Fermín Galán
2003-Dec-24 10:22 UTC
[Samba] "Account Unknown" problem (Samba3 domain users in WinNT permissions)
Hello,

I'm suffering a strange problem in a WinNT-Samba3 environment. I have two servers: WinNT4 (PDC of domain A-DOMAIN) and Samba3 (PDC of B-DOMAIN). A-DOMAIN and B-DOMAIN trust each other (I had followed the procedures described in HOWTO Chapter 16 successfully).

The problem arises when I assign permissions on the WinNT server's folders (A-DOMAIN) for users in the Samba domain (B-DOMAIN). I can add users of the B-DOMAIN in the Permissions dialog, but after accepting changes, the next time that I open the Permissions dialog the previously added users appear as "B-DOMAIN/Account Unknown" instead of their original names. The strange thing is that the access permissions defined work fine: the problem seems to affect only visualization.

I have searched through the archives and found several mails with the same or a similar problem, but referring to old Samba releases (I'm using Samba 3.0.1rc1) and giving no convincing solution. For example:

http://lists.samba.org/archive/samba-ntdom/1999-September/006794.html
http://lists.samba.org/archive/samba-ntdom/2000-November/016126.html
http://groups.google.com/groups?q=%22account+unknown%22+samba&hl=es&lr=&ie=UTF-8&selm=Pine.GSO.4.21.0003061606200.268-100000%40timon&rnum=5

Is there any solution to this problem in Samba3 (or, at least, an indication of what the cause could be)?

Thanks!

------
Fermín
Fermín Galán Márquez
2004-Jan-07 11:38 UTC
[Samba] "Account Unknown" problem (Samba3 domain users in WinNT permissions)
I have been working on the "Account Unknown" problem and I have found that it could be related to some kind of WinNT4 to Samba3 SID conversion bug. In particular, let "user1" be a user of the Samba3 domain with SID:

S-1-5-21-4241608303-34714143-466288756-2092

After assigning permissions for user1 on a WinNT4 domain folder, I get a dump of the ACEs for that folder (I have used a Perl script with Win32::Perms, because I cannot find a built-in Windows tool to do that) and I get that the entry for "user1" has an associated SID of:

S-1-5-21--53358993-34714143-466288756-2092

So, it's logical that when the Permissions dialog opens, it cannot resolve a SID that is not associated with any user and, therefore, shows "Account Unknown". The problem seems to be in the way WinNT4 stores the SID in the ACE. In particular, the conversion of the token '4241608303' -> '-53358993'.

Again, the problem only seems to affect visualization. The access permissions defined work fine (that is, if I have defined Read only permission for user1, user1 cannot write in the folder, even though he appears as "Unknown User" in the Permissions dialog).

So, a pair of questions:

1. Is this a known WinNT4 or Samba3 bug?
2. How do SIDs work? That is, how are they structured, what do the hyphens mean, how are they generated, etc. (I need this information to try going deeper into the problem).

Any hint about the cause of the problem will be welcome, in particular from other users that are also suffering it.

------
Fermín

-----Original Message-----
From: samba-bounces+fermin.galan=agora-2000.com@lists.samba.org [mailto:samba-bounces+fermin.galan=agora-2000.com@lists.samba.org] On behalf of Fermín Galán
Sent: Wednesday, 24 December 2003 11:23
To: samba@lists.samba.org
Subject: [Samba] "Account Unknown" problem (Samba3 domain users in WinNT permissions)

Hello,

I'm suffering a strange problem in a WinNT-Samba3 environment. I have two servers: WinNT4 (PDC of domain A-DOMAIN) and Samba3 (PDC of B-DOMAIN). A-DOMAIN and B-DOMAIN trust each other (I had followed the procedures described in HOWTO Chapter 16 successfully).

The problem arises when I assign permissions on the WinNT server's folders (A-DOMAIN) for users in the Samba domain (B-DOMAIN). I can add users of the B-DOMAIN in the Permissions dialog, but after accepting changes, the next time that I open the Permissions dialog the previously added users appear as "B-DOMAIN/Account Unknown" instead of their original names. The strange thing is that the access permissions defined work fine: the problem seems to affect only visualization.

I have searched through the archives and found several mails with the same or a similar problem, but referring to old Samba releases (I'm using Samba 3.0.1rc1) and giving no convincing solution. For example:

http://lists.samba.org/archive/samba-ntdom/1999-September/006794.html
http://lists.samba.org/archive/samba-ntdom/2000-November/016126.html
http://groups.google.com/groups?q=%22account+unknown%22+samba&hl=es&lr=&ie=UTF-8&selm=Pine.GSO.4.21.0003061606200.268-100000%40timon&rnum=5

Is there any solution to this problem in Samba3 (or, at least, an indication of what the cause could be)?

Thanks!

------
Fermín
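
An added example, not part of the original thread and not code from Samba or Win32::Perms: the standard binary SID layout (revision byte, sub-authority count, 6-byte big-endian identifier authority, then 32-bit little-endian sub-authorities), used to compare the two SID strings quoted in the second message. It assumes, which the thread does not confirm, that the dump tool printed each sub-authority as a signed 32-bit integer; the function names are illustrative.

```python
import re
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Pack 'S-<rev>-<authority>-<sub>...' into the binary SID layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")               # identifier authority
            + struct.pack("<%dI" % len(subs), *subs))    # unsigned 32-bit words

def bytes_to_sid(raw: bytes, signed: bool = False) -> str:
    """Render a binary SID as text. signed=True mimics a tool that prints
    sub-authorities as signed 32-bit integers (assumed behaviour)."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%d%s" % (raw[1], "i" if signed else "I"), raw[8:])
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def normalize_sid(text: str) -> str:
    """Map a SID string with signed sub-authorities to the unsigned form."""
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:--?\d+)*)", text)
    if not m:
        raise ValueError("not a SID string: %r" % text)
    subs = [int(s) & 0xFFFFFFFF for s in re.findall(r"-(-?\d+)", m.group(3))]
    return "-".join(["S", m.group(1), m.group(2)] + [str(s) for s in subs])

# Both strings are quoted from the second message in the thread.
USER1_SID = "S-1-5-21-4241608303-34714143-466288756-2092"
DUMPED_SID = "S-1-5-21--53358993-34714143-466288756-2092"

if __name__ == "__main__":
    raw = sid_to_bytes(USER1_SID)
    print(raw.hex())                        # binary form of the SID
    print(bytes_to_sid(raw))                # unsigned rendering
    print(bytes_to_sid(raw, signed=True))   # signed rendering of the same bytes
    print(normalize_sid(DUMPED_SID) == USER1_SID)
```

Under that assumption both strings describe the same 28 bytes, so ACE dumps are best compared after normalizing every sub-authority to unsigned 32-bit.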