AW: AW: AW: AW: after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore
Dr. Hansjoerg Maurer
hansjoerg.maurer at itsd.de
Thu Jan 29 08:57:55 MST 2015
>
> This may have something to do with the change of winbind in 4.2, but
> whatever the cause, it is not helping if VAS allows you to have Unix
> users and Domain users with the same name, just how is Unix to know
> which user 'maurerh' is, is it the local user or is the domain user ?

Sorry, there we may have a misunderstanding.
We have only ONE unix user maurerh, which VAS retrieves directly from the AD Domain:

getent passwd | grep maurerh
maurerh:VAS:7740:43466:YYY:/home/maurerh:/usr/local/bin/tcsh

VAS is just another way of providing AD users with rfc2307 attributes to a unix system.
The UID/GID of this user is the one stored in AD.
And they are identical to the ones winbind provides, because it's the same user object:

wbinfo --uid-info 7740
XXX\maurerh:*:7740:43466:YYY:/home/maurerh:/bin/false

With idmap_nss the Unix user maurerh should automatically be mapped to the domain user XXX\maurerh.
In this case I do not expect any difference if we have

passwd: files winbind
or
passwd: files vas4
or
passwd: files sss

in order to provide the unix users from the AD to the unix system.
The AD provides a unique unix user with Unix attributes stored in AD in rfc2307 attributes.

If I connect to the samba server from the windows side as XXX\maurerh,
every file I create is owned by maurerh with UID 7740 in the filesystem.
Therefore the mapping works.

Only when I use

force user = maurerh
or
force user = XXX\maurerh

I cannot access the share anymore (which worked in 4.1.16).
And therefore I think we have a problem with force user in 4.2, which of course could be related to the winbind changes you mention.

Regards
Hansjörg
More information about the samba-technical mailing list