cn=accounts,dc=example,dc=com

Examining the code, I found that ldapsam_sid_to_id was distinguishing between user and group by looking for the ipaNTGroupAttr objectClass and comparing case-sensitively. However, the sidgen task adds it as ipantgroupattr, in lower case. Thus the objectClass is not found, and it assumes the object to be a user and proceeds to look for uidNumber - thus the error. This results in the group missing from the user's security token list within samba, and thus access to the share is rejected.

A simple patch is required to ipa-sam to adjust the strncmp in ldapsam_sid_to_id to a strncasecmp. I've attached a patch for the master branch at git.fedorahosted.org (as of commit prefix 4048d41) and also a patch that I've applied to the ipa-3.0.0-37 package.

I'm aware that file sharing is not currently supported according to the documentation - but I had a strong need for this due to a mixture of Windows and Mac machines needing a central file server (thus samba) with single sign-on too. The existing setup was samba with local users.

Thanks and be proud of FreeIPA! It's awesome! Hopefully we can get support for the samba file server soon and maybe a separate package for the ipa-sam.so! :)

Version-Release number of selected component (if applicable):
3.0.0-37
Also current master has same issue

How reproducible:
Always

Steps to Reproduce:
1. Install ipa-server-trust-ad and run ipa-adtrust-install --setsids, and then register to run the sidgen task.
After that, create a share with "net conf setparm" with open access:

[Share]
path = /data
read only = no

2. Users from the IPA domain can connect successfully. Now add the following extra share config with "net conf setparm", where @groupname is a group that "user" is a member of:

valid users = @groupname

3. Attempt to connect to the samba share as "user"

Actual results:
Cannot connect - error will be one that points to no access to the share

Expected results:
Connect successfully

Additional info:
Patches attached and log attached
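An added illustration of the failure mode described above (not ipa-sam's own code, and not the attached patch): LDAP matches objectClass values case-insensitively, so an entry whose objectClass was written as "ipantgroupattr" is a perfectly valid group, and a byte-exact compare misclassifies it as a user and reads uidNumber instead of gidNumber. The objectClass list for the sample group entry is constructed for the example; `LDAP_OBJ_GROUPMAP`, `is_group_*` and `id_attribute_for_entry` are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* objectClass that marks an IPA group entry (the one named in the report). */
#define LDAP_OBJ_GROUPMAP "ipaNTGroupAttr"

/* Buggy classification: byte-exact compare, as the report describes.
 * sidgen stores the value as "ipantgroupattr", so this never matches it. */
bool is_group_case_sensitive(const char *const *ocs, size_t n)
{
    size_t len = strlen(LDAP_OBJ_GROUPMAP);
    for (size_t i = 0; i < n; i++)
        if (strlen(ocs[i]) == len && strncmp(ocs[i], LDAP_OBJ_GROUPMAP, len) == 0)
            return true;
    return false;
}

/* Fixed classification: objectClass values are case-insensitive in LDAP,
 * so compare with strncasecmp (the change the report proposes). */
bool is_group_case_insensitive(const char *const *ocs, size_t n)
{
    size_t len = strlen(LDAP_OBJ_GROUPMAP);
    for (size_t i = 0; i < n; i++)
        if (strlen(ocs[i]) == len && strncasecmp(ocs[i], LDAP_OBJ_GROUPMAP, len) == 0)
            return true;
    return false;
}

/* Which POSIX id attribute a SID-to-id lookup would read for this entry.
 * Reading uidNumber on a group entry is exactly the "Could not find
 * uidNumber in cn=groupname,..." error in the log. */
const char *id_attribute_for_entry(const char *const *ocs, size_t n, bool fixed)
{
    bool group = fixed ? is_group_case_insensitive(ocs, n)
                       : is_group_case_sensitive(ocs, n);
    return group ? "gidNumber" : "uidNumber";
}

/* Constructed objectClass list for a group entry after the sidgen task ran. */
static const char *const sample_group_ocs[] = {
    "top", "groupofnames", "posixgroup", "ipantgroupattr"
};
static const size_t sample_group_ocs_n = sizeof sample_group_ocs / sizeof sample_group_ocs[0];

int main(void)
{
    printf("buggy: %s\n", id_attribute_for_entry(sample_group_ocs, sample_group_ocs_n, false));
    printf("fixed: %s\n", id_attribute_for_entry(sample_group_ocs, sample_group_ocs_n, true));
    return 0;
}
```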

Comment 1 Jason Woods 2014-03-07 10:08:27 UTC
Created attachment 871828 [details]
Proposed patch for freeipa master branch

Comment 2 Jason Woods 2014-03-07 10:08:56 UTC
Created attachment 871829 [details]
Proposed patch for 3.0.0-37 redhat package

Comment 4 Petr Spacek 2014-03-07 10:54:33 UTC
See mailing list archive on https://www.redhat.com/archives/freeipa-users/2014-March/msg00045.html for detailed information.

Comment 5 Martin Kosek 2014-03-10 09:14:57 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4234

Comment 9 Scott Poore 2014-03-14 18:38:34 UTC
Verified.

Version ::

ipa-server-3.3.3-25.el7.x86_64

Results ::

I was able to reproduce this one with 3.3.3-19:

[root@master tmp]# rpm -q ipa-server
ipa-server-3.3.3-19.el7.x86_64

[root@master ~]# mkdir /bz1073829

[root@master ~]# chcon -t samba_share_t /bz1073829

[root@master ~]# setfacl -m g:admins:rwx /bz1073829

[root@master ~]# net conf setparm 'share' 'comment' 'Trust test share'

[root@master ~]# net conf setparm 'share' 'read only' 'no'

[root@master ~]# net conf setparm 'share' 'path' '/bz1073829'

[root@master ~]# touch before

[root@master ~]# touch after

[root@master ~]# klist
klist: No credentials cache found (ticket cache KEYRING:persistent:0:0)

[root@master ~]# echo Secret123|kinit admin
Password for admin.TEST:

[root@master ~]# echo "put before" | smbclient -k //master.ipa1.example.test/share
lp_load_ex: changing to config backend registry
Domain=[IPA1] OS=[Unix] Server=[Samba 4.1.1]
putting file before as \before (0.0 kb/s) (average 0.0 kb/s)

[root@master ~]# net conf setparm share 'valid users' '@admins'

[root@master ~]# echo "put after" | smbclient -k //master.ipa1.example.test/share
lp_load_ex: changing to config backend registry
Domain=[IPA1] OS=[Unix] Server=[Samba 4.1.1]
tree connect failed: NT_STATUS_ACCESS_DENIED

---------------------------------
Fixed after updating to version 3.3.3-25:

[root@master ~]# yum update ipa-server -y
...
Updated:
  ipa-server.x86_64 0:3.3.3-25.el7

Dependency Updated:
  ipa-admintools.x86_64 0:3.3.3-25.el7            ipa-client.x86_64 0:3.3.3-25.el7
  ipa-python.x86_64 0:3.3.3-25.el7                ipa-server-trust-ad.x86_64 0:3.3.3-25.el7

Complete!

[root@master ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful

[root@master ~]# net conf delparm 'share' 'valid users'

[root@master ~]# net conf showshare share
[share]
    comment = Trust test share
    read only = no
    path = /bz1073829

[root@master ~]# echo "put before" | smbclient -k //master.ipa1.example.test/share
lp_load_ex: changing to config backend registry
Domain=[IPA1] OS=[Unix] Server=[Samba 4.1.1]
putting file before as \before (0.0 kb/s) (average 0.0 kb/s)

[root@master ~]# net conf setparm 'share' 'valid users' '@admins'

[root@master ~]# echo "put after" | smbclient -k //master.ipa1.example.test/share
lp_load_ex: changing to config backend registry
Domain=[IPA1] OS=[Unix] Server=[Samba 4.1.1]
putting file after as \after (0.0 kb/s) (average -nan kb/s)


So, now valid users check for admins group works.

Comment 10 Ludek Smid 2014-06-13 09:59:39 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.