Bug 199148 - Valid users not permitted access to share
Valid users not permitted access to share
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: samba (Show other bugs)
5
i386 Linux
medium Severity high
: ---
: ---
Assigned To: Simo Sorce
David Lawrence
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-07-17 11:56 EDT by James J. Moore
Modified: 2009-12-14 08:31 EST (History)
2 users (show)

See Also:
Fixed In Version: 3.0.24-1.fc6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-03-26 11:09:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
smb.conf (11.19 KB, text/plain)
2006-07-17 11:56 EDT, James J. Moore
no flags Details
log entries (1.65 KB, text/plain)
2006-07-17 12:03 EDT, James J. Moore
no flags Details

  None (edit)
Description James J. Moore 2006-07-17 11:56:05 EDT
Description of problem:

   When user attempts to map a drive to a Samba file share from a Windows 
workstation, the dialog box hangs with the message "Connecting to X...."  When 
a user attempts to connect with smbclient, an error is returned: "tree connect 
failed: NT_STATUS_ACCESS_DENIED."  The Samba log file reports "user X (from 
session setup) not permitted to access this share (audit)."
   Share is configured with 
valid users = @group user
force group = group
   UNIX user/group resolution performed via LDAP to Active Directory.  
Running 'getent passwd user' or 'getent group group' returns correct 
information.
   This worked with Samba 5.0.22 RPMs.  Broke after updates installed this 
weekend.   When I reinstalled the 5.0.22 RPMs, everything worked again.

Version-Release number of selected component (if applicable):
samba.i386     3.0.23-1.fc5

How reproducible:

   Set up Samba server with security = ads.  Enable LDAP resolution of UNIX 
users and groups to Active Directory.  Turn off Winbind.  Start smbd, nmbd.  
Attempt to connect to share as user or group listed in valid users list.

Steps to Reproduce:
1.
2.
3.
  
Actual results:

   Access denied.

Expected results:

   Successful user connection.

Additional info:
Comment 1 James J. Moore 2006-07-17 11:56:05 EDT
Created attachment 132553 [details]
smb.conf
Comment 2 James J. Moore 2006-07-17 12:03:23 EDT
Created attachment 132554 [details]
log entries
Comment 3 James J. Moore 2006-07-17 14:13:46 EDT
Increased debug level and found this suspicious entry in the log:
[2006/07/17 14:07:15, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid bmonfre does not start with 'S-'.
Comment 4 James J. Moore 2006-07-17 16:44:43 EDT
This link appears to be the same bug, with fix scheduled for release in next 
day or so:
http://lists.samba.org/archive/samba/2006-July/123047.html
Comment 5 Matthew Geier 2006-07-20 20:02:43 EDT
Same issue on FC4. yum update updated my server to uselessness.

 Downgraded Samba, got it working. Forgot to exclude samba in yum so the next
night yum ran from cron and updated my system to uselessness again.

 Seems it's an upstream bug.

 But please, can it be removed from the repositories ?, what is there at the
moment breaks perfectly working systems if you try to update!.
Comment 6 Chuck Parks 2006-07-22 12:20:35 EDT
FYI, the source for Samba 3.0.23a has been released.

http://us3.samba.org/samba/history/samba-3.0.23a.html
Comment 7 Fedora Update System 2006-07-26 15:38:58 EDT
samba-3.0.23a-1.fc5.1 has been pushed for fc5, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 8 Greg 2006-07-27 13:31:38 EDT
valid users is *still* broken for samba-3.0.23a-1.fc5.1!  I have been
experiencing the same problem, except with

security = user

I can use the default share

[homes]

and everything works, but setting up a share for an individual user using

valid users = [user]
path = /home/[user]

still causes the NT_STATUS_ACCESS_DENIED error.

I would think that this would be one of the first things tested when evaluating
a new rpm for samba...

Thanks,
Greg
Comment 9 James J. Moore 2006-07-28 09:31:17 EDT
   I tested samba-3.0.23a-1.fc5.1 with the configuration I used when opening 
the ticket, and everything worked.  The SID problem identified in comment #3 
is fixed.  
   I also tested similar configuration on a FC4 box with the FC4 version of 
the updated RPM, and in that case the package is still broken.  Got the same 
error as mentioned in comment #3, although in this case it occurs in relation 
to the users and groups mentioned in the 'valid users' configuration 
directive, not in relation to the connecting user.
Comment 10 Greg 2006-07-28 14:35:45 EDT
Appoligies -- this looks like a different error that is occuring.

From a debug level 10 using smbclient,

lang_tdb_init: /usr/lib/samba/en_US.UTF-8.msg: No such file or directory
tree connect failed: NT_STATUS_ACCESS_DENIED

But the effect still occurs when a valid users line is present.

Should we open up a separate bug report?

Thanks,
Greg
Comment 11 Simo Sorce 2007-03-26 11:09:34 EDT
Yes please open a new bug if this is about a different error, I am closing this
as fixed for now.

Note You need to log in before you can comment on or make changes to this bug.