Re: Re: Re: after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore

Dr. Hansjoerg Maurer hansjoerg.maurer at itsd.de
Thu Jan 29 07:48:44 MST 2015


-----Original Message-----
> From: Rowland Penny <repenny241155 at gmail.com>
> Sent: Thu 29 January 2015 14:09
> To: samba-technical at lists.samba.org
> Subject: Re: Re: Re: after an upgrade from 4.1.6 to 4.2.0rc4  with  security = ADS "force user" did not work anymore
> 
> On 29/01/15 12:47, Dr. Hansjoerg Maurer wrote:
> > -----Original Message-----
> >> From: Rowland Penny <repenny241155 at gmail.com>
> >> Sent: Thu 29 January 2015 11:45
> >> To: samba-technical at lists.samba.org
> >> Subject: Re: Re: after an upgrade from 4.1.6 to 4.2.0rc4  with  security = ADS "force user" did not work anymore
> >>
> >> On 29/01/15 08:29, Dr. Hansjoerg Maurer wrote:
> >>> Hi
> >>>
> >>>     
> >>> -----Original Message-----
> >>>> From: Rowland Penny <repenny241155 at gmail.com>
> >>>> Sent: Wed 28 January 2015 16:45
> >>>> To: samba-technical at lists.samba.org
> >>>> Subject: Re: after an upgrade from 4.1.6 to 4.2.0rc4  with  security = ADS "force user" did not work anymore
> >>>>
> >>>> On 28/01/15 14:40, Dr. Hansjoerg Maurer wrote:
> >>>>> Hi
> >>>>>
> >>>>> I am trying samba 4.2.0rc4 as an AD member (security = ADS)
> >>>>>
> >>>>> I upgraded from a working 4.1.16 configuration
> >>>>>
> >>>>>              idmap config * : backend = tdb
> >>>>>              idmap config * : range = 1000001-1999999
> >>>>>
> >>>>>              idmap config XXX : backend  = ad
> >>>>>              idmap config XXX : schema_mode = rfc2307
> >>>>>
> >>>>>              idmap config XXX : readonly = yes
> >>>>>              idmap config XXX : range = 1000-1000000
> >>>>>
> >>>>>
> >>>>> I have a share with a force user line which did not work any more
> >>>>>
> >>>>> [tmpuser]
> >>>>>              path = /home_local/tmpuser
> >>>>>              comment = tmpuser-Share
> >>>>>              guest ok = no
> >>>>>              read only = no
> >>>>>              force group = +XXX\groupname
> >>>>>              force user = maurerh
> >>>>>
> >>>>> I got access denied, neither with
> >>>>>              force user = maurerh
> >>>>> nor with
> >>>>>              force user = XXX\maurerh
> >>>>>
> >>>>> Without force user I can access the share
> >>>>> With force user samba logs
> >>>>>
> >>>>>       Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED
> >>>>> [2015/01/28 15:22:55.911105,  1] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
> >>>>>        The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
> >>>>>
> >>>>> If I create a Folder in the share without force user
> >>>>> the folder belongs to the right user and group
> >>>>> drwx------  2 maurerh groupname 4096 Jan 28 15:24 Neuer Ordner/
> >>>>> therefore the mapping seems to be ok
> >>>>>
> >>>>> The unix user maurerh ( uid=7740 ) is an AD user to, but the system gets the
> >>>>> nss information from the AD using VAS (Vintela/Quest/Dell) Authentication Services
> >>>>>        
> >>>>>
> >>>>> Can someone reproduce this problem?
> >>>>> Should I open a bug?
> >>>>>
> >>>>> Regards
> >>>>>
> >>>>>
> >>>>> Hansjörg
> >>>>>
> >>>>>
> >>>> Try removing this: 'idmap config XXX : readonly = yes', never seen
> >>>> anybody else use this and 'S-1-22-1' is the well known SID  for the
> >>>> 'Local' group.
> >>>>
> >>>> Rowland
> >>>>
> >>>>
> >>> thanks, I removed the 'idmap config XXX : readonly = yes'
> >>> parameter, but with no success
> >>>
> >>> The SID it claims in
> >>>>>        The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
> >>> is the SID of the primary group id of the user maurerh in AD, which could be resolved to a group id
> >>>
> >>> [root at rmc-donau samba]# wbinfo --sids-to-unix-ids  S-1-5-21-1156737867-681972312-1097073633-131379
> >>> S-1-5-21-1156737867-681972312-1097073633-131379 -> gid 43466
> >>> [root at rmc-donau samba]# id -a maurerh
> >>> uid=7740(maurerh) gid=43466(xxx_maurerh_p) groups=43466(xxx_maurerh_p)
> >>>
> >>> Why does it compare the SID of the domain user with a "Local" SID?
> >>>
> >>> I raised the debug level (below)
> >>>
> >>> Regards
> >>>
> >>> Hansjörg
> >>>
> >> Totally missed this:
> >>
> >> 'The unix user maurerh ( uid=7740 ) is an AD user to,'
> >>
> >> Probably because the last word should be 'too' (well this my excuse and
> >> I am sticking to it ;-) )
> >>
> >> You have a local Unix user called 'maurerh' and a domain user called
> >> 'maurerh', is this correct ?
> >>
> >> If so, I think you should be aware that you cannot have Unix users and
> >> domain Users with the same name, this could explain the error you are
> >> getting.
> >>
> >> Rowland
> >>
> >>
> > Hi Rowland
> >
> > yes, the unix user maurerh is derived from the AD user maurerh too.
> >
> > The Unix system is connected to AD with Quest/Dell authentication services
> >
> > The nsswitch entry is
> > passwd: files vas4
> > group:  files vas4
> >
> > This is something comparable to sssd or winbind
> >
> > But the setup above is working with 4.1.16
> >
> > Even if I use idmap_nss
> >
> >          idmap config XXX : backend  = nss
> >          idmap config XXX : range = 1000-1000000
> >
> > it is not working any more (not even with "winbind trusted domains only = yes")
> >
> > NAME
> >         idmap_nss - Samba's idmap_nss Backend for Winbind
> >
> > DESCRIPTION
> >         The idmap_nss plugin provides a means to map Unix users and groups to Windows accounts and obsoletes the "winbind trusted domains only" smb.conf option. This provides a simple
> >         means of ensuring that the SID for a Unix user named jsmith is reported as the one assigned to DOMAIN\jsmith which is necessary for reporting ACLs on files and printers stored on a
> >         Samba member server.
> >
> > Therefore I would expect 4.2 to break our installations
> >
> > Can anybody confirm that force user with security = ADS is working in 4.2rc4?
> >
> > Regards
> >
> > Hansjörg
> >
> >   
> >
> >
> >
> 
> If you have a samba member server connecting to an active directory DC 
> for authentication, you do not need anything other than winbind.
> 
> Try changing this:
> 
> passwd: files vas4
> group:  files vas4
> 
> To this:
> 
> passwd: files winbind
> group:  files winbind
> 
> remove any Unix users that are also in AD
> 
> ensure you have lines in smb.conf, like these:
> 
>          idmap config XXX : backend  = ad
>          idmap config XXX : range = 1000-1000000
>          idmap config XXX : schema_mode = rfc2307
> 
> restart samba if required.
> 
> run 'net cache flush'
> 
> run 'getent passwd maurerh'
> 
> Now provided that 'maurerh' has a 'uidNumber' attribute, you should get 
> the users info.
> 
> If you don't, change this:
> 
>          idmap config XXX : backend  = ad
>          idmap config XXX : range = 1000-1000000
>          idmap config XXX : schema_mode = rfc2307
> 
> To this:
> 
>          idmap config XXX : backend  = rid
>          idmap config XXX : range = 1000-1000000
> 
> restart samba again and try again.
> 
> Rowland
> 
> 

Hi Rowland

thanks for your explanations.
I will try to reproduce the force user problem with

> passwd: files winbind
> group:  files winbind

But switching to winbind is no option in this case.
This organisation has more than 1000 Linux systems connected to AD,
and 6 years ago (when winbind had no offline mode...) a decision was made to connect them to AD using VAS.
VAS provides a lot more options than winbind has, e.g. group policies,
OU and group filtering, attribute overwriting and so on.

And both configurations, with VAS and idmap_ad or idmap_nss, worked up to 4.1.16 and do not work any more with 4.2rc4.
Or, to be more accurate, they still work, but the force user option does not work any more in this case.
(force group still works)

I am testing a RC in order to provide early feedback that something is not working any more as expected.

I do not know if this is a bug, a regression, or whether certain configurations like the one described in the manpage of idmap_nss
are not supported any more.
If it is not supported any more, it should be noted in the Release Notes, because it could break running installations.

Regards

Hansjörg
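As an added illustration for this thread (not code from the thread or from Samba), the following parses the smbd message quoted above and breaks out which SID authority each side of the comparison comes from. S-1-22-1 is winbind's well-known "Unix Users" authority (S-1-22-2 is "Unix Groups"), so a user SID under it means the account was resolved through NSS rather than as the AD account, while the primary group SID quoted in the message comes from the S-1-5-21 domain. The regex and the sample log lines are constructed from the message text in this thread.

```python
"""Parse smbd's 'primary group domain sid ... does not match' message and explain
the mismatch.  Added example for this thread, not Samba code; the regex follows
the message text quoted above (source3/auth/server_info.c, passwd_to_SamInfo3)."""
import re
from typing import Optional

MISMATCH_RE = re.compile(
    r"primary group domain sid\((?P<group_sid>S-[\d-]+)\) does not match "
    r"the domain sid\((?P<domain_sid>S-[\d-]+)\) for (?P<user>[^(\s]+)\((?P<user_sid>S-[\d-]+)\)"
)

# Well-known authorities winbind assigns to accounts it only knows from NSS.
WELL_KNOWN_DOMAINS = {
    "S-1-22-1": "Unix Users: S-1-22-1-<uid>, the account was resolved via NSS, not as the AD user",
    "S-1-22-2": "Unix Groups: S-1-22-2-<gid>",
}

def sid_domain(sid: str) -> str:
    """Domain part of a SID: everything before the trailing RID."""
    return sid.rsplit("-", 1)[0]

def sid_rid(sid: str) -> int:
    """Trailing component of a SID (the RID)."""
    return int(sid.rsplit("-", 1)[1])

def diagnose(line: str) -> Optional[dict]:
    """Structured explanation for a matching log line, None for any other line."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None
    user_sid, group_sid = m["user_sid"], m["group_sid"]
    result = {
        "user": m["user"],
        "user_domain": sid_domain(user_sid),
        "group_domain": sid_domain(group_sid),
        "group_rid": sid_rid(group_sid),
        "mismatch": m["domain_sid"] != sid_domain(group_sid),
        "hint": WELL_KNOWN_DOMAINS.get(sid_domain(user_sid), "user SID comes from an AD domain"),
    }
    if result["user_domain"] == "S-1-22-1":
        result["uid"] = sid_rid(user_sid)  # under S-1-22-1 the RID is the Unix uid, so it can be checked against 'id'
    return result

# Constructed sample: the two log lines quoted in the thread.
SAMPLE_LOG = [
    "[2015/01/28 15:22:55.911105,  1] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)",
    "  The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379)"
    " does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)",
]
```

Calling `diagnose(SAMPLE_LOG[1])` reports user `maurerh` with uid 7740 under S-1-22-1 and primary group RID 131379 under the S-1-5-21 domain, which is the mismatch the log line complains about.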

----------------------------
Our system is equipped with an email encryption gateway. If you want email sent to you to be encrypted please send a S/MIME signed email or your PGP public key to hansjoerg.maurer at itsd.de.
