username map not working after upgrade from 3.5.13 to 3.6.4 (security=ADS)
"Maurer, Hansjörg"
Hansjoerg.Maurer at dlr.de
Wed Apr 18 03:44:45 MDT 2012
Hi
after an upgrade from 3.5.13 to 3.6.4 of an AD Member Server
(security=ADS) username map
does not work any more.
We use
idmap config * : backend = tdb
idmap config * : range = 1000001-1999999
idmap config DLR : backend = nss
idmap config DLR : readonly = yes
idmap config DLR : range = 1000-100000
because the AD users are available to the Linux system using Vintela
Authentication Services (VAS)
With 3.5.13
root = DLR\maurerh
allows DLR\maurerh to modify printer setting or create files as root
With 3.6.4
samba still logs
[2012/04/18 11:29:23.206003, 3] auth/user_util.c:402(map_username)
Mapped user DLR\maurerh to root
but the printer settings are greyed out and files are created as maurerh
instead of as root.
One more difference is that with 3.5.13
it was possible to use
root = DLR\maurerh-ad
where maurerh-ad is a windows only administrative account without unix
attributes
Access to the samba server was mapped to root
With 3.6.4
Samba logs
Kerberos ticket principal name is [username-adm at INTRA.DLR.DE]
[2012/04/12 13:33:35.920072, 3] auth/user_util.c:402(map_username)
Mapped user DLR\maurerh-ad to root
Failed to find authenticated user DLR\maurerh-ad via getpwnam(), denying
access.
Can anybody confirm these problems?
Should I file a bug?
Regards
Hansjörg
[2012/04/18 11:29:23.205474, 3] libads/authdata.c:332(decode_pac_data)
Found account name from PAC: maurerh [Maurer, Hansjörg]
[2012/04/18 11:29:23.205766, 3]
auth/user_krb5.c:50(get_user_from_kerberos_info)
Kerberos ticket principal name is [maurerh at INTRA.DLR.DE]
[2012/04/18 11:29:23.206003, 3] auth/user_util.c:402(map_username)
Mapped user DLR\maurerh to root
[2012/04/18 11:29:23.310976, 3]
passdb/lookup_sid.c:1737(get_primary_group_sid)
Forcing Primary Group to 'Domain Users' for maurerh
==> log.winbindd <==
[2012/04/18 11:29:23.311849, 3]
winbindd/winbindd_misc.c:384(winbindd_interface_version)
[ 6364]: request interface version
[2012/04/18 11:29:23.312147, 3]
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
[ 6364]: request location of privileged pipe
[2012/04/18 11:29:23.312796, 3]
winbindd/winbindd_lookupname.c:69(winbindd_lookupname_send)
lookupname Unix User\maurerh
==> log.wb-RM-SAMBA01-TEST <==
[2012/04/18 11:29:23.313137, 3]
winbindd/winbindd_samr.c:622(sam_name_to_sid)
sam_name_to_sid
[2012/04/18 11:29:23.313435, 3]
winbindd/winbindd_rpc.c:303(rpc_name_to_sid)
name_to_sid: UNIX USER\MAURERH for domain UNIX USER
[2012/04/18 11:29:23.319738, 3]
rpc_server/rpc_handles.c:281(close_policy_hnd)
Closed policy
==> log.129.247.189.133 <==
[2012/04/18 11:29:23.371065, 3] smbd/password.c:297(register_existing_vuid)
register_existing_vuid: User name: maurerh Real name: Maurer, Hansjörg
[2012/04/18 11:29:23.371289, 3] smbd/password.c:307(register_existing_vuid)
register_existing_vuid: UNIX uid 7740 is UNIX user maurerh, and will be
vuid 101
[2012/04/18 11:29:23.371704, 1] smbd/session.c:86(session_claim)
--
——————————————————————————
Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)
Robotik und Mechatronik Zentrum | Münchner Strasse 20 | 82234 Wessling
Dr. Hansjörg Maurer | Telefon 08153 28-2431 | Telefax 08153 28-1134 | Hansjoerg.Maurer at dlr.de
www.DLR.de