Re: Re: after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore
Rowland Penny
repenny241155 at gmail.com
Thu Jan 29 06:08:36 MST 2015
On 29/01/15 12:47, Dr. Hansjoerg Maurer wrote:
> -----Original message-----
>> From: Rowland Penny <repenny241155 at gmail.com>
>> Sent: Thu 29 January 2015 11:45
>> To: samba-technical at lists.samba.org
>> Subject: Re: Re: after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore
>>
>> On 29/01/15 08:29, Dr. Hansjoerg Maurer wrote:
>>> Hi
>>>
>>>
>>> -----Original message-----
>>>> From: Rowland Penny <repenny241155 at gmail.com>
>>>> Sent: Wed 28 January 2015 16:45
>>>> To: samba-technical at lists.samba.org
>>>> Subject: Re: after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore
>>>>
>>>> On 28/01/15 14:40, Dr. Hansjoerg Maurer wrote:
>>>>> Hi
>>>>>
>>>>> I am trying samba 4.2.0rc4 as an AD member (security = ADS)
>>>>>
>>>>> I upgraded from a working 4.1.16 configuration
>>>>>
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 1000001-1999999
>>>>>
>>>>> idmap config XXX : backend = ad
>>>>> idmap config XXX : schema_mode = rfc2307
>>>>>
>>>>> idmap config XXX : readonly = yes
>>>>> idmap config XXX : range = 1000-1000000
>>>>>
>>>>>
>>>>> I have a share with a force user line which did not work any more
>>>>>
>>>>> [tmpuser]
>>>>> path = /home_local/tmpuser
>>>>> comment = tmpuser-Share
>>>>> guest ok = no
>>>>> read only = no
>>>>> force group = +XXX\groupname
>>>>> force user = maurerh
>>>>>
>>>>> I got access denied, neither with
>>>>> force user = maurerh
>>>>> nor with
>>>>> force user = XXX\maurerh
>>>>>
>>>>> Without force user I can access the share
>>>>> With force user samba logs
>>>>>
>>>>> Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED
>>>>> [2015/01/28 15:22:55.911105, 1] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
>>>>> The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
>>>>>
>>>>> If I create a Folder in the share without force user
>>>>> the folder belongs to the right user and group
>>>>> drwx------ 2 maurerh groupname 4096 Jan 28 15:24 Neuer Ordner/
>>>>> therefore the mapping seems to be ok
>>>>>
>>>>> The unix user maurerh ( uid=7740 ) is an AD user to, but the system gets the
>>>>> nss information from the AD using VAS (Vintela/Quest/Dell) Authentication services
>>>>>
>>>>>
>>>>> Can someone reproduce this problem?
>>>>> Should I open a bug?
>>>>>
>>>>> Regards
>>>>>
>>>>>
>>>>> Hansjörg
>>>>>
>>>>>
>>>> Try removing this: 'idmap config XXX : readonly = yes', never seen
>>>> anybody else use this and 'S-1-22-1' is the well known SID for the
>>>> 'Local' group.
>>>>
>>>> Rowland
>>>>
>>>>
>>> thanks, I removed the 'idmap config XXX : readonly = yes'
>>> parameter, but with no success
>>>
>>> The SID it claims in
>>>>> The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
>>> is the SID of the primary group id of the user maurerh in AD, which could be resolved to a groupid
>>>
>>> [root at rmc-donau samba]# wbinfo --sids-to-unix-ids S-1-5-21-1156737867-681972312-1097073633-131379
>>> S-1-5-21-1156737867-681972312-1097073633-131379 -> gid 43466
>>> [root at rmc-donau samba]# id -a maurerh
>>> uid=7740(maurerh) gid=43466(xxx_maurerh_p) groups=43466(xxx_maurerh_p)
>>>
>>> Why does it compare the SID of the domain user with a "Local" SID?
>>>
>>> I raised the debug level (below)
>>>
>>> Regards
>>>
>>> Hansjörg
>>>
>> Totally missed this:
>>
>> 'The unix user maurerh ( uid=7740 ) is an AD user to,'
>>
>> Probably because the last word should be 'too' (well this my excuse and
>> I am sticking to it ;-) )
>>
>> You have a local Unix called 'maurerh' and a domain user called
>> 'maurerh', is this correct ?
>>
>> If so, I think you should be aware that you cannot have Unix users and
>> domain Users with the same name, this could explain the error you are
>> getting.
>>
>> Rowland
>>
>>
> Hi Rowland
>
> yes, the unix user maurerh is derived from the AD user maurerh too.
>
> The Unixsystem is connected to AD with Quest/Dell authentication services
>
> The nsswitch entry is
> passwd: files vas4
> group: files vas4
>
> This is something comparable to sssd or winbind
>
> But the setup above is working with 4.1.16
>
> Even if I use idmap_nss
>
> idmap config XXX : backend = nss
> idmap config XXX : range = 1000-1000000
>
> it is not working any more (not even with "winbind trusted domains only = yes")
>
> NAME
> idmap_nss - Samba's idmap_nss Backend for Winbind
>
> DESCRIPTION
> The idmap_nss plugin provides a means to map Unix users and groups to Windows accounts and obsoletes the "winbind trusted domains only" smb.conf option. This provides a simple
> means of ensuring that the SID for a Unix user named jsmith is reported as the one assigned to DOMAIN\jsmith which is necessary for reporting ACLs on files and printers stored on a
> Samba member server.
>
> Therefore I would expect 4.2 to break our installations
>
> Can anybody confirm that force user with security = ADS is working in 4.2rc4?
>
> Regards
>
> Hansjörg
>
>
>
>
>
If you have a samba member server connecting to an active directory DC
for authentication, you do not need anything other than winbind.
Try changing this:
passwd: files vas4
group: files vas4
To this:
passwd: files winbind
group: files winbind
remove any Unix users that are also in AD
ensure you have lines in smb.conf, like these:
idmap config XXX : backend = ad
idmap config XXX : range = 1000-1000000
idmap config XXX : schema_mode = rfc2307
restart samba if required.
run 'net cache flush'
run 'getent passwd maurerh'
Now provided that 'maurerh' has a 'uidNumber' attribute, you should get
the user's info.
If you don't, change this:
idmap config XXX : backend = ad
idmap config XXX : range = 1000-1000000
idmap config XXX : schema_mode = rfc2307
To this:
idmap config XXX : backend = rid
idmap config XXX : range = 1000-1000000
restart samba again and try again.
Rowland
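As an added example (not from the thread and not Samba's own tooling), the two checks behind the advice above, scripted: the idmap ranges in smb.conf must not overlap, and no local passwd account may share its name with a domain account. The smb.conf fragment, passwd entries and domain user list are constructed here; on a real member server the domain list would come from 'wbinfo -u'.

```shell
# Exit 0 if every "idmap config DOM : range = lo-hi" in file $1 is well-formed
# and no two ranges overlap; otherwise print the problem and exit 1.
check_idmap_ranges() {
    awk -F'[ \t]*[:=][ \t]*' '
        BEGIN { bad = 0 }
        tolower($1) ~ /idmap config/ && tolower($2) == "range" {
            dom = $1; sub(/^.*config[ \t]+/, "", dom)
            if (split($3, r, "-") != 2 || r[1] + 0 > r[2] + 0) {
                print "bad range for " dom ": " $3; bad = 1; next
            }
            lo[dom] = r[1] + 0; hi[dom] = r[2] + 0
        }
        END {
            for (a in lo) for (b in lo)
                if (a < b && lo[a] <= hi[b] && lo[b] <= hi[a]) {
                    print "overlap: " a " and " b; bad = 1
                }
            exit bad
        }' "$1"
}

# Print names from passwd file $1 that also appear in domain user list $2
# (one "DOM\user" per line, the form wbinfo -u prints); empty output is good.
local_domain_collisions() {
    l=$(mktemp); d=$(mktemp)
    cut -d: -f1 "$1" | sort -u > "$l"
    sed 's/^.*\\//' "$2" | sort -u > "$d"
    comm -12 "$l" "$d"
    rm -f "$l" "$d"
}

# Constructed sample input: the idmap lines from the thread, a local passwd
# entry for maurerh, and a domain user list that also contains maurerh.
SMB_CONF=$(mktemp); PASSWD=$(mktemp); DOMUSERS=$(mktemp)
cat > "$SMB_CONF" <<'EOF'
   idmap config * : backend = tdb
   idmap config * : range = 1000001-1999999
   idmap config XXX : backend = ad
   idmap config XXX : schema_mode = rfc2307
   idmap config XXX : range = 1000-1000000
EOF
printf 'root:x:0:0::/root:/bin/sh\nmaurerh:x:7740:43466::/home/maurerh:/bin/sh\n' > "$PASSWD"
printf 'XXX\\administrator\nXXX\\maurerh\n' > "$DOMUSERS"

check_idmap_ranges "$SMB_CONF" && echo "idmap ranges ok"
echo "local accounts that duplicate a domain account:"
local_domain_collisions "$PASSWD" "$DOMUSERS"
```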