after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore

Rowland Penny repenny241155 at gmail.com
Wed Jan 28 08:45:21 MST 2015


On 28/01/15 14:40, Dr. Hansjoerg Maurer wrote:
> Hi
>
> I am trying Samba 4.2.0rc4 as an AD member (security = ADS)
>
> I upgraded from a working 4.1.16 configuration
>
>          idmap config * : backend = tdb
>          idmap config * : range = 1000001-1999999
>
>          idmap config XXX : backend  = ad
>          idmap config XXX : schema_mode = rfc2307
>
>          idmap config XXX : readonly = yes
>          idmap config XXX : range = 1000-1000000
>
>
> I have a share with a force user line which did not work any more
>
> [tmpuser]
>          path = /home_local/tmpuser
>          comment = tmpuser-Share
>          guest ok = no
>          read only = no
>          force group = +XXX\groupname
>          force user = maurerh
>
> I got access denied, neither with
>          force user = maurerh
> nor with
>          force user = XXX\maurerh
>
> Without force user, I can access the share.
> With force user, Samba logs:
>
>   Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED
> [2015/01/28 15:22:55.911105,  1] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
>    The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
>
> If I create a folder in the share without force user,
> the folder belongs to the right user and group:
> drwx------  2 maurerh groupname 4096 Jan 28 15:24 Neuer Ordner/
> therefore the mapping seems to be OK.
>
> The Unix user maurerh (uid=7740) is an AD user too, but the system gets the
> NSS information from the AD using VAS (Vintela/Quest/Dell) Authentication Services.
>
>
> Can someone reproduce this problem?
> Should I open a bug?
>
> Regards
>
>
> Hansjörg
>
>
> ----------------------------
> Our system is equipped with an email encryption gateway. If you want email sent to you to be encrypted please send a S/MIME signed email or your PGP public key to hansjoerg.maurer at itsd.de.
>

Try removing this: 'idmap config XXX : readonly = yes'. I have never seen 
anybody else use this, and 'S-1-22-1' is the well-known SID for the 
'Local' group.

Rowland
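The two things the thread turns on, the idmap ranges in the posted smb.conf and the SID comparison in the quoted passwd_to_SamInfo3 log line, can both be checked offline. The script below is an added example, not code from the original post or from the Samba project: it parses the idmap lines quoted above and reports missing, inverted or overlapping ranges, then extracts the three SIDs from the quoted log line and reproduces the domain-part comparison that the log message says failed. The one fact it relies on is that S-1-22-1 is Samba's "Unix User" authority, the SID prefix Samba synthesises for a uid that has no SID mapping of its own; the function names, the constructed inputs and the extra overlapping configuration used for testing are this example's own.

```python
"""Added example (not Samba code): check the posted idmap ranges and
reproduce the domain-SID comparison reported by passwd_to_SamInfo3."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the idmap lines from the smb.conf fragment in the post.
IDMAP_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 1000001-1999999
idmap config XXX : backend  = ad
idmap config XXX : schema_mode = rfc2307
idmap config XXX : readonly = yes
idmap config XXX : range = 1000-1000000
"""

# Constructed input: the log line quoted in the post.
LOG_LINE = ("The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) "
            "does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)")

# Samba's "Unix User" / "Unix Group" authorities: SID prefixes Samba synthesises
# for a uid/gid that no idmap backend maps (here the uid came from NSS via VAS).
UNIX_USERS_DOMAIN = "S-1-22-1"
UNIX_GROUPS_DOMAIN = "S-1-22-2"

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Group 'idmap config DOM : key = value' lines by domain ('*' is the default)."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom, {})[key.lower()] = val
    return domains


def parse_range(spec: str) -> Tuple[int, int]:
    lo, hi = (int(x) for x in spec.split("-", 1))
    return lo, hi


def check_idmap(domains: Dict[str, Dict[str, str]]) -> List[str]:
    """Report domains without backend/range, inverted ranges, and ranges that overlap."""
    problems: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        lo, hi = parse_range(opts["range"])
        if lo >= hi:
            problems.append(f"{dom}: inverted range {lo}-{hi}")
            continue
        ranges[dom] = (lo, hi)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    return problems


SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def sid_domain(sid: str) -> str:
    """Everything up to the final RID, e.g. S-1-22-1-7740 -> S-1-22-1."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid}")
    return sid.rsplit("-", 1)[0]


def primary_group_matches(user_sid: str, group_sid: str) -> bool:
    """The check the log line reports: user and primary group must share a domain SID."""
    return sid_domain(user_sid) == sid_domain(group_sid)


LOG_RE = re.compile(r"primary group domain sid\((S-[\d-]+)\) does not match the "
                    r"domain sid\((S-[\d-]+)\) for (\S+?)\((S-[\d-]+)\)")


def diagnose(log_line: str) -> Optional[dict]:
    """Pull the SIDs out of a passwd_to_SamInfo3 mismatch line and classify them."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    group_sid, _, user, user_sid = m.groups()
    return {
        "user": user,
        "user_sid": user_sid,
        "user_domain": sid_domain(user_sid),
        "group_sid": group_sid,
        "group_domain": sid_domain(group_sid),
        "match": primary_group_matches(user_sid, group_sid),
        # A Unix-User SID means the uid was not mapped by any idmap backend and
        # Samba fell back to the NSS identity, so an AD group SID cannot match it.
        "user_from_nss_only": sid_domain(user_sid) == UNIX_USERS_DOMAIN,
    }


if __name__ == "__main__":
    print("idmap problems:", check_idmap(parse_idmap(IDMAP_CONF)) or "none")
    print("diagnosis:", diagnose(LOG_LINE))
```

Run with python3: the posted ranges come back clean (1000-1000000 and 1000001-1999999 are adjacent, not overlapping), while the diagnosis shows the user side of the comparison sitting under S-1-22-1 and the group side under the AD domain SID. On the member server itself the equivalent live check is `wbinfo --uid-to-sid 7740` next to `id maurerh`: if winbind answers with an S-1-22-1 SID rather than the domain's S-1-5-21 SID, the uid is not coming from the configured idmap backend.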
