[Pkg-samba-maint] [Bug 8598] force user fails for active directory users

samba-bugs at samba.org samba-bugs at samba.org
Thu Apr 24 23:45:05 UTC 2014


https://bugzilla.samba.org/show_bug.cgi?id=8598

--- Comment #33 from Brian Campbell <brian.campbell at editshare.com> 2014-04-24 23:45:02 UTC ---
I need to be able to map local users to AD users, so we can have certain
services impersonate the AD users for purposes of file ownership and
permissions on the server. Based on the bug description, this patch looked like
what I would need, but when I tried applying the latest v4-1-test patch to
4.1.7, I get the same behavior described in the original report; the connection
fails with an error about mismatched groups. In this particular test case, I
have a local user "andy" with "force user = andy.liebman", an AD user.

[2014/04/24 19:41:13.675568, 10, pid=3230, effective(0, 0), real(0, 0)]
../source3/passdb/lookup_sid.c:77(lookup_name)
  lookup_name: Unix User\andy.liebman => domain=[Unix User],
name=[andy.liebman]
[2014/04/24 19:41:13.675600, 10, pid=3230, effective(0, 0), real(0, 0)]
../source3/passdb/lookup_sid.c:78(lookup_name)
  lookup_name: flags = 0x073
[2014/04/24 19:41:13.676043,  5, pid=3230, effective(0, 0), real(0, 0)]
../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user andy.liebman
[2014/04/24 19:41:13.676089,  5, pid=3230, effective(0, 0), real(0, 0)]
../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is andy.liebman
[2014/04/24 19:41:13.676124,  5, pid=3230, effective(0, 0), real(0, 0)]
../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [andy.liebman]!
[2014/04/24 19:41:13.676238, 10, pid=3230, effective(0, 0), real(0, 0)]
../source3/passdb/lookup_sid.c:1220(gid_to_sid)
  gid 16777222 -> sid S-1-5-21-832283782-3302318743-1924928875-513
[2014/04/24 19:41:13.676285,  1, pid=3230, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/server_info.c:550(passwd_to_SamInfo3)
  The primary group domain sid(S-1-5-21-832283782-3302318743-1924928875-513)
does not match the domain sid(S-1-22-1) for andy.liebman(S-1-22-1-16777217)
[2014/04/24 19:41:13.676342,  5, pid=3230, effective(0, 0), real(0, 0)]
../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order)
  check lock order 1 for /var/run/samba/smbXsrv_tcon_global.tdb

editshare at lmbd-ad-mstr:~$ getent passwd andy.liebman
andy.liebman:*:16777217:16777222::/home/andy.liebman:/sbin/nologin

editshare at lmbd-ad-mstr:~$ getent group mxfsamba4
mxfsamba4:x:502:editshare,_flow,brian.p.campbell,andy.liebman,brian,andy

editshare at lmbd-ad-mstr:~$ wbinfo -U 16777217
S-1-5-21-832283782-3302318743-1924928875-1133

editshare at lmbd-ad-mstr:~$ wbinfo -G 16777222
S-1-5-21-832283782-3302318743-1924928875-513

It looks like for some reason it's mapping the primary group to the user's AD
primary group SID, but only mapping the user to the Unix User SID, not the AD
SID.

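Added example, not part of the original comment and not Samba code: a small Python check that pulls the SIDs out of the passwd_to_SamInfo3 message quoted above and compares them with what `wbinfo -U` returned for the same uid. The function names and the result keys are assumptions made for this illustration.

```python
import re

UNIX_USERS = "S-1-22-1"  # "Unix User" pseudo-domain, as printed in the log

# Matches the passwd_to_SamInfo3 message as it appears in the log above;
# \s+ tolerates the line wrap in the middle of the message.
MISMATCH = re.compile(
    r"primary group domain sid\((S-[\d-]+)\)\s+does not match the domain "
    r"sid\((S-[\d-]+)\) for (\S+?)\((S-[\d-]+)\)"
)


def split_rid(sid):
    """Split 'S-1-...-RID' into (domain SID, RID); reject malformed input."""
    parts = sid.strip().split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID with a RID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def diagnose(log_text, wbinfo_user_sid):
    """Return a summary of the mismatch, or None if the log has no such line."""
    m = MISMATCH.search(log_text)
    if m is None:
        return None
    group_sid, _logged_domain, user, user_sid = m.groups()
    group_dom, _ = split_rid(group_sid)
    user_dom, uid_as_rid = split_rid(user_sid)
    wb_dom, wb_rid = split_rid(wbinfo_user_sid)
    return {
        "user": user,
        "user_fell_back_to_unix_user": user_dom == UNIX_USERS,
        "uid": uid_as_rid,  # under S-1-22-1 the last component is the uid
        # True when winbind puts the same account in the group's domain, i.e.
        # only the user half of the mapping ended up under S-1-22-1.
        "winbind_agrees_with_group_domain": wb_dom == group_dom,
        "winbind_user_rid": wb_rid,
    }


# Log excerpt and wbinfo -U result copied from the comment above.
SAMPLE_LOG = """\
  The primary group domain sid(S-1-5-21-832283782-3302318743-1924928875-513)
does not match the domain sid(S-1-22-1) for andy.liebman(S-1-22-1-16777217)
"""
REPORT = diagnose(SAMPLE_LOG, "S-1-5-21-832283782-3302318743-1924928875-1133")

if __name__ == "__main__":
    print(REPORT)
```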


