enterprise-support team mailing list archive

Thread
Date

[Bug 1583056] [NEW] regression: "force user" does no work correctly in security=ads with idmap backend=nss

To: enterprise-support@xxxxxxxxxxxxxxxxxxx
From: Ian Gordon <ian.gordon@xxxxxxxxxxxx>
Date: Wed, 18 May 2016 08:53:05 -0000
Reply-to: Bug 1583056 <1583056@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

In the most recent release of samba 3.6.25-0ubuntu0.12.04.3 on Ubuntu
12.04 the "force user" does not work if the specified user happens to
also be an AD domain user. "force user" works entirely properly if the
user is a local NSS user only (/etc/passwd and ldap).

Symptoms:
Windows clients don't let you access any files which have unix permissions 700.
Mac OS clients let you create files but not delete files. The macos problem can be worked around by adding

acl check permissions = no

to the share.

I have tried Xenial's samba 4.3.9 packages and they seem to have a
similar problem in that "force user" works if the user specified is not
in the domain but you can't even map the drive if it is in the domain.

This all used to work in 12.04 before the recent security updates to
samba.

Any ideas what could be wrong?

My winbind and idmap config lines from smb.conf are

   security = ads
   realm = DOM.DOMAIN.COM

   winbind use default domain = yes
   winbind offline logon = false
   winbind refresh tickets = true
   winbind enum users = false
   winbind enum groups = false

   idmap config *:backend  = tdb
   idmap config *:range = 100000 - 199999

   idmap config DOM:backend  = nss
   idmap config DOM:readonly = yes
   idmap config DOM:default = yes
   idmap config DOM:range = 100 - 99999

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: samba 2:3.6.25-0ubuntu0.12.04.3
ProcVersionSignature: Ubuntu 3.2.0-102.142-generic 3.2.79
Uname: Linux 3.2.0-102-generic x86_64
ApportVersion: 2.0.1-0ubuntu17.13
Architecture: amd64
Date: Wed May 18 09:17:45 2016
InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Release amd64 (20120424.1)
MarkForUpload: True
SambaServerRegression: Yes
SmbConfIncluded: No
SourcePackage: samba
UbuntuFailedConnect: Yes
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.logrotate.d.samba: [modified]
mtime.conffile..etc.logrotate.d.samba: 2014-06-25T12:47:37

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug precise

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to samba in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1583056

Title:
  regression: "force user" does no work correctly in security=ads with
  idmap backend=nss

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1583056/+subscriptions

Follow ups

[Bug 1583056] Re: regression: "force user" does no work correctly in security=ads with idmap backend=nss
From: Ian Gordon, 2016-05-18