Bug 12579 - force user results in share not available for active directory users
Summary: force user results in share not available for active directory users
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.2.14
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2017-02-13 10:13 UTC by Tony Guepin
Modified: 2018-03-28 22:54 UTC

See Also:

samba log debug level 10 (187.80 KB, text/plain)
2017-02-13 10:13 UTC, Tony Guepin

Description Tony Guepin 2017-02-13 10:13:39 UTC
Created attachment 12920
samba log debug level 10

I'm trying to use the 'force user' feature on a share in an AD environment and it fails: I cannot access the share from a Windows domain member as user 'toon', nor as user 'stel' (see below).
When I remove the 'force user', the share is available.
I want files stored on the share (by other domain users, such as user 'stel', see below) to obtain the uid/gid of the 'force user = toon'.

I know this bug/error has been discussed before, however, the related posts do not solve this problem for me.

I have tried:
1) removing 'force user': the share is available
2) adding 'force group': does not change things, share still not available
3) 'winbind use default domain = no' and 'force user = VONDERKAMP\toon': does not change things, share still not available
4) testing with other users: no change

Using samba 4.2.14-Debian on Debian-Lenny; it was working previously on Debian-Wheezy.

The log (at debug level = 10) shows:

2017/02/13 08:49:05.153857,  1, pid=31911, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info.c:396(SamInfo3_handle_sids)
  The primary group domain sid(S-1-5-21-2784292050-724950362-990980605-3001) does not match the domain sid(S-1-5-21-437306792-4118923543-1308149834) for toon(S-1-22-1-1001)

My configuration:

        security = ADS
        workgroup = VONDERKAMP
        netbios name = LENO

        log file = /var/log/samba/%m.log
        log level = 10

        # use the winbind 'ad' backend. (see https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Preparing_the_host_for_the_domain_join )
        # Default idmap config used for BUILTIN and local windows accounts/groups
        idmap config *:backend = tdb
        idmap config *:range = 100-999

        # idmap config for domain VONDERKAMP
        idmap config VONDERKAMP:backend = ad
        idmap config VONDERKAMP:schema_mode = rfc2307
        idmap config VONDERKAMP:range = 1000-99999

        username map = /etc/samba/user.map
        kerberos method = secrets and keytab

        # Use settings from AD for login shell and home directory
        winbind nss info = rfc2307

        writeable = yes
        valid users = stel,toon,@guepin
        write list = guepin
        path = /home/toon/svn
        force group = guepin
        force user = toon

The samba server LENO :
root@leno:/etc/samba# net getdomainsid
SID for local machine LENO is: S-1-5-21-437306792-4118923543-1308149834
SID for domain VONDERKAMP is: S-1-5-21-2784292050-724950362-990980605

The mapping toon(S-1-22-1-1001) seems to be correct.
The mapping group domain sid(S-1-5-21-2784292050-724950362-990980605-3001) seems correct (toon belongs to this group).

What seems odd to me is that the domain sid(S-1-5-21-437306792-4118923543-1308149834) in the error matches the SID of the local machine.

Is this a bug or a configuration error?
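To make the reporter's last observation mechanical, here is an added Python snippet (not part of the report or of Samba) that parses the `net getdomainsid` output and the SamInfo3_handle_sids log line quoted above, and reports which of the two known SIDs each side of the failed comparison belongs to. Sample inputs are constructed from the values in the report.

```python
import re

# Constructed sample inputs, copied from the report above.
NET_GETDOMAINSID = """\
SID for local machine LENO is: S-1-5-21-437306792-4118923543-1308149834
SID for domain VONDERKAMP is: S-1-5-21-2784292050-724950362-990980605
"""
LOG_LINE = (
    "The primary group domain sid(S-1-5-21-2784292050-724950362-990980605-3001) "
    "does not match the domain sid(S-1-5-21-437306792-4118923543-1308149834) "
    "for toon(S-1-22-1-1001)"
)

def parse_getdomainsid(text):
    """Map 'machine' and 'domain' to the SIDs printed by `net getdomainsid`."""
    sids = {}
    for line in text.splitlines():
        m = re.match(r"SID for (local machine|domain) \S+ is: (S-1-5-21(?:-\d+){3})$", line)
        if m:
            sids["machine" if m.group(1) == "local machine" else "domain"] = m.group(2)
    return sids

def parse_mismatch(line):
    """Pull the three SIDs out of the SamInfo3_handle_sids error message."""
    m = re.search(
        r"primary group domain sid\((?P<group>S-[\d-]+)\) does not match "
        r"the domain sid\((?P<domain>S-[\d-]+)\) for (?P<user>\w+)\((?P<usid>S-[\d-]+)\)",
        line,
    )
    return m.groupdict() if m else None

def domain_of(sid):
    """Strip the trailing RID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]

def diagnose(log_line, getdomainsid_output):
    err = parse_mismatch(log_line)
    known = parse_getdomainsid(getdomainsid_output)
    if err is None or len(known) != 2:
        return None
    by_sid = {sid: kind for kind, sid in known.items()}
    return {
        "user": err["user"],
        # Which SID printed by `net getdomainsid` is each side of the comparison?
        "group_domain_is": by_sid.get(domain_of(err["group"]), "unknown"),
        "compared_domain_is": by_sid.get(err["domain"], "unknown"),
        # S-1-22-1-<uid> is Samba's SID namespace for local Unix users, not AD accounts.
        "user_resolved_as_unix_user": err["usid"].startswith("S-1-22-1-"),
    }
```

Run on the report's values, `diagnose()` shows the group's domain part is the VONDERKAMP domain SID while the "domain sid" it was compared against is the local machine SID, and that 'toon' was resolved as a Unix user rather than a domain account.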