after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore
Rowland Penny
repenny241155 at gmail.com
Sat Jan 31 02:12:15 MST 2015
On 31/01/15 06:27, Davor Vusir wrote:
>
> "Dr. Hansjörg Maurer" skrev den 2015-01-29 23:00:
>>> OK, just had a thought, try changing 'force user = maurerh' to 'force
>>> user = XXX\maurerh', where 'XXX' is your domain/workgroup name
>>>
>>> Rowland
>>>
>> Hi
>>
>> tried it already, but not with the patch from Andrew...
>> Therefore I tried it with this patch, but it still does not work
>>
>> The user who posted https://bugzilla.samba.org/show_bug.cgi?id=11044 ,
>> has log messages like
>>
>> ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
>> The primary group domain
>> sid(S-1-5-21-1497163937-2947169817-3520470860-513) does not match the
>> domain sid(S-1-22-1) for mtester(S-1-22-1-521)
>>
>>
>> Without the patch our logs show something similar
>>
>> [2015/01/28 15:22:55.911105, 1]
>> ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
>> The primary group domain
>> sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match
>> the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
>>
>>
>> With the patch our logs say
>>
>> [2015/01/29 22:47:39.669288, 1]
>> ../source3/auth/server_info.c:396(SamInfo3_handle_sids)
>> The primary group domain
>> sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the
>> domain sid(S-1-5-21-996664766-3924031551-1934014251) for
>> maurerh(S-1-22-1-7740)
>>
>> What is the SID S-1-5-21-996664766-3924031551-1934014251 about?
>
> Hello Hansjörg!
>
> The SID is probably the server's SID. Below you have a listing from
> running wbinfo on my fileserver 'ostraaros'.
> To me it looks like the code is getting the SID of the domain where the user
> account resides and then trying to match it to the server (domain) SID.
>
> admin at ostraaros:~$ wbinfo -D EXAMPLE
> Name : EXAMPLE
> Alt_Name : internal.example.se
> SID : S-1-5-21-3764816001-1961040586-2408178444
> Active Directory : Yes
> Native : Yes
> Primary : Yes
> admind at ostraaros:~$ wbinfo -n davor
> S-1-5-21-3764816001-1961040586-2408178444-1105 SID_USER (1)
> admin at ostraaros:~$ wbinfo -D OSTRAAROS
> Name : OSTRAAROS
> Alt_Name :
> SID : S-1-5-21-4190857068-4168617998-2793135748
> Active Directory : No
> Native : No
> Primary : No
> admind at ostraaros:~$
>
> Regards
> Davor
>
>>
>> Regards
>>
>> Hansjörg
>>
>>
>>
>>
>>
>> ----------------------------
>> Our system is equipped with an email encryption gateway. If you want
>> email sent to you to be encrypted please send a S/MIME signed email
>> or your PGP public key to hansjoerg.maurer at itsd.de.
>>
>
Hi Davor, you could be onto something here.

If I run your wbinfo command on my DC, I get this:

root at dc01:~# wbinfo -D EXAMPLE
Name : EXAMPLE
Alt_Name : EXAMPLE
SID : S-1-2-3-4
Active Directory : No
Native : No
Primary : No

The DC runs:

root at dc01:~# samba -V
Version 4.1.11-Debian

But if I run the same command on a test 4.2rc4 DC

root at rc4:~# wbinfo -D EXAMPLE
Name : EXAMPLE
Alt_Name : example.com
SID : S-1-5-21-743049145-1936447484-1534344825
Active Directory : Yes
Native : Yes
Primary : Yes

Rowland
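
An added example, not part of the messages in this thread and not Samba code: a small Python parser for the "primary group domain sid ... does not match" log messages quoted above, which splits each SID into its domain part and RID so the two sides of the comparison can be read directly. The function names and kind labels are made up for this illustration; the sample text is the two log entries from the thread, with the timestamp lines left out.

```python
import re

# Samba puts accounts known only to the local Unix databases under these prefixes.
UNIX_USERS, UNIX_GROUPS = "S-1-22-1", "S-1-22-2"
MSG = re.compile(
    r"The primary group domain sid\((?P<group>S-[\d-]+)\) does not match "
    r"the domain sid\((?P<domain>S-[\d-]+)\) for (?P<user>\S+?)\((?P<user_sid>S-[\d-]+)\)"
)

def split_sid(sid):
    # An account SID is the domain SID followed by one more field, the RID.
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def classify(domain_sid):
    # Labels are this example's own, not Samba's.
    kinds = {UNIX_USERS: "unix-user", UNIX_GROUPS: "unix-group"}
    default = "domain-or-machine" if domain_sid.startswith("S-1-5-21-") else "other"
    return kinds.get(domain_sid, default)

def parse_mismatches(log_text):
    """One dict per mismatch message; the messages wrap, so flatten first."""
    flat = " ".join(log_text.split())
    found = []
    for m in MSG.finditer(flat):
        group_domain, group_rid = split_sid(m["group"])
        user_domain, user_rid = split_sid(m["user_sid"])
        found.append({
            "user": m["user"], "user_kind": classify(user_domain), "user_rid": user_rid,
            "group_domain": group_domain, "group_rid": group_rid,
            "compared_domain": m["domain"],
            # True when the check compared against the user's own SID prefix
            "compared_is_user_domain": m["domain"] == user_domain,
        })
    return found

# The two log entries quoted in the thread (without and with the patch).
SAMPLE = """\
../source3/auth/server_info.c:628(passwd_to_SamInfo3)
The primary group domain
sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match
the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
../source3/auth/server_info.c:396(SamInfo3_handle_sids)
The primary group domain
sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the
domain sid(S-1-5-21-996664766-3924031551-1934014251) for
maurerh(S-1-22-1-7740)
"""
if __name__ == "__main__":
    print(*parse_mismatches(SAMPLE), sep="\n")
```

In both entries the user is reported under the Unix-user prefix S-1-22-1 while the primary group sits in an S-1-5-21 domain; what changes with the patch is only the domain SID it is compared against.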