after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore

Rowland Penny repenny241155 at gmail.com
Thu Jan 29 14:46:07 MST 2015 

On 29/01/15 21:35, "Dr. Hansjörg Maurer" wrote:
> Am 29.01.2015 um 19:39 schrieb Andrew Bartlett:
>> Can you please try the patch from:
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=11044
>>
>> Thanks,
>>
>> Andrew Bartlett
>>
> Hi Andrew,
>
> thank you for your reply.
>
> I applied the patch (I hope doing it right, seee below) and
> recompiled/installed, but it did not solve the problem
>
> [root at rmc-donau samba-4.2.0rc4]# patch -p 1 < ../patch_force_user.diff
> patching file source3/auth/server_info.c
> patching file source3/auth/server_info.c
> patching file source3/auth/auth_util.c
> patching file source3/auth/proto.h
> patching file source3/auth/server_info.c
> patching file source3/auth/server_info.c
> patching file selftest/target/Samba3.pm
> patching file source3/script/tests/test_smbclient_auth.sh
>
>
> I do not know anytthing about the internal logic, but
> the patch seems to fix a problem, where user gdm
> is a unix user only (not in AD) but in our case maurerh is a AD User,
> which is available
> on unix to (same UID)
>
> it does not work with
> force user = maurerh
>   
>   smbclient //ftpserver/tmpuser -Umaurerh
> Enter maurerh's password:
> Domain=[XXX] OS=[Windows 6.1] Server=[Samba 4.2.0rc4]
> tree connect failed: NT_STATUS_INVALID_SID
>
> without force user = maurerh
> it works
>
>   smbclient //ftpserver/tmpuser -Umaurerh
> Enter maurerh's password:
> Domain=[XXX] OS=[Windows 6.1] Server=[Samba 4.2.0rc4]
> smb: \> quit
>
> Regards
>
>
> Hansjörg Maurer
>
>
>
> ----------------------------
> Unser System ist mit einem Mailverschluesselungs-Gateway ausgestattet. Wenn Sie moechten, dass an Sie gerichtete E-Mails verschluesselt werden, senden Sie einfach eine S/MIME-signierte E-Mail oder Ihren PGP Public Key an hansjoerg.maurer at itsd.de.
>
> Our system is equipped with an email encryption gateway. If you want email sent to you to be encrypted please send a S/MIME signed email or your PGP public key to hansjoerg.maurer at itsd.de.
>

OK, just had a thought, try changing 'force user = maurerh' to 'force 
user = XXX\maurerh', where 'XXX' is your domain/workgroup name

Rowland

More information about the samba-technical mailing list