AW: AW: after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore

Rowland Penny repenny241155 at gmail.com
Thu Jan 29 06:08:36 MST 2015


On 29/01/15 12:47, Dr. Hansjoerg Maurer wrote:
> -----Original Message-----
>> From: Rowland Penny <repenny241155 at gmail.com>
>> Sent: Thu 29 January 2015 11:45
>> To: samba-technical at lists.samba.org
>> Subject: Re: AW: after an upgrade from 4.1.6 to 4.2.0rc4  with  security = ADS "force user" did not work anymore
>>
>> On 29/01/15 08:29, Dr. Hansjoerg Maurer wrote:
>>> Hi
>>>
>>>     
>>> -----Original Message-----
>>>> From: Rowland Penny <repenny241155 at gmail.com>
>>>> Sent: Wed 28 January 2015 16:45
>>>> To: samba-technical at lists.samba.org
>>>> Subject: Re: after an upgrade from 4.1.6 to 4.2.0rc4  with  security = ADS "force user" did not work anymore
>>>>
>>>> On 28/01/15 14:40, Dr. Hansjoerg Maurer wrote:
>>>>> Hi
>>>>>
>>>>> am trying samba 4.2.0rc4 as an AD member (security =ADS)
>>>>>
>>>>> I upgraded from a working 4.1.16 configuration
>>>>>
>>>>>              idmap config * : backend = tdb
>>>>>              idmap config * : range = 1000001-1999999
>>>>>
>>>>>              idmap config XXX : backend  = ad
>>>>>              idmap config XXX : schema_mode = rfc2307
>>>>>
>>>>>              idmap config XXX : readonly = yes
>>>>>              idmap config XXX : range = 1000-1000000
>>>>>
>>>>>
>>>>> I have a share with a force user line which did not work any more
>>>>>
>>>>> [tmpuser]
>>>>>              path = /home_local/tmpuser
>>>>>              comment = tmpuser-Share
>>>>>              guest ok = no
>>>>>              read only = no
>>>>>              force group = +XXX\groupname
>>>>>              force user = maurerh
>>>>>
>>>>> I got access denied, neither with
>>>>>              force user = maurerh
>>>>> nor with
>>>>>              force user = XXX\maurerh
>>>>>
>>>>> Without force user I can access the share
>>>>> With force user samba logs
>>>>>
>>>>>       Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED
>>>>> [2015/01/28 15:22:55.911105,  1] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
>>>>>        The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
>>>>>
>>>>> If I create a Folder in the share without force user
>>>>> the folder belongs to the right user and group
>>>>> drwx------  2 maurerh groupname 4096 Jan 28 15:24 Neuer Ordner/
>>>>> therefore the mapping seems to be ok
>>>>>
>>>>> The unix user maurerh ( uid=7740 ) is an AD user to, but the system gets the
>>>>> nss information from the AD using  VAS (Vintela/Quest/Dell) Authentication services
>>>>>        
>>>>>
>>>>> Can someone reproduce this problem?
>>>>> Should I open a bug?
>>>>>
>>>>> Regards
>>>>>
>>>>>
>>>>> Hansjörg
>>>>>
>>>>>
>>>> Try removing this: 'idmap config XXX : readonly = yes', never seen
>>>> anybody else use this and 'S-1-22-1' is the well known SID  for the
>>>> 'Local' group.
>>>>
>>>> Rowland
>>>>
>>>>
>>> thanks, I removed the 'idmap config XXX: readonly = yes'
>>> parameter, but with no success
>>>
>>> The SID it claims in
>>>>>        The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
>>> is the SID of the primary group id of the user maurerh in AD, which could be resolved to a group id
>>>
>>> [root at rmc-donau samba]# wbinfo --sids-to-unix-ids  S-1-5-21-1156737867-681972312-1097073633-131379
>>> S-1-5-21-1156737867-681972312-1097073633-131379 -> gid 43466
>>> [root at rmc-donau samba]# id -a maurerh
>>> uid=7740(maurerh) gid=43466(xxx_maurerh_p) groups=43466(xxx_maurerh_p)
>>>
>>> Why does it compare the SID of the domain user with a "Local" SID?
>>>
>>> I raised the debug level (below)
>>>
>>> Regards
>>>
>>> Hansjörg
>>>
>> Totally missed this:
>>
>> 'The unix user maurerh ( uid=7740 ) is an AD user to,'
>>
>> Probably because the last word should be 'too' (well this my excuse and
>> I am sticking to it ;-) )
>>
>> You have a local Unix user called 'maurerh' and a domain user called
>> 'maurerh', is this correct ?
>>
>> If so, I think you should be aware that you cannot have Unix users and
>> domain Users with the same name, this could explain the error you are
>> getting.
>>
>> Rowland
>>
>>
> Hi Rowland
>
> yes, the unix user maurerh is derived from the  AD user maurerh too.
>
> The Unix system is connected to AD with Quest/Dell authentication services
>
> The nsswitch entry is
> passwd: files vas4
> group:  files vas4
>
> This is something comparable to sssd or winbind
>
> But the setup above is working with 4.1.16
>
> Even if I use idmap_nss
>
>          idmap config XXX : backend  = nss
>          idmap config XXX : range = 1000-1000000
>
> it is not working any more (not even with "winbind trusted domains only = yes" )
>
> NAME
>         idmap_nss - Samba's idmap_nss Backend for Winbind
>
> DESCRIPTION
>         The idmap_nss plugin provides a means to map Unix users and groups to Windows accounts and obsoletes the "winbind trusted domains only" smb.conf option. This provides a simple
>         means of ensuring that the SID for a Unix user named jsmith is reported as the one assigned to DOMAIN\jsmith which is necessary for reporting ACLs on files and printers stored on a
>         Samba member server.
>
> Therefore I would expect 4.2 to break our installations
>
> Can anybody confirm that force user with security = ADS is working in 4.2rc4?
>
> Regards
>
> Hansjörg
>
>   
>
>
>

If you have a samba member server connecting to an active directory DC 
for authentication, you do not need anything other than winbind.

Try changing this:

passwd: files vas4
group:  files vas4

To this:

passwd: files winbind
group:  files winbind

remove any Unix users that are also in AD

ensure you have lines in smb.conf, like these:

         idmap config XXX : backend  = ad
         idmap config XXX : range = 1000-1000000
         idmap config XXX : schema_mode = rfc2307

restart samba if required.

run 'net cache flush'

run 'getent passwd maurerh'

Now provided that 'maurerh' has a 'uidNumber' attribute, you should get 
the user's info.

If you don't, change this:

         idmap config XXX : backend  = ad
         idmap config XXX : range = 1000-1000000
         idmap config XXX : schema_mode = rfc2307

To this:

         idmap config XXX : backend  = rid
         idmap config XXX : range = 1000-1000000

restart samba again and try again.

Rowland
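An added diagnostic script (not from this thread and not part of Samba) that parses the passwd_to_SamInfo3 message quoted above and reports whether the user was resolved as a local Unix account (Samba's S-1-22-1 pseudo-domain) while its primary group came from the AD domain, which is the mismatch Rowland's advice about winbind in nsswitch.conf addresses. The nsswitch.conf 'passwd:' line it accepts and the sample log line are constructed inputs based on the values quoted in the thread.

```python
import re

# Samba maps accounts it resolves through plain NSS (not winbind) into
# pseudo-domains: S-1-22-1-<uid> for Unix users, S-1-22-2-<gid> for Unix groups.
# Real AD domain SIDs start with S-1-5-21-.
UNIX_USERS = "S-1-22-1"
AD_DOMAIN_PREFIX = "S-1-5-21-"

LOG_RE = re.compile(
    r"primary group domain sid\((?P<gsid>S-[\d-]+)\) does not match the domain "
    r"sid\((?P<dsid>S-[\d-]+)\) for (?P<user>[^(\s]+)\((?P<usid>S-[\d-]+)\)"
)

# Constructed sample, built from the log line quoted in the thread.
SAMPLE_LOG = (
    "[2015/01/28 15:22:55.911105,  1] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)\n"
    "  The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) "
    "does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)"
)


def split_sid(sid):
    """'S-1-22-1-7740' -> ('S-1-22-1', 7740): domain part and relative id."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def diagnose(log_line, nsswitch_passwd):
    """Classify a passwd_to_SamInfo3 mismatch; nsswitch_passwd is the 'passwd:' line."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    user_dom, uid = split_sid(m["usid"])
    group_dom, _gid_rid = split_sid(m["gsid"])
    sources = nsswitch_passwd.split(":", 1)[1].split()  # e.g. ['files', 'vas4']
    report = {"user": m["user"], "uid": uid, "user_domain": user_dom,
              "group_domain": group_dom, "winbind_in_nss": "winbind" in sources}
    if user_dom == UNIX_USERS and group_dom.startswith(AD_DOMAIN_PREFIX):
        # The user came from a non-winbind NSS source, its group from AD:
        # Samba cannot build one consistent token for 'force user'.
        report["verdict"] = "local-unix-user-with-ad-group"
    elif user_dom == group_dom:
        report["verdict"] = "same-domain"
    else:
        report["verdict"] = "different-domains"
    return report


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "passwd: files vas4"))
```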


