after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore

Dr. Hansjoerg Maurer hansjoerg.maurer at itsd.de
Wed Jan 28 07:40:51 MST 2015 

Hi

am trying samba 4.2.0rc4 as an AD member (security =ADS)

I upgraded form a working 4.1.16 configuration

        idmap config * : backend = tdb
        idmap config * : range = 1000001-1999999

        idmap config XXX : backend  = ad
        idmap config XXX : schema_mode = rfc2307

        idmap config XXX : readonly = yes
        idmap config XXX : range = 1000-1000000


I have a share with a force user line which did not work any more

[tmpuser]
        path = /home_local/tmpuser
        comment = tmpuser-Share
        guest ok = no
        read only = no
        force group = +XXX\groupname
        force user = maurerh

I got acces denied, neither with
        force user = maurerh
nor with
        force user = XXX\maurerh

Without force user I can access the share
With force user samba logs

 Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED                                               
[2015/01/28 15:22:55.911105,  1] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)                                                            
  The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)

If I create a Folder in the share without force user
the folder belongs to the right user and group
drwx------  2 maurerh groupname 4096 Jan 28 15:24 Neuer Ordner/
therefore the mapping seems to be ok

The unix user maurerh ( uid=7740 ) is an AD user to, but the system get the
nss information from the AD using  VAS (Vintela/Quest/Dell) Authentication services
  

Can someone reproduce this problem?
Sould I open a bug?

Regrads


Hansjörg


----------------------------
Unser System ist mit einem Mailverschluesselungs-Gateway ausgestattet. Wenn Sie moechten, dass an Sie gerichtete E-Mails verschluesselt werden, senden Sie einfach eine S/MIME-signierte E-Mail oder Ihren PGP Public Key an hansjoerg.maurer at itsd.de.

Our system is equipped with an email encryption gateway. If you want email sent to you to be encrypted please send a S/MIME signed email or your PGP public key to hansjoerg.maurer at itsd.de.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5906 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150128/79099922/attachment.bin>

More information about the samba-technical mailing list