after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore

Davor Vusir davortvusir at gmail.com
Sat Jan 31 04:20:54 MST 2015


"Dr. Hansjörg Maurer" wrote on 2015-01-31 12:58:
> On 31.01.2015 07:27, Davor Vusir wrote:
>> "Dr. Hansjörg Maurer" wrote on 2015-01-29 23:00:
>>>> OK, just had a thought, try changing 'force user = maurerh' to 'force
>>>> user = XXX\maurerh', where 'XXX' is your domain/workgroup name
>>>>
>>>> Rowland
>>>>
>>> Hi
>>>
>>> tried it already, but not with the patch from Andrew...
>>> Therefore I tried it with this patch, but it still does not work
>>>
>>> The user who posted https://bugzilla.samba.org/show_bug.cgi?id=11044 ,
>>> has log messages like
>>>
>>> ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
>>>     The primary group domain
>>> sid(S-1-5-21-1497163937-2947169817-3520470860-513) does not match the
>>> domain sid(S-1-22-1) for mtester(S-1-22-1-521)
>>>
>>>
>>> Without the patch our logs show something similar
>>>
>>> [2015/01/28 15:22:55.911105,  1]
>>> ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
>>>         The primary group domain
>>> sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match
>>> the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
>>>
>>>
>>> With the patch our log says
>>>
>>> [2015/01/29 22:47:39.669288,  1]
>>> ../source3/auth/server_info.c:396(SamInfo3_handle_sids)
>>>     The primary group domain
>>> sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the
>>> domain sid(S-1-5-21-996664766-3924031551-1934014251) for
>>> maurerh(S-1-22-1-7740)
>>>
>>> What is the SID S-1-5-21-996664766-3924031551-1934014251 about?
>> Hello Hansjörg!
>>
>> The SID is probably the server's SID. Below you got a listing from
>> running wbinfo on my fileserver 'ostraaros'.
>> To me it looks like the code is getting the domain's SID where the user
>> account resides and then trying to match it to the server (domain) SID.
>>
>> admin at ostraaros:~$ wbinfo -D EXAMPLE
>> Name              : EXAMPLE
>> Alt_Name          : internal.example.se
>> SID               : S-1-5-21-3764816001-1961040586-2408178444
>> Active Directory  : Yes
>> Native            : Yes
>> Primary           : Yes
>> admind at ostraaros:~$ wbinfo -n davor
>> S-1-5-21-3764816001-1961040586-2408178444-1105 SID_USER (1)
>> admin at ostraaros:~$ wbinfo -D OSTRAAROS
>> Name              : OSTRAAROS
>> Alt_Name          :
>> SID               : S-1-5-21-4190857068-4168617998-2793135748
>> Active Directory  : No
>> Native            : No
>> Primary           : No
>> admind at ostraaros:~$
>>
>> Regards
>> Davor
>>
> Hi Davor
>
> you are right, the SID it complains about is the SID of the server
>
> regards
>
> Hansjörg
>
>
>
> wbinfo -n maurerh
> S-1-5-21-1156737867-681972312-1097073633-27527 SID_USER (1)
>
> wbinfo -D FTPSERVER
> Name              : FTPSERVER
> Alt_Name          :
> SID               : S-1-5-21-996664766-3924031551-1934014251
> Active Directory  : No
> Native            : No
> Primary           : No
>

...and fails and maps user account 'maurerh' to the unix account (7740) 
and prefixes it with S-1-22-1 
(https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html).

I'd say that, when Samba is trying to match the user account with the 
account database (AD) it accidentally looks in the wrong domain (local 
domain, the server domain).

Regards
Davor

>>> Regards
>>>
>>> Hansjörg
>>>
>>>
>>>
>>>
>>>
>>> ----------------------------
>>> Our system is equipped with an email encryption gateway. If you want
>>> email sent to you to be encrypted please send a S/MIME signed email
>>> or your PGP public key to hansjoerg.maurer at itsd.de.
>>>
>
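
The comparison discussed in this thread, as an added example that is not part of the original mails or of Samba's code: it reads the "does not match" messages and reports which domain the primary group SID belongs to and which domain Samba compared it against. The labels in KNOWN are assumptions; the SIDs and log text are the ones quoted above.

```python
import re

UNIX_USERS = "S-1-22-1"  # Samba's synthetic authority for unmapped Unix accounts

# Assumed inputs, as "wbinfo -D" / "wbinfo -n" would supply them. The labels are
# hypothetical; the SIDs are the ones quoted in the thread.
KNOWN = {
    "S-1-5-21-1156737867-681972312-1097073633": "AD domain of the user",
    "S-1-5-21-996664766-3924031551-1934014251": "FTPSERVER (local server)",
}

# Log text re-typed from the thread; line wraps kept as in the mail.
SAMPLE_LOG = """
[2015/01/28 15:22:55.911105,  1]
../source3/auth/server_info.c:628(passwd_to_SamInfo3)
        The primary group domain
sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match
the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
[2015/01/29 22:47:39.669288,  1]
../source3/auth/server_info.c:396(SamInfo3_handle_sids)
    The primary group domain
sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the
domain sid(S-1-5-21-996664766-3924031551-1934014251) for
maurerh(S-1-22-1-7740)
"""

MISMATCH = re.compile(
    r"The primary group domain sid\((?P<group>S-[\d-]+)\) does not match the "
    r"domain sid\((?P<domain>S-[\d-]+)\) for (?P<user>[^\s(]+)\((?P<user_sid>S-[\d-]+)\)"
)

def domain_of(sid):
    """Strip the trailing RID, leaving the SID of the issuing domain."""
    return sid.rsplit("-", 1)[0]

def label(domain_sid, known):
    if domain_sid == UNIX_USERS:
        return "Unix users"
    return known.get(domain_sid, "unknown")

def diagnose(log_text, known):
    """Return one finding per mismatch message in a (possibly wrapped) log."""
    flat = " ".join(log_text.split())  # undo mail/log line wrapping
    return [{
        "user": m["user"],
        "user_fell_back_to_unix": domain_of(m["user_sid"]) == UNIX_USERS,
        "group_domain": label(domain_of(m["group"]), known),
        "compared_against": label(m["domain"], known),
    } for m in MISMATCH.finditer(flat)]
```
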


