AW: AW: AW: AW: after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore

Dr. Hansjoerg Maurer hansjoerg.maurer at itsd.de
Thu Jan 29 08:57:55 MST 2015



> 
> This may have something to do with the change of winbind in 4.2, but 
> whatever the cause, it is not helping if VAS allows you to have Unix 
> users and Domain users with the same name, just how is Unix to know 
> which user 'maurerh' is, is it the local user or is the domain user ?

Sorry, we may have a misunderstanding there.

We have only ONE unix user maurerh, which VAS retrieves directly from the AD Domain

getent passwd | grep maurerh
maurerh:VAS:7740:43466:YYY:/home/maurerh:/usr/local/bin/tcsh

VAS is just another way for providing AD User with rfc2307 attributes to a unix system.

The UID/GID of this user is the one stored in AD.

And they are identical to the ones winbind provides, because it's the same user object:
wbinfo --uid-info 7740
XXX\maurerh:*:7740:43466:YYY:/home/maurerh:/bin/false


With idmap_nss the Unix user maurerh should automatically be mapped to the domain user XXX\maurerh

In this case I do not expect any difference if we have

passwd: files winbind
or 
passwd: files vas4
or 
passwd: files sss
 
in order to provide the unix users from the AD to the unix system.

The AD provides a unique unix user with Unix attributes stored in AD in rfc2307 attributes

If I connect to the samba server from the windows side as XXX\maurerh
every file I create is owned by maurerh with UID 7740 in the filesystem.
Therefore the mapping works.

Only when I use
force user = maurerh
or 
force user = XXX\maurerh 
I cannot access the share anymore (which worked in 4.1.16)

And therefore I think we have a problem with force user in 4.2, which of course could be related to the winbind changes you mention


Regards

Hansjörg




