after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore

Rowland Penny repenny241155 at gmail.com
Sat Jan 31 02:12:15 MST 2015


On 31/01/15 06:27, Davor Vusir wrote:
>
> "Dr. Hansjörg Maurer" wrote on 2015-01-29 23:00:
>>> OK, just had a thought, try changing 'force user = maurerh' to 'force
>>> user = XXX\maurerh', where 'XXX' is your domain/workgroup name
>>>
>>> Rowland
>>>
>> Hi
>>
>> tried it already, but not with the patch from Andrew...
>> Therefore I tried it with this patch, but it still does not work
>>
>> The user who posted https://bugzilla.samba.org/show_bug.cgi?id=11044 ,
>> has log messages like
>>
>> ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
>>    The primary group domain 
>> sid(S-1-5-21-1497163937-2947169817-3520470860-513) does not match the 
>> domain sid(S-1-22-1) for mtester(S-1-22-1-521)
>>
>>
>> Without the patch our logs show something similar
>>
>> [2015/01/28 15:22:55.911105,  1] 
>> ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
>>        The primary group domain 
>> sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match 
>> the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
>>
>>
>> With the patch our logs say
>>
>> [2015/01/29 22:47:39.669288,  1]
>> ../source3/auth/server_info.c:396(SamInfo3_handle_sids)
>>    The primary group domain
>> sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the
>> domain sid(S-1-5-21-996664766-3924031551-1934014251) for
>> maurerh(S-1-22-1-7740)
>>
>> What is the SID S-1-5-21-996664766-3924031551-1934014251 about?
>
> Hello Hansjörg!
>
> The SID is probably the server's SID. Below you got a listing from
> running wbinfo on my fileserver 'ostraaros'.
> To me it looks like the code is getting the domain's SID where the user
> account resides and then trying to match it to the server (domain) SID.
>
> admin at ostraaros:~$ wbinfo -D EXAMPLE
> Name              : EXAMPLE
> Alt_Name          : internal.example.se
> SID               : S-1-5-21-3764816001-1961040586-2408178444
> Active Directory  : Yes
> Native            : Yes
> Primary           : Yes
> admind at ostraaros:~$ wbinfo -n davor
> S-1-5-21-3764816001-1961040586-2408178444-1105 SID_USER (1)
> admin at ostraaros:~$ wbinfo -D OSTRAAROS
> Name              : OSTRAAROS
> Alt_Name          :
> SID               : S-1-5-21-4190857068-4168617998-2793135748
> Active Directory  : No
> Native            : No
> Primary           : No
> admind at ostraaros:~$
>
> Regards
> Davor
>
>>
>> Regards
>>
>> Hansjörg
>>
>>
>>
>>
>>
>> ----------------------------
>> Our system is equipped with an email encryption gateway. If you want 
>> email sent to you to be encrypted please send a S/MIME signed email 
>> or your PGP public key to hansjoerg.maurer at itsd.de.
>>
>

Hi Davor, you could be onto something here.

If I run your wbinfo command on my DC, I get this:

root at dc01:~# wbinfo -D EXAMPLE
Name              : EXAMPLE
Alt_Name          : EXAMPLE
SID               : S-1-2-3-4
Active Directory  : No
Native            : No
Primary           : No

The DC runs:

root at dc01:~# samba -V
Version 4.1.11-Debian

But if I run the same command on a test 4.2rc4 DC

root at rc4:~# wbinfo -D EXAMPLE
Name              : EXAMPLE
Alt_Name          : example.com
SID               : S-1-5-21-743049145-1936447484-1534344825
Active Directory  : Yes
Native            : Yes
Primary           : Yes

Rowland
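
The following is an added example, not part of the original thread and not Samba code: a small Python triage helper that parses the "primary group domain sid ... does not match" entries quoted above, splits each SID into its domain part and RID, and flags the case where the user resolved to Samba's Unix user mapping (S-1-22-1) while the primary group sits in an NT domain. The function names and the optional `known` mapping (domain SID to name, as you would read from `wbinfo -D`) are assumptions made for illustration.

```python
import re

# Constructed sample: the two log entries quoted in this thread, mail line-wrapping kept.
SAMPLE_LOG = """\
[2015/01/28 15:22:55.911105,  1]
../source3/auth/server_info.c:628(passwd_to_SamInfo3)
       The primary group domain
sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match
the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
[2015/01/29 22:47:39.669288,  1]
../source3/auth/server_info.c:396(SamInfo3_handle_sids)
   The primary group domain
sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the
domain sid(S-1-5-21-996664766-3924031551-1934014251) for
maurerh(S-1-22-1-7740)
"""

MISMATCH = re.compile(
    r"primary group domain sid\((S-[\d-]+)\) does not match the "
    r"domain sid\((S-[\d-]+)\) for (\S+?)\((S-[\d-]+)\)")

def split_sid(sid):
    """Return (domain_part, rid); rid is None when the SID is itself a domain SID."""
    parts = sid.split("-")
    if parts[:4] == ["S", "1", "5", "21"]:   # S-1-5-21-a-b-c[-rid]
        return ("-".join(parts[:7]), int(parts[7]) if len(parts) > 7 else None)
    if parts[:3] == ["S", "1", "22"]:        # S-1-22-1-uid / S-1-22-2-gid
        return ("-".join(parts[:4]), int(parts[4]) if len(parts) > 4 else None)
    return (sid, None)

def kind(domain):
    """Classify a domain SID: Samba Unix user/group mapping, NT domain, or other."""
    return {"S-1-22-1": "unix-user", "S-1-22-2": "unix-group"}.get(
        domain, "nt-domain" if domain.startswith("S-1-5-21-") else "other")

def diagnose(log_text, known=None):
    """Parse mismatch entries; 'known' maps domain SID -> name (hypothetical input)."""
    known = known or {}
    flat = " ".join(log_text.split())        # undo line wrapping before matching
    rows = []
    for group_sid, cmp_sid, user, user_sid in MISMATCH.findall(flat):
        gdom, udom = split_sid(group_sid)[0], split_sid(user_sid)[0]
        rows.append({"user": user, "user_kind": kind(udom), "group_domain": gdom,
                     "compared_to": known.get(cmp_sid, cmp_sid),
                     "user_is_local_unix": (kind(udom), kind(gdom)) == ("unix-user", "nt-domain")})
    return rows

if __name__ == "__main__":
    print(*diagnose(SAMPLE_LOG), sep="\n")
```

In both quoted entries the group's domain part is the same; only the SID it is compared against changes between the unpatched and patched builds.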


