samba 4.3.1 - unable to access a share of an AD memberserver with force user set (since 4.2.0)

Dr. Hansjoerg Maurer hansjoerg.maurer at itsd.de
Thu Oct 29 11:26:50 UTC 2015


Hi

I have tried 4.3.1 on an AD member server with idmap_nss and force user.

Up to samba 4.1.X the following configuration works; starting with 4.2.0 it stops working.
I am unable to access a share with "force user = username" set.
I have already opened

https://bugzilla.samba.org/show_bug.cgi?id=11082

Now I have traced down which commit causes the change in behaviour
(therefore addressing you directly, Jeremy).
It was
https://git.samba.org/?p=samba.git;a=commitdiff;h=9395243890aff5bb2166e18e33492afb28850097

Our config is:

idmap config * : backend = tdb
idmap config * : range = 1000001-1999999
idmap config XXX : backend = nss
idmap config XXX : range = 1000-1000000

I have a Share
[test]
 path = /home_local/test
   comment = Testshare
   browseable = yes
   writable = yes
   force group = +XXX\rmc_sysadmin_mf
#   force user = XXX\maurerh
   force user = maurerh

Up to samba 4.1.X this works; starting with 4.2.0 this stops working
(neither with force user = XXX\maurerh nor with force user = maurerh).
User maurerh is provided by nss (not winbind).

The error logged is
[2015/10/29 09:13:19.249421,  1] ../source3/auth/server_info.c:396(SamInfo3_handle_sids)
  The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-5-21-1081861954-281718795-110746834) for maurerh(S-1-22-1-7740)

The relevant code is
./source3/auth/server_info.c:396(SamInfo3_handle_sids)
        else {
                bool ok = sid_peek_check_rid(domain_sid, group_sid,
                                             &info3->base.primary_gid);
                if (!ok) {
                        DEBUG(1, ("The primary group domain sid(%s) does not "
                                  "match the domain sid(%s) for %s(%s)\n",
                                  sid_string_dbg(group_sid),
                                  sid_string_dbg(domain_sid),
                                  username,
                                  sid_string_dbg(user_sid)));
                        return NT_STATUS_INVALID_SID;
                }
        }
        return NT_STATUS_OK;

and

        ok = sid_peek_check_rid(&domain_sid, &group_sid,
                                &info3->base.primary_gid);
        if (!ok) {
                DEBUG(1, ("The primary group domain sid(%s) does not "
                          "match the domain sid(%s) for %s(%s)\n",
                          sid_string_dbg(&group_sid),
                          sid_string_dbg(&domain_sid),
                          unix_username,
                          sid_string_dbg(&user_sid)));
                status = NT_STATUS_INVALID_SID;
                goto done;
        }

If I invalidate the call of sid_peek_check_rid for testing purposes (2 times in the file above), both force user = XXX\maurerh and force user = maurerh work again in our environment.

Some information about the SIDs in the logs

  The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-5-21-1081861954-281718795-110746834) for maurerh(S-1-22-1-7740)

In our case

S-1-5-21-1156737867-681972312-1097073633-131379 is the SID of the primary GID of maurerh

wbinfo --sids-to-unix-ids S-1-5-21-1156737867-681972312-1097073633-131379
S-1-5-21-1156737867-681972312-1097073633-131379 -> gid 43466

id -a maurerh
uid=7740(maurerh) gid=43466(xxx_maurerh_p)

S-1-5-21-1081861954-281718795-110746834 is the LOCAL SID of the samba host RMC-VAULT
[root@rmc-vault01 samba]# net GETLOCALSID
SID for domain RMC-VAULT is: S-1-5-21-1081861954-281718795-110746834

S-1-22-1-7740 is the SID of the local user maurerh (uid=7740)

Maybe with this information someone can trace/solve the problem.

Regards

Hansjörg
----------------------------
Our system is equipped with an email encryption gateway. If you want email sent to you to be encrypted please send a S/MIME signed email or your PGP public key to hansjoerg.maurer at itsd.de.
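To make the failing check concrete, the following Python reimplements the prefix-plus-RID test that sid_peek_check_rid() performs and runs it against the SIDs quoted in the log line above. This is an added illustration, not Samba's code; the AD domain SID is assumed to be the group SID with its last sub-authority removed, since the report does not print it.

```python
import re
from typing import NamedTuple, Optional, Tuple

class Sid(NamedTuple):
    revision: int
    authority: int          # identifier authority: 5 = NT, 22 = Unix (S-1-22-x, nss users)
    sub_auths: Tuple[int, ...]

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

def parse_sid(text: str) -> Sid:
    """Parse the textual form 'S-1-5-21-...' into its components."""
    m = _SID_RE.match(text)
    if m is None:
        raise ValueError(f"not a SID: {text!r}")
    subs = tuple(int(x) for x in m.group(3).split("-")[1:])
    return Sid(int(m.group(1)), int(m.group(2)), subs)

def domain_of(sid: Sid) -> Sid:
    """Drop the trailing RID to obtain the issuing domain SID."""
    return Sid(sid.revision, sid.authority, sid.sub_auths[:-1])

def sid_peek_check_rid(domain_sid: Sid, sid: Sid) -> Optional[int]:
    """Same test Samba's sid_peek_check_rid() makes: 'sid' must equal
    'domain_sid' plus exactly one sub-authority. Returns that RID, else None."""
    if len(sid.sub_auths) != len(domain_sid.sub_auths) + 1:
        return None
    if domain_of(sid) != domain_sid:
        return None
    return sid.sub_auths[-1]

def is_unix_sid(sid: Sid) -> bool:
    """S-1-22-1-<uid> / S-1-22-2-<gid>: SIDs synthesised for nss-only users/groups."""
    return sid.authority == 22 and len(sid.sub_auths) == 2 and sid.sub_auths[0] in (1, 2)

# Values copied from the log line in the report.
USER_SID = parse_sid("S-1-22-1-7740")                               # maurerh, uid 7740
GROUP_SID = parse_sid("S-1-5-21-1156737867-681972312-1097073633-131379")
LOCAL_SID = parse_sid("S-1-5-21-1081861954-281718795-110746834")    # host RMC-VAULT

def primary_group_rid(domain_sid: Sid, group_sid: Sid) -> Optional[int]:
    """What SamInfo3_handle_sids() stores as primary_gid, or None (-> NT_STATUS_INVALID_SID)."""
    return sid_peek_check_rid(domain_sid, group_sid)

if __name__ == "__main__":
    # Against the member server's local SID, as the code does for an S-1-22 user: fails.
    print(primary_group_rid(LOCAL_SID, GROUP_SID))                  # None
    # Against the group's own domain (assumed to be the AD domain): RID 131379.
    print(primary_group_rid(domain_of(GROUP_SID), GROUP_SID))
    print(is_unix_sid(USER_SID))                                    # True
```

The mismatch is structural: the user SID comes from the Unix authority (S-1-22-1), the primary group SID from the AD domain, and the check compares the group against the host's local SID rather than the group's issuing domain.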
