AW: AW: AW: AW: after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore

Rowland Penny repenny241155 at gmail.com
Thu Jan 29 09:06:49 MST 2015


On 29/01/15 15:57, Dr. Hansjoerg Maurer wrote:
> Sorry, there we may have a misunderstanding.
>
> We have only ONE unix user maurerh, which VAS retrieves directly from the AD Domain
>
> getent passwd | grep maurerh
> maurerh:VAS:7740:43466:YYY:/home/maurerh:/usr/local/bin/tcsh
>
> VAS is just another way for providing AD User with rfc2307 attributes to a unix system.
>
> The UID/GID of this user is the one stored in AD.
>
> And they are identical to the ones winbind provides, because it's the same user object
> wbinfo --uid-info 7740
> XXX\maurerh:*:7740:43466:YYY:/home/maurerh:/bin/false
>
>
> With idmap_nss the Unix user maurerh should automatically be mapped to the domain user XXX\maurerh
>
> In this case I do not expect any difference, if we have
>
> passwd: files winbind
> or
> passwd: files vas4
> or
> passwd: files sss
>
> in order to provide the unix users from the AD to the unix system.
>
> The AD provides a unique unix user with Unix attributes stored in AD in rfc2307 attributes
>
> If I connect to the samba server from the windows side as XXX\maurerh
> every file I create is owned by maurerh with UID 7740 in the filesystem.
> Therefore the mapping works.
>
> Only when I use
> force user = maurerh
> or
> force user = XXX\maurerh
> I cannot access the share anymore (which worked in 4.1.16)
>
> And therefore I think we have a problem with force user in 4.2, which of course could be related to the winbind changes you mention
>
>
> Regards
>
> Hansjörg
>

OK, let's see if I have it correct, you only have *one* user in AD with a 
'uidNumber' attribute and this is the AD user 'maurerh' and this user 
does not appear in /etc/passwd.

Does 'Domain Users' have a 'gidNumber'?

Can you please post your entire (sanitized if you like) smb.conf?

Rowland
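
Added example, not part of the original messages: a shell check for the comparison made in the quoted message, that the passwd entry returned through NSS and the one returned by winbind describe the same account with the same UID and GID. The two sample lines are constructed from the outputs quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample lines, modelled on the getent and wbinfo output quoted in the thread.
NSS_LINE='maurerh:VAS:7740:43466:YYY:/home/maurerh:/usr/local/bin/tcsh'
WB_LINE='XXX\maurerh:*:7740:43466:YYY:/home/maurerh:/bin/false'

# field LINE N: print the Nth colon-separated field of a passwd-format line.
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# short_name NAME: drop a leading DOMAIN\ prefix and lower-case the rest.
short_name() { printf '%s\n' "$1" | sed 's/^.*\\//' | tr '[:upper:]' '[:lower:]'; }

# compare_identity NSS_LINE WINBIND_LINE
# Returns 0 when both lines name the same account with the same numeric UID and GID.
# Password, GECOS, home and shell fields are ignored (the shells differ in the quoted output).
compare_identity() {
    nss=$1; wb=$2; rc=0
    n1=$(short_name "$(field "$nss" 1)")
    n2=$(short_name "$(field "$wb" 1)")
    [ "$n1" = "$n2" ] || { echo "name mismatch: $n1 vs $n2"; rc=1; }
    for spec in 3:uid 4:gid; do
        idx=${spec%%:*}; label=${spec##*:}
        a=$(field "$nss" "$idx"); b=$(field "$wb" "$idx")
        # A missing or non-numeric id means the line is not a usable passwd entry.
        case $a$b in
            *[!0-9]*|'') echo "$label not numeric: '$a' vs '$b'"; rc=1; continue ;;
        esac
        [ "$a" = "$b" ] || { echo "$label mismatch: $a vs $b"; rc=1; }
    done
    return $rc
}

# On a live system the inputs would come from:
#   getent passwd maurerh     and     wbinfo --uid-info 7740
if compare_identity "$NSS_LINE" "$WB_LINE"; then
    echo "NSS and winbind agree on name, UID and GID"
fi
```

A non-zero return means the two sources would attribute the same login to different numeric owners, so files created through one path would not belong to the account seen through the other.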


