after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore
Rowland Penny
repenny241155 at gmail.com
Sat Jan 31 05:20:27 MST 2015
On 31/01/15 11:20, Davor Vusir wrote:
>
> "Dr. Hansjörg Maurer" wrote on 2015-01-31 12:58:
>> On 31.01.2015 07:27, Davor Vusir wrote:
>>> "Dr. Hansjörg Maurer" wrote on 2015-01-29 23:00:
>>>>> OK, just had a thought, try changing 'force user = maurerh' to 'force
>>>>> user = XXX\maurerh', where 'XXX' is your domain/workgroup name
>>>>>
>>>>> Rowland
>>>>>
>>>> Hi
>>>>
>>>> tried it already, but not with the patch from Andrew...
>>>> Therefore I tried it with this patch, but it still does not work
>>>>
>>>> The user who posted https://bugzilla.samba.org/show_bug.cgi?id=11044
>>>> has log messages like
>>>>
>>>> ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
>>>> The primary group domain
>>>> sid(S-1-5-21-1497163937-2947169817-3520470860-513) does not match the
>>>> domain sid(S-1-22-1) for mtester(S-1-22-1-521)
>>>>
>>>>
>>>> Without the patch our logs show something similar
>>>>
>>>> [2015/01/28 15:22:55.911105, 1]
>>>> ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
>>>> The primary group domain
>>>> sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match
>>>> the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
>>>>
>>>>
>>>> With the patch our log says
>>>>
>>>> [2015/01/29 22:47:39.669288, 1]
>>>> ../source3/auth/server_info.c:396(SamInfo3_handle_sids)
>>>> The primary group domain
>>>> sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match
>>>> the
>>>> domain sid(S-1-5-21-996664766-3924031551-1934014251) for
>>>> maurerh(S-1-22-1-7740)
>>>>
>>>> What is the SID S-1-5-21-996664766-3924031551-1934014251 about?
>>> Hello Hansjörg!
>>>
>>> The SID is probably the server's SID. Below is a listing from
>>> running wbinfo on my fileserver 'ostraaros'.
>>> To me it looks like the code is getting the domain's SID where the user
>>> account resides and then trying to match it to the server (domain) SID.
>>>
>>> admin@ostraaros:~$ wbinfo -D EXAMPLE
>>> Name : EXAMPLE
>>> Alt_Name : internal.example.se
>>> SID : S-1-5-21-3764816001-1961040586-2408178444
>>> Active Directory : Yes
>>> Native : Yes
>>> Primary : Yes
>>> admind at ostraaros:~$ wbinfo -n davor
>>> S-1-5-21-3764816001-1961040586-2408178444-1105 SID_USER (1)
>>> admin@ostraaros:~$ wbinfo -D OSTRAAROS
>>> Name : OSTRAAROS
>>> Alt_Name :
>>> SID : S-1-5-21-4190857068-4168617998-2793135748
>>> Active Directory : No
>>> Native : No
>>> Primary : No
>>> admind at ostraaros:~$
>>>
>>> Regards
>>> Davor
>>>
>> Hi Davor
>>
>> you are right, the SID it complains about is the SID of the server
>>
>> regards
>>
>> Hansjörg
>>
>>
>>
>> wbinfo -n maurerh
>> S-1-5-21-1156737867-681972312-1097073633-27527 SID_USER (1)
>>
>> wbinfo -D FTPSERVER
>> Name : FTPSERVER
>> Alt_Name :
>> SID : S-1-5-21-996664766-3924031551-1934014251
>> Active Directory : No
>> Native : No
>> Primary : No
>>
>
> ...and fails and maps user account 'maurerh' to the unix account
> (7740) and prefixes it with S-1-22-1
> (https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html).
>
> I'd say that, when Samba is trying to match the user account with the
> account database (AD) it accidentally looks in the wrong domain (local
> domain, the server domain).
>
> Regards
> Davor
>
>>>> Regards
>>>>
>>>> Hansjörg
>>>>
>>>> ----------------------------
>>>> Our system is equipped with an email encryption gateway. If you want
>>>> email sent to you to be encrypted please send an S/MIME signed email
>>>> or your PGP public key to hansjoerg.maurer at itsd.de.
>>>>
>>
>
Which is why I said to change 'force user = maurerh' to 'force user =
XXX\maurerh', where 'XXX' is your domain/workgroup name.
Worth a try
Rowland
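The SID comparison the thread is puzzling over can be checked mechanically. What follows is an added example, not code from Samba or from anyone in this thread: a small Python checker that parses the two smbd messages Hansjörg quoted, strips the RID from each SID and classifies what each SID's authority is. The AD domain SID is taken from his `wbinfo -n maurerh` output and the server SID from his `wbinfo -D FTPSERVER` output; which party each SID belongs to follows Davor's reading of the messages, and the function names are my own. The S-1-22-1 / S-1-22-2 authorities are Samba's well-known "Unix Users" / "Unix Groups" mappings, so a user SID under S-1-22-1 means smbd resolved the name as a local passwd entry rather than as a domain account.

```python
import re

# Samba's well-known authorities for local passwd/group entries that were not
# resolved as domain objects.
UNIX_USERS = "S-1-22-1"
UNIX_GROUPS = "S-1-22-2"

# Values quoted earlier in this thread (Hansjörg's wbinfo output).
AD_DOMAIN_SID = "S-1-5-21-1156737867-681972312-1097073633"   # from wbinfo -n maurerh, RID dropped
SERVER_SID = "S-1-5-21-996664766-3924031551-1934014251"      # from wbinfo -D FTPSERVER

# The two log messages quoted in the thread, copied as posted (line-wrapped).
LOG_WITHOUT_PATCH = """[2015/01/28 15:22:55.911105, 1]
../source3/auth/server_info.c:628(passwd_to_SamInfo3)
The primary group domain
sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match
the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)"""

LOG_WITH_PATCH = """[2015/01/29 22:47:39.669288, 1]
../source3/auth/server_info.c:396(SamInfo3_handle_sids)
The primary group domain
sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match
the
domain sid(S-1-5-21-996664766-3924031551-1934014251) for
maurerh(S-1-22-1-7740)"""

# Matches the mismatch message after the wrapped lines have been joined.
_MISMATCH = re.compile(
    r"The primary group domain\s*sid\((?P<group_sid>S-[\d-]+)\)\s*does not match\s*"
    r"the\s*domain sid\((?P<domain_sid>S-[\d-]+)\)\s*for\s*"
    r"(?P<user>[^\s(]+)\((?P<user_sid>S-[\d-]+)\)"
)


def parse_mismatch(log_text):
    """Return the user name and the three SIDs from a mismatch message, or None.
    Whitespace is collapsed first because the archive wrapped the lines."""
    m = _MISMATCH.search(" ".join(log_text.split()))
    return m.groupdict() if m else None


def sid_authority(sid):
    """Drop the trailing RID: 'S-1-5-21-a-b-c-513' -> 'S-1-5-21-a-b-c'."""
    return sid.rsplit("-", 1)[0]


def diagnose(log_text, ad_domain_sid=AD_DOMAIN_SID, server_sid=SERVER_SID):
    """Classify each SID in the message by which authority issued it."""
    rec = parse_mismatch(log_text)
    if rec is None:
        return {"parsed": False, "findings": []}
    findings = []
    user_auth = sid_authority(rec["user_sid"])
    group_auth = sid_authority(rec["group_sid"])
    if user_auth == UNIX_USERS:
        findings.append("user resolved as a local Unix user (S-1-22-1), not as a domain account")
    elif user_auth == ad_domain_sid:
        findings.append("user resolved as an AD domain account")
    if group_auth == ad_domain_sid:
        findings.append("primary group belongs to the AD domain")
    elif group_auth == UNIX_GROUPS:
        findings.append("primary group is a local Unix group (S-1-22-2)")
    # The 'domain sid' the code compared against tells you which SAM it consulted.
    if rec["domain_sid"] == server_sid:
        findings.append("compared against the server's own SID (local SAM), not the AD domain")
    elif rec["domain_sid"] == UNIX_USERS:
        findings.append("compared against the Unix Users authority")
    elif rec["domain_sid"] == ad_domain_sid:
        findings.append("compared against the AD domain SID")
    return {"parsed": True, "user": rec["user"], "findings": findings}


if __name__ == "__main__":
    for label, text in (("without patch", LOG_WITHOUT_PATCH), ("with patch", LOG_WITH_PATCH)):
        result = diagnose(text)
        print(label, result["user"])
        for f in result["findings"]:
            print("  -", f)
```

Run against the two quoted messages, the checker shows the same picture in both cases: the primary group SID is an AD domain group, but `maurerh` itself was resolved through the Unix Users authority, and with the patch the comparison is made against the server's local SID rather than the domain's. That is the situation in which qualifying the name, as suggested above, is worth trying.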