Re: after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore
Dr. Hansjoerg Maurer
hansjoerg.maurer at itsd.de
Thu Jan 29 01:29:17 MST 2015
Hi
-----Original Message-----
> From: Rowland Penny <repenny241155 at gmail.com>
> Sent: Wed 28 January 2015 16:45
> To: samba-technical at lists.samba.org
> Subject: Re: after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore
>
> On 28/01/15 14:40, Dr. Hansjoerg Maurer wrote:
> > Hi
> >
> > I am trying samba 4.2.0rc4 as an AD member (security = ADS)
> >
> > I upgraded from a working 4.1.16 configuration
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 1000001-1999999
> >
> > idmap config XXX : backend = ad
> > idmap config XXX : schema_mode = rfc2307
> >
> > idmap config XXX : readonly = yes
> > idmap config XXX : range = 1000-1000000
> >
> >
> > I have a share with a force user line which did not work any more
> >
> > [tmpuser]
> > path = /home_local/tmpuser
> > comment = tmpuser-Share
> > guest ok = no
> > read only = no
> > force group = +XXX\groupname
> > force user = maurerh
> >
> > I got access denied, neither with
> > force user = maurerh
> > nor with
> > force user = XXX\maurerh
> >
> > Without force user I can access the share
> > With force user samba logs
> >
> > Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED
> > [2015/01/28 15:22:55.911105, 1] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
> > The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
> >
> > If I create a Folder in the share without force user
> > the folder belongs to the right user and group
> > drwx------ 2 maurerh groupname 4096 Jan 28 15:24 Neuer Ordner/
> > therefore the mapping seems to be ok
> >
> > The unix user maurerh (uid=7740) is an AD user too, but the system gets the
> > nss information from the AD using VAS (Vintela/Quest/Dell) Authentication Services
> >
> >
> > Can someone reproduce this problem?
> > Should I open a bug?
> >
> > Regards
> >
> >
> > Hansjörg
> >
> >
> >
>
> Try removing this: 'idmap config XXX : readonly = yes', never seen
> anybody else use this and 'S-1-22-1' is the well known SID for the
> 'Local' group.
>
> Rowland
>
>
thanks, I removed the 'idmap config XXX : readonly = yes'
parameter, but with no success.
The SID it claims in
> > The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
is the SID of the primary group id of the user maurerh in AD, which could be resolved to a group id:
[root at rmc-donau samba]# wbinfo --sids-to-unix-ids S-1-5-21-1156737867-681972312-1097073633-131379
S-1-5-21-1156737867-681972312-1097073633-131379 -> gid 43466
[root at rmc-donau samba]# id -a maurerh
uid=7740(maurerh) gid=43466(xxx_maurerh_p) groups=43466(xxx_maurerh_p)
Why does it compare the SID of the domain user with a "Local" SID?
I raised the debug level (below).
Regards
Hansjörg
[2015/01/29 09:12:49.304474, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
init_oplocks: initializing messages.
[2015/01/29 09:12:49.304653, 3] ../source3/smbd/process.c:1879(process_smb)
Transaction 0 of length 137 (0 toread)
[2015/01/29 09:12:49.304700, 3] ../source3/smbd/process.c:1489(switch_message)
switch message SMBnegprot (pid 16610) conn 0x0
[2015/01/29 09:12:49.305220, 3] ../source3/smbd/negprot.c:575(reply_negprot)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2015/01/29 09:12:49.305264, 3] ../source3/smbd/negprot.c:575(reply_negprot)
Requested protocol [LANMAN1.0]
[2015/01/29 09:12:49.305283, 3] ../source3/smbd/negprot.c:575(reply_negprot)
Requested protocol [Windows for Workgroups 3.1a]
[2015/01/29 09:12:49.305302, 3] ../source3/smbd/negprot.c:575(reply_negprot)
Requested protocol [LM1.2X002]
[2015/01/29 09:12:49.305320, 3] ../source3/smbd/negprot.c:575(reply_negprot)
Requested protocol [LANMAN2.1]
[2015/01/29 09:12:49.305338, 3] ../source3/smbd/negprot.c:575(reply_negprot)
Requested protocol [NT LM 0.12]
[2015/01/29 09:12:49.306485, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'gssapi_spnego' registered
[2015/01/29 09:12:49.306513, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'gssapi_krb5' registered
[2015/01/29 09:12:49.306523, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'gssapi_krb5_sasl' registered
[2015/01/29 09:12:49.313118, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'sasl-DIGEST-MD5' registered
[2015/01/29 09:12:49.313139, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'spnego' registered
[2015/01/29 09:12:49.313150, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'schannel' registered
[2015/01/29 09:12:49.313159, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'naclrpc_as_system' registered
[2015/01/29 09:12:49.313168, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'sasl-EXTERNAL' registered
[2015/01/29 09:12:49.313177, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'ntlmssp' registered
[2015/01/29 09:12:49.313186, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'http_basic' registered
[2015/01/29 09:12:49.313194, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'http_ntlm' registered
[2015/01/29 09:12:49.313204, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'krb5' registered
[2015/01/29 09:12:49.313213, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'fake_gssapi_krb5' registered
[2015/01/29 09:12:49.313873, 3] ../source3/smbd/negprot.c:395(reply_nt1)
using SPNEGO
[2015/01/29 09:12:49.313892, 3] ../source3/smbd/negprot.c:683(reply_negprot)
Selected protocol NT LM 0.12
[2015/01/29 09:12:49.315578, 3] ../source3/smbd/process.c:1879(process_smb)
Transaction 1 of length 9872 (0 toread)
[2015/01/29 09:12:49.315627, 3] ../source3/smbd/process.c:1489(switch_message)
switch message SMBsesssetupX (pid 16610) conn 0x0
[2015/01/29 09:12:49.315658, 3] ../source3/smbd/sesssetup.c:609(reply_sesssetup_and_X)
wct=12 flg2=0xc807
[2015/01/29 09:12:49.315687, 3] ../source3/smbd/sesssetup.c:142(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2015/01/29 09:12:49.315717, 3] ../source3/smbd/sesssetup.c:183(reply_sesssetup_and_X_spnego)
NativeOS=[Windows Server 2003 3790 Service Pack 2] NativeLanMan=[] PrimaryDomain=[Windows Server 2003 5.2]
[2015/01/29 09:12:49.317901, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
Found account name from PAC: maurerh [Maurer, Hansjörg]
[2015/01/29 09:12:49.317950, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
Kerberos ticket principal name is [maurerh at INTRA.DLR.DE]
[2015/01/29 09:12:49.320774, 3] ../source3/param/loadparm.c:3647(lp_load_ex)
lp_load_ex: refreshing parameters
[2015/01/29 09:12:49.320881, 3] ../source3/param/loadparm.c:564(init_globals)
Initialising global parameters
[2015/01/29 09:12:49.321007, 3] ../source3/param/loadparm.c:2597(lp_do_section)
Processing section "[global]"
[2015/01/29 09:12:49.333541, 1] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
[2015/01/29 09:12:49.336021, 3] ../source3/smbd/process.c:1879(process_smb)
Transaction 2 of length 1706 (0 toread)
[2015/01/29 09:12:49.336070, 3] ../source3/smbd/process.c:1489(switch_message)
switch message SMBsesssetupX (pid 16609) conn 0x0
[2015/01/29 09:12:49.336097, 3] ../source3/smbd/sesssetup.c:609(reply_sesssetup_and_X)
wct=12 flg2=0xc807
[2015/01/29 09:12:49.336115, 3] ../source3/smbd/sesssetup.c:142(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2015/01/29 09:12:49.336137, 3] ../source3/smbd/sesssetup.c:183(reply_sesssetup_and_X_spnego)
NativeOS=[Windows Server 2003 3790 Service Pack 2] NativeLanMan=[] PrimaryDomain=[Windows Server 2003 5.2]
[2015/01/29 09:12:49.336886, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
Found account name from PAC: RMTS-TEST01$ []
[2015/01/29 09:12:49.336928, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
Kerberos ticket principal name is [RMTS-TEST01$@INTRA.XXX.DE]
[2015/01/29 09:12:49.340090, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
Username DLR\RMTS-TEST01$ is invalid on this system
[2015/01/29 09:12:49.340124, 1] ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2015/01/29 09:12:49.340151, 1] ../source3/smbd/sesssetup.c:280(reply_sesssetup_and_X_spnego)
Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED
[2015/01/29 09:12:49.340214, 3] ../source3/smbd/error.c:82(error_packet_set)
NT error packet at ../source3/smbd/sesssetup.c(283) cmd=115 (SMBsesssetupX) NT_STATUS_ACCESS_DENIED
[2015/01/29 09:12:49.341293, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
Server exit (failed to receive smb request)
[2015/01/29 09:12:49.357702, 1] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
----------------------------
Our system is equipped with an email encryption gateway. If you want email sent to you to be encrypted please send a S/MIME signed email or your PGP public key to hansjoerg.maurer at itsd.de.
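To make the mismatch in the smbd log above concrete, here is a small Python diagnostic added to this archived thread; it is not Samba code and not something either poster ran. It parses the `passwd_to_SamInfo3` line, strips the trailing RID from each SID the way smbd does when it compares "domain" parts, and classifies the result. Samba uses the authority `S-1-22-1` ("Unix Users", and `S-1-22-2` for "Unix Groups") for a uid or gid that the idmap layer could not map back to a domain SID, so a user SID of `S-1-22-1-7740` beside a primary group SID under `S-1-5-21-...` is exactly the condition the check rejects. The log text inside the block is constructed from the lines quoted above; the helper names (`sid_domain`, `sid_kind`, `primary_group_ok`, `parse_mismatch`, `diagnose`) are this example's own.

```python
"""Explain smbd 'primary group domain sid ... does not match' log lines.

Added example, not part of Samba: the helper names are this example's own,
and SAMPLE_LOG is constructed from the output quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Samba's built-in authorities for ids that idmap could not map to a
# domain SID: S-1-22-1-<uid> ("Unix Users"), S-1-22-2-<gid> ("Unix Groups").
UNIX_USERS_DOMAIN = "S-1-22-1"
UNIX_GROUPS_DOMAIN = "S-1-22-2"

# Matches the passwd_to_SamInfo3 message as printed at debug level 1.
MISMATCH_RE = re.compile(
    r"primary group domain sid\((?P<group_sid>S-[\d-]+)\) does not match "
    r"the domain sid\((?P<user_domain>S-[\d-]+)\) for "
    r"(?P<user>\S+)\((?P<user_sid>S-[\d-]+)\)"
)

# Constructed from the log lines quoted in the thread (two lines, one match).
SAMPLE_LOG = """\
[2015/01/29 09:12:49.333541, 1] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
  The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
[2015/01/29 09:12:49.340124, 1] ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
"""


def sid_domain(sid: str) -> str:
    """Drop the trailing RID: S-1-22-1-7740 -> S-1-22-1, as smbd compares."""
    return sid.rsplit("-", 1)[0]


def sid_kind(sid: str) -> str:
    """Classify where a SID came from."""
    dom = sid_domain(sid)
    if dom == UNIX_USERS_DOMAIN:
        return "unix-users"      # uid that idmap could not map to AD
    if dom == UNIX_GROUPS_DOMAIN:
        return "unix-groups"     # gid that idmap could not map to AD
    if sid.startswith("S-1-5-21-"):
        return "domain"          # an AD/NT domain SID
    return "other"


def primary_group_ok(user_sid: str, group_sid: str) -> bool:
    """The condition passwd_to_SamInfo3 enforces: user SID and primary
    group SID must belong to the same domain."""
    return sid_domain(user_sid) == sid_domain(group_sid)


@dataclass
class Mismatch:
    user: str
    user_sid: str
    group_sid: str
    user_sid_kind: str
    group_sid_kind: str
    hint: str


def parse_mismatch(line: str) -> Optional[Mismatch]:
    """Return a Mismatch for a passwd_to_SamInfo3 complaint, else None."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    user_sid, group_sid = m["user_sid"], m["group_sid"]
    uk, gk = sid_kind(user_sid), sid_kind(group_sid)
    if uk == "unix-users" and gk == "domain":
        hint = ("uid was not mapped to a domain SID (fell back to S-1-22-1) "
                "although the gid was; check the idmap backend for this uid")
    elif uk == "domain" and gk == "unix-groups":
        hint = "gid was not mapped to a domain SID although the uid was"
    else:
        hint = "user and primary group SIDs come from different domains"
    return Mismatch(m["user"], user_sid, group_sid, uk, gk, hint)


def diagnose(log_text: str) -> List[Mismatch]:
    """Scan an smbd log and collect every primary-group mismatch."""
    return [mm for mm in (parse_mismatch(ln) for ln in log_text.splitlines()) if mm]


if __name__ == "__main__":
    for mm in diagnose(SAMPLE_LOG):
        print(f"{mm.user}: user {mm.user_sid} ({mm.user_sid_kind}), "
              f"group {mm.group_sid} ({mm.group_sid_kind}) -> {mm.hint}")
```

Run it against a real `log.smbd` captured at `log level = 1` or higher and it reports, per rejected session setup, which side of the comparison fell into the Unix Users or Unix Groups authority, which narrows the problem to the uid-to-SID or gid-to-SID mapping rather than to the share configuration.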