Red Hat Bugzilla – Bug 199148
Valid users not permitted access to share
Last modified: 2009-12-14 08:31:08 EST
Description of problem:
When user attempts to map a drive to a Samba file share from a Windows
workstation, the dialog box hangs with the message "Connecting to X...." When
a user attempts to connect with smbclient, an error is returned: "tree connect
failed: NT_STATUS_ACCESS_DENIED." The Samba log file reports "user X (from
session setup) not permitted to access this share (audit)."
Share is configured with
valid users = @group user
force group = group
UNIX user/group resolution performed via LDAP to Active Directory.
Running 'getent passwd user' or 'getent group group' returns correct
This worked with Samba 5.0.22 RPMs. Broke after updates installed this
weekend. When I reinstalled the 5.0.22 RPMs, everything worked again.
Version-Release number of selected component (if applicable):
Set up Samba server with security = ads. Enable LDAP resolution of UNIX
users and groups to Active Directory. Turn off Winbind. Start smbd, nmbd.
Attempt to connect to share as user or group listed in valid users list.
Steps to Reproduce:
Successful user connection.
Created attachment 132553 [details]
Created attachment 132554 [details]
Increased debug level and found this suspicious entry in the log:
[2006/07/17 14:07:15, 3] lib/util_sid.c:string_to_sid(223)
string_to_sid: Sid bmonfre does not start with 'S-'.
This link appears to be the same bug, with fix scheduled for release in next
day or so:
Same issue on FC4. yum update updated my server to uselessness.
Downgraded Samba, got it working. Forgot to exclude samba in yum so the next
night yum ran from cron and updated my system to uselessness again.
Seems it's an upstream bug.
But please, can it be removed from the repositories ?, what is there at the
moment breaks perfectly working systems if you try to update!.
FYI, the source for Samba 3.0.23a has been released.
samba-3.0.23a-1.fc5.1 has been pushed for fc5, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.
valid users is *still* broken for samba-3.0.23a-1.fc5.1! I have been
experiencing the same problem, except with
security = user
I can use the default share
and everything works, but setting up a share for an individual user using
valid users = [user]
path = /home/[user]
still causes the NT_STATUS_ACCESS_DENIED error.
I would think that this would be one of the first things tested when evaluating
a new rpm for samba...
I tested samba-3.0.23a-1.fc5.1 with the configuration I used when opening
the ticket, and everything worked. The SID problem identified in comment #3
I also tested similar configuration on a FC4 box with the FC4 version of
the updated RPM, and in that case the package is still broken. Got the same
error as mentioned in comment #3, although in this case it occurs in relation
to the users and groups mentioned in the 'valid users' configuration
directive, not in relation to the connecting user.
Appoligies -- this looks like a different error that is occuring.
From a debug level 10 using smbclient,
lang_tdb_init: /usr/lib/samba/en_US.UTF-8.msg: No such file or directory
tree connect failed: NT_STATUS_ACCESS_DENIED
But the effect still occurs when a valid users line is present.
Should we open up a separate bug report?
Yes please open a new bug if this is about a different error, I am closing this
as fixed for now.