
Bug #75883

Fix "valid users" parameter for [homes] in Samba 4.9

Added by Conny Molin 5 months ago. Updated 4 months ago.

Status: Done
Priority: No priority
Assignee: Andrew Walker
Category: Middleware
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: No
Needs Doc: No
Needs Merging: No
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

Updated to 11.2 U2 this morning, and after that users can't access their home folders anymore. It feels very much like Bug #70950, and it feels like it's something related to the update of Samba.

The weird thing is that other SMB shares on the same freenas box are working perfectly.
I thought maybe removing the freenas from the domain would help, but as other shares are working and I can list domain users/groups with getent, I doubt it would help.

Looking at /var/log/samba4/log.smbd I found this (update was performed just a few minutes earlier):

[2019/02/18 16:17:29.863724, 0] ../source3/lib/util_sock.c:876(matchname)
matchname: host name/name mismatch: 172.16.11.181 != (NULL)
[2019/02/18 16:17:29.863823, 0] ../source3/lib/util_sock.c:1055(get_remote_hostname)
matchname failed on 172.16.11.181
[2019/02/19 07:48:57.952003, 0] ../source3/lib/util_sock.c:876(matchname)
matchname: host name/name mismatch: 172.16.11.181 != (NULL)
[2019/02/19 07:48:57.967726, 0] ../source3/lib/util_sock.c:1055(get_remote_hostname)
matchname failed on 172.16.11.181
[2019/02/19 07:59:43.760531, 1] ../source3/profile/profile_dummy.c:30(set_profile_level)
INFO: Profiling support unavailable in this build.

[2019/02/19 07:59:44.131365, 1] ../source3/smbd/files.c:218(file_init_global)
file_init_global: Information only: requested 233750 open files, 59392 are available.
[2019/02/19 07:59:44.144054, 0] ../lib/util/become_daemon.c:138(daemon_ready)
daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
[2019/02/19 07:59:44.836994, 0] ../source3/lib/util_sock.c:875(matchname)
matchname: host name/name mismatch: 172.16.11.181 != (NULL)
[2019/02/19 07:59:44.837044, 0] ../source3/lib/util_sock.c:1054(get_remote_hostname)
matchname failed on 172.16.11.181
[2019/02/19 07:59:53.840154, 1] ../source3/smbd/service.c:357(create_connection_session_info)
create_connection_session_info: user 'HOME\como' (from session setup) not permitted to access this share (como)
[2019/02/19 07:59:53.840241, 1] ../source3/smbd/service.c:529(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2019/02/19 07:59:53.853180, 1] ../source3/smbd/service.c:357(create_connection_session_info)
create_connection_session_info: user 'HOME\como' (from session setup) not permitted to access this share (como)
[2019/02/19 07:59:53.853211, 1] ../source3/smbd/service.c:529(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2019/02/19 07:59:53.983516, 1] ../source3/smbd/service.c:357(create_connection_session_info)
create_connection_session_info: user 'HOME\como' (from session setup) not permitted to access this share (como)
[2019/02/19 07:59:53.983557, 1] ../source3/smbd/service.c:529(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

I attached a debug as well.
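As an added example (not part of this ticket or of the FreeNAS code), a small Python parser over constructed log.smbd lines in the two-line format shown above. It counts the "not permitted to access this share" events per user and share, and flags the [homes] case from this ticket, where a user is denied the share that carries their own name. The log text is constructed to mirror the entries above.

```python
import re
from collections import Counter

# Constructed sample, modelled on the log.smbd entries quoted in this ticket.
SAMPLE_LOG = """\
[2019/02/19 07:59:44.144054, 0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
[2019/02/19 07:59:53.840154, 1] ../source3/smbd/service.c:357(create_connection_session_info)
  create_connection_session_info: user 'HOME\\como' (from session setup) not permitted to access this share (como)
[2019/02/19 07:59:53.840241, 1] ../source3/smbd/service.c:529(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2019/02/19 07:59:53.853180, 1] ../source3/smbd/service.c:357(create_connection_session_info)
  create_connection_session_info: user 'HOME\\como' (from session setup) not permitted to access this share (como)
[2019/02/19 08:01:10.000000, 1] ../source3/smbd/service.c:357(create_connection_session_info)
  create_connection_session_info: user 'HOME\\alice' (from session setup) not permitted to access this share (alice)
"""

# "[YYYY/MM/DD HH:MM:SS.usec, level] source" header that precedes each message line.
HEADER_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), (?P<level>\d+)\] (?P<src>\S+)$")
DENIED_RE = re.compile(r"user '(?P<user>[^']+)' \(from session setup\) not permitted to access this share \((?P<share>[^)]+)\)")

def parse_entries(text):
    """Pair each header line with the (indented) message line that follows it."""
    entries, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
        elif header is not None and line.strip():
            entries.append({**header, "msg": line.strip()})
            header = None
    return entries

def share_denials(text):
    """Count share-access denials per (user, share) pair."""
    counts = Counter()
    for e in parse_entries(text):
        m = DENIED_RE.search(e["msg"])
        if m:
            counts[(m.group("user"), m.group("share"))] += 1
    return counts

def homes_self_denials(text):
    """Return (user, share) pairs where the share name equals the user's unqualified name,
    i.e. a user denied their own [homes] share, the symptom reported in this ticket."""
    return sorted(pair for pair in share_denials(text)
                  if pair[0].split("\\")[-1].lower() == pair[1].lower())

if __name__ == "__main__":
    for (user, share), n in share_denials(SAMPLE_LOG).items():
        print(f"{user} -> share '{share}': {n} denial(s)")
    print("home-share self-denials:", homes_self_denials(SAMPLE_LOG))
```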


Related issues

Has duplicate FreeNAS - Bug #83035: Samba Home share in AD environment (Closed)
Copied to FreeNAS - Bug #76045: Home folders for Active Directory users are unavailable for users after updating from 11.2-Stable to 11.2 U2-Stable (Done)

History

#1 Updated by Dru Lavigne 5 months ago

  • Assignee changed from Release Council to William Grzybowski

#3 Updated by William Grzybowski 5 months ago

  • Assignee changed from William Grzybowski to Andrew Walker
  • Target version changed from Backlog to 11.2-U3

#4 Updated by Andrew Walker 5 months ago

Can you provide output for the following commands:

getfacl /mnt/HDD_Pool/HomeFolders/HOME
getfacl /mnt/HDD_Pool/HomeFolders/HOME/como

It looks like we're probably getting hung up here:
bool user_ok_token(const char *username, const char *domain,
                   const struct security_token *token, int snum)
{
        if (lp_invalid_users(snum) != NULL) {
                if (token_contains_name_in_list(username, domain,
                                                lp_servicename(talloc_tos(), snum),
                                                token,
                                                lp_invalid_users(snum))) {
                        DEBUG(10, ("User %s in 'invalid users'\n", username));
                        return False;
                }
        }

        if (lp_valid_users(snum) != NULL) {
                if (!token_contains_name_in_list(username, domain,
                                                 lp_servicename(talloc_tos(), snum),
                                                 token,
                                                 lp_valid_users(snum))) {
                        DEBUG(10, ("User %s not in 'valid users'\n",
                                   username));
                        return False;
                }
        }

        DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
                   lp_servicename(talloc_tos(), snum), username));

        return True;
}

Please add the auxiliary parameter under Services->SMB "debug pid = yes", increase log level to "DEBUG", and reproduce the problem. Once you've done that attach a copy of /var/log/samba4/log.smbd or a fresh debug.

One other diagnostic step if you feel comfortable with it:
1) Using a text editor, alter /usr/local/etc/smb4.conf in the following places:

--- smb4.conf.orig    2019-02-20 05:48:55.000000000 -0500
+++ smb4.conf    2019-02-20 05:50:36.000000000 -0500
@@ -46,7 +46,7 @@
     winbind enum users = yes
     winbind enum groups = yes
     winbind nested groups = yes
-    winbind use default domain = no
+    winbind use default domain = yes 
     winbind refresh tickets = yes
     winbind nss info = rfc2307
     idmap config HOME: backend = rid
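Review bot: the `+    winbind use default domain = yes` line changes how every unqualified user name on this host is resolved, not just the [homes] access check, so it should be called out as a diagnostic toggle rather than part of the eventual fix; it also carries a trailing space, which smbd ignores but which makes the diff noisy.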
@@ -103,8 +103,8 @@

 [homes]
-    valid users = %D\%U
-    path = "/mnt/HDD_Pool/HomeFolders/%D/%U" 
+    valid users = %U
+    path = "/mnt/HDD_Pool/HomeFolders/HOME/%U" 
     comment = Home Directories
     printable = no
     veto files = /.snapshot/.windows/.mac/.zfs/
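Review bot: the two `+` lines together loosen and narrow the share at once: `valid users = %U` drops the domain qualifier from the access check, while `path = "/mnt/HDD_Pool/HomeFolders/HOME/%U"` hard-codes HOME in place of %D, so the share no longer distinguishes domains but only serves users whose home lives under HOME. That is acceptable for a one-off test but should not be carried unchanged into generate_smb4_conf.py; both path lines also end in a trailing space after the closing quote.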

2) Then issue the command:

service samba_server restart

and attempt to access the home share again. The goal is to see if we can work around this by removing the domain component (I don't have great expectations that this will resolve the issue).

3) Once this succeeds or fails, you can return to the previous state by doing the following:

service ix-pre-samba start
service samba_server restart

#5 Updated by Andrew Walker 5 months ago

  • File generate_smb4_conf.py added

Okay. I think I tracked down the issue. It appears to be a behavior change in Samba 4.9.4. I have attached a modified Python script. Clone your boot environment (for backup purposes), then replace /usr/local/libexec/nas/generate_smb4_conf.py with the one attached to this ticket. Once you have done this, run the following commands:

chmod +x /usr/local/libexec/nas/generate_smb4_conf.py
service ix-pre-samba start
service samba_server restart

and verify that you have access to the home shares.

#6 Updated by Conny Molin 5 months ago

Hi Andrew!
I never had a chance to try your first solution, as I'm at work with limited time to spare (I was going to try later tonight), but you nailed it with the new generate_smb4_conf.py script.
I can confirm that everything now works as intended again and that it's a valid solution/fix for this issue.

I did a quick ACL check as well on the home folders; the output is as follows, should it be needed for some reason:

root@freenas01[/usr/local/libexec/nas]# getfacl /mnt/HDD_Pool/HomeFolders/HOME
# file: /mnt/HDD_Pool/HomeFolders/HOME
# owner: root
# group: HOME\share - homefolder
    owner@:rwxpDdaARWcCos:fd----I:allow
    group@:rwxpDdaARWcCos:fd----I:allow
    everyone@:r-x---a-R-c---:fd----I:allow
root@freenas01[/usr/local/libexec/nas]# getfacl /mnt/HDD_Pool/HomeFolders/HOME/como
# file: /mnt/HDD_Pool/HomeFolders/HOME/como
# owner: HOME\como
# group: HOME\share - homefolder
    owner@:rwxpDdaARWcCos:fd----I:allow
    group@:rwxpDdaARWcCos:fd----I:allow
    everyone@:r-x---a-R-c---:fd----I:allow
root@freenas01[/usr/local/libexec/nas]#

Thank you so much for the help in mitigating the issue and finding a fix so quickly!

#7 Updated by Bug Clerk 5 months ago

  • Status changed from Unscreened to In Progress

#8 Updated by Bug Clerk 5 months ago

  • Status changed from In Progress to Ready for Testing

#9 Updated by Bug Clerk 5 months ago

  • Copied to Bug #76045: Home folders for Active Directory users are unavailable for users after updating from 11.2-Stable to 11.2 U2-Stable added

#10 Updated by Dru Lavigne 5 months ago

  • File deleted (debug-freenas01-20190219195104.tgz)

#11 Updated by Dru Lavigne 5 months ago

  • File deleted (generate_smb4_conf.py)

#12 Updated by Dru Lavigne 5 months ago

  • Subject changed from Home folders for Active Directory users are unavailable for users after updating from 11.2-Stable to 11.2 U2-Stable to Fix "valid users" parameter for [homes] in Samba 4.9
  • Needs Doc changed from Yes to No
  • Needs Merging changed from Yes to No

#17 Updated by Zackary Welch 4 months ago

  • Status changed from Ready for Testing to Passed Testing
  • Needs QA changed from Yes to No

Confirmed fixed in 11.2-U3.

Testing steps:
1. Enabled AD with domain name, domain account name, and domain account password, with idmap backend set to ad.
2. Create a dataset named 'homes' as a Windows share. The name of the dataset and its permissions don't matter.
3. Create a share with that path named 'Homes' and enable 'Use as home share'.
4. Run smbclient //[IP]/homes -U '[domain name]\[domain account name]' and verify success.

#19 Updated by Dru Lavigne 4 months ago

  • Status changed from Passed Testing to Done

#20 Updated by Dru Lavigne 4 months ago

  • Has duplicate Bug #83035: Samba Home share in AD environment added
