after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore
Rowland Penny
repenny241155 at gmail.com
Wed Jan 28 08:45:21 MST 2015
On 28/01/15 14:40, Dr. Hansjoerg Maurer wrote:
> Hi
>
> I am trying samba 4.2.0rc4 as an AD member (security = ADS)
>
> I upgraded from a working 4.1.16 configuration
>
> idmap config * : backend = tdb
> idmap config * : range = 1000001-1999999
>
> idmap config XXX : backend = ad
> idmap config XXX : schema_mode = rfc2307
>
> idmap config XXX : readonly = yes
> idmap config XXX : range = 1000-1000000
>
>
> I have a share with a force user line which did not work any more
>
> [tmpuser]
> path = /home_local/tmpuser
> comment = tmpuser-Share
> guest ok = no
> read only = no
> force group = +XXX\groupname
> force user = maurerh
>
> I got access denied, neither with
> force user = maurerh
> nor with
> force user = XXX\maurerh
>
> Without force user I can access the share
> With force user samba logs
>
> Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED
> [2015/01/28 15:22:55.911105, 1] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
> The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
>
> If I create a Folder in the share without force user
> the folder belongs to the right user and group
> drwx------ 2 maurerh groupname 4096 Jan 28 15:24 Neuer Ordner/
> therefore the mapping seems to be ok
>
> The unix user maurerh ( uid=7740 ) is an AD user too, but the system gets the
> nss information from the AD using VAS (Vintela/Quest/Dell) Authentication services
>
>
> Can someone reproduce this problem?
> Should I open a bug?
>
> Regards
>
>
> Hansjörg
>
>
> ----------------------------
> Our system is equipped with an email encryption gateway. If you want email sent to you to be encrypted, please send an S/MIME-signed email or your PGP public key to hansjoerg.maurer at itsd.de.
>
Try removing this: 'idmap config XXX : readonly = yes', never seen
anybody else use this and 'S-1-22-1' is the well known SID for the
'Local' group.
Rowland
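As an added illustration (not code from the thread or from Samba), the following Python parses the passwd_to_SamInfo3 message quoted above and reports which SID authority each side came from: S-1-22-1 and S-1-22-2 are the "Unix Users" and "Unix Groups" authorities Samba assigns to uids/gids that were not mapped through idmap, while S-1-5-21-... is an NT domain SID; a user SID in S-1-22-1 next to a primary group in the AD domain is exactly the inconsistency the log line reports. The sample line is constructed from the quoted message.

```python
import re

# Constructed sample input: the passwd_to_SamInfo3 line quoted in the thread above.
SAMPLE_LOG = (
    "The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) "
    "does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)"
)

# Samba prints: full group SID, the user's domain SID (RID stripped), name, full user SID.
LOG_RE = re.compile(
    r"primary group domain sid\((?P<group_sid>S-[\d-]+)\) does not match "
    r"the domain sid\((?P<user_dom>S-[\d-]+)\) for (?P<user>[^(]+)\((?P<user_sid>S-[\d-]+)\)"
)

# Authorities Samba uses for identities that did NOT come from AD via idmap.
SID_AUTHORITIES = {
    "S-1-22-1": "Unix Users (local uid, not mapped through idmap)",
    "S-1-22-2": "Unix Groups (local gid, not mapped through idmap)",
}

def domain_of(sid: str) -> str:
    """Strip the trailing RID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]

def rid(sid: str) -> int:
    """Relative identifier, the last SID component (for S-1-22-1-N it is the uid)."""
    return int(sid.rsplit("-", 1)[1])

def sid_source(domain_sid: str) -> str:
    """Describe which authority a domain SID belongs to."""
    if domain_sid in SID_AUTHORITIES:
        return SID_AUTHORITIES[domain_sid]
    if domain_sid.startswith("S-1-5-21-"):
        return "NT domain (AD or local machine SID)"
    return "other well-known authority"

def diagnose(line: str) -> dict:
    """Parse the mismatch message and explain where each identity came from."""
    m = LOG_RE.search(line)
    if not m:
        return {"matched": False}
    d = m.groupdict()
    group_domain = domain_of(d["group_sid"])
    return {
        "matched": True,
        "user": d["user"].strip(),
        "uid": rid(d["user_sid"]),
        "user_domain": d["user_dom"],
        "user_source": sid_source(d["user_dom"]),
        "group_domain": group_domain,
        "group_source": sid_source(group_domain),
        "inconsistent": d["user_dom"] != group_domain,
    }
```

Feed it a line from log.smbd at log level 1 or higher; `inconsistent` is True whenever the user came through NSS as a plain Unix uid while the primary group resolved to an AD SID.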