Hi,
there is some progress, even if I wouldn't call it that. At least they
admitted it's caused by some changes on their side.
@Rowland: Remember that "old Samba method" part?
This is their answer. I don't know what to make of it. Maybe someone
with more knowledge about the development of Samba can give me a hint:
===============================================================================
Being denied access is indeed influenced by our product design.
As "Domain Client", in comparison to the newer version of open-source
Samba, we perform additional "lookupsids", which means we are affected
by the response from the AD server.
Open-source Samba has already made changes in version 4.13 to no longer
perform lookupsids (samba#14539
<https://bugzilla.samba.org/show_bug.cgi?id=14539>), so the listed Samba
member servers will not be affected by invalid SIDs.
However, the official modification will impact our ID mapping (recorded
in SYNOSMB#998), so we have reverted to the behavior prior to version
4.13, where we perform lookupsids.
Additionally, we have designed application privileges that require
information about the user's group list to determine if the user has
permission to use the SMB service.
When the user's group list cannot be obtained, it will also result in a
failure with an "access denied" response.
Here are the main issues related to lookupsids: receiving errors for
invalid SIDs.
If the Samba AD Server returns "STATUS_SOME_UNMAPPED" the
above-mentioned problem will not occur.
In terms of understanding, an invalid SID signifies a problem with the
format or structure of that SID, rather than its nonexistence.
In addition, it appears that Samba has been returning this error code
(STATUS_SOME_UNMAPPED) for quite some time, but changed to
NT_STATUS_INVALID_SID as of Samba AD Server 4.17.x.
Users only need to add the predefined_names_S_1_18 predefine patch for the
Security Authentication Authority (S-1-18-*) to the Samba AD code to make
it work.
But third-party AD servers (Samba AD Server) are beyond our control, so
we can only provide the reasons and solutions mentioned above.
Otherwise, we recommend that users use an older version of AD or, at
least, have Windows clients joined to new Samba AD but use IP connections.
Note: It is inevitable that open-source Samba has certain considerations,
and so we do not suggest users apply the code, since it has not been
officially released. Who will guarantee code that hasn't been officially
released yet?
===============================================================================
Regards
Ingo
https://github.com/WAdama
Ingo Asche via samba wrote on 21.06.2023 at 10:30:
> Hi Rowland,
>
> good point...
>
> That seems to be the only SID which pops up in the logs from the
> Synology device. I found no other.
>
> I'm just looking at the same log on my working machines to see if this
> is popping up there, too.
>
> At least you gave me good hints, how I can answer their request.
> Thanks for that...
>
> Regards
> Ingo
> https://github.com/WAdama
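The following is an added example, not code from this thread, from Samba or from Synology. It is a small Python model of the situation the vendor's answer describes: a domain-member client that builds the user's group list via lookupsids and then either gets a partial answer (STATUS_SOME_UNMAPPED) it can work with, or a hard NT_STATUS_INVALID_SID that leaves it with no group list at all. The SID string grammar follows MS-DTYP; the two server policies, the function names (parse_sid, lookup_sids, client_group_list), the well-known-SID table and the sample token and directory are all assumptions made for illustration, not Samba's actual LSA implementation.

```python
"""Toy model of lookupsids handling on a domain-member client (illustration only)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed well-known-SID table (subset of MS-DTYP 2.4.2.4). The two S-1-18
# entries are the Authentication Authority SIDs the vendor's answer refers to.
WELL_KNOWN_SIDS: Dict[str, str] = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-18-1": "Authentication authority asserted identity",
    "S-1-18-2": "Service asserted identity",
}

# String form per MS-DTYP 2.4.2.1: S-<revision>-<authority>[-<subauthority>]*
# The identifier authority is decimal when it fits in 32 bits, else 0x-hex.
_SID_RE = re.compile(r"^S-(\d+)-(0x[0-9A-Fa-f]{1,12}|\d+)((?:-\d+)*)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    def __str__(self) -> str:
        auth = str(self.authority) if self.authority < 2**32 else f"0x{self.authority:X}"
        return "-".join(["S", str(self.revision), auth, *map(str, self.sub_authorities)])


def parse_sid(text: str) -> Sid:
    """Parse a SID string. Raises ValueError only for a *structurally* bad SID,
    which is the sense of "invalid SID" the vendor's answer uses; an unknown
    but well-formed SID parses fine and is merely "unmapped"."""
    m = _SID_RE.match(text)
    if not m:
        raise ValueError(f"malformed SID string: {text!r}")
    revision = int(m.group(1))
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision} in {text!r}")
    auth_text = m.group(2)
    authority = int(auth_text, 16) if auth_text.startswith("0x") else int(auth_text, 10)
    if authority >= 2**48:
        raise ValueError(f"identifier authority wider than 48 bits in {text!r}")
    subs = tuple(int(s) for s in m.group(3).split("-")[1:])
    if len(subs) > 15:
        raise ValueError(f"more than 15 sub-authorities in {text!r}")
    if any(s >= 2**32 for s in subs):
        raise ValueError(f"sub-authority wider than 32 bits in {text!r}")
    return Sid(revision, authority, subs)


def is_well_formed(text: str) -> bool:
    try:
        parse_sid(text)
    except ValueError:
        return False
    return True


def lookup_sids(sids: List[str], server_names: Dict[str, str],
                unknown_is_invalid: bool) -> Tuple[str, Dict[str, str]]:
    """Assumed model of an LSA LookupSids reply (not Samba's code).

    server_names: SID string -> name the AD server knows (domain accounts plus
    whatever well-known SIDs it has predefined).
    unknown_is_invalid=False: well-formed but unknown SIDs are reported as
        unmapped and the status is STATUS_SOME_UNMAPPED.
    unknown_is_invalid=True: any unknown SID fails the whole call with
        NT_STATUS_INVALID_SID, the behaviour the mail attributes to Samba AD
        4.17.x when no predefined name exists for S-1-18-*.
    """
    mapped: Dict[str, str] = {}
    unmapped = 0
    for s in sids:
        try:
            key = str(parse_sid(s))  # normalises e.g. hex authorities
        except ValueError:
            return "NT_STATUS_INVALID_SID", {}
        if key in server_names:
            mapped[s] = server_names[key]
        elif unknown_is_invalid:
            return "NT_STATUS_INVALID_SID", {}
        else:
            unmapped += 1
    return ("STATUS_SOME_UNMAPPED" if unmapped else "NT_STATUS_OK"), mapped


def client_group_list(sids: List[str], reply: Tuple[str, Dict[str, str]]) -> List[str]:
    """Client side: the group list the SMB-privilege check needs. A partial
    answer is usable; a hard error means no group list at all, which the
    mail says the product turns into "access denied"."""
    status, names = reply
    if status not in ("NT_STATUS_OK", "STATUS_SOME_UNMAPPED"):
        raise PermissionError(f"access denied: group list not obtainable ({status})")
    return [names[s] for s in sids if s in names]


# Constructed sample: a token's group SIDs as the client would receive them.
TOKEN_SIDS = ["S-1-5-21-1000-2000-3000-513", "S-1-5-11", "S-1-18-1"]
# Constructed AD directory without predefined S-1-18 names ...
AD_WITHOUT_S_1_18 = {"S-1-5-21-1000-2000-3000-513": "EXAMPLE\\Domain Users",
                     "S-1-5-11": "NT AUTHORITY\\Authenticated Users"}
# ... and the same server once the predefined S-1-18 names are added.
AD_WITH_S_1_18 = {**AD_WITHOUT_S_1_18, **WELL_KNOWN_SIDS}

if __name__ == "__main__":
    for label, names, strict in [("lenient server", AD_WITHOUT_S_1_18, False),
                                 ("strict server, no S-1-18", AD_WITHOUT_S_1_18, True),
                                 ("strict server, S-1-18 predefined", AD_WITH_S_1_18, True)]:
        reply = lookup_sids(TOKEN_SIDS, names, strict)
        try:
            print(label, reply[0], client_group_list(TOKEN_SIDS, reply))
        except PermissionError as err:
            print(label, reply[0], err)
```

Running it prints the three cases side by side: the lenient server yields a usable group list with S-1-18-1 simply dropped, the strict server without predefined S-1-18 names leaves the client with no group list at all, and the strict server with those names predefined resolves everything. The point worth keeping in mind when reading the vendor's answer is the distinction parse_sid makes: a SID the server has no name for is not the same thing as a SID that is malformed, and a client that needs the group list can tolerate the first but not the second.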