username map not working after upgrade from 3.5.13 to 3.6.4 (security=ADS)

"Maurer, Hansjörg" Hansjoerg.Maurer at dlr.de
Wed Apr 18 03:44:45 MDT 2012


Hi

After an upgrade from 3.5.13 to 3.6.4 of an AD member server
(security=ADS), username map does not work any more.

We use

idmap config * : backend = tdb
idmap config * : range = 1000001-1999999

idmap config DLR : backend = nss
idmap config DLR : readonly = yes
idmap config DLR : range = 1000-100000

because the AD users are available to the Linux system using Vintela
Authentication Services (VAS).

With 3.5.13
root = DLR\maurerh
allows DLR\maurerh to modify printer settings or create files as root

With 3.6.4
samba still logs

[2012/04/18 11:29:23.206003, 3] auth/user_util.c:402(map_username)
Mapped user DLR\maurerh to root

but the printer settings are greyed out and files are created as maurerh
instead of as root.


One more difference is that with 3.5.13
it was possible to use

root = DLR\maurerh-ad

where maurerh-ad is a Windows-only administrative account without Unix
attributes.
Access to the Samba server was mapped to root.

With 3.6.4

Samba logs

Kerberos ticket principal name is [username-adm at INTRA.DLR.DE]
[2012/04/12 13:33:35.920072, 3] auth/user_util.c:402(map_username)
Mapped user DLR\maurerh-ad to root

Failed to find authenticated user DLR\maurerh-ad via getpwnam(), denying access.

Can anybody confirm these problems?
Should I file a bug?

Regards

Hansjörg


[2012/04/18 11:29:23.205474, 3] libads/authdata.c:332(decode_pac_data)
Found account name from PAC: maurerh [Maurer, Hansjörg]
[2012/04/18 11:29:23.205766, 3] auth/user_krb5.c:50(get_user_from_kerberos_info)
Kerberos ticket principal name is [maurerh at INTRA.DLR.DE]
[2012/04/18 11:29:23.206003, 3] auth/user_util.c:402(map_username)
Mapped user DLR\maurerh to root
[2012/04/18 11:29:23.310976, 3] passdb/lookup_sid.c:1737(get_primary_group_sid)
Forcing Primary Group to 'Domain Users' for maurerh

==> log.winbindd <==
[2012/04/18 11:29:23.311849, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
[ 6364]: request interface version
[2012/04/18 11:29:23.312147, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
[ 6364]: request location of privileged pipe
[2012/04/18 11:29:23.312796, 3] winbindd/winbindd_lookupname.c:69(winbindd_lookupname_send)
lookupname Unix User\maurerh

==> log.wb-RM-SAMBA01-TEST <==
[2012/04/18 11:29:23.313137, 3] winbindd/winbindd_samr.c:622(sam_name_to_sid)
sam_name_to_sid
[2012/04/18 11:29:23.313435, 3] winbindd/winbindd_rpc.c:303(rpc_name_to_sid)
name_to_sid: UNIX USER\MAURERH for domain UNIX USER
[2012/04/18 11:29:23.319738, 3] rpc_server/rpc_handles.c:281(close_policy_hnd)
Closed policy

==> log.129.247.189.133 <==
[2012/04/18 11:29:23.371065, 3] smbd/password.c:297(register_existing_vuid)
register_existing_vuid: User name: maurerh Real name: Maurer, Hansjörg
[2012/04/18 11:29:23.371289, 3] smbd/password.c:307(register_existing_vuid)
register_existing_vuid: UNIX uid 7740 is UNIX user maurerh, and will be vuid 101
[2012/04/18 11:29:23.371704, 1] smbd/session.c:86(session_claim)

-- 

——————————————————————————

Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)

Robotik und Mechatronik Zentrum | Münchner Strasse 20 | 82234 Wessling

Dr. Hansjörg Maurer | Telefon 08153 28-2431 | Telefax 08153 28-1134 | Hansjoerg.Maurer at dlr.de

www.DLR.de
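
An added example, not part of the original post and not Samba code: a Python check that walks level-3 smbd log output and reports every "Mapped user ... to ..." line whose target did not become the session's UNIX user, covering both symptoms described in the message above. The function name, the finding fields and the third log session (DLR\svc-print) are assumptions made for illustration.

```python
import re

TS = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
MAPPED = re.compile(r"Mapped user (\S+) to (\S+)")
SESSION = re.compile(r"UNIX uid (\d+) is UNIX user (\S+?),")
DENIED = re.compile(r"Failed to find authenticated user (\S+) via getpwnam\(\)")

# Constructed sample: sessions 1 and 2 reuse log lines quoted in the post,
# session 3 (DLR\svc-print) is invented to show a mapping that took effect.
SAMPLE_LOG = r"""
[2012/04/18 11:29:23.206003, 3] auth/user_util.c:402(map_username)
Mapped user DLR\maurerh to root
[2012/04/18 11:29:23.371289, 3] smbd/password.c:307(register_existing_vuid)
register_existing_vuid: UNIX uid 7740 is UNIX user maurerh, and will be vuid 101
[2012/04/12 13:33:35.920072, 3] auth/user_util.c:402(map_username)
Mapped user DLR\maurerh-ad to root
Failed to find authenticated user DLR\maurerh-ad via getpwnam(), denying access.
[2012/04/18 11:40:00.000001, 3] auth/user_util.c:402(map_username)
Mapped user DLR\svc-print to root
[2012/04/18 11:40:00.000002, 3] smbd/password.c:307(register_existing_vuid)
register_existing_vuid: UNIX uid 0 is UNIX user root, and will be vuid 102
"""

def audit_username_map(log_text):
    """Report each username-map hit whose target did not become the session user."""
    findings, pending, ts = [], None, None
    for line in log_text.splitlines():
        if (m := TS.match(line)):
            ts = m.group(1)  # remember the timestamp of the latest log header
        if (m := MAPPED.search(line)):
            pending = {"mapped_at": ts, "client_user": m.group(1), "map_target": m.group(2)}
        elif pending and (m := SESSION.search(line)):
            if m.group(2) != pending["map_target"]:  # mapping logged but not applied
                findings.append({**pending, "outcome": "session_as_other_user",
                                 "unix_user": m.group(2), "uid": int(m.group(1))})
            pending = None
        elif pending and (m := DENIED.search(line)):  # mapped, then getpwnam() lookup failed
            findings.append({**pending, "outcome": "denied_getpwnam",
                             "unix_user": None, "uid": None})
            pending = None
    return findings

if __name__ == "__main__":
    for finding in audit_username_map(SAMPLE_LOG):
        print(finding)
```

The check assumes it is fed one client's log stream at a time, so a mapping line is paired with the next session or denial line that follows it.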


