Hi, I'm working on bug https://bugzilla.samba.org/show_bug.cgi?id=6592 and something that has apparently changed in my setup is preventing me from testing the final stages of the fix. I have a machine running Samba server and joined to the domain, and am accessing that from the W2K3 domain server logged, logged into the latter as the domain administrator. But the problem is that in its access checks smbd is not getting the sid for the Administrators group (S-1-5-32-544). In an email that I sent back in July (http://lists.samba.org/archive/samba/2009-July/149285.html) I included my samba log file, and at that point I was getting the S-1-5-32-544 sid, but something has changed since then and now I am not. My question is does anyone have any idea of what may have changed that would cause that? Here is an extract from the log in that email: Checking password for unmapped user [SD80]\[Administrator]@[IANSERVER] with the new password interface check_ntlm_password: mapped user is: [SD80]\[Administrator]@[IANSERVER] check_ntlm_password: winbind authentication for user [Administrator] succeeded check_ntlm_password: authentication for user [Administrator] ->[Administrator] -> [SD80+administrator] succeeded se_access_check: user sid is S-1-5-21-4023909512-3739307249-2032274589-500 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-513 se_access_check: also S-1-1-0 se_access_check: also S-1-5-2 se_access_check: also S-1-5-11 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-520 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-519 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-518 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512 se_access_check: also S-1-5-32-545 se_access_check: also S-1-5-32-544 se_access_check: also S-1-22-1-601 se_access_check: also S-1-22-2-604 se_access_check: also S-1-22-2-607 se_access_check: also S-1-22-2-608 se_access_check: also S-1-22-2-609 se_access_check: also S-1-22-2-610 se_access_check: also S-1-22-2-603 se_access_check: also S-1-22-2-602 And here is what I am seeing now: check_ntlm_password: Checking password for unmapped user [SD80]\[Administrator]@[IANSERVER] with the new password interface check_ntlm_password: mapped user is: [SD80]\[Administrator]@[IANSERVER] check_ntlm_password: winbind authentication for user [Administrator] succeeded check_ntlm_password: authentication for user [Administrator] -> [Administrator] -> [SD80+administrator] succeeded se_access_check: user sid is S-1-5-21-4023909512-3739307249-2032274589-500 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-513 se_access_check: also S-1-1-0 se_access_check: also S-1-5-2 se_access_check: also S-1-5-11 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-520 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-519 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-518 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512 The missing sids are for the Users and Administrators group, plus those "S-2-22-2" sids, whatever they are. Thanks Ian
> -----Original Message----- > From: samba-bounces at lists.samba.org On Behalf Of Ian Puleston > Sent: Thursday, October 29, 2009 11:22 AM > > I'm working on bug https://bugzilla.samba.org/show_bug.cgi?id=6592 and > something that has apparently changed in my setup is preventing mefrom> testing the final stages of the fix. I have a machine running Samba > server and joined to the domain, and am accessing that from the W2K3 > domain server, logged into the latter as the domain > administrator. But the problem is that in its access checks smbd isnot> getting the sid for the Administrators group (S-1-5-32-544). > > Back in July I was getting the S-1-5-32-544 sid, > but something has changed since then and now I am not.The samba log from back in July:> se_access_check: user sid is > S-1-5-21-4023909512-3739307249-2032274589-500 > se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-513 > se_access_check: also S-1-1-0 > se_access_check: also S-1-5-2 > se_access_check: also S-1-5-11 > se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-520 > se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-519 > se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-518 > se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512 > se_access_check: also S-1-5-32-545 > se_access_check: also S-1-5-32-544 > se_access_check: also S-1-22-1-601 > se_access_check: also S-1-22-2-604 > se_access_check: also S-1-22-2-607 > se_access_check: also S-1-22-2-608 > se_access_check: also S-1-22-2-609 > se_access_check: also S-1-22-2-610 > se_access_check: also S-1-22-2-603 > se_access_check: also S-1-22-2-602 > > The missing sids are for the Users and Administrators group, plusthose> "S-2-22-2" sids, whatever they are.A bit more information I've managed to glean. I'm working on Fedora 10 which has Samba 3.2.15 installed, but the version I was building and testing with was 3.2.4. Having now downloaded and built 3.2.15 I am now seeing those "S-2-22-[12]" sids, but still not the sids for the Administrators and Users groups. But if I run the Fedora version of smbd 3.2.15 then I see the S-1-5-32-545 sid too, but still not S-1-5-32-544. If I run the version of 3.2.15 that I built I see neither. To build it I used "./configure --with-ads", are there maybe some other options I should have used that may explain that difference? And I still need to find why I don't see sid S-1-5-32-544 with any version? Ian