The Samba-Bugzilla – Bug 12579
force user results in share not available for active directory users
Last modified: 2017-02-13 16:02:08 UTC
Created attachment 12920: samba log debug level 10
I'm trying to use the 'force user' feature on a share in an AD environment and it fails: I cannot access the share from a Windows domain member as user 'toon', nor as user 'stel' (see below).
When I remove the 'force user', the share is available.
I want files stored on the share (by other domain users, such as user 'stel', see below) to obtain the uid/gid of the 'force user = toon'.
I know this bug/error has been discussed before, however, the related posts do not solve this problem for me.
I have tried:
1) removing 'force user': the share is available
2) adding 'force group': does not change things, share still not available
3) 'winbind use default domain = no' and 'force user = VONDERKAMP\toon': does not change things, share still not available
4) tested with other users: no change
Using samba 4.2.14-Debian on Debian-Lenny. It was working previously on Debian-Wheezy.
The log (at debug level = 10) shows:
[2017/02/13 08:49:05.153857, 1, pid=31911, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info.c:396(SamInfo3_handle_sids)
The primary group domain sid(S-1-5-21-2784292050-724950362-990980605-3001) does not match the domain sid(S-1-5-21-437306792-4118923543-1308149834) for toon(S-1-22-1-1001)
security = ADS
workgroup = VONDERKAMP
realm = VONDERKAMP.XX.XXXXXX.COM
netbios name = LENO
log file = /var/log/samba/%m.log
log level = 10
# use the winbind 'ad' backend. (see https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Preparing_the_host_for_the_domain_join )
# Default idmap config used for BUILTIN and local windows accounts/groups
idmap config *:backend = tdb
idmap config *:range = 100-999
# idmap config for domain VONDERKAMP
idmap config VONDERKAMP:backend = ad
idmap config VONDERKAMP:schema_mode = rfc2307
idmap config VONDERKAMP:range = 1000-99999
username map = /etc/samba/user.map
kerberos method = secrets and keytab
# Use settings from AD for login shell and home directory
winbind nss info = rfc2307

writeable = yes
valid users = stel,toon,@guepin
write list = guepin
path = /home/toon/svn
force group = guepin
force user = toon
The samba server LENO:
root@leno:/etc/samba# net getdomainsid
SID for local machine LENO is: S-1-5-21-437306792-4118923543-1308149834
SID for domain VONDERKAMP is: S-1-5-21-2784292050-724950362-990980605
The mapping toon(S-1-22-1-1001) seems to be correct.
The mapping of the primary group domain sid(S-1-5-21-2784292050-724950362-990980605-3001) seems correct (toon belongs to this group).
What seems odd to me is that the domain sid(S-1-5-21-437306792-4118923543-1308149834) in the error matches the SID of the local machine LENO.
Is this a bug or a configuration error?
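The following is an added example, not part of the bug report and not Samba code: a small Python script that parses the SamInfo3_handle_sids line and the net getdomainsid output quoted above and reports which known SID each value belongs to. The input strings are copied from the report; the function names, the result keys and the S-1-22 classification comments are my own. It only makes the comparison the reporter did by hand and does not decide whether this is a bug or a configuration error.

```python
"""Match the SIDs in a Samba 'primary group domain sid ... does not match'
log line against the SIDs printed by 'net getdomainsid'."""
import re

# Inputs taken verbatim from the bug report (wrapped here only for readability).
MISMATCH_LINE = (
    "The primary group domain sid(S-1-5-21-2784292050-724950362-990980605-3001) "
    "does not match the domain sid(S-1-5-21-437306792-4118923543-1308149834) "
    "for toon(S-1-22-1-1001)"
)
GETDOMAINSID_OUTPUT = """\
SID for local machine LENO is: S-1-5-21-437306792-4118923543-1308149834
SID for domain VONDERKAMP is: S-1-5-21-2784292050-724950362-990980605
"""

# A SID is S-1-<authority>-<subauthority>[-<subauthority>...]
SID_RE = r"S-1-\d+(?:-\d+)+"


def split_sid(sid):
    """Split a SID into (domain/issuer prefix, trailing RID)."""
    parts = sid.split("-")
    return "-".join(parts[:-1]), int(parts[-1])


def sid_kind(sid):
    """Rough classification of where a SID comes from."""
    if sid.startswith("S-1-22-1-"):
        # S-1-22-1-<uid>: Samba's 'Unix Users' SID, used for a uid that has
        # no SID mapping in the idmap/passdb backends.
        return "unix user without SID mapping"
    if sid.startswith("S-1-22-2-"):
        return "unix group without SID mapping"
    if sid.startswith("S-1-5-21-"):
        return "domain or local machine account"
    return "other"


def parse_getdomainsid(text):
    """Return {name: (scope, sid)} from 'net getdomainsid' output."""
    pattern = r"SID for (local machine|domain) (\S+) is: (" + SID_RE + ")"
    return {m.group(2): (m.group(1), m.group(3))
            for m in re.finditer(pattern, text)}


def parse_mismatch(line):
    """Extract group SID, domain SID, user name and user SID from the log line."""
    m = re.search(
        r"primary group domain sid\((?P<group>" + SID_RE + r")\) does not match "
        r"the domain sid\((?P<domain>" + SID_RE + r")\) "
        r"for (?P<user>[^\s(]+)\((?P<usersid>" + SID_RE + r")\)",
        line,
    )
    return m.groupdict() if m else None


def diagnose(line, getdomainsid_text):
    """Say which known SID (domain or local machine) each value belongs to."""
    fields = parse_mismatch(line)
    if fields is None:
        raise ValueError("not a SamInfo3_handle_sids mismatch line")
    known = parse_getdomainsid(getdomainsid_text)
    by_sid = {sid: (name, scope) for name, (scope, sid) in known.items()}
    group_domain, group_rid = split_sid(fields["group"])
    unknown = ("unknown", "unknown")
    return {
        "user": fields["user"],
        "user_sid_kind": sid_kind(fields["usersid"]),
        "group_rid": group_rid,
        "group_domain_owner": by_sid.get(group_domain, unknown)[0],
        "domain_sid_owner": by_sid.get(fields["domain"], unknown)[0],
        "domain_sid_is_local_machine":
            by_sid.get(fields["domain"], unknown)[1] == "local machine",
    }


if __name__ == "__main__":
    for key, value in diagnose(MISMATCH_LINE, GETDOMAINSID_OUTPUT).items():
        print(f"{key}: {value}")
```

Run it as is to reproduce the reporter's observation: the primary group SID carries the VONDERKAMP domain prefix, the SID the log calls "the domain sid" is the one net getdomainsid prints for the local machine LENO, and the user SID for toon is an S-1-22-1 Unix-user SID rather than a domain SID. To reuse it on another server, replace the two constants with the real log line and the real net getdomainsid output.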