after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore

Rowland Penny repenny241155 at gmail.com
Sat Jan 31 05:20:27 MST 2015


On 31/01/15 11:20, Davor Vusir wrote:
>
> "Dr. Hansjörg Maurer" skrev den 2015-01-31 12:58:
>> Am 31.01.2015 07:27, schrieb Davor Vusir:
>>> "Dr. Hansjörg Maurer" skrev den 2015-01-29 23:00:
>>>>> OK, just had a thought, try changing 'force user = maurerh' to 'force
>>>>> user = XXX\maurerh', where 'XXX' is your domain/workgroup name
>>>>>
>>>>> Rowland
>>>>>
>>>> Hi
>>>>
>>>> tried it already, but not with the patch from Andrew...
>>>> Therefore I tried it with this patch, but it still does not work
>>>>
>>>> The user who posted https://bugzilla.samba.org/show_bug.cgi?id=11044
>>>> has log messages like
>>>>
>>>> ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
>>>>     The primary group domain
>>>> sid(S-1-5-21-1497163937-2947169817-3520470860-513) does not match the
>>>> domain sid(S-1-22-1) for mtester(S-1-22-1-521)
>>>>
>>>>
>>>> Without the patch our logs show something similar
>>>>
>>>> [2015/01/28 15:22:55.911105,  1]
>>>> ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
>>>>         The primary group domain
>>>> sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match
>>>> the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
>>>>
>>>>
>>>> With the patch our log says
>>>>
>>>> [2015/01/29 22:47:39.669288,  1]
>>>> ../source3/auth/server_info.c:396(SamInfo3_handle_sids)
>>>>     The primary group domain
>>>> sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the
>>>> domain sid(S-1-5-21-996664766-3924031551-1934014251) for
>>>> maurerh(S-1-22-1-7740)
>>>>
>>>> What is the SID S-1-5-21-996664766-3924031551-1934014251 about?
>>> Hello Hansjörg!
>>>
>>> The SID is probably the server's SID. Below you have a listing from
>>> running wbinfo on my fileserver 'ostraaros'.
>>> To me it looks like the code is getting the domain SID where the user
>>> account resides and then trying to match it to the server (domain) SID.
>>>
>>> admin at ostraaros:~$ wbinfo -D EXAMPLE
>>> Name              : EXAMPLE
>>> Alt_Name          : internal.example.se
>>> SID               : S-1-5-21-3764816001-1961040586-2408178444
>>> Active Directory  : Yes
>>> Native            : Yes
>>> Primary           : Yes
>>> admind at ostraaros:~$ wbinfo -n davor
>>> S-1-5-21-3764816001-1961040586-2408178444-1105 SID_USER (1)
>>> admin at ostraaros:~$ wbinfo -D OSTRAAROS
>>> Name              : OSTRAAROS
>>> Alt_Name          :
>>> SID               : S-1-5-21-4190857068-4168617998-2793135748
>>> Active Directory  : No
>>> Native            : No
>>> Primary           : No
>>> admind at ostraaros:~$
>>>
>>> Regards
>>> Davor
>>>
>> Hi Davor
>>
>> you are right, the SID it complains about is the SID of the server
>>
>> regards
>>
>> Hansjörg
>>
>>
>>
>> wbinfo -n maurerh
>> S-1-5-21-1156737867-681972312-1097073633-27527 SID_USER (1)
>>
>> wbinfo -D FTPSERVER
>> Name              : FTPSERVER
>> Alt_Name          :
>> SID               : S-1-5-21-996664766-3924031551-1934014251
>> Active Directory  : No
>> Native            : No
>> Primary           : No
>>
>
> ...and fails and maps user account 'maurerh' to the unix account 
> (7740) and prefixes it with S-1-22-1 
> (https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html).
>
> I'd say that, when Samba is trying to match the user account with the 
> account database (AD) it accidentally looks in the wrong domain (local 
> domain, the server domain).
>
> Regards
> Davor
>
>>>> Regards
>>>>
>>>> Hansjörg
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> ----------------------------
>>>> Our system is equipped with an email encryption gateway. If you want
>>>> email sent to you to be encrypted please send a S/MIME signed email
>>>> or your PGP public key to hansjoerg.maurer at itsd.de.
>>>>
>>
>

Which is why I said to change 'force user = maurerh' to 'force user = 
XXX\maurerh', where 'XXX' is your domain/workgroup name.

Worth a try

Rowland
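
An added diagnostic, not code from this thread or from Samba itself: it parses the two server_info.c warnings quoted above, strips the RID off each SID to get its domain part, and reports which side of the comparison is off, using the AD domain SID and the FTPSERVER SID from Hansjörg's wbinfo output. The regex is modelled on the quoted lines; S-1-22-1 is Samba's well-known "Unix Users" idmap domain.

```python
import re

# Samba's idmap places accounts it cannot resolve through winbind/AD into the
# local "Unix Users" (S-1-22-1) and "Unix Groups" (S-1-22-2) pseudo-domains.
UNIX_USERS = "S-1-22-1"

# Shape of the warning emitted by passwd_to_SamInfo3 / SamInfo3_handle_sids.
MISMATCH_RE = re.compile(
    r"The primary group domain sid\((?P<group>S-[\d-]+)\) does not match "
    r"the domain sid\((?P<domain>S-[\d-]+)\) for (?P<name>\w+)\((?P<user>S-[\d-]+)\)"
)

def domain_of(sid):
    """Strip the trailing RID: S-1-5-21-a-b-c-1105 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]

def parse_mismatch(text):
    """Extract the SIDs from the warning after collapsing mail-client line wraps."""
    m = MISMATCH_RE.search(" ".join(text.split()))
    return m.groupdict() if m else None

def diagnose(entry, ad_domain_sid, server_sid):
    """Explain a mismatch given wbinfo -D <DOMAIN> and wbinfo -D <HOSTNAME> SIDs."""
    findings = []
    if domain_of(entry["group"]) == ad_domain_sid:
        findings.append("primary group is an AD group; that side is fine")
    if domain_of(entry["user"]) == UNIX_USERS:
        findings.append(f"{entry['name']} was resolved as a local Unix user, not through AD")
    if entry["domain"] == UNIX_USERS:
        findings.append("compared against the Unix Users pseudo-domain, not the AD domain")
    elif entry["domain"] == server_sid:
        findings.append("compared against the server's own local SID, not the AD domain")
    return findings

# Constructed sample: the two warnings and the wbinfo SIDs quoted in this thread.
AD_DOMAIN = "S-1-5-21-1156737867-681972312-1097073633"
FTPSERVER = "S-1-5-21-996664766-3924031551-1934014251"
BEFORE_PATCH = """../source3/auth/server_info.c:628(passwd_to_SamInfo3)
    The primary group domain
sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match
the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)"""
AFTER_PATCH = """../source3/auth/server_info.c:396(SamInfo3_handle_sids)
    The primary group domain
sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match
the domain sid(S-1-5-21-996664766-3924031551-1934014251) for
maurerh(S-1-22-1-7740)"""

if __name__ == "__main__":
    for label, text in (("before patch", BEFORE_PATCH), ("after patch", AFTER_PATCH)):
        print(label, diagnose(parse_mismatch(text), AD_DOMAIN, FTPSERVER))
```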


