Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1073829
Created attachment 871827: Log snippet for samba (I forget which log file it was from, I apologise)

Description of problem:

With ipa-server-trust-ad installed, ipa-adtrust-install --setsids run, and the sidgen task registered and run, users cannot connect to a share on the local samba server if it is locked to specific groups via "valid users", even if the user is a member of one of those groups. Logs at level 10 show the following (see attached for the full snippet):

[2014/03/06 15:32:55.659599, 10, pid=28139, effective(0, 0), real(0, 0)] ipa_sam.c:309(get_single_attribute)
  Attribute [uidNumber] not found.
[2014/03/06 15:32:55.659667, 1, pid=28139, effective(0, 0), real(0, 0)] ipa_sam.c:717(ldapsam_sid_to_id)
  Could not find uidNumber in cn=groupname,cn=groups,cn=accounts,dc=example,dc=com

Examining the code, I found that ldapsam_sid_to_id was distinguishing between user and group by looking for the ipaNTGroupAttr objectClass and comparing case-sensitively. However, the sidgen task adds it as ipantgroupattr, in lower case. Thus the objectClass is not found, the object is assumed to be a user, and the code proceeds to look for uidNumber - hence the error. This results in the group missing from the user's security token list within samba, and thus access to the share is rejected.

A simple patch is required to ipa-sam to change the strncmp in ldapsam_sid_to_id to a strncasecmp. I've attached a patch for the master branch at git.fedorahosted.org (as of commit prefix 4048d41) and also a patch that I've applied to the ipa-3.0.0-37 package.

I'm aware that file sharing is not currently supported according to the documentation, but I had a strong need for this due to a mixture of Windows and Mac machines needing a central file server (thus samba) with single sign-on too. The existing setup was samba with local users.

Thanks, and be proud of FreeIPA! It's awesome! Hopefully we can get support for the samba file server soon, and maybe a separate package for ipa-sam.so! :)

Version-Release number of selected component (if applicable):
3.0.0-37. Current master has the same issue.

How reproducible:
Always

Steps to Reproduce:
1. Install ipa-server-trust-ad and run ipa-adtrust-install --setsids, then register and run the sidgen task. After that, create a share with "net conf setparm" with open access:
   [Share]
   path = /data
   read only = no
2. Users from the IPA domain can connect successfully. Now add the following extra share config with "net conf setparm", where @groupname is a group that "user" is a member of:
   valid users = @groupname
3. Attempt to connect to the samba share as "user".

Actual results:
Cannot connect - the error will be one that points to no access to the share.

Expected results:
Connect successfully.

Additional info:
Patches attached and log attached.
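The comparison defect described in the report, as an added illustration that is neither the reporter's patch nor FreeIPA's own code: a toy stand-in for the objectClass check in ldapsam_sid_to_id, with the case-sensitive strncmp path beside the strncasecmp fix, run over two constructed entries. The struct, function names and the filler objectClass values are assumptions made for the example; only the ipaNTGroupAttr/ipantgroupattr spelling, the uidNumber lookup and the group DN come from the report.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Constructed stand-in for an LDAP entry as the SID-to-id code would see it:
 * a DN plus its objectClass values. Not FreeIPA's real data structures. */
#define MAX_CLASSES 8

struct ldap_entry {
    const char *dn;
    const char *object_classes[MAX_CLASSES]; /* NULL-terminated list */
};

enum sid_kind { SID_KIND_USER = 0, SID_KIND_GROUP = 1 };

/* Group objectClass spelled the way the ipa-sam source writes it. */
static const char GROUP_OC[] = "ipaNTGroupAttr";

/* Defective check: strncmp only matches if the directory stored the value
 * with exactly this capitalisation. n = strlen(oc) + 1 so the terminator is
 * compared too and a longer value cannot match on a prefix. */
static int has_objectclass_exact(const struct ldap_entry *e, const char *oc)
{
    for (int i = 0; i < MAX_CLASSES && e->object_classes[i] != NULL; i++) {
        if (strncmp(e->object_classes[i], oc, strlen(oc) + 1) == 0)
            return 1;
    }
    return 0;
}

/* Corrected check: objectClass values are matched case-insensitively in
 * LDAP, so compare with strncasecmp as the reporter's patch does. */
static int has_objectclass_ci(const struct ldap_entry *e, const char *oc)
{
    for (int i = 0; i < MAX_CLASSES && e->object_classes[i] != NULL; i++) {
        if (strncasecmp(e->object_classes[i], oc, strlen(oc) + 1) == 0)
            return 1;
    }
    return 0;
}

enum sid_kind classify_exact(const struct ldap_entry *e)
{
    return has_objectclass_exact(e, GROUP_OC) ? SID_KIND_GROUP : SID_KIND_USER;
}

enum sid_kind classify_ci(const struct ldap_entry *e)
{
    return has_objectclass_ci(e, GROUP_OC) ? SID_KIND_GROUP : SID_KIND_USER;
}

/* Which POSIX id attribute the lookup then reads: a group misclassified as a
 * user is asked for uidNumber, which a group entry does not carry. */
const char *id_attribute_for(enum sid_kind k)
{
    return k == SID_KIND_GROUP ? "gidNumber" : "uidNumber";
}

/* Constructed sample entries. The group DN and the lower-case
 * "ipantgroupattr" value are taken from the report; the remaining classes
 * are plausible filler, not a dump of a real directory. */
const struct ldap_entry sidgen_group = {
    "cn=groupname,cn=groups,cn=accounts,dc=example,dc=com",
    { "top", "groupofnames", "posixgroup", "ipantgroupattr", NULL }
};

const struct ldap_entry plain_user = {
    "uid=user,cn=users,cn=accounts,dc=example,dc=com",
    { "top", "person", "posixaccount", NULL }
};

int main(void)
{
    const struct ldap_entry *entries[] = { &sidgen_group, &plain_user };
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        enum sid_kind before = classify_exact(entries[i]);
        enum sid_kind after  = classify_ci(entries[i]);
        printf("%s\n  strncmp:     %s -> looks up %s\n  strncasecmp: %s -> looks up %s\n",
               entries[i]->dn,
               before == SID_KIND_GROUP ? "group" : "user", id_attribute_for(before),
               after  == SID_KIND_GROUP ? "group" : "user", id_attribute_for(after));
    }
    return 0;
}
```

Running it shows the sidgen-created group classified as a user by the exact comparison (so the code asks it for uidNumber, matching the log lines in the report) and as a group once the comparison ignores case. The general lesson for anything that inspects objectClass: the attribute's LDAP matching rule is case-insensitive, so a byte-exact string compare in client code is making a stricter assumption than the directory itself does.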
Patch submitted in Bugzilla: https://bugzilla.redhat.com/attachment.cgi?id=871828
Posted updated patch for review.
master:
ipa-3-3:
Metadata Update from @mkosek:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 3.3.5 (bug fixing)