Bug #2815

Can't access group shared folder (samba WS mode)

Added by Davide Principi over 5 years ago. Updated about 5 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-samba
Target version: v6.5
Security class:
Resolution:
Affected version: v6.5-final
NEEDINFO: No

Description

When Samba is operating in workstation mode, a shared folder is not accessible to the members of the owning group.

smbclient reports NT_STATUS_ACCESS_DENIED error. Log files don't report any useful information.

The culprit could be the idmap configuration:

  # wbinfo -G 5000
S-1-5-21-1395243596-1391465310-1452543066-1005
  # wbinfo -Y S-1-5-21-1395243596-1391465310-1452543066-1005
50005

The last command was expected to remap the given SID to GID 5000, but reports a newly allocated GID: 50005. In LDAP there is a new (unexpected) entry:

   # ldapsearch -LLL -Y EXTERNAL gidNumber=50005 2>/dev/null
dn: sambaSID=S-1-5-21-1395243596-1391465310-1452543066-1005,ou=Idmap,dc=direct
 ory,dc=nh
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 50005
sambaSID: S-1-5-21-1395243596-1391465310-1452543066-1005

BTW, the bug does not arise in PDC mode:
  • delete the LDAP entry
  • clean the cache (net cache flush)
  • change to PDC mode

Packages:

   # rpm -qa | grep -F .ns | sort
nethserver-base-2.2.1-1.ns6.noarch
nethserver-directory-2.0.3-1.ns6.noarch
nethserver-ibays-2.0.3-1.ns6.noarch
nethserver-release-6.5-5.ns6.noarch
nethserver-samba-1.4.5-1.ns6.noarch
...

0003-Hotfix-Release-1.4.5-2.ns6.patch (1.08 KB) Davide Principi, 08/28/2014 11:01 AM

0002-nethserver-samba.spec-converted-to-plain-.spec-file..patch (11.4 KB) Davide Principi, 08/28/2014 11:01 AM

0001-smb.conf-always-use-nss-idmap-backend-for-local-user.patch (1.93 KB) Davide Principi, 08/28/2014 11:01 AM


Related issues

Related to NethServer 6 - Enhancement #2803: Edit workgroup name when role is Workstation CLOSED

Associated revisions

Revision 4c08a515
Added by Davide Principi about 5 years ago

smb.conf: always use nss idmap backend for local user database. Refs #2815

When acting as PDC use the workgroup name instead of machine name.

History

#1 Updated by Davide Principi over 5 years ago

In WS mode:

    # wbinfo -g
DAVIDEP3\locals
DAVIDEP3\unix group admin
DAVIDEP3\domain admins
DAVIDEP3\domain users
DAVIDEP3\domain computers
DAVIDEP3\domain guests
DAVIDEP3\bilanci
DAVIDEP3\amministrazione
DAVIDEP3\unix group primo.utente
   # wbinfo -D DAVIDEP3
Name              : DAVIDEP3
Alt_Name          : 
SID               : S-1-5-21-1395243596-1391465310-1452543066
Active Directory  : No
Native            : No
Primary           : Yes
   # wbinfo -D WORKGROUP
failed to call wbcDomainInfo: WBC_ERR_DOMAIN_NOT_FOUND
Could not get domain info

I think this is an idmap configuration problem: the idmap_nss backend is configured for WORKGROUP. I bet it could be DAVIDEP3...:

 # grep idmap /etc/samba/smb.conf 
ldap idmap suffix = ou=Idmap
idmap config * : backend = ldap
idmap config * : ldap_url = ldap://127.0.0.1
idmap config * : ldap_base_dn = ou=Idmap,dc=directory,dc=nh
idmap config * : ldap_user_dn = cn=samba,dc=directory,dc=nh
idmap config * : range = 50000-99999
idmap config WORKGROUP : range = 0 - 9999
idmap config WORKGROUP : backend = nss

BTW, in PDC mode the "foreign group prefix" has gone:

    # wbinfo -g
locals
unix group admin
domain admins
domain users
domain computers
domain guests
bilanci
amministrazione
unix group primo.utente
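
Added example, not part of the original comment or of nethserver-samba: a small check that reads the "idmap config" lines quoted above and reports which section applies to the domain name winbind returns, and whether an existing Unix GID would be kept. It assumes that a domain with no section of its own falls back to the "*" default; the function names are hypothetical.

```python
# Constructed sample: the idmap lines of the smb.conf quoted in comment #1.
SMB_CONF = """\
ldap idmap suffix = ou=Idmap
idmap config * : backend = ldap
idmap config * : ldap_url = ldap://127.0.0.1
idmap config * : ldap_base_dn = ou=Idmap,dc=directory,dc=nh
idmap config * : ldap_user_dn = cn=samba,dc=directory,dc=nh
idmap config * : range = 50000-99999
idmap config WORKGROUP : range = 0 - 9999
idmap config WORKGROUP : backend = nss
"""

def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    domains = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.lower().startswith("idmap config"):
            continue
        # Split on the first ':' and first '=' only: values such as
        # ldap://127.0.0.1 or ou=Idmap,... contain both characters.
        domain, _, setting = line[len("idmap config"):].partition(":")
        option, _, value = setting.partition("=")
        section = domains.setdefault(domain.strip().upper(), {})
        section[option.strip().lower()] = value.strip()
    return domains

def effective_idmap(domains, winbind_domain):
    """Section used for a domain: its own if present, else the '*' default."""
    name = winbind_domain.upper()
    section = name if name in domains else "*"
    low, high = (int(part) for part in domains[section]["range"].split("-"))
    return section, domains[section].get("backend"), (low, high)

def gid_is_preserved(conf_text, winbind_domain, unix_gid):
    """True if the domain is mapped by nss and the range covers the Unix GID."""
    _, backend, (low, high) = effective_idmap(parse_idmap(conf_text), winbind_domain)
    return backend == "nss" and low <= unix_gid <= high

if __name__ == "__main__":
    # DAVIDEP3 is the domain name 'wbinfo -D' reports in workstation mode.
    for domain in ("DAVIDEP3", "WORKGROUP"):
        print(domain, effective_idmap(parse_idmap(SMB_CONF), domain),
              "GID 5000 preserved:", gid_is_preserved(SMB_CONF, domain, 5000))
```

For DAVIDEP3 the check selects the "*" section (ldap, 50000-99999), which matches the newly allocated GID 50005 seen in the description instead of GID 5000.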

#2 Updated by Davide Principi over 5 years ago

#3 Updated by Davide Principi about 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

On branch b2803 Refs #2803

#4 Updated by Davide Principi about 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Test case

Check the bug is not reproducible on the modified version

#5 Updated by Davide Principi about 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-samba-1.4.5-1.14git5c2b63f.ns6.noarch.rpm

#6 Updated by Nicola Rauso about 5 years ago

  • Assignee set to Nicola Rauso

#7 Updated by Nicola Rauso about 5 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Nicola Rauso)
  • % Done changed from 70 to 90

Tested: ok

#8 Updated by Davide Principi about 5 years ago

Released in nethserver-updates as hotfix:
nethserver-samba-1.4.5-2.ns6.noarch.rpm

The QA tests were done on the master branch: close this issue when the master branch has been released.

#9 Updated by Davide Principi about 5 years ago

Attached patches were applied to nethserver-samba 1.4.5 from branch b2803.

#10 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Package in nethserver-updates:
  • nethserver-samba-1.4.6-1.ns6.noarch.rpm
