12579 – force user results in share not available for active directory users

Bug 12579 - force user results in share not available for active directory users

Summary: force user results in share not available for active directory users

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.2.14
Hardware:	x64 Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Andrew Bartlett
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-02-13 10:13 UTC by Tony Guepin
Modified:	2018-03-28 22:54 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
samba log debug level 10 (187.80 KB, text/plain) 2017-02-13 10:13 UTC, Tony Guepin	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tony Guepin 2017-02-13 10:13:39 UTC

Created attachment 12920 [details]
samba log debug level 10

I'm trying to use the 'force user' feature on a share in an AD environment and it fails, I cannot access the share from a windows domain member as user 'toon', neither with user 'stel' (see below).
When I remove the 'force user', then the share is available.
I want files stored on the share(by other domain users, such as user 'stel', see below), to obtain the uid/gid of the 'force user = toon'.

I know this bug/error has been discussed before, however, the related posts do not solve this problem for me.

I have tried:
1) remove 'force user' and the share is available
2) added 'force group' does not change things, share still not available
3) 'winbind use default domain = no' and 'force user = VONDERKAMP\toon',
does not change things, share still not available
4) tested with other users, no change

Using samba 4.2.14-Debian in Debian-Lenny, It was working previously in Debian-Wheezy.

The log (at debug level = 10) shows:

2017/02/13 08:49:05.153857,  1, pid=31911, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info.c:396(SamInfo3_handle_sids)
  The primary group domain sid(S-1-5-21-2784292050-724950362-990980605-3001) does not match the domain sid(S-1-5-21-437306792-4118923543-1308149834) for toon(S-1-22-1-1001)

My configuration:

[global]
        security = ADS
        workgroup = VONDERKAMP
        realm = VONDERKAMP.XX.XXXXXX.COM
        netbios name = LENO

        log file = /var/log/samba/%m.log
        log level = 10

        # use the winbind 'ad' backend. (see https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Preparing_the_host_for_the_domain_join )
        # Default idmap config used for BUILTIN and local windows accounts/groups
        idmap config *:backend = tdb
        idmap config *:range = 100-999

        # idmap config for domain VONDERKAMP
        idmap config VONDERKAMP:backend = ad
        idmap config VONDERKAMP:schema_mode = rfc2307
        idmap config VONDERKAMP:range = 1000-99999

        username map = /etc/samba/user.map
        kerberos method = secrets and keytab

        # Use settings from AD for login shell and home directory
        winbind nss info = rfc2307

[svn]
        writeable = yes
        valid users = stel,toon,@guepin
        write list = guepin
        path = /home/toon/svn
        force group = guepin
        force user = toon


The samba server LENO :
root@leno:/etc/samba# net getdomainsid
SID for local machine LENO is: S-1-5-21-437306792-4118923543-1308149834
SID for domain VONDERKAMP is: S-1-5-21-2784292050-724950362-990980605

The mapping toon(S-1-22-1-1001) seems to be correct.
The mapping group domain sid(S-1-5-21-2784292050-724950362-990980605-3001) seems correct (toon belongs to this group).

What occurs awkward to me is that the domain sid(S-1-5-21-437306792-4118923543-1308149834) in the error matches the
SID of the local machine.

Is this a bug or a configuration error ?