after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore

Dr. Hansjoerg Maurer hansjoerg.maurer at
Wed Jan 28 07:40:51 MST 2015


I am trying Samba 4.2.0rc4 as an AD member (security = ADS)

I upgraded from a working 4.1.16 configuration

        idmap config * : backend = tdb
        idmap config * : range = 1000001-1999999

        idmap config XXX : backend  = ad
        idmap config XXX : schema_mode = rfc2307

        idmap config XXX : readonly = yes
        idmap config XXX : range = 1000-1000000

I have a share with a force user line which did not work any more

        path = /home_local/tmpuser
        comment = tmpuser-Share
        guest ok = no
        read only = no
        force group = +XXX\groupname
        force user = maurerh

I got access denied, neither with
        force user = maurerh
nor with
        force user = XXX\maurerh

Without force user I can access the share
With force user samba logs

 Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED                                               
[2015/01/28 15:22:55.911105,  1] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)                                                            
  The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)

If I create a folder in the share without force user
the folder belongs to the right user and group
drwx------  2 maurerh groupname 4096 Jan 28 15:24 Neuer Ordner/
therefore the mapping seems to be ok

The unix user maurerh ( uid=7740 ) is an AD user too, but the system gets the
NSS information from the AD using VAS (Vintela/Quest/Dell) Authentication Services

Can someone reproduce this problem?
Should I open a bug?



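The SIDs in the log message quoted in the post can be decoded mechanically. The following Python triage script is an added example, not part of the original post and not Samba code: it finds this message in a log and splits each SID into its domain part and RID. The function names and class labels are hypothetical; S-1-22-1 and S-1-22-2 are the prefixes Samba uses for Unix users and Unix groups that have no domain SID, and the script assumes the first SID in the message is the full group SID (domain plus RID), as its shape in the post suggests.

```python
import re

# Samba's synthetic SID prefixes for accounts without a domain SID:
# S-1-22-1-<uid> is a Unix user, S-1-22-2-<gid> is a Unix group.
UNIX_USERS, UNIX_GROUPS = "S-1-22-1", "S-1-22-2"

MISMATCH_RE = re.compile(
    r"The primary group domain sid\((?P<group>S-[\d-]+)\) does not match "
    r"the domain sid\((?P<domain>S-[\d-]+)\) for "
    r"(?P<user>[^\s(]+)\((?P<user_sid>S-[\d-]+)\)")

def split_sid(sid):
    """Split 'S-1-...-<rid>' into (domain part, RID as int)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def classify(domain):
    """Label a SID domain part (labels are illustrative only)."""
    if domain == UNIX_USERS:
        return "unix-user"
    if domain == UNIX_GROUPS:
        return "unix-group"
    return "nt-domain" if domain.startswith("S-1-5-21-") else "other"

def find_mismatches(log_text):
    """Return one dict per passwd_to_SamInfo3 mismatch message in log_text."""
    findings = []
    for m in MISMATCH_RE.finditer(log_text):
        user_domain, user_rid = split_sid(m["user_sid"])
        group_domain, group_rid = split_sid(m["group"])  # assumed: full group SID
        findings.append({
            "user": m["user"], "user_rid": user_rid,
            "user_class": classify(user_domain),
            "group_domain": group_domain, "group_rid": group_rid,
            "group_class": classify(group_domain),
            "logged_domain_is_user_domain": m["domain"] == user_domain,
        })
    return findings

# Sample input: the two log lines from the post, plus one constructed line.
SAMPLE_LOG = """\
[2015/01/28 15:22:55.900000,  3] constructed unrelated line for the example
[2015/01/28 15:22:55.911105,  1] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
  The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
"""

if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_LOG):
        print(f)
```

For the message in the post, this shows the user SID sitting in the Unix users namespace (RID 7740 equals the uid) while the primary group SID is a domain SID, which is the combination the log message reports as a mismatch.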