after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore
"Dr. Hansjörg Maurer"
hansjoerg.maurer at itsd.de
Thu Jan 29 11:29:42 MST 2015
On 29.01.2015 at 17:06, Rowland Penny wrote:
> On 29/01/15 15:57, Dr. Hansjoerg Maurer wrote:
>> sorry, there we may have a misunderstanding.
>>
>> We have only ONE unix user maurerh, which VAS retrieves directly from
>> the AD Domain
>>
>> getent passwd | grep maurerh
>> maurerh:VAS:7740:43466:YYY:/home/maurerh:/usr/local/bin/tcsh
>>
>> VAS is just another way for providing AD User with rfc2307 attributes
>> to a unix system.
>>
>> The UID/GID of this user is the one stored in AD.
>>
>> And they are identical to the ones winbind provides, because it's
>> the same user object
>> wbinfo --uid-info 7740
>> XXX\maurerh:*:7740:43466:YYY:/home/maurerh:/bin/false
>>
>>
>> With idmap_nss the Unix user maurerh should automatically be mapped
>> to the domain user XXX\maurerh
>>
>> In this case I do not expect any difference, if we have
>>
>> passwd: files winbind
>> or
>> passwd: files vas4
>> or
>> passwd: files sss
>> in order to provide the unix users from the AD to the unix system.
>>
>> The AD provides a unique unix user with Unix attributes stored in AD
>> in rfc2307 attributes
>>
>> If I connect to the samba server from the Windows side as XXX\maurerh
>> every file I create is owned by maurerh with UID 7740 in the filesystem.
>> Therefore the mapping works.
>>
>> Only when I use
>> force user = maurerh
>> or
>> force user = XXX\maurerh
>> I can not access the share anymore (which worked in 4.1.16)
>>
>> And therefore I think we have a problem with force user in 4.2,
>> which of course could be related to the winbind changes you mention
>>
>>
>> Regards
>>
>> Hansjörg
>>
>
> OK, let's see if I have it correct, you only have *one* user in AD with
> a 'uidNumber' attribute and this is the AD user 'maurerh' and this
> user does not appear in /etc/passwd.
>
> Does 'Domain Users' have a 'gidNumber' ?
>
> Can you please post your entire (sanitized if you like) smb.conf
>
> Rowland
>
we have about > 50.000 users and groups in AD and most of them are unix
enabled.
User maurerh is one of them.
maurerh is an AD user with rfc2307 attributes set.
Here are some of his AD attributes:
uid: maurerh
unixHomeDirectory: /home/maurerh
gidNumber: 43466
uidNumber: 7740
User maurerh is NOT in /etc/passwd
getent passwd maurerh shows the AD attributes using VAS
maurerh:VAS:7740:43466:YYY:/home/maurerh:/usr/local/bin/tcsh
wbinfo --uid-info 7740
XXX\maurerh:*:7740:43466:XXX:/home/DLR/maurerh:/bin/false
wbinfo -U 7740
S-1-5-21-1156737867-681972312-1097073633-27527
The domainusers group is not unix enabled (has no gidNumber)
Every user is member of domainusers.
But every user has an individual gidNumber in his user object of an
individual unix enabled group.
Only the user can be a member of this group (managed by a Metadirectory).
getent group xxx_maurerh_p
xxx_maurerh_p:VAS:43466:maurerh
wbinfo -n xxx_maurerh_p
S-1-5-21-1156737867-681972312-1097073633-131379 SID_DOM_GROUP (2)
This group is logged when I try to access the share:
The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379) does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)
Why does samba here show a LOCAL SID (S-1-22-1-7740 = S-1-22-1- + UID of
maurerh) and not the SID of maurerh
(S-1-5-21-1156737867-681972312-1097073633-27527)?
Attached you find the smb.conf
Thank you very much
Hansjörg
[global]
workgroup = XXX
realm = INTRA.XXX.DE
netbios name = FTPSERVER
server string = RM-FTP-Server
interfaces = 127.0.0.1, eth0
bind interfaces only = Yes
security = ADS
password server = *
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/log.%m
printcap name = /dev/null
machine password timeout = 604800
os level = 25
preferred master = No
local master = No
domain master = No
dns proxy = No
encrypt passwords = yes
idmap config * : backend = tdb
idmap config * : range = 1000001-1999999
idmap config DLR : backend = nss
idmap config DLR : range = 1000-1000000
max protocol = smb2
wins server =
create mask = 0664
directory mask = 0775
use sendfile = Yes
hide dot files = No
map archive = No
dont descend = lost+found
load printers= no
printing = bsd
printcap name = /dev/null
[ftp]
path = /home_local/ftp
comment = FTP-Share
browseable = yes
writeable = yes
force group = +XXX\rmc_office-rob_mf
force create mode = 0664
wide links = no
[tmpgroup]
path = /home_local/tmpgroup
comment = tmpgroup-Share
browseable = yes
writeable = yes
wide links = no
valid users = +XXX\rmc_sysadmin_mf
writeable = yes
write list = +XXX\rmc_sysadmin_mf
force group = +XXX\rmc_sysadmin_mf
create mask = 0660
force create mode = 0660
directory mask = 2770
[tmpuser]
path = /home_local/tmpuser
comment = tmpuser-Share
guest ok = no
read only = no
force group = +XXX\rmc_sysadmin_mf
force user = maurerh
create mask = 0600
force create mode = 0600
directory mask = 0700
wide links = no
follow symlinks = yes
----------------------------
Our system is equipped with an email encryption gateway. If you want email sent to you to be encrypted please send a S/MIME signed email or your PGP public key to hansjoerg.maurer at itsd.de.
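As an added illustration (not code from the thread or from Samba), the following script checks the three pieces of evidence the post compares: the NSS passwd entry, the winbind uid lookup, and the "primary group domain sid ... does not match" log line. It parses the SIDs, reports whether NSS and winbind agree on uid/gid, and flags when the user was resolved to Samba's synthetic "Unix Users" SID (S-1-22-1-<uid>) although winbind knows a real domain SID for the same uid. All sample lines are constructed in the shape shown in the post.

```python
import re

# Constructed sample data in the shape shown in the thread (not captured from a live system).
GETENT_PASSWD = "maurerh:VAS:7740:43466:YYY:/home/maurerh:/usr/local/bin/tcsh"
WBINFO_UID_INFO = "XXX\\maurerh:*:7740:43466:XXX:/home/DLR/maurerh:/bin/false"
WBINFO_USER_SID = "S-1-5-21-1156737867-681972312-1097073633-27527"
LOG_LINE = ("The primary group domain sid(S-1-5-21-1156737867-681972312-1097073633-131379)"
            " does not match the domain sid(S-1-22-1) for maurerh(S-1-22-1-7740)")

UNIX_USERS_DOMAIN = "S-1-22-1"  # Samba's synthetic domain for uids that have no domain SID mapping

LOG_RE = re.compile(r"primary group domain sid\((?P<group>S-[\d-]+)\) does not match the domain "
                    r"sid\((?P<domain>S-[\d-]+)\) for (?P<user>[^(]+)\((?P<user_sid>S-[\d-]+)\)")

def split_sid(sid):
    """Return (domain part, RID) of a SID string such as S-1-22-1-7740."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def parse_log(line):
    """Extract group SID, expected domain SID, user name and user SID from the log line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def diagnose(getent_line, wbinfo_line, wbinfo_user_sid, log_line):
    """Compare NSS, winbind and the smbd log line; return a list of findings (empty = consistent)."""
    findings = []
    uid, gid = tuple(int(f) for f in getent_line.split(":")[2:4])
    wb_uid, wb_gid = tuple(int(f) for f in wbinfo_line.split(":")[2:4])
    if (uid, gid) != (wb_uid, wb_gid):
        findings.append("nss and winbind disagree on uid/gid")
    info = parse_log(log_line)
    if info is None:
        return findings
    user_dom, user_rid = split_sid(info["user_sid"])
    group_dom, _ = split_sid(info["group"])
    if user_dom == UNIX_USERS_DOMAIN and user_rid == uid:
        findings.append("user SID is the synthetic Unix Users SID S-1-22-1-<uid>, not a domain SID")
    if split_sid(wbinfo_user_sid)[0] != user_dom:
        findings.append("winbind maps uid %d to %s but the share used %s"
                        % (uid, wbinfo_user_sid, info["user_sid"]))
    if group_dom != user_dom:
        findings.append("primary group SID domain differs from user SID domain")
    return findings
```

With the sample lines above the result reproduces the post's situation: uid/gid agree, but the user SID comes from the Unix Users domain while winbind returns a domain SID for the same uid, so the group/user domain check in smbd fails.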