tizo
2021-Oct-28 13:07 UTC
[Samba] Security token SIDs do not contain the right SID for users in username map
We have a Samba installation up and running as a file server. Its security parameter is ADS and all the AD users have corresponding Unix users; in particular, the Unix users are FreeIPA users, so the host is configured as a FreeIPA client too. We are using winbind with the tdb backend for the mapping between users (as we are migrating from an old version of the server, and we already have the file with the mappings). Besides, for the users that have different usernames in AD and Unix (FreeIPA), we have a file for the "username map" Samba parameter (the same that was in the old installation).

Everything works right for users that have the same username in AD and in Unix. However, if the user has different usernames (i.e. he has a line in the username map file), Windows ACLs are not honoured for him. That is, if a directory has been given write permissions for the user by an AD administrator, the user cannot write in it anyway.

We investigated a little further, and we found in the logs that the security token SIDs for the user with the same username contain his SID from the AD domain, whereas the security token SIDs for the user with different usernames do not. In fact, we have made the same test with other users with and without the same usernames, and the results were the same.
More details:

AD domain: XXX

User with the same username:
Username: mduffour
Unix UID: 2228
AD SID: S-X-X-X-X-X-X-2314

Security token SIDs (16):
SID[ 0]: S-X-X-X-X-X-X-2314
SID[ 1]: S-X-X-X-X-X-X-513
SID[ 2]: S-X-X-X-X-X-X-2271
SID[ 3]: S-X-X-X-X-X-X-1157
SID[ 4]: S-1-18-1
SID[ 5]: S-X-X-X-X-X-X-1559
SID[ 6]: S-1-1-0
SID[ 7]: S-1-5-2
SID[ 8]: S-1-5-11
SID[ 9]: S-1-5-32-545
SID[ 10]: S-1-22-1-2228
SID[ 11]: S-1-22-2-2005
SID[ 12]: S-1-22-2-700000003
SID[ 13]: S-1-22-2-700000004
SID[ 14]: S-1-22-2-700000005
SID[ 15]: S-1-22-2-700000001
Privileges (0x 0):
Rights (0x 0):

User with different username:
AD username: andres
Unix username: jghigliazza
Unix UID: 2000
AD SID: S-X-X-X-X-X-X-1176
Line in username map file:
jghigliazza = XXX\andres

Security token SIDs (9):
SID[ 0]: S-1-22-1-2000
SID[ 1]: S-X-X-X-X-X-X-1157
SID[ 2]: S-1-22-2-2005
SID[ 3]: S-1-1-0
SID[ 4]: S-1-5-2
SID[ 5]: S-1-5-11
SID[ 6]: S-1-22-2-700000003
SID[ 7]: S-1-22-2-700000004
SID[ 8]: S-1-22-2-700000005
Privileges (0x 0):
Rights (0x 0):

OS: Rocky Linux release 8.4 (Green Obsidian)
Samba version: 4.13.3 (packaged in Rocky Linux)

smb.conf

[global]
dedicated keytab file = /etc/samba/krb5.keytab
disable spoolss = Yes
kerberos method = secrets and keytab
load printers = No
log file = /var/log/samba/log.%m
max log size = 50
printcap name = /dev/null
realm = XXX.YYY.ZZ
security = ADS
server string = Samba Server Version %v
username map = /etc/samba/mapeousuarios
winbind refresh tickets = Yes
workgroup = XXX
idmap config fnr : backend = tdb
idmap config fnr : range = 1200-669000000
idmap config * : range = 700000000-710000000
idmap config * : backend = tdb
map acl inherit = Yes
printing = bsd
vfs objects = acl_xattr

[Demo]
path = /srv/samba/Demo/
read only = No
acl_xattr:ignore system acl = yes

Thanks very much. Any help is appreciated.
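A way to check a "Security token SIDs" dump like the two above for the symptom described, as an added example that is not part of the thread. The domain SID prefix is a placeholder because the post redacts it, and the embedded dumps are abridged copies of the ones quoted above.

```python
import re

# Placeholder for the AD domain SID, which the post redacts as S-X-X-X-X-X-X.
DOMAIN_SID = "S-1-5-21-111-222-333"

# Abridged copies of the two token dumps quoted in the post (constructed sample
# input; the redacted domain prefix is replaced by the placeholder above).
TOKEN_SAME_NAME = """Security token SIDs (16):
  SID[  0]: S-1-5-21-111-222-333-2314
  SID[  1]: S-1-5-21-111-222-333-513
  SID[  6]: S-1-1-0
  SID[ 10]: S-1-22-1-2228
  SID[ 11]: S-1-22-2-2005
"""
TOKEN_MAPPED_NAME = """Security token SIDs (9):
  SID[  0]: S-1-22-1-2000
  SID[  1]: S-1-5-21-111-222-333-1157
  SID[  2]: S-1-22-2-2005
  SID[  3]: S-1-1-0
"""

SID_LINE = re.compile(r"SID\[\s*\d+\]:\s*(S-[0-9-]+)")


def parse_token_sids(log_text):
    """Return the SIDs of a 'Security token SIDs' dump in the order smbd printed them."""
    return SID_LINE.findall(log_text)


def classify_sid(sid, domain_sid):
    """Name the identity source a SID comes from."""
    if sid.startswith(domain_sid + "-"):
        return "domain"        # issued by the AD domain
    if sid.startswith("S-1-22-1-"):
        return "unix-user"     # Samba's Unix Users authority: S-1-22-1-<uid>
    if sid.startswith("S-1-22-2-"):
        return "unix-group"    # Samba's Unix Groups authority: S-1-22-2-<gid>
    return "well-known"        # Everyone, Authenticated Users, BUILTIN, ...


def diagnose(log_text, domain_sid):
    """smbd lists the user's own SID first. If that slot holds S-1-22-1-<uid>, the
    session was built from the Unix account alone, so an ACE granted to the AD
    user has no SID in the token to match against."""
    kinds = [classify_sid(s, domain_sid) for s in parse_token_sids(log_text)]
    return {
        "primary": kinds[0] if kinds else None,
        "domain_sids": kinds.count("domain"),
        "ad_identity_ok": bool(kinds) and kinds[0] == "domain",
    }
```

Run `diagnose()` over a dump taken from the smbd log for the affected user; a token whose first SID is a Unix user SID is the username-map-only case from the post, even when some domain group SIDs are present further down.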
Rowland Penny
2021-Oct-28 13:26 UTC
[Samba] Security token SIDs do not contain the right SID for users in username map
On Thu, 2021-10-28 at 10:07 -0300, tizo via samba wrote:
> We have a Samba installation up and running as a file server. Its
> security parameter is ADS and all the AD users have corresponding
> Unix users; particularly Unix users are FreeIPA users, so the host is
> configured as a FreeIPA client too. We are using winbind with tdb
> backend for the mapping between users (as we are migrating from an
> old version of the server, and we already have the file with
> mappings). Besides, for the users that have different usernames in AD
> and Unix (FreeIPA), we have a file for the "username map" Samba
> parameter (the same that was in the old installation).
>
> Everything works right for users that have the same username in AD
> and in Unix. However, if the user has different usernames (i.e. he
> has a line in username map file), Windows ACLs are not honoured for
> him. That is, if a directory has been given write permissions for the
> user by an AD administrator, the user cannot write in it anyway.
>
> We investigated a little further, and we found in the logs that the
> security token SIDs for the user with the same username contain his
> SID from the AD domain, whereas the security token SIDs for the user
> with different usernames do not. In fact, we have made the same test
> with other users with and without the same usernames, and the results
> were the same.
>
> More details:
>
> AD domain: XXX
>
> User with the same username:
> Username: mduffour
> Unix UID: 2228
> AD SID: S-X-X-X-X-X-X-2314
>
> Security token SIDs (16):
> SID[ 0]: S-X-X-X-X-X-X-2314
> SID[ 1]: S-X-X-X-X-X-X-513
> SID[ 2]: S-X-X-X-X-X-X-2271
> SID[ 3]: S-X-X-X-X-X-X-1157
> SID[ 4]: S-1-18-1
> SID[ 5]: S-X-X-X-X-X-X-1559
> SID[ 6]: S-1-1-0
> SID[ 7]: S-1-5-2
> SID[ 8]: S-1-5-11
> SID[ 9]: S-1-5-32-545
> SID[ 10]: S-1-22-1-2228
> SID[ 11]: S-1-22-2-2005
> SID[ 12]: S-1-22-2-700000003
> SID[ 13]: S-1-22-2-700000004
> SID[ 14]: S-1-22-2-700000005
> SID[ 15]: S-1-22-2-700000001
> Privileges (0x 0):
> Rights (0x 0):
>
> User with different username:
> AD username: andres
> Unix username: jghigliazza
> Unix UID: 2000
> AD SID: S-X-X-X-X-X-X-1176
> Line in username map file:
> jghigliazza = XXX\andres
>
> Security token SIDs (9):
> SID[ 0]: S-1-22-1-2000
> SID[ 1]: S-X-X-X-X-X-X-1157
> SID[ 2]: S-1-22-2-2005
> SID[ 3]: S-1-1-0
> SID[ 4]: S-1-5-2
> SID[ 5]: S-1-5-11
> SID[ 6]: S-1-22-2-700000003
> SID[ 7]: S-1-22-2-700000004
> SID[ 8]: S-1-22-2-700000005
> Privileges (0x 0):
> Rights (0x 0):
>
> OS: Rocky Linux release 8.4 (Green Obsidian)
> Samba version: 4.13.3 (packaged in Rocky Linux)
>
> smb.conf
>
> [global]
> dedicated keytab file = /etc/samba/krb5.keytab
> disable spoolss = Yes
> kerberos method = secrets and keytab
> load printers = No
> log file = /var/log/samba/log.%m
> max log size = 50
> printcap name = /dev/null
> realm = XXX.YYY.ZZ
> security = ADS
> server string = Samba Server Version %v
> username map = /etc/samba/mapeousuarios
> winbind refresh tickets = Yes
> workgroup = XXX
> idmap config fnr : backend = tdb

No, that is, in my opinion, totally wrong, you cannot use 'tdb' for the 'DOMAIN' backend, you need to use the 'rid', 'autorid' or 'ad' backend. You also do not map the users in the user.map, you just make the AD users into Unix users by using the correct winbind backend.

Rowland