smb.conf contains valid users = %S in [global]

Bug #1292548 reported by Raoul Bhatia on 2014-03-14
38
This bug affects 8 people
Affects Status Importance Assigned to Milestone
samba (Ubuntu)
High
Unassigned
Trusty
High
Unassigned

Bug Description

I have been using Samba as a standalone server since many years and have successfully gone through multiple Samba upgrades.

This week, I upgraded from Ubuntu 13.10 (saucy) to Ubuntu 14.04 (trusty).
This came with an upgrade from Samba 2:3.6.18-1ubuntu3.1 (saucy) to 2:4.1.3+dfsg-2ubuntu3 (trusty).
(NOTE: I did not use the samba4 package but was still sticking to Samba 3 in Ubuntu saucy)

After the update, I wasn't able to access the shares any more.

"smbclient -L localhost -U%" / "smbclient -L localhost -U user" resulted in various errors, including
* tree connect failed: NT_STATUS_ACCESS_DENIED
* (from session setup) not permitted to access this share (IPC$)
* NT_STATUS_LOGON_FAILURE
* string_to_sid: SID IPC_ is not in a valid format

I was neither able to properly browse the server/shares via smbclient nor via Windows 7 Ultimate nor Windows 8.1.

However, I was able to directly access a share from a Linux shell using "smbclient -U user //server/share-c ls".

Not even purging samba, all related configuration, all folders, including /etc/samba, /var/cache/samba, /var/spool/samba, /var/lib/samba, and re-installing samba (Version 2:4.1.3+dfsg-2ubuntu3 from trusty) did the trick.

Only after installing all related packages from Debian jessie (Version 2:4.1.5+dfsg-1), everything worked out of the box again.

Thus, I think that something in the most recent Ubuntu Samba package might be broken and kindly ask you to investigate, as there will be several users who will upgrade and stick to this LTS release.

Thanks,
Raoul

PS. I did not try Samba 4.0 (Package samba4*) on Ubuntu saucy and therefore cannot tell if these are working as expected.

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

The upgrade from samba 3 to samba 4 is a major change, and I wouldn't expect automatic upgrades to be possible in all cases. Please can you check upstream release notes and confirm that this is even possible, and that it is expected that this upgrade can run smoothly and automatically in your case?

If this isn't possible and isn't expected to be possible, then please change the bug status to Invalid.

If it should be possible, then please reference appropriate documentation of this, provide exact steps to reproduce your problem, and then change the bug status back to New.

Changed in samba (Ubuntu):
status: New → Incomplete
Raoul Bhatia (raoul-bhatia) wrote :

Thank you for your fast reply.

Updating Samba 3 to Samba 4 *is* possible, please see https://wiki.samba.org/index.php/Updating_Samba .

There might be some configuration changes but all in all it is no big deal to manually merge them - at least not for a basic setup without any active directory (AD) integration.

As stated, when using Samba 2:4.1.3+dfsg-2ubuntu3 from Ubuntu trusty, things do not work even with the most basic/default config file.

Replacing the packages with a more recent Version 2:4.1.5+dfsg-1 from Debian Jessie helps to resolve this issue. No further configuration changes compared to 2:4.1.3+dfsg-2ubuntu3 from trusty are required.

I simply downloaded all packages and issued
# dpkg -i libsmbclient_4.1.5+dfsg-1_amd64.deb libwbclient0_4.1.5+dfsg-1_amd64.deb python-samba_4.1.5+dfsg-1_amd64.deb samba_4.1.5+dfsg-1_amd64.deb samba-common_4.1.5+dfsg-1_all.deb samba-common-bin_4.1.5+dfsg-1_amd64.deb samba-dsdb-modules_4.1.5+dfsg-1_amd64.deb samba-libs_4.1.5+dfsg-1_amd64.deb samba-vfs-modules_4.1.5+dfsg-1_amd64.deb smbclient_4.1.5+dfsg-1_amd64.deb

Please let me know what else you require to address this bug report.

Thanks,
Raoul

Robie Basak (racb) wrote :

Thanks. So 2:4.1.3+dfsg-2ubuntu3 from Trusty has this issue, but 2:4.1.5+dfsg-1 from Debian does not? Sounds like we need to either merge it, or figure out the fix and apply it.

Changed in samba (Ubuntu):
status: Incomplete → New
importance: Undecided → High
Robie Basak (racb) wrote :

I don't see exact reproduction steps though. Please can you supply this, so that developers can focus on the bug, rather than having to second guess what you did first? These should be steps to reproduce the problem including starting on a fresh Saucy instance, configuring samba as you had done, and then upgrading and the failure case (which you've already kindly presented). Thanks!

Raoul Bhatia (raoul-bhatia) wrote :

Dear Robie,

actually, it is quite easy to reproduce during an update from saucy to trusty and i suspect that this bug will even strike when you do a clean trusty install.

Nevertheless, i reproduced this issue with a fresh saucy install:

1. install saucy using http://at.mirror.archive.ubuntu.com/ubuntu/dists/saucy/main/installer-amd64/current/images/netboot/mini.iso
2. install openssh-server and samba-server during installation (via tasksel?)
3. reboot and verify samba status:
# root@ubuntu:~# smbstatus

Samba version 3.6.18
PID Username Group Machine
-------------------------------------------------------------------

Service pid machine Connected at
-------------------------------------------------------

No locked files

4. add a user and view list the available shares
# root@ubuntu:~# smbpasswd -a ubuntu
New SMB password:
Retype new SMB password:

# root@ubuntu:~# smbclient -L \\localhost -U ubuntu
Enter ubuntu's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.18]

        Sharename Type Comment
        --------- ---- -------
        IPC$ IPC IPC Service (ubuntu server (Samba, Ubuntu))
        print$ Disk Printer Drivers
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.18]

        Server Comment
        --------- -------
        UBUNTU ubuntu server (Samba, Ubuntu)

        Workgroup Master
        --------- -------
        WORKGROUP UBUNTU

5. do-release-upgrade -d (remove obsolete packages; reboot)

6. verify samba access (FAILS!)
--ubuntu@192.168.122.233's password:
Welcome to Ubuntu Trusty Tahr (development branch) (GNU/Linux 3.13.0-18-generic x86_64)

 * Documentation: https://help.ubuntu.com/

  System information as of Sat Mar 22 08:50:31 CET 2014

Last login: Sat Mar 22 08:41:59 2014 from rbi
ubuntu@ubuntu:~$ smbstatus

Samba version 4.1.3-Ubuntu
PID Username Group Machine
-------------------------------------------------------------------
Failed to initialize session_global: NT_STATUS_ACCESS_DENIED

Service pid machine Connected at
-------------------------------------------------------
Failed to initialize session_global: NT_STATUS_ACCESS_DENIED
Failed to traverse sessions: NT_STATUS_ACCESS_DENIED

No locked files

ubuntu@ubuntu:~$ smbclient -L \\localhost -U ubuntu
Enter ubuntu's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.3-Ubuntu]
tree connect failed: NT_STATUS_ACCESS_DENIED

Please let me know in case you require this system as a KVM/QEMU disk image.

Cheers,
Raoul

Raoul Bhatia (raoul-bhatia) wrote :

> #!/bin/sh
>
> VER=4.1.6+dfsg-1
> ARCH=amd64
>
> for p in samba samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 python-samba smbclient libsmbclient; do
> wget "http://ftp.at.debian.org/debian/pool/main/s/samba/${p}_${VER}_${ARCH}.deb"
> done
>
> wget "http://ftp.at.debian.org/debian/pool/main/s/samba/samba-common_${VER}_all.deb"

should fetch the packages in a more generic way.

Robie Basak (racb) wrote :

Please can you see if this is bug 1296289, and if the fix there (the "valid users" line) works?

tags: added: rls-s-incoming
Raoul Bhatia (raoul-bhatia) wrote :
Download full text (3.9 KiB)

Hi Robie,

Yes, there is a "valid users = %S" line present in the smb.conf file.
When I comment it out, smbclient -L works as expected.

What i did:
1) Comment out "valid users = %S", see the diff:
> root@ubuntu:/etc/samba# diff -u ~/smb.conf.old smb.conf
> --- /root/smb.conf.old 2014-04-01 18:19:16.880909594 +0200
> +++ smb.conf 2014-04-01 18:19:40.065312095 +0200
> @@ -211,7 +211,7 @@
> # The following parameter makes sure that only "username" can connect
> # to \\server\username
> # This might need tweaking when using external authentication schemes
> - valid users = %S
> +; valid users = %S
>
> # Un-comment the following and create the netlogon directory for Domain Logons
> # (you need to configure Samba to act as a domain controller too.)

2) Restart samba:
> root@ubuntu:/etc/samba# service samba restart

3) Test the connectivity:
> root@ubuntu:/etc/samba# smbclient -L \\localhost -U ubuntu
> Enter ubuntu's password:
> Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.3-Ubuntu]
>
> Sharename Type Comment
> --------- ---- -------
> IPC$ IPC IPC Service (ubuntu server (Samba, Ubuntu))
> print$ Disk Printer Drivers
> Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.3-Ubuntu]
>
> Server Comment
> --------- -------
> UBUNTU ubuntu server (Samba, Ubuntu)
>
> Workgroup Master
> --------- -------
> WORKGROUP UBUNTU

There are a number of other options which IMHO are placed under [homes] but are commented in:

Here the full, unchanged default smb.conf file (read only, create mask, directory mask, valid users):
---------------------------- c u t ----------------------------
#======================= Share Definitions =======================

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
;[homes]
; comment = Home Directories
; browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes

# Un-comment the f...

Read more...

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
Robie Basak (racb) wrote :

Thanks!

Robie Basak (racb) on 2014-04-01
summary: - Standalone Server: Update from Samba 2:3.6.18-1ubuntu3.1 (saucy) to
- 2:4.1.3+dfsg-2ubuntu3 (trusty) breaks access to the server
+ smb.conf contains valid users = %S in [global]
Changed in samba (Ubuntu Trusty):
status: Confirmed → Triaged
Robie Basak (racb) wrote :

I think this was fixed by the fix for the same root cause of bug 1261873, and so should also be fixed in 2:4.1.3+dfsg-2ubuntu5. Please could somebody verify?

Raoul Bhatia (raoul-bhatia) wrote :

Hi Robie,

samba 2:4.1.3+dfsg-2ubuntu5 seems to fix the issue - at least in my test environment using smbclient -L

I will also try to test this in the environment I use at home and report back if this issue is also fixed there.

Thanks,
Raoul

Raoul Bhatia (raoul-bhatia) wrote :

2:4.1.6+dfsg-1ubuntu1 works in my home environment.

Cheers,
Raoul

Robie Basak (racb) wrote :

Roaul,

Thank you very much! I really appreciate your help in with this bug. Since this seems to have the same root cause as bug 1261873 then, and was fixed with the same fix, I'll mark this as a duplicate now.

bulrush (bacca400) wrote :

I can confirm this bug on a new install of 14.04 LTS under a Virtual Machine (vSphere).

# Samba 4.1.6-Ubuntu (via samba -V)
# Server: Ubuntu 14.04 LTS is set up as a VM under vSphere
# Client: Windows 7 with Putty and an ssh connection.

===============================================================
chuck@ubuntucomp:/etc/samba$ smbstatus

Samba version 4.1.6-Ubuntu
PID Username Group Machine
-------------------------------------------------------------------
Failed to initialize session_global: NT_STATUS_ACCESS_DENIED

Service pid machine Connected at
-------------------------------------------------------
Failed to initialize session_global: NT_STATUS_ACCESS_DENIED
Failed to traverse sessions: NT_STATUS_ACCESS_DENIED

No locked files
===============================================================

bulrush (bacca400) wrote :

You also might want this.

===============================================================
chuck@ubuntucomp:~/share$ cat /etc/os-release
NAME="Ubuntu"
VERSION="14.04, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
===============================================================

Tanguy Herrmann (dolanor) wrote :

Still an issue in Ubuntu trusty, installed a few weeks ago. Get the NT_STATUS_ACCESS_DENIED.
I will try to install debian packages.

This is very annoying by the way.

ped5 (pedwards-umich) wrote :

Agreed. Issue still exists after 14.04 LTS upgrade with Samba 4.1.6. I even waited for this upgrade to ensure there would be none of these issues, but still seeing it.

I commented out the valid users doesn't seem to make a difference either.

I noticed that the script from Raoul no longer works given that the version is 4.1.11, but I hesitate to install it given nothing I've seen referencing .11 working to resolve this issue.

So is there a new ftp site for 4.1.6? Or does 4.1.11 work?

Saw another post regarding giving the home/user (user being generic of course) giving chmod 707 privleges, but don't see how that makes a difference.

Are their any other threads more recent that highlight these nuances?

Dolanor, did you have success reinstalling debian?

Thx

Denis Konstantinov (linvinus) wrote :

Jiri Vanek (bin-0) , thank you!

> Replace the parameter "valid users" for just "users" don't use any
> more valid users on your
> configuration it will either deny access to Samba server or deny access
> to shares.

i confirm this helps!

my error was:

  Forcing Primary Group to 'Domain Users' for smbuse
[2015/01/16 14:42:08.645699, 3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/reply.c(952) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2015/01/16 14:42:08.646976, 3] ../source3/smbd/server_exit.c:212(exit_server_common)

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers