Hello to all,

I have recently upgraded to SAMBA 3.4.2 on Solaris 10, and reconfigured it to 
use domain authentication (security = domain).  We slapped guest authentication 
on most shares, with an explicit "valid users = ...." on a small number of 
sensitive shares.  Due to the number of users we were looking at, we set up two 
UNIX groups "payroll" and "payoff" and then set "valid users = +payoff 
+payroll" or some combination of the two.

The problem I am having is that when a user who is a member of these UNIX 
groups connects, they are rejected.  I also tried using @payoff or @payroll, 
with the same results.  Authentication works if the user's login is explicitly 
placed in the valid users line, but not if the same user is just a member of 
one of the +/@<group> entries.

I have included a level 3 log from log.smbd up to the first rejection, along 
with the relevant smb.conf info that I am aware of.  The log is for a 
connection to a share with "valid users = @payoff", where bbancroft is a member 
of the payoff group.

Any assistance that you could provide would be extremely appreciated.

####################
# log.smbd extract #
####################

[2010/07/12 13:17:28,  3] libsmb/ntlmssp_sign.c:342(ntlmssp_sign_init)
  NTLMSSP Sign/Seal - Initialising with flags:
[2010/07/12 13:17:28,  3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xa2088205
[2010/07/12 13:17:28,  3] smbd/password.c:269(register_existing_vuid)
  register_existing_vuid: User name: bbancroft  Real name:
[2010/07/12 13:17:28,  3] smbd/password.c:279(register_existing_vuid)
  register_existing_vuid: UNIX uid 60194 is UNIX user bbancroft, and will be vuid 100
[2010/07/12 13:17:28,  3] smbd/password.c:211(register_homes_share)
  Adding homes service for user 'bbancroft' using home directory: '/dev/null'
[2010/07/12 13:17:28,  3] smbd/process.c:1459(process_smb)
  Transaction 3 of length 102 (0 toread)
[2010/07/12 13:17:28,  3] smbd/process.c:1273(switch_message)
  switch message SMBtconX (pid 8648) conn 0x0
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/12 13:17:28,  3] lib/util_sid.c:228(string_to_sid)
  string_to_sid: Sid root does not start with 'S-'.
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28,  3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28,  3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/12 13:17:28,  3] lib/util_sid.c:228(string_to_sid)
  string_to_sid: Sid @payoff does not start with 'S-'.
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28,  3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/12 13:17:28,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/12 13:17:28,  2] smbd/service.c:595(create_connection_server_info)
  user 'bbancroft' (from session setup) not permitted to access this share (rl6pd_payoff)
[2010/07/12 13:17:28,  1] smbd/service.c:676(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/07/12 13:17:28,  3] smbd/error.c:60(error_packet_set)
  error packet at smbd/reply.c(684) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

####################
# smb.conf extract #
####################

[global]
    workgroup = rail
    update encrypted = Yes
    ldap ssl = no
    invalid users = root
    encrypt passwords = yes
    security = domain
    password server = <--deleted-->
    guest account = <--deleted-->
    map to guest = bad user
    create mask = 0664
    log level = 3

[rl6pd_payoff]
    comment = ellrl6pd payoffice
    path = /samba/ellrl6pd/payoffice
    read only = No
    valid users = @payoff
    browseable = no

###############
# /etc/passwd #
###############

bbancroft:x:60194:5003:SAMBA User:/dev/null:/bin/false

##############
# /etc/group #
##############

payoff::5003:bbancroft



Many thanks in advance!
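
A cross-check of the UNIX side of the configuration above, as an added example that is not part of the original post: it evaluates a `valid users` value against passwd and group lines, treating `@` and `+` entries as UNIX group lookups and leaving `&` (netgroup-only) entries unevaluated. The data is constructed from the extracts in the post; the `payroll` line and its GID are invented for illustration, all function names are hypothetical, and flat-file lookups are assumed (no NIS, LDAP or winbind).

```python
import re

# Constructed sample input: the passwd and group lines quoted in the post.
# The "payroll" entry (and GID 5004) is invented so that both groups exist.
PASSWD = "bbancroft:x:60194:5003:SAMBA User:/dev/null:/bin/false\n"
GROUP = "payoff::5003:bbancroft\npayroll::5004:\n"

def parse_passwd(text):
    """Map user name -> primary GID."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[3].isdigit():
            users[f[0]] = int(f[3])
    return users

def parse_group(text):
    """Map group name -> (GID, set of listed members)."""
    groups = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[2].isdigit():
            groups[f[0]] = (int(f[2]), {m for m in f[3].split(",") if m})
    return groups

def unix_groups_of(user, users, groups):
    """Groups the user belongs to by primary GID or by member list."""
    gid = users.get(user)
    return {g for g, (ggid, members) in groups.items()
            if user in members or (gid is not None and ggid == gid)}

def check_valid_users(value, user, users, groups):
    """(entry, verdict) per entry; None = '&' netgroup-only, not evaluated."""
    member_of = unix_groups_of(user, users, groups)
    results = []
    for entry in filter(None, re.split(r"[,\s]+", value)):
        name = entry.lstrip("@+&")
        prefix = entry[:len(entry) - len(name)]
        if not prefix:
            verdict = name == user          # plain user name
        elif set(prefix) == {"&"}:
            verdict = None                  # NIS netgroup only: not modelled
        else:
            verdict = name in member_of     # '@' or '+': UNIX group data only
        results.append((entry, verdict))
    return results
```

With the post's data, `@payoff` evaluates to allowed for bbancroft, so the passwd and group lines shown are consistent with the intended access; the check says nothing about which name smbd resolved at session setup.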



