Topic: Limit problem with mod_winbind and AllowGroup

fscomm
Limit problem with mod_winbind and AllowGroup
« on: March 21, 2013, 11:27:27 am »
Hello to all.

First of all, we needed to authenticate users of our AD Windows domain and separate read-only and full-access users by group membership. So we have the groups DOMAIN\ro_users and DOMAIN\rw_users.

I installed the proftpd v.1.3.4a (maint), proftpd-devel and samba-winbind-devel packages on CentOS 6.4 x86_64 from the rpmforge repository. After that I checked out the latest mod_winbind from https://github.com/jwm/mod_winbind.git and compiled it using prxs -i -c -d mod_winbind.c. Below is the important part of the configuration:


Code:
User root
Group root
DefaultRoot /var/www/ftp !adm
AuthOrder mod_winbind.c mod_auth_pam.c mod_auth_unix.c
RequireValidShell off
LoadModule mod_winbind.c
WinbindEngine On

<Directory /var/www/ftp>
  <Limit ALL>
    DenyAll
  </Limit>

  <Limit WRITE>
    AllowGroup DOMAIN\rw_group
    DenyAll
  </Limit>

  <Limit LOGIN>
    AllowGroup OR DOMAIN\ro_group,DOMAIN\rw_group
    DenyAll
  </Limit>

  <Limit DIRS>
    AllowGroup OR DOMAIN\ro_group,DOMAIN\rw_group
    DenyAll
  </Limit>

  <Limit READ>
    AllowGroup OR DOMAIN\ro_group,DOMAIN\rw_group
    DenyAll
  </Limit>

</Directory>

But write operations are completely not working when I connect to the share as a member of DOMAIN\rw_group. Browsing directories works like a charm, but when I try to create a directory or file the server returns 550 Permission denied (STOR/MKD).

What I tried to solve this problem:
1. Rewrite the directive "Limit WRITE" to "Limit APPE DELE MKD RMD RNTO STOR STOU XMKD XRMD". Not working.
2. Place a separate AllowGroup directive for each group, one per line. Not working.
3. Group the limits like <Limit READ DIRS LOGIN>.. </Limit>. Not working.
4. Launch proftpd -nd10 and read the debug output. But it contains nothing about the limit check and the group privileges applied. The debug output begins with fetching all supplementary groups associated with the authenticated user, and the group DOMAIN\rw_group is present! (proftpd understands that the user is a member of this group)
5. I also read parts of the official documentation (FAQs etc.) and found nothing.

How can I resolve this problem? Is AD group-based authorization broken in proftpd? Thanks.

castaglia (Administrator)
Re: Limit problem with mod_winbind and AllowGroup
« Reply #1 on: March 21, 2013, 10:44:48 pm »
To get more information, you might try adding the following to the top of your proftpd.conf:

  TraceLog /path/to/some/trace.log
  Trace DEFAULT:20 fileperms:20

and then try your login/write test.  Note that the TraceLog will be very verbose.

In particular, I am wondering whether the writes might be failing due to underlying filesystem permissions.  The full TraceLog should hopefully shed more light on what's going on.

John Morrissey
Re: Limit problem with mod_winbind and AllowGroup
« Reply #2 on: March 22, 2013, 03:25:08 am »
Code:
  <Limit WRITE>
    AllowGroup DOMAIN\rw_group
    DenyAll
  </Limit>

The backslashes may need to be escaped. Try:

    AllowGroup DOMAIN\\rw_group

or maybe:

    AllowGroup "DOMAIN\\rw_group"

Also, are you sure your winbind configuration is adding the DOMAIN\ prefix to your groups? You might also try the bare group name, without the domain prefix.

fscomm
Re: Limit problem with mod_winbind and AllowGroup
« Reply #3 on: March 22, 2013, 06:42:12 am »
Thanks for the replies.

When I specify the group as DOMAIN\rw_users I see the target directory when I connect to ftp, but I cannot write to it.
I tested the syntactic options in the next few steps: "DOMAIN\rw_group", DOMAIN\\rw_group (two slashes without quotes), "DOMAIN\\rw_group" (two slashes with quotes), and also tests without specifying the domain, rw_group, RW_Group (some of the characters are originally uppercased on the domain controller). All options have the same effect: I do not see the target directory when I connect to proftpd. Only DOMAIN\rw_group (without quotes, lowercase, with the domain added and one slash) works; I see the target directory and can navigate through it, but cannot write, as I said already.

I initially chose DOMAIN\rw_group because the debug output of proftpd -nd10 shows this syntax when it fetches the list of supplementary groups.

Now I shall test the server TraceLog option and write the results here later.

fscomm
Re: Limit problem with mod_winbind and AllowGroup
« Reply #4 on: March 22, 2013, 11:57:20 am »
Debugging proftpd with proftpd -nd 10 and with the TraceLog option added shows strange results.

The debug output of "proftpd -nd10" showed that all supplementary groups are fetched by mod_winbind.
The important part of the log is below.

Code:
retrieved UID 10000 for user 'DOMAIN\user'
hostname proftpd[2025] 172.16.x.x (172.16.x.x[172.16.x.x]): local user name 'DOMAIN\user' differs from client-sent user name 'DOMAIN\User', clearing cached group data
hostname proftpd[2025] 172.16.x.x (172.16.x.x[172.16.x.x]): mod_winbind/1.0: adding user DOMAIN\user primary group DOMAIN\primary group/10004
hostname proftpd[2025] 172.16.x.x (172.16.x.x[172.16.x.x]): mod_winbind/1.0: user DOMAIN\user has 14 secondary groups
hostname proftpd[2025] 172.16.x.x (172.16.x.x[172.16.x.x]): mod_winbind/1.0: added user DOMAIN\user secondary group DOMAIN\secondary group 1/10004
hostname proftpd[2025] 172.16.x.x (172.16.x.x[172.16.x.x]): mod_winbind/1.0: added user DOMAIN\user secondary group DOMAIN\secoundary group 2/10006
...etc
hostname proftpd[2025] 172.16.x.x (172.16.x.x[172.16.x.x]): retrieved group IDs: 10004, 10004, 10006, 10007, 10099, 10008, 10009, 10010, 10011, 10039, 10012, 10013, 10040, 10014, 10001
hostname proftpd[2025] 172.16.x.x (172.16.x.x[172.16.x.x]): retrieved group names: DOMAIN\primary group, DOMAIN\secondary group 1, DOMAIN\secondary group 2, ... etc
The groups that are configured in proftpd.conf are also listed above; proftpd sees them.

But it looks like the server does not check this configured secondary group membership.
Parts of the TraceLog output when the user logs in and attempts to upload a file into a directory that has read-write access configured for a group of which the user is a member.    {is my English right? :)}

grep username /var/log/proftpd/debug.log
Code:
Mar 22 14:43:25 [2025] <command:7>: dispatching PRE_CMD command 'USER DOMAIN\user' to mod_tls.c
Mar 22 14:43:25 [2025] <command:7>: dispatching PRE_CMD command 'USER DOMAIN\user' to mod_core.c
Mar 22 14:43:25 [2025] <command:7>: dispatching PRE_CMD command 'USER DOMAIN\user' to mod_core.c
Mar 22 14:43:25 [2025] <command:7>: dispatching PRE_CMD command 'USER DOMAIN\user' to mod_delay.c
Mar 22 14:43:25 [2025] <command:7>: dispatching PRE_CMD command 'USER DOMAIN\user' to mod_auth.c
Mar 22 14:43:25 [2025] <command:7>: dispatching CMD command 'USER DOMAIN\user' to mod_auth.c
Mar 22 14:43:25 [2025] <response:7>: response added to pending list: 331 Password required for DOMAIN\user
Mar 22 14:43:25 [2025] <command:7>: dispatching POST_CMD command 'USER DOMAIN\user' to mod_delay.c
Mar 22 14:43:25 [2025] <command:7>: dispatching LOG_CMD command 'USER DOMAIN\user' to mod_log.c
Mar 22 14:43:25 [2025] <response:1>: 331 Password required for DOMAIN\user
Mar 22 14:43:26 [2025] <auth:5>: stashed module 'mod_winbind.c' for user 'DOMAIN\user' in the authcache
Mar 22 14:43:26 [2025] <auth:5>: stashed name 'DOMAIN\user' for UID 10000 in the uidcache
Mar 22 14:43:26 [2025] <auth:4>: using module 'mod_winbind.c' from authcache to authenticate user 'DOMAIN\user'
Mar 22 14:43:26 [2025] <auth:4>: using module 'mod_winbind.c' from authcache to authenticate user 'DOMAIN\user'
Mar 22 10:43:26 [2025] <scoreboard:15>: updated scoreboard entry user to 'DOMAIN\user'
Mar 22 10:43:26 [2025] <response:7>: response added to pending list: 230 User DOMAIN\user logged in.
Mar 22 10:43:26 [2025] <response:1>: 230 User DOMAIN\user logged in.
Mar 22 10:43:38 [2025] <fileperms:1>: STOR, user 'DOMAIN\user' (UID 10000, GID 10004): error opening '/Archive_Events/disks.eng.temp': Permission denied      <=== Does he takes only primary group?? (UID 10004)

grep GID /var/log/proftpd/debug.log
Code:
Mar 22 14:43:26 [2025] <auth:9>: no value found in gidcache for GID 10004: No such file or directory
Mar 22 14:43:26 [2025] <auth:5>: stashed name 'DOMAIN\primary group' for GID 10004 in the gidcache {10004 is the UID of the user primary AD group}
Mar 22 10:43:26 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:26 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:26 [2025] <auth:9>: no value found in gidcache for GID 0: No such file or directory
Mar 22 10:43:26 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:26 [2025] <auth:9>: no value found in gidcache for GID 0: No such file or directory
Mar 22 10:43:30 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:30 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:30 [2025] <auth:9>: no value found in gidcache for GID 10008: No such file or directory
Mar 22 10:43:30 [2025] <auth:5>: stashed name 'DOMAIN\secondary group 5' for GID 10008 in the gidcache {this line contains only one secondary group, not configured in proftpd.conf}
Mar 22 10:43:30 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:30 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:30 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:38 [2025] <fileperms:1>: STOR, user 'DOMAIN\user' (UID 10000, GID 10004): error opening '/Archive_Events/disks.eng.temp': Permission denied
Mar 22 10:43:41 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:41 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:41 [2025] <auth:8>: using name 'DOMAIN\secondary group 5' from gidcache for GID 10008
Mar 22 10:43:41 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:41 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:41 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory

The above listing shows that not all 14 groups are checked. Are really only 2 groups checked??
Also the server always tries to check gid 48, which is really the gid of the local apache (48) group, and gid 0 (root). This happens because
the root ftp directory contains a folder owned by apache and a file owned by root. But why is it doing so?

grep gid /var/log/proftpd/debug.log
Code:
Mar 22 14:43:26 [2025] <auth:9>: no value found in gidcache for GID 10004: No such file or directory
Mar 22 14:43:26 [2025] <auth:6>: dispatching auth request "gid2name" to module mod_winbind
Mar 22 14:43:26 [2025] <auth:6>: "gid2name" response from module mod_winbind is authoritative
Mar 22 14:43:26 [2025] <auth:5>: stashed name 'DOMAIN\primary group' for GID 10004 in the gidcache
Mar 22 10:43:26 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:26 [2025] <auth:6>: dispatching auth request "gid2name" to module mod_winbind
Mar 22 10:43:26 [2025] <auth:6>: "gid2name" response from module mod_winbind is authoritative
Mar 22 10:43:26 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:26 [2025] <auth:6>: dispatching auth request "gid2name" to module mod_winbind
Mar 22 10:43:26 [2025] <auth:6>: "gid2name" response from module mod_winbind is authoritative
Mar 22 10:43:26 [2025] <auth:9>: no value found in gidcache for GID 0: No such file or directory
Mar 22 10:43:26 [2025] <auth:6>: dispatching auth request "gid2name" to module mod_winbind
Mar 22 10:43:26 [2025] <auth:6>: "gid2name" response from module mod_winbind is authoritative
Mar 22 10:43:26 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:26 [2025] <auth:6>: dispatching auth request "gid2name" to module mod_winbind
Mar 22 10:43:26 [2025] <auth:6>: "gid2name" response from module mod_winbind is authoritative
Mar 22 10:43:26 [2025] <auth:9>: no value found in gidcache for GID 0: No such file or directory
Mar 22 10:43:26 [2025] <auth:6>: dispatching auth request "gid2name" to module mod_winbind
Mar 22 10:43:26 [2025] <auth:6>: "gid2name" response from module mod_winbind is authoritative
Mar 22 10:43:30 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:30 [2025] <auth:6>: dispatching auth request "gid2name" to module mod_winbind
Mar 22 10:43:30 [2025] <auth:6>: "gid2name" response from module mod_winbind is authoritative
Mar 22 10:43:30 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:30 [2025] <auth:6>: dispatching auth request "gid2name" to module mod_winbind
Mar 22 10:43:30 [2025] <auth:6>: "gid2name" response from module mod_winbind is authoritative
Mar 22 10:43:30 [2025] <auth:9>: no value found in gidcache for GID 10008: No such file or directory
Mar 22 10:43:30 [2025] <auth:6>: dispatching auth request "gid2name" to module mod_winbind
Mar 22 10:43:30 [2025] <auth:6>: "gid2name" response from module mod_winbind is authoritative
Mar 22 10:43:30 [2025] <auth:5>: stashed name 'DOMAIN\secondary group 5' for GID 10008 in the gidcache
Mar 22 10:43:30 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:30 [2025] <auth:6>: dispatching auth request "gid2name" to module mod_winbind
Mar 22 10:43:30 [2025] <auth:6>: "gid2name" response from module mod_winbind is authoritative
Mar 22 10:43:30 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:30 [2025] <auth:6>: dispatching auth request "gid2name" to module mod_winbind
Mar 22 10:43:30 [2025] <auth:6>: "gid2name" response from module mod_winbind is authoritative
Mar 22 10:43:30 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:30 [2025] <auth:6>: dispatching auth request "gid2name" to module mod_winbind
Mar 22 10:43:30 [2025] <auth:6>: "gid2name" response from module mod_winbind is authoritative
Mar 22 10:43:41 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:41 [2025] <auth:6>: dispatching auth request "gid2name" to module mod_winbind
Mar 22 10:43:41 [2025] <auth:6>: "gid2name" response from module mod_winbind is authoritative
Mar 22 10:43:41 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:41 [2025] <auth:6>: dispatching auth request "gid2name" to module mod_winbind
Mar 22 10:43:41 [2025] <auth:6>: "gid2name" response from module mod_winbind is authoritative
Mar 22 10:43:41 [2025] <auth:8>: using name 'DOMAIN\secondary group 5' from gidcache for GID 10008
Mar 22 10:43:41 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:41 [2025] <auth:6>: dispatching auth request "gid2name" to module mod_winbind
Mar 22 10:43:41 [2025] <auth:6>: "gid2name" response from module mod_winbind is authoritative
Mar 22 10:43:41 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:41 [2025] <auth:6>: dispatching auth request "gid2name" to module mod_winbind
Mar 22 10:43:41 [2025] <auth:6>: "gid2name" response from module mod_winbind is authoritative
Mar 22 10:43:41 [2025] <auth:9>: no value found in gidcache for GID 48: No such file or directory
Mar 22 10:43:41 [2025] <auth:6>: dispatching auth request "gid2name" to module mod_winbind
Mar 22 10:43:41 [2025] <auth:6>: "gid2name" response from module mod_winbind is authoritative

Same thing as above. And the TraceLog output contains nothing about the configured AD groups used to authorize users.

Any idea?

John Morrissey
Re: Limit problem with mod_winbind and AllowGroup
« Reply #5 on: March 25, 2013, 08:52:18 pm »
Keep in mind that ProFTPD Limit configuration applies *in addition to* filesystem permissions. If the directory you're trying to upload to doesn't have filesystem permissions that would allow the upload, the Limit configuration won't change that. What do the permissions and owner/group of the directory you're trying to upload look like?

fscomm
Re: Limit problem with mod_winbind and AllowGroup
« Reply #6 on: March 28, 2013, 08:14:20 am »
Thanks, awesome help. I completely forgot about filesystem permissions. But I have one more question about the current configuration.

Code:
<Directory /var/www/html/share>
    <Limit DIRS READ>
      AllowGroup OR DOMAIN\group1_read,DOMAIN\group1_write,DOMAIN\group2_read,DOMAIN\group2_write
    </Limit>
    <Limit ALL>
      DenyAll
    </Limit>
</Directory>

<Directory /var/www/html/share/share1>
    <Limit DIRS READ>
      AllowGroup OR DOMAIN\group1_read,DOMAIN\group1_write
    </Limit>

    <Limit ALL>
      AllowGroup DOMAIN\group1_write
      DenyAll
    </Limit>
</Directory>

<Directory /var/www/html/share/share2>
    <Limit DIRS READ>
      AllowGroup OR DOMAIN\group2_read,DOMAIN\group2_write
    </Limit>

    <Limit ALL>
      AllowGroup DOMAIN\group2_write
      DenyAll
    </Limit>
</Directory>

With this configuration we had one issue: when a user is in both the read and the write group of a share, he can actually only read this share. For example, if a user is in group1_read and group1_write he cannot write to share1. But deleting him from the read group (leaving him in the write group only) solves this problem.

Is this configuration incorrect?

castaglia (Administrator)
Re: Limit problem with mod_winbind and AllowGroup
« Reply #7 on: March 29, 2013, 08:39:05 pm »
What does `ls -aldn /var/www/html/share /var/www/html/share/share1' show?

fscomm
Re: Limit problem with mod_winbind and AllowGroup
« Reply #8 on: April 01, 2013, 04:42:36 am »
Looks like this:

Code:
drwxrwxrwx  4 48 48 81 Мар 28 14:11 /var/www/html/share
drwxrwxr-x+ 6 48 48 72 Мар 27 17:48 /var/www/html/share/share1

castaglia (Administrator)
Re: Limit problem with mod_winbind and AllowGroup
« Reply #9 on: April 03, 2013, 03:28:17 pm »
Strange, though, that your /share1 permissions allow group ID 48 to be able to add/delete files (via write permissions), but your logging-in user does not belong to group ID 48.  This confuses me -- because it means that your logged-in user should never be able to upload files to that directory, regardless of any <Limit> configuration.

John Morrissey
Re: Limit problem with mod_winbind and AllowGroup
« Reply #10 on: April 06, 2013, 09:19:46 pm »
Looks like there's an ACL on share1 (the plus at the end of the permissions bits)?
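As an added example (not code from this thread or from ProFTPD), the filesystem-permission check that John and castaglia describe in Replies #5, #9 and #10, in Python: it parses the two `ls -ldn` lines from Reply #8, applies the classic owner/group/other rule for the identity the TraceLog reports (UID 10000, GID 10004 plus the secondary GIDs), and flags the trailing '+' that marks an ACL, which the mode bits alone cannot show. The sample lines, the GID set and the function names are assumptions taken from this thread.

```python
import re
from typing import NamedTuple

# Matches one `ls -ldn` line: type, nine mode chars, optional ACL/attribute flag,
# link count, numeric uid, numeric gid, size, three date tokens, then the path.
LS_LDN = re.compile(
    r'^([dl-])([rwxsStT-]{9})([+.@]?)\s+\d+\s+(\d+)\s+(\d+)\s+\d+'
    r'\s+\S+\s+\S+\s+\S+\s+(.+)$'
)

class Entry(NamedTuple):
    is_dir: bool
    mode: str      # nine permission characters, e.g. 'rwxrwxr-x'
    has_acl: bool  # '+' suffix: an ACL may grant rights the mode bits do not show
    uid: int
    gid: int
    path: str

def parse_ls_ldn(line: str) -> Entry:
    m = LS_LDN.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised ls -ldn line: {line!r}")
    ftype, mode, flag, uid, gid, path = m.groups()
    return Entry(ftype == 'd', mode, flag == '+', int(uid), int(gid), path)

def can_create_in(entry: Entry, uid: int, gids: set) -> tuple:
    """Classic DAC check for creating an entry in a directory: the caller needs
    write *and* search (x) on the directory in whichever class applies to it.
    Returns (allowed, explanation). Root (uid 0) bypasses the mode bits."""
    if uid == 0:
        return True, f"{entry.path}: uid 0 bypasses mode bits"
    if uid == entry.uid:
        cls, bits = "owner", entry.mode[0:3]
    elif entry.gid in gids:
        cls, bits = "group", entry.mode[3:6]
    else:
        cls, bits = "other", entry.mode[6:9]
    allowed = bits[1] == 'w' and bits[2] in 'xst'  # lowercase s/t imply x
    note = "; '+' present, run getfacl to see ACL entries" if entry.has_acl else ""
    return allowed, f"{entry.path}: uid {uid} falls in class '{cls}' ({bits}){note}"

# Constructed sample: the two lines from Reply #8 and the identity the TraceLog
# reports for the logged-in user (UID 10000, GID 10004 plus the secondary GIDs).
SAMPLE_LS = [
    "drwxrwxrwx  4 48 48 81 Мар 28 14:11 /var/www/html/share",
    "drwxrwxr-x+ 6 48 48 72 Мар 27 17:48 /var/www/html/share/share1",
]
USER_UID = 10000
USER_GIDS = {10004, 10006, 10007, 10099, 10008, 10009, 10010, 10011,
             10039, 10012, 10013, 10040, 10014, 10001}

def check_all(lines=SAMPLE_LS, uid=USER_UID, gids=USER_GIDS) -> dict:
    """Map each path to whether uid may create entries in it by mode bits alone."""
    return {e.path: can_create_in(e, uid, gids)[0] for e in map(parse_ls_ldn, lines)}

if __name__ == "__main__":
    for e in map(parse_ls_ldn, SAMPLE_LS):
        ok, why = can_create_in(e, USER_UID, USER_GIDS)
        print("WRITE OK" if ok else "DENIED  ", why)
```

For share1 the user lands in the "other" class (r-x), so by mode bits alone the STOR must fail whatever the <Limit> blocks say; only the ACL behind the '+' could change that.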