Ryan
2019-Jul-31 15:58 UTC
[Samba] The primary group domain sid(...) does not match the domain sid(.) for user(...)
I have a domain member server running totally separate authorization against an LDAP server independent of the domain.

Refer to the email chain "[Samba] WBC_ERR_DOMAIN_NOT_FOUND error with RFC2307" for more details if necessary.

All user and group authentication against the AD server works correctly, and all user and group authorization using the LDAP server works correctly with my custom script, the brief and simple source of which is included above. For shares that use "force user", however, users are not authorized correctly, and I get an error such as "The primary group domain sid(...) does not match the domain sid(.) for user(...)". This occurs even if the connecting user is the same as the user defined by "force user" and in cases where the connecting user would otherwise be able to access the share.

Why is this happening? How can I correct this?

Ryan
Ryan
2019-Jul-31 16:04 UTC
[Samba] The primary group domain sid(...) does not match the domain sid(.) for user(...)
Also, "force group" works just fine, not resulting in the same issue, but the groups do not exist in the AD, whereas the usernames do. Also, whether "force user" is set with <user> or DOMAIN\<user>, I still have the same problem.

On Wed, Jul 31, 2019 at 11:58 AM Ryan <rlichtenwalter at gmail.com> wrote:
> I have a domain member server running totally separate authorization
> against an LDAP server independent of the domain.
>
> Refer to the email chain "[Samba] WBC_ERR_DOMAIN_NOT_FOUND error with
> RFC2307" for more details if necessary.
>
> All user and group authentication against the AD server works correctly,
> and all user and group authorization using the LDAP server works correctly
> with my custom script, the brief and simple source of which is included
> above. For shares that use "force user", however, users are not authorized
> correctly, and I get an error such as "The primary group domain sid(...)
> does not match the domain sid(.) for user(...)". This occurs even if the
> connecting user is the same as the user defined by "force user" and in
> cases where the connecting user would otherwise be able to access the share.
>
> Why is this happening? How can I correct this?
>
> Ryan
>