[Pkg-samba-maint] [Bug 8598] force user fails for active directory users

samba-bugs at samba.org samba-bugs at samba.org
Fri Apr 25 17:17:54 UTC 2014


https://bugzilla.samba.org/show_bug.cgi?id=8598

--- Comment #37 from Brian Campbell <brian.campbell at editshare.com> 2014-04-25 17:17:53 UTC ---
Adding the domain explicitly to the "force user" option had the same effect; it
still tried looking up the user in the local domain, lmbd-ad-mstr, not the AD
domain:

[2014/04/25 11:55:44.715034, 10, pid=9454, effective(0, 0), real(0, 0)]
../source3/smbd/share_access.c:237(user_ok_token)
  user_ok_token: share mxfsamba4_1 is ok for unix user andy
[2014/04/25 11:55:44.715108,  5, pid=9454, effective(0, 0), real(0, 0)]
../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user MYDOMAIN\andy.liebman
[2014/04/25 11:55:44.715143,  5, pid=9454, effective(0, 0), real(0, 0)]
../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is mydomain\andy.liebman
[2014/04/25 11:55:44.971290,  5, pid=9454, effective(0, 0), real(0, 0)]
../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [MYDOMAIN\andy.liebman]!
[2014/04/25 11:55:44.971368, 10, pid=9454, effective(0, 0), real(0, 0)]
../source3/passdb/lookup_sid.c:77(lookup_name)
  lookup_name: LMBD-AD-MSTR\andy.liebman => domain=[LMBD-AD-MSTR],
name=[andy.liebman]
[2014/04/25 11:55:44.971400, 10, pid=9454, effective(0, 0), real(0, 0)]
../source3/passdb/lookup_sid.c:78(lookup_name)
  lookup_name: flags = 0x073
[2014/04/25 11:55:44.971431,  4, pid=9454, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2014/04/25 11:55:44.971460,  4, pid=9454, effective(0, 0), real(0, 0)]
../source3/smbd/uid.c:485(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2014/04/25 11:55:44.971486,  4, pid=9454, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:316(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2014/04/25 11:55:44.971513,  5, pid=9454, effective(0, 0), real(0, 0)]
../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2014/04/25 11:55:44.971534,  5, pid=9454, effective(0, 0), real(0, 0)]
../source3/auth/token_util.c:629(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2014/04/25 11:55:44.971534, 10, pid=9454, effective(0, 0), real(0, 0),
class=passdb] ../source3/passdb/pdb_smbpasswd.c:1293(smbpasswd_getsampwnam)
  getsampwnam (smbpasswd): search by name: andy.liebman
[2014/04/25 11:55:44.971534, 10, pid=9454, effective(0, 0), real(0, 0),
class=passdb] ../source3/passdb/pdb_smbpasswd.c:238(startsmbfilepwent)

... snip failed search in smbpasswd ...

[2014/04/25 11:55:44.971829,  4, pid=9454, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2014/04/25 11:55:44.971857,  4, pid=9454, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2014/04/25 11:55:44.971883,  4, pid=9454, effective(0, 0), real(0, 0)]
../source3/smbd/uid.c:485(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2014/04/25 11:55:44.971908,  4, pid=9454, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:316(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2014/04/25 11:55:44.971933,  5, pid=9454, effective(0, 0), real(0, 0)]
../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2014/04/25 11:55:44.971957,  5, pid=9454, effective(0, 0), real(0, 0)]
../source3/auth/token_util.c:629(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2014/04/25 11:55:44.972014, 10, pid=9454, effective(0, 0), real(0, 0)]
../source3/groupdb/mapping_tdb.c:272(find_map)
  failed to unpack map
[2014/04/25 11:55:44.972048, 10, pid=9454, effective(0, 0), real(0, 0)]
../source3/groupdb/mapping_tdb.c:272(find_map)
  failed to unpack map
[2014/04/25 11:55:44.972092,  4, pid=9454, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2014/04/25 11:55:44.972123, 10, pid=9454, effective(0, 0), real(0, 0)]
../source3/passdb/lookup_sid.c:77(lookup_name)
  lookup_name: Unix User\andy.liebman => domain=[Unix User],
name=[andy.liebman]
[2014/04/25 11:55:44.972149, 10, pid=9454, effective(0, 0), real(0, 0)]
../source3/passdb/lookup_sid.c:78(lookup_name)
  lookup_name: flags = 0x073
[2014/04/25 11:55:44.973496,  5, pid=9454, effective(0, 0), real(0, 0)]
../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user andy.liebman
[2014/04/25 11:55:44.973578,  5, pid=9454, effective(0, 0), real(0, 0)]
../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is andy.liebman
[2014/04/25 11:55:44.973810,  5, pid=9454, effective(0, 0), real(0, 0)]
../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [andy.liebman]!
[2014/04/25 11:55:44.973923, 10, pid=9454, effective(0, 0), real(0, 0)]
../source3/passdb/lookup_sid.c:1220(gid_to_sid)
  gid 16777222 -> sid S-1-5-21-832283782-3302318743-1924928875-513
[2014/04/25 11:55:44.973963,  1, pid=9454, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/server_info.c:550(passwd_to_SamInfo3)
  The primary group domain sid(S-1-5-21-832283782-3302318743-1924928875-513)
does not match the domain sid(S-1-22-1) for andy.liebman(S-1-22-1-16777217)


However, per Volker's suggestion about "winbind use default domain = yes" I
tried turning that off, and was able to successfully connect to the share, and
got the correct SID so that ACLs now work properly. In order for it to work, I
need to turn off "winbind use default domain" and provide the explicit domain
in the "force user" option.

Now I need to figure out if we can work around the lack of "winbind use default
domain = yes" or if we will need to find a way to get that to work, but that
looks like more of a bug in "winbind use default domain" than in this patch.

-- 
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
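The failure quoted in the comment above can be picked out of an smbd debug log mechanically. The following is an added example, not part of the original message or of Samba; the function name `triage` and the field names it returns are hypothetical. It reports which domain the `force user` lookup asked for, which domains `lookup_name` actually tried, and whether the account ended up under the `S-1-22-1` SID that the log shows for the "Unix User" domain.

```python
import re

# Excerpt of the smbd log quoted in the comment above (mail wrapping kept).
SAMPLE_LOG = r"""
[2014/04/25 11:55:44.715108,  5, pid=9454, effective(0, 0), real(0, 0)]
../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user MYDOMAIN\andy.liebman
[2014/04/25 11:55:44.971368, 10, pid=9454, effective(0, 0), real(0, 0)]
../source3/passdb/lookup_sid.c:77(lookup_name)
  lookup_name: LMBD-AD-MSTR\andy.liebman => domain=[LMBD-AD-MSTR],
name=[andy.liebman]
[2014/04/25 11:55:44.972123, 10, pid=9454, effective(0, 0), real(0, 0)]
../source3/passdb/lookup_sid.c:77(lookup_name)
  lookup_name: Unix User\andy.liebman => domain=[Unix User],
name=[andy.liebman]
[2014/04/25 11:55:44.973963,  1, pid=9454, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/server_info.c:550(passwd_to_SamInfo3)
  The primary group domain sid(S-1-5-21-832283782-3302318743-1924928875-513)
does not match the domain sid(S-1-22-1) for andy.liebman(S-1-22-1-16777217)
"""

UNIX_USERS_SID = "S-1-22-1"  # Samba's synthetic "Unix User" domain
SID = r"S-\d+(?:-\d+)+"
MISMATCH = re.compile(
    rf"primary group domain sid\(({SID})\) does not match the domain "
    rf"sid\(({SID})\) for ([^\s(]+)\(({SID})\)")
REQUESTED = re.compile(r"Finding user ([^\\\s]+)\\(\S+)")
LOOKUP = re.compile(r"lookup_name: [^=]+ => domain=\[([^\]]*)\], name=\[([^\]]*)\]")


def triage(log_text):
    """Return one finding per passwd_to_SamInfo3 SID-mismatch message."""
    flat = " ".join(log_text.split())  # undo line wrapping inside messages
    requested = {user: dom for dom, user in REQUESTED.findall(flat)}
    tried = {}
    for dom, user in LOOKUP.findall(flat):
        tried.setdefault(user, []).append(dom)
    findings = []
    for _group_sid, domain_sid, user, user_sid in MISMATCH.findall(flat):
        want = requested.get(user)
        findings.append({
            "user": user,
            "requested_domain": want,
            "domains_tried": tried.get(user, []),
            "requested_domain_tried": want in tried.get(user, []),
            "unix_fallback": domain_sid == UNIX_USERS_SID,
            "user_sid": user_sid,
        })
    return findings
```

A finding with `requested_domain_tried` false and `unix_fallback` true matches the case described in the comment: the share would be accessed under a local Unix SID rather than the AD user's SID, so ACLs written for the domain account do not apply.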


