[Bug 1583056] [NEW] regression: "force user" does not work correctly in security=ads with idmap backend=nss

Ian Gordon ian.gordon at strath.ac.uk
Wed May 18 08:53:05 UTC 2016


Public bug reported:

In the most recent release of samba 3.6.25-0ubuntu0.12.04.3 on Ubuntu
12.04 the "force user" does not work if the specified user happens to
also be an AD domain user. "force user" works entirely properly if the
user is a local NSS user only (/etc/passwd and ldap).

Symptoms:
Windows clients don't let you access any files which have unix permissions 700.
Mac OS clients let you create files but not delete files. The Mac OS problem can be worked around by adding

acl check permissions = no

to the share.

I have tried Xenial's samba 4.3.9 packages and they seem to have a
similar problem in that "force user" works if the user specified is not
in the domain but you can't even map the drive if it is in the domain.

This all used to work in 12.04 before the recent security updates to
samba.

Any ideas what could be wrong?

My winbind and idmap config lines from smb.conf are

   security = ads
   realm = DOM.DOMAIN.COM

   winbind use default domain = yes
   winbind offline logon = false
   winbind refresh tickets = true
   winbind enum users = false
   winbind enum groups = false

   idmap config *:backend  = tdb
   idmap config *:range = 100000 - 199999

   idmap config DOM:backend  = nss
   idmap config DOM:readonly = yes
   idmap config DOM:default = yes
   idmap config DOM:range = 100 - 99999

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: samba 2:3.6.25-0ubuntu0.12.04.3
ProcVersionSignature: Ubuntu 3.2.0-102.142-generic 3.2.79
Uname: Linux 3.2.0-102-generic x86_64
ApportVersion: 2.0.1-0ubuntu17.13
Architecture: amd64
Date: Wed May 18 09:17:45 2016
InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Release amd64 (20120424.1)
MarkForUpload: True
SambaServerRegression: Yes
SmbConfIncluded: No
SourcePackage: samba
UbuntuFailedConnect: Yes
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.logrotate.d.samba: [modified]
mtime.conffile..etc.logrotate.d.samba: 2014-06-25T12:47:37

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug precise

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1583056
