samba 4.3.1 - unable to access a share of an AD memberserver with force user set (since 4.2.0)
Dr. Hansjoerg Maurer
hansjoerg.maurer at itsd.de
Thu Oct 29 11:26:50 UTC 2015
Hi
I have tried 4.3.1 on an AD memberserver with idmap_nss and force user
Up to samba 4.1.X the following configuration works; starting with 4.2.0 it stops working.
I am unable to access a share with "force user = username" set
I have already opened
https://bugzilla.samba.org/show_bug.cgi?id=11082
Now I have traced down which commit causes the change in behaviour
(therefore addressing you directly, Jeremy).
It was
https://git.samba.org/?p=samba.git;a=commitdiff;h=9395243890aff5bb2166e18e33492afb28850097
Our config is:
idmap config * : backend = tdb
idmap config * : range = 1000001-1999999
idmap config XXX : backend = nss
idmap config XXX : range = 1000-1000000
I have a Share
[test]
path = /home_local/test
comment = Testshare
browseable = yes
writable = yes
force group = +XXX\rmc_sysadmin_mf
# force user = XXX\maurerh
force user = maurerh
Up to samba 4.1.X this works; starting with 4.2.0 it stops working
(neither with force user = XXX\maurerh nor with force user = maurerh).
User maurerh is provided by nss (not winbind).
The error logged is:
[2015/10/29 09:13:19.249421, 1] ../source3/auth/server_info.c:396(SamInfo3_handle_sids)
The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-5-21-1081861954-281718795-110746834) for maurerh(S-1-22-1-7740)
The relevant code is:
./source3/auth/server_info.c:396(SamInfo3_handle_sids)
    else {
        bool ok = sid_peek_check_rid(domain_sid, group_sid,
                                     &info3->base.primary_gid);
        if (!ok) {
            DEBUG(1, ("The primary group domain sid(%s) does not "
                      "match the domain sid(%s) for %s(%s)\n",
                      sid_string_dbg(group_sid),
                      sid_string_dbg(domain_sid),
                      username,
                      sid_string_dbg(user_sid)));
            return NT_STATUS_INVALID_SID;
        }
    }
    return NT_STATUS_OK;
and
    ok = sid_peek_check_rid(&domain_sid, &group_sid,
                            &info3->base.primary_gid);
    if (!ok) {
        DEBUG(1, ("The primary group domain sid(%s) does not "
                  "match the domain sid(%s) for %s(%s)\n",
                  sid_string_dbg(&group_sid),
                  sid_string_dbg(&domain_sid),
                  unix_username,
                  sid_string_dbg(&user_sid)));
        status = NT_STATUS_INVALID_SID;
        goto done;
    }
If I invalidate the call of sid_peek_check_rid for testing purposes (2 times in the file above), both force user = XXX\maurerh and force user = maurerh work again in our environment.
Some information about the SIDs in the logs:
The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-5-21-1081861954-281718795-110746834) for maurerh(S-1-22-1-7740)
In our case:
S-1-5-21-1156737867-681972312-1097073633-131379 is the SID of the primary GID of maurerh
wbinfo --sids-to-unix-ids S-1-5-21-1156737867-681972312-1097073633-131379
S-1-5-21-1156737867-681972312-1097073633-131379 -> gid 43466
id -a maurerh
uid=7740(maurerh) gid=43466(xxx_maurerh_p)
S-1-5-21-1081861954-281718795-110746834 is the LOCAL SID of the samba host RMC-VAULT
[root at rmc-vault01 samba]# net GETLOCALSID
SID for domain RMC-VAULT is: S-1-5-21-1081861954-281718795-110746834
S-1-22-1-7740 is the SID of the local user maurerh (uid=7740)
Maybe with this information someone can trace/solve the problem.
Regards
Hansjörg
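The following is an added example, not code from Samba or from the mail above. It re-implements in Python the test that the quoted sid_peek_check_rid() call performs and runs it on the three SIDs copied from the DEBUG(1) line, so the failing and the passing case can be compared offline. Assumptions: sid_peek_check_rid(domain_sid, sid) succeeds only when sid is domain_sid followed by exactly one extra RID (inferred from the function name and the log message, not read from the Samba source); the AD domain SID S-1-5-21-1156737867-681972312-1097073633 is derived here by stripping the RID from the group SID and is not printed anywhere in the mail.

```python
# Added example, not Samba code. Reproduces the sid_peek_check_rid()
# decision on the SIDs quoted in the mail's log line.
# Assumption: the check passes only when `sid` == `domain_sid` + one RID.

from typing import Optional, Tuple


def parse_sid(sid: str) -> Tuple[int, int, Tuple[int, ...]]:
    """Split 'S-<rev>-<authority>-<sub>-<sub>...' into numeric parts."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    sub_authorities = tuple(int(p) for p in parts[3:])
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision} in {sid!r}")
    return revision, authority, sub_authorities


def sid_peek_check_rid(domain_sid: str, sid: str) -> Tuple[bool, Optional[int]]:
    """Return (True, rid) if `sid` is `domain_sid` plus one RID, else (False, None).

    The RID returned as the second element plays the role of the C
    out-parameter (&info3->base.primary_gid) in the quoted Samba code.
    """
    d_rev, d_auth, d_subs = parse_sid(domain_sid)
    s_rev, s_auth, s_subs = parse_sid(sid)
    if (d_rev, d_auth) != (s_rev, s_auth):
        return False, None
    if len(s_subs) != len(d_subs) + 1 or s_subs[:-1] != d_subs:
        return False, None
    return True, s_subs[-1]


# The three SIDs copied from the DEBUG(1) line in the mail.
LOCAL_SID = "S-1-5-21-1081861954-281718795-110746834"            # net getlocalsid of RMC-VAULT
GROUP_SID = "S-1-5-21-1156737867-681972312-1097073633-131379"     # primary group of maurerh
USER_SID = "S-1-22-1-7740"                                        # Unix-user SID, uid 7740

# Assumption: AD domain SID = GROUP_SID with the trailing RID removed.
# It is not printed in the mail; it is derived here only for the passing case.
AD_DOMAIN_SID = "S-1-5-21-1156737867-681972312-1097073633"
UNIX_USERS_SID = "S-1-22-1"   # the "domain" prefix of S-1-22-1-<uid> SIDs


def check_primary_group(domain_sid: str, group_sid: str,
                        username: str, user_sid: str) -> str:
    """Reproduce the outcome of the quoted Samba check as a status string."""
    ok, rid = sid_peek_check_rid(domain_sid, group_sid)
    if not ok:
        return (f"NT_STATUS_INVALID_SID: The primary group domain sid({group_sid}) "
                f"does not match the domain sid({domain_sid}) for {username}({user_sid})")
    return f"NT_STATUS_OK: primary_gid (RID) = {rid}"


if __name__ == "__main__":
    # Case from the mail: domain_sid is the member server's own local SID,
    # so an AD group SID can never be "local SID + one RID".
    print(check_primary_group(LOCAL_SID, GROUP_SID, "maurerh", USER_SID))
    # The same group SID checked against the AD domain it actually belongs to.
    print(check_primary_group(AD_DOMAIN_SID, GROUP_SID, "maurerh", USER_SID))
    # The Unix-user SID itself peels cleanly against S-1-22-1.
    print(sid_peek_check_rid(UNIX_USERS_SID, USER_SID))
```

Run with `python3 sid_check.py` (file name is your choice). The first line printed mirrors the log message from the mail; the second shows that the same group SID passes once the domain SID it is compared against is the AD domain rather than the member server's local SID.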