Samba Insanity – LDAP, groups and valid users

Have you ever run into one of those “tiny” issues just before going live with a month long project and have it turn into a 3 day nightmare? Well, recently I had the privilege of experiencing a rather frustrating problem.


Working on quite an interesting project lately dealing with Samba and LDAP. I need to upgrade a Samba PDC, add a secondary Samba member server, migrate +/- 200 domain accounts from a smbpasswd backend to LDAP and of course this all needs to be completely transparent to the users. So I’m about to swap over to the new member server first and decide to do one last check in terms of making sure user access to specific shares is working correctly when I ran into a serious problem.


For some odd reason I was being denied access to shares where I should definitely have access to. This was all working perfectly a few days ago and I still cannot explain exactly what went wrong but when I find out I’ll update this post. This is what one of my typical Samba share configs looked like:

[testshare]
comment = Test Share
path = /data/testshare
admin users = @testadmins
valid users = +testusers
write list = +testusers
force group = +testusers
browseable = yes
writable = yes


I made 100% sure that testuser was definitely in the testusers group:


beer:~# getent group | grep testusers
testusers:*:1006:testuser


beer:~# smbldap-groupshow testusers
dn: cn=testusers,ou=group,dc=example,dc=com
objectClass: top,posixGroup
cn: testusers
gidNumber: 1006
memberUid: testuser


Next, check that testuser can access the testshare:


beer:~# smbclient -U testuser \\\\SERVER\\testshare
Enter testuser's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.4.9-SerNet-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED


What? Ok, set log level = 10 in smb.conf and noticed the following:


string_to_sid: Sid +testusers does not start with 'S-'.
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
user 'testuser' (from session setup) not permitted to access this share (testshare)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
error packet at smbd/reply.c(776) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED


Oh yes, before I continue I must mention that user authentication via LDAP was working 100%. The user is authenticated but then as soon as Samba seems to check the valid users option it bombs out with the message string_to_sid: Sid +testusers does not start with ‘S-’.


I spent a good few hours googling for the error and all I seemed to find was dead ends. People have run into this problem before but not many have updated their posts with solutions or any real reason as to why this error pops up. I managed to find a post which talked about the string_to_sid function in reply.c, which apparently converts a SID char string to binary (see http://lists.samba.org/archive/samba/2008-November/144990.html). Obviously this function is failing and Samba can’t run a proper check against the group and allow the user access to the share.


Some posts I came across mention the format of the valid users line in smb.conf. I tried every possible combination, no luck at all:


valid users = +testusers
valid users = @testusers
valid users = @'DOMAIN\testusers'
valid users = @DOMAIN\testusers


…etc


No difference at all. I eventually stumbled across a few more posts which passed this error off as a bug, and that users should just upgrade Samba. Initially I tried to avoid that route as I really wanted to know what the problem was here but eventually gave in and upgraded Samba.


I was running Sernet’s Samba-3.4.9 packages for Debian Lenny (see http://enterprisesamba.org/index.php?id=148) and upgraded to Samba-3.5.4 (see http://us.generation-nt.com/answer/samba-samba-3-5-2-packages-debian-lenny-help-197929381.html).


In a nutshell, upgrading Samba was the solution for me:


Add following to your sources.list:


deb http://www.backports.org/debian lenny-backports main contrib non-free
deb http://pkg-samba.alioth.debian.org/packages lenny-backports-latest/


Then


apt-get update
apt-get remove
apt-get install -t lenny-backports-latest samba smbclient


Now the final test:


beer:~# smbclient -U testuser \\\\SERVER\\testshare
Enter testuser's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.5.4]
smb: \>


Nice. Here’s a log extract showing what went down:


smbldap_search_ext: base => [dc=example,dc=com], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=testusers)(cn=testusers)))], scope => [2]
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(|(displayName=testusers)(cn=testusers)))
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
lookup_name: Unix Group\testusers => Unix Group (domain), testusers (name)
lookup_name: flags = 0x077
user_ok_token: share testshare is ok for unix user testuser


Don’t worry about the error Did not find group error, it’s looking for some attributes that have not yet been added to the group in LDAP – running smbldap-groupmod -a testusers fixed this.


I ran another test by removing testuser from the testusers group and was denied access as required, here’s another log extract:


user 'testuser' (from session setup) not permitted to access this share (testshare)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
error packet at smbd/reply.c(776) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED


Obviously I need to do quite a bit more research around this problem and as soon as I have some more answers I’ll update this post.


Anyways, I hope this post helps someone out there who runs into a similar problem. I was seriously pulling my hair out with this one, and in the end I just needed to upgrade haha. For further reading, here are a few posts I found along the way which might help if you run into this problem:


More Here



Courtesy:http://writequit.co.za/2010/12/19/samba-ldap-groups-insanity/