all this stuff!!!
I recently migrated from the 2.4.24 version to the 3.2.5
aptitude install tdb-tools samba-tools
using wbinfo:
root@siro:/var/lib/samba# wbinfo -s S-1-5-21-1433958684-4186887621-3113429515-501
IRO\nobody 1
root@siro:/opt/netlogon# wbinfo -a sbolay%myPassword
plaintext password authentication succeeded
challenge/response password authentication succeeded
root@siro:/opt/netlogon# wbinfo --all-domains
BUILTIN
IRO
root@siro:/opt/netlogon# wbinfo -D iro
Name : IRO
Alt_Name :
SID : S-1-5-21-1433958684-4186887621-3113429515
Active Directory : No
Native : No
Primary : Yes
root@siro:/var/lib/samba# wbinfo -t
checking the trust secret via RPC calls succeeded
using net:
root@siro:/var/lib/samba# net groupmap list
Domain Users (S-1-5-21-1433958684-4186887621-3113429515-513) -> users
Network (S-1-5-21-1433958684-4186887621-3113429515-2005) -> network
scan (S-1-5-21-1433958684-4186887621-3113429515-121003) -> scan
Administrators (S-1-5-32-544) -> 10022
Genetic (S-1-5-21-1433958684-4186887621-3113429515-2001) -> genetic
Informatic (S-1-5-21-1433958684-4186887621-3113429515-2003) -> informatic
nogroup (S-1-5-21-1433958684-4186887621-3113429515-514) -> nogroup
Database (S-1-5-21-1433958684-4186887621-3113429515-2009) -> database
Public (S-1-5-21-1433958684-4186887621-3113429515-1065) -> public
Users (S-1-5-32-545) -> users
Guests (S-1-5-32-546) -> nogroup
Domain Guests (S-1-5-21-1433958684-4186887621-3113429515-1089) -> nogroup
Secret (S-1-5-21-1433958684-4186887621-3113429515-2007) -> secret
root@siro:/var/lib/samba# net rpc testjoin
Join to 'IRO' is OK
Using tdbdump:
root@siro:/var/lib/samba# locate share_info.tdb
/var/lib/samba/share_info.tdb
root@siro:/var/lib/samba# tdbdump share_info.tdb
{
key(13) = "INFO/version\00"
data(4) = "\02\00\00\00"
}
Using testparm:
root@siro:/var/lib/samba# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[trash]"
Processing section "[public]"
Processing section "[genetic]"
Processing section "[informatic]"
Processing section "[xerox]"
Processing section "[admin]"
Processing section "[network]"
Processing section "[print$]"
Processing section "[printers]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[database]"
Processing section "[web]"
Processing section "[picture]"
Processing section "[pxe]"
Processing section "[knoppix_share-5.1.1]"
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
[2009/10/21 14:16:03, 3, pid=21047, effective(0, 0), real(0, 0)] smbd/service.c:make_connection_snum(944)
  Connect path is '/srv/work/network/' for service [network]
[2009/10/21 14:16:03, 3, pid=21047, effective(0, 0), real(0, 0)] lib/util_seaccess.c:se_access_check(249)
[2009/10/21 14:16:03, 3, pid=21047, effective(0, 0), real(0, 0)] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-1433958684-4186887621-3113429515-501
  se_access_check: also S-1-5-21-1433958684-4186887621-3113429515-2005
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-32-546
[2009/10/21 14:16:03, 3, pid=21047, effective(0, 0), real(0, 0)] lib/util_seaccess.c:se_access_check(249)
[2009/10/21 14:16:03, 3, pid=21047, effective(0, 0), real(0, 0)] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-1433958684-4186887621-3113429515-501
  se_access_check: also S-1-5-21-1433958684-4186887621-3113429515-2005
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-32-546
[2009/10/21 14:16:03, 0, pid=21047, effective(0, 0), real(0, 0)] smbd/service.c:make_connection_snum(989)
  make_connection: connection to network denied due to security descriptor.
[2009/10/21 14:16:03, 3, pid=21047, effective(0, 0), real(0, 0)] smbd/error.c:error_packet_set(61)
  error packet at smbd/reply.c(662) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
smbd/service.c:make_connection_snum
973     if (!can_write) {
974         if (!share_access_check(token,
975                                 lp_servicename(snum),
976                                 FILE_READ_DATA)) {
977             /* No access, read or write. */
978             DEBUG(0,("make_connection: connection to %s "
979                      "denied due to security "
980                      "descriptor.\n",
981                      lp_servicename(snum)));
982             conn_free(conn);
983             *status = NT_STATUS_ACCESS_DENIED;
984             return NULL;
985         } else {
986             conn->read_only = True;
987         }
988     }
lib/util_seaccess.c:se_access_check
204 /*****************************************************************************
205  Check access rights of a user against a security descriptor. Look at
206  each ACE in the security descriptor until an access denied ACE denies
207  any of the desired rights to the user or any of the users groups, or one
208  or more ACEs explicitly grant all requested access rights. See
209  "Access-Checking" document in MSDN.
210 *****************************************************************************/
211
212 bool se_access_check(const SEC_DESC *sd, const NT_USER_TOKEN *token,
213                      uint32 acc_desired, uint32 *acc_granted,
214                      NTSTATUS *status)

248     /* The user sid is the first in the token */
249     if (DEBUGLVL(3)) {
250         DEBUG(3, ("se_access_check: user sid is %s\n",
251                   sid_string_dbg(
252                       &token->user_sids[PRIMARY_USER_SID_INDEX])));
253
254         for (i = 1; i < token->num_sids; i++) {
255             DEBUGADD(3, ("se_access_check: also %s\n",
256                          sid_string_dbg(&token->user_sids[i])));
257         }
258     }
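The ACE walk described in the se_access_check comment above, as a simplified added example (not Samba's code and not from the original post). The SIDs in `log_token` are the ones printed in the log; `users_token`, `share_acl` and `access_check` are constructed for illustration, and `share_acl` is not the real security descriptor of the [network] share.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILE_READ_DATA 0x0001u
#define DOM "S-1-5-21-1433958684-4186887621-3113429515"
enum ace_type { ACE_ALLOWED, ACE_DENIED };
struct ace { enum ace_type type; uint32_t mask; const char *sid; };
/* Token SIDs exactly as printed by se_access_check in the log above. */
static const char *const log_token[] = {
    DOM "-501", DOM "-2005", "S-1-5-2", "S-1-5-32-546" };
/* Constructed token: the same user carrying Domain Users (-513) instead. */
static const char *const users_token[] = { DOM "-501", DOM "-513", "S-1-5-2" };
/* Constructed share ACL (assumption): deny Guests, then allow Domain Users. */
static const struct ace share_acl[] = {
    { ACE_DENIED,  FILE_READ_DATA, "S-1-5-32-546" },
    { ACE_ALLOWED, FILE_READ_DATA, DOM "-513" } };

static int token_has_sid(const char *const *sids, size_t n, const char *sid)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(sids[i], sid) == 0)
            return 1;
    return 0;
}

/* Walk the ACEs in order. A deny ACE that matches a token SID and covers a
 * still-needed right fails at once; allow ACEs clear bits until none remain. */
int access_check(const struct ace *acl, size_t n_aces,
                 const char *const *sids, size_t n_sids, uint32_t desired)
{
    uint32_t remaining = desired;
    for (size_t i = 0; i < n_aces && remaining != 0; i++) {
        if (!token_has_sid(sids, n_sids, acl[i].sid))
            continue;               /* ACE is for a SID the token lacks */
        if (acl[i].type == ACE_DENIED && (acl[i].mask & remaining))
            return 0;               /* explicit deny wins immediately */
        if (acl[i].type == ACE_ALLOWED)
            remaining &= ~acl[i].mask;
    }
    return remaining == 0;          /* granted only if every bit was allowed */
}

int main(void)
{
    printf("log token:   %d\n", access_check(share_acl, 2, log_token, 4, FILE_READ_DATA));
    printf("users token: %d\n", access_check(share_acl, 2, users_token, 3, FILE_READ_DATA));
    return 0;
}
```

The result depends only on which SIDs the token carries, which is why the "also" lines in the level 3 log are the first thing to compare against the share's descriptor.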
root@siro:/etc/samba# wbinfo -s S-1-5-21-1433958684-4186887621-3113429515-501
IRO\nobody 1
root@siro:/etc/samba# wbinfo -s S-1-5-21-1433958684-4186887621-3113429515-2005
IRO\Network 2
root@siro:/etc/samba# wbinfo -s S-1-5-2
Could not lookup sid S-1-5-2
root@siro:/etc/samba# wbinfo -s S-1-5-32-546
BUILTIN\Guests 4
So I have to remove this from the network share section in smb.conf:
[network]
#force group = network
And YOOUHHYOUUUHHHYOUHHHOUU!!!!! It works!!!