Christopher Odenbach
2002-Sep-13 13:45 UTC
[Samba] sid_to_uid: Domain controller lookup missing
Hi,

trying to investigate my xfs-acl problem I think I have found the missing part:

In smbd/uid.c the function "sid_to_uid" resolves SIDs to unix user names. This is done as follows:

- First the domain part of the SID is compared to the local domain (if the SID belongs to the samba server it can be resolved locally)
- In all other cases winbindd is asked

This works well if the samba server is the domain controller, but it seems to fail when an NT 4 Server is used as password server.

So I suppose there is one step missing in between: If the domain part of the SID is equal to the domain name (set by the workgroup parameter) ask a PDC or BDC (set by the password server parameter or magically found out with *).

Something with cli_lsa_lookup_sids() seems to be helpful, just as in rpcclient.

Am I totally wrong?

Greets,

Christopher

--
=====================================================
Dipl.-Ing. Christopher Odenbach
HNI Rechnerbetrieb
odenbach@uni-paderborn.de
Tel.: +49 5251 60 6215
======================================================
Andrew Bartlett
2002-Sep-14 03:49 UTC
[Samba] sid_to_uid: Domain controller lookup missing
Christopher Odenbach wrote:
> Hi,
>
> trying to investigate my xfs-acl problem I think I have found the
> missing part:
>
> In smbd/uid.c the function "sid_to_uid" resolves SIDs to unix user
> names. This is done as follows:
>
> - First the domain part of the SID is compared to the local domain (if
>   the SID belongs to the samba server it can be resolved locally)
> - In all other cases winbindd is asked
>
> This works well if the samba server is the domain controller, but it
> seems to fail when an NT 4 Server is used as password server.
>
> So I suppose there is one step missing in between: If the domain part
> of the SID is equal to the domain name (set by the workgroup parameter)
> ask a PDC or BDC (set by the password server parameter or magically
> found out with *).

This is what winbind does. smbd asks winbind, winbind asks the relevant DC.

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
> Message: 21
> From: Christopher Odenbach <odenbach@hni.uni-paderborn.de>
> Organization: Heinz Nixdorf Institut
> To: abartlet@dp.samba.org
> Subject: Re: [Samba] sid_to_uid: Domain controller lookup missing
> Date: Mon, 16 Sep 2002 11:20:24 +0200
> Cc: samba@samba.org
>
> Hi,
>
> > > I hope you understand the problem.
> >
> > This behaviour is by design. Winbind is an nss module and expects to
> > be the final authority on these matters. Given recent issues with
> > Win2k SP3 and WinXP SP1, this might change, but this is not a trivial
> > change.
> >
> > The basic idea is that if you have users in /etc/passwd or yp, you
> > don't need to run winbind.
>
> OK - this is what I said in the first place. You just told me two mails
> ago to use winbind... ;-)
>
> > > So I suppose there is one step missing in between: If the domain
> > > part of the SID is equal to the domain name (set by the workgroup
> > > parameter) ask a PDC or BDC (set by the password server parameter
> > > or magically found out with *).
> >
> > This is what winbind does. smbd asks winbind, winbind asks the
> > relevant DC.
>
> I am a bit confused now. Let me try to explain what I think is going on:
>
> Scenario: A simple user (me) tries to add another user to the ACL of a
> file which lies on a samba server with ACL support and underlying XFS.
> The added user shall be called 'axel'.
>
> - User (me) adds user and clicks ok
> - Windows box sends request to samba server asking to add the SID xyz
>   to the ACL of the file abc
> - Samba tries to resolve the SID locally which does not work, because
>   the samba server is not the domain controller
> - Samba asks winbind to resolve the SID
> - winbind sends a 'lookupsid' request to a domain controller and gets
>   HNIRB\axel
>
> up to this point no problem
>
> - winbind looks for this username in its own database and - as there is
>   no such user - creates a new one with the first uid of the specified
>   pool (40000)
>
> This is wrong as there already exists such a user in yp. Could the
> trouble be that winbind assumes that if it is used, there will be an
> entry "winbind" in the nsswitch.conf? Perhaps it should just do a
> 'getpwnam <name without domain part>' to see if there is a user in the
> database that is specified in nsswitch.conf. If this does not give
> anything then try the name including the domain.
>
> Please make things clearer to me. :-)

In samba-2.2.x there is no way for ACLs to work on a server that does not have the SID matching the domain, and winbind supposedly can't (except with older versions of samba-2.2.x on the DC) use a samba server.

This means:

1) Make all your samba servers that need ACLs domain controllers. This can be done with ldap as passdb backend (haven't tested, but it should work I think)
2) Only use ACLs on the DC
3) Use samba_head on the DC

If winbind is actually working, but the only problem is that the username it gets doesn't match the local username, then you should try 'winbind use default domain = yes' in your smb.conf on all the machines running winbind, so that winbind will look up axel, instead of HNIRB\axel.

If I were you (and we're going to be doing this soon), I would choose (a).
Buchan

--
|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
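A small Python model of the resolution path argued over in this thread, added here as an illustration; it is not Samba's smbd/uid.c or winbindd code, and every SID, account, RID and table in it is constructed. It shows smbd's dispatch between the local passdb and winbind, winbind's 'lookupsid' to the DC, the getpwnam-before-allocating check Christopher asks for, and how 'winbind use default domain' decides whether HNIRB\axel or axel is the name looked up, which is what turns the 40000 pool uid into the existing yp uid.

```python
import re

# Constructed sample environment (no real SIDs or accounts).
LOCAL_SID = "S-1-5-21-100-200-300"        # SID of this samba server
LOCAL_PASSDB = {1001: "chris"}            # RID -> name in the local passdb
DC_LOOKUPSID = {                          # what a lookupsid to the NT4 DC returns
    "S-1-5-21-111-222-333-1050": "HNIRB\\axel",
}
NSS_PASSWD = {"chris": 500, "axel": 501}  # users visible through nsswitch (yp)
IDMAP_POOL_START = 40000                  # first uid of winbind's allocation pool

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a domain account SID: {sid}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

class Winbind:
    """Model of winbindd's SID -> uid path (hypothetical, not the real daemon)."""
    def __init__(self, use_default_domain=False):
        self.use_default_domain = use_default_domain
        self.idmap = {}                   # SID -> uid allocated from the pool
        self.next_uid = IDMAP_POOL_START

    def sid_to_uid(self, sid):
        name = DC_LOOKUPSID.get(sid)      # 'lookupsid' request to the DC
        if name is None:
            return None                   # DC does not know the SID
        if self.use_default_domain:
            name = name.split("\\", 1)[-1]  # HNIRB\axel -> axel
        if name in NSS_PASSWD:            # getpwnam() through nsswitch.conf first
            return NSS_PASSWD[name]
        if sid not in self.idmap:         # unknown to nss: allocate from the pool
            self.idmap[sid] = self.next_uid
            self.next_uid += 1
        return self.idmap[sid]

def sid_to_uid(sid, winbind):
    """smbd-style dispatch: resolve locally if the domain part is ours, else ask winbind."""
    domain, rid = split_sid(sid)
    if domain == LOCAL_SID:
        name = LOCAL_PASSDB.get(rid)
        return NSS_PASSWD.get(name) if name else None
    return winbind.sid_to_uid(sid)
```

With the default setting the DC answer HNIRB\axel misses the yp entry and gets 40000; with use_default_domain the same SID resolves to axel's existing uid 501.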