AW: AW: after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore

Dr. Hansjoerg Maurer hansjoerg.maurer at itsd.de
Thu Jan 29 05:47:22 MST 2015


-----Original Message-----
> From: Rowland Penny <repenny241155 at gmail.com>
> Sent: Thu 29 January 2015 11:45
> To: samba-technical at lists.samba.org
> Subject: Re: AW: after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore
> 
> On 29/01/15 08:29, Dr. Hansjoerg Maurer wrote:
> > Hi
> >
> >
> > -----Original Message-----
> >> From: Rowland Penny <repenny241155 at gmail.com>
> >> Sent: Wed 28 January 2015 16:45
> >> To: samba-technical at lists.samba.org
> >> Subject: Re: after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore
> >>
> >> On 28/01/15 14:40, Dr. Hansjoerg Maurer wrote:
> >>> Hi
> >>>
> >>> I am trying Samba 4.2.0rc4 as an AD member (security = ADS).
> >>>
> >>> I upgraded from a working 4.1.16 configuration:
> >>>
> >>>            idmap config * : backend = tdb
> >>>            idmap config * : range = 1000001-1999999
> >>>
> >>>            idmap config XXX : backend = ad
> >>>            idmap config XXX : schema_mode = rfc2307
> >>>
> >>>            idmap config XXX : readonly = yes
> >>>            idmap config XXX : range = 1000-1000000
> >>>
> >>>
> >>> I have a share with a force user line which did not work any more:
> >>>
> >>> [tmpuser]
> >>>            path = /home_local/tmpuser
> >>>            comment = tmpuser-Share
> >>>            guest ok = no
> >>>            read only = no
> >>>            force group = +XXX\groupname
> >>>            force user = maurerh
> >>>
> >>> I got access denied, neither with
> >>>            force user = maurerh
> >>> nor with
> >>>            force user = XXX\maurerh
> >>>
> >>> Without force user I can access the share.
> >>> With force user Samba logs:
> >>>
> >>>     Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED
> >>> [2015/01/28 15:22:55.911105,  1] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
> >>>      The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
> >>>
> >>> If I create a folder in the share without force user,
> >>> the folder belongs to the right user and group:
> >>> drwx------  2 maurerh groupname 4096 Jan 28 15:24 Neuer Ordner/
> >>> therefore the mapping seems to be OK.
> >>>
> >>> The unix user maurerh ( uid=7740 ) is an AD user to, but the system gets the
> >>> nss information from the AD using VAS (Vintela/Quest/Dell) Authentication Services.
> >>>
> >>>
> >>> Can someone reproduce this problem?
> >>> Should I open a bug?
> >>>
> >>> Regards
> >>>
> >>>
> >>> Hansjörg
> >>>
> >>>
> >> Try removing this: 'idmap config XXX : readonly = yes'. I have never seen
> >> anybody else use this, and 'S-1-22-1' is the well-known SID for the
> >> 'Local' group.
> >>
> >> Rowland
> >>
> >>
> > Thanks, I removed the 'idmap config XXX : readonly = yes'
> > parameter, but with no success.
> >
> > The SID it claims in
> >>>      The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
> > is the SID of the primary group of the user maurerh in AD, which can be resolved to a gid:
> >
> > [root at rmc-donau samba]# wbinfo --sids-to-unix-ids  S-1-5-21-1156737867-681972312-1097073633-131379
> > S-1-5-21-1156737867-681972312-1097073633-131379 -> gid 43466
> > [root at rmc-donau samba]# id -a maurerh
> > uid=7740(maurerh) gid=43466(xxx_maurerh_p) groups=43466(xxx_maurerh_p)
> >
> > Why does it compare the SID of the domain user with a "Local" SID?
> >
> > I raised the debug level (below)
> >
> > Regards
> >
> > Hansjörg
> >
> >
> Totally missed this:
> 
> 'The unix user maurerh ( uid=7740 ) is an AD user to,'
> 
> Probably because the last word should be 'too' (well, this is my excuse and
> I am sticking to it ;-) )
> 
> You have a local Unix user called 'maurerh' and a domain user called
> 'maurerh', is this correct?
> 
> If so, I think you should be aware that you cannot have Unix users and
> domain users with the same name; this could explain the error you are
> getting.
> 
> Rowland
> 
> 

Hi Rowland

Yes, the Unix user maurerh is derived from the AD user maurerh too.

The Unix system is connected to AD with Quest/Dell Authentication Services.

The nsswitch entry is:
passwd: files vas4
group:  files vas4

This is something comparable to sssd or winbind.

But the setup above is working with 4.1.16.

Even if I use idmap_nss

        idmap config XXX : backend = nss
        idmap config XXX : range = 1000-1000000

it is not working any more (not even with "winbind trusted domains only = yes").

NAME
       idmap_nss - Samba's idmap_nss Backend for Winbind

DESCRIPTION
       The idmap_nss plugin provides a means to map Unix users and groups to Windows accounts and obsoletes the "winbind trusted domains only" smb.conf option. This provides a simple means of ensuring that the SID for a Unix user named jsmith is reported as the one assigned to DOMAIN\jsmith which is necessary for reporting ACLs on files and printers stored on a Samba member server.

Therefore I would expect 4.2 to break our installations.

Can anybody confirm that force user with security = ADS is working in 4.2rc4?

Regards

Hansjörg
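The mismatch in the quoted passwd_to_SamInfo3 log line can be reproduced offline. This added example (not from the thread and not Samba code) parses that message, splits each SID into its domain part and RID, and re-runs the same-domain check that the log line reports as failing, so the output says which side (user or primary group) was mapped as a local Unix account instead of a domain account. The S-1-22-2 "Unix Groups" authority is an assumption from Samba's idmap conventions; the thread only shows S-1-22-1.

```python
import re

# Samba files accounts it cannot place in any domain under the well-known
# "Unix Users" (S-1-22-1) and "Unix Groups" (S-1-22-2) authorities. The thread
# only shows S-1-22-1; S-1-22-2 is an assumption from Samba's idmap conventions.
UNIX_USERS_AUTHORITY = "S-1-22-1"
UNIX_GROUPS_AUTHORITY = "S-1-22-2"

# Constructed copy of the log line quoted in the thread.
SAMPLE_LOG = (
    "[2015/01/28 15:22:55.911105,  1] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)\n"
    "  The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) "
    "does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)"
)

LOG_RE = re.compile(
    r"primary group domain sid\((?P<group>S-[\d-]+)\) does not match the domain "
    r"sid\((?P<domain>S-[\d-]+)\) for (?P<user>[^\s(]+)\((?P<user_sid>S-[\d-]+)\)"
)

def split_sid(sid):
    """Split 'S-1-5-21-A-B-C-RID' into its domain part and integer RID."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def same_domain(user_sid, primary_group_sid):
    """The check behind the log line: user and primary group must share a domain."""
    return split_sid(user_sid)[0] == split_sid(primary_group_sid)[0]

def diagnose(log_text):
    """Parse a passwd_to_SamInfo3 mismatch message and name the side that is off."""
    m = LOG_RE.search(log_text)
    if not m:
        return None
    user_domain, rid = split_sid(m["user_sid"])
    group_domain, _ = split_sid(m["group"])
    result = {"user": m["user"], "user_domain": user_domain, "group_domain": group_domain,
              "consistent": same_domain(m["user_sid"], m["group"])}
    if user_domain == UNIX_USERS_AUTHORITY:
        # Under S-1-22-1 the RID is the raw uid: the name came back from NSS
        # (vas4 here) and winbind never claimed it as a domain account.
        result["cause"] = f"{m['user']} resolved as local Unix uid {rid}, not as a domain user"
    elif group_domain == UNIX_GROUPS_AUTHORITY:
        result["cause"] = "primary group resolved as a local Unix group, not a domain group"
    else:
        result["cause"] = "user and primary group belong to different domains"
    return result
```

Feeding the quoted line through `diagnose()` reports that maurerh was resolved under S-1-22-1 with uid 7740 while the primary group carries the real domain SID, which is exactly the direction of the mismatch in the log.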

 


