after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore

"Dr. Hansjörg Maurer" hansjoerg.maurer at
Thu Jan 29 11:29:42 MST 2015

Am 29.01.2015 um 17:06 schrieb Rowland Penny:
> On 29/01/15 15:57, Dr. Hansjoerg Maurer wrote:
>> sorry, there we may have a missunderstanding.
>> We have only ONE unix user maurerh, which VAS retrieves directly from
>> the AD Domain
>> getent passwd | grep maurerh
>> maurerh:VAS:7740:43466:YYY:/home/maurerh:/usr/local/bin/tcsh
>> VAS is just another way for providing AD User with rfc2307 attributes
>> to a unix system.
>> The UID/GID of this user is the one stored in AD.
>> And they are identical to the ones, wbinbind provides, because its
>> the same user object
>> wbinfo --uid-info 7740
>> XXX\maurerh:*:7740:43466:YYY:/home/maurerh:/bin/false
>> With idmap_nss the Unix User maurerh should automatically be mapped
>> to the Domainuser XXX\maurerh
>> In this case I do net expect any difference, if we have
>> passwd: files winbind
>> or
>> passwd: files vas4
>> or
>> passwd: files sss
>>   in order to provide  the unix users form the AD to the unix system.
>> The AD provides a unique unix user with Unix attributes stored in AD
>> in   rfc2307 attributes
>> If I connect to the samba server form the windows side as XXX\maurerh
>> every file I create is owned by maurerh with UID 7740 in the filesystem.
>> Therefore the mapping works.
>> Only when I use
>> force user = maurerh
>> or
>> force user = XXX\maurerh
>> I can not access the share anymore (which worked in 4.1.16)
>> And therefore I think we have a problem with  force user in 4.2,
>> which of course could be related to the winbind changes you mention
>> Regards
>> Hansjörg
> OK, lets see if I have it correct, you only have *one* user in AD with
> a 'uidNumber' attribute and this is the AD user 'maurerh' and this
> user does not appear in /etc/passwd.
> Does 'Domain Users' have a 'gidNumber' ?
> Can you please post your entire (sanitized if you like) smb.conf
> Rowland

we have about > 50.000 Users and groups in AD and most auf them are unix
User maurerh is one of them.
maurerh is an AD user  with rfc2307 attributes set.

Here some of his AD attributes

unixHomeDirectory: /home/maurerh
gidNumber: 43466
uidNumber: 7740

User maurerh is NOT in /etc/passwd

getent passwd maurerh shows the AD attributes using VAS

wbinfo --uid-info 7740

wbinfo -U 7740

The domainusers group is not unix enabled (has no gidNumber)
Every user is member of domainusers.
But every user has an individual gidNumber  in his  user Object of an
individuel unix enabled group.

In this group only the user can be member of (managed by a Metadirectory).

getent group xxx_maurerh_p

wbinfo -n xxx_maurerh_p
S-1-5-21-1156737867-681972312-1097073633-131379 SID_DOM_GROUP (2)

This group is logged when I try to accesss the share

  The primary group domain
sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the
domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)

Why does samba here show a LOCAL SID (S-1-22-1-7740 = S-1-22-1- + UID of
maurerh) and not the SID of maurerh (
S-1-5-21-1156737867-681972312-1097073633-27527 )

Attached you find the smb.conf

Thank you very much



        workgroup = XXX
        realm = INTRA.XXX.DE
        netbios name = FTPSERVER
        server string = RM-FTP-Server
        interfaces =, eth0                                                                           
        bind interfaces only = Yes                                                                             
        security = ADS                                                                                         
        password server = *                                                                                    
        username map = /etc/samba/smbusers                                                                     
        log level = 1                                                                                          
        syslog = 0                                                                                             
        log file = /var/log/samba/log.%m                                                                       

        printcap name = /dev/null                                                                              
        machine password timeout = 604800                                                                      
        os level = 25                                                                                          
        preferred master = No                                                                                  
        local master = No                                                                                      
        domain master = No                                                                                     
        dns proxy = No                                                                                         
        encrypt passwords = yes                                                                                
        idmap config * : backend = tdb
        idmap config * : range = 1000001-1999999

        idmap config DLR : backend  = nss
        idmap config DLR : range = 1000-1000000

        max protocol = smb2                

        wins server =  
        create mask = 0664
        directory mask = 0775
        use sendfile = Yes   
        hide dot files = No  
        map archive = No     
        dont descend = lost+found
        load printers= no        
        printing = bsd           
        printcap name = /dev/null

        path = /home_local/ftp
        comment = FTP-Share   
        browseable = yes      
        writeable = yes       
        force group = +XXX\rmc_office-rob_mf
        force create mode = 0664            
        wide links = no                     

        path = /home_local/tmpgroup
        comment = tmpgroup-Share
        browseable = yes
        writeable = yes
        wide links = no
        valid users = +XXX\rmc_sysadmin_mf
        writeable = yes
        write list = +XXX\rmc_sysadmin_mf
        force group = +XXX\rmc_sysadmin_mf
        create mask = 0660
        force create mode = 0660
        directory mask = 2770

        path = /home_local/tmpuser
        comment = tmpuser-Share
        guest ok = no
        read only = no
        force group = +XXX\rmc_sysadmin_mf
        force user = maurerh
        create mask = 0600
        force create mode = 0600
        directory mask = 0700
        wide links = no
        follow symlinks = yes

Unser System ist mit einem Mailverschluesselungs-Gateway ausgestattet. Wenn Sie moechten, dass an Sie gerichtete E-Mails verschluesselt werden, senden Sie einfach eine S/MIME-signierte E-Mail oder Ihren PGP Public Key an hansjoerg.maurer at

Our system is equipped with an email encryption gateway. If you want email sent to you to be encrypted please send a S/MIME signed email or your PGP public key to hansjoerg.maurer at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5906 bytes
Desc: not available
URL: <>

More information about the samba-technical mailing list