Rowland Penny
2022-Feb-19 18:26 UTC
[Samba] 4.15.5: Lot's of errors from smbd_audit about "check_account: Failed to convert SID..."
On Sat, 2022-02-19 at 19:59 +0300, Michael Tokarev wrote:
> 18.02.2022 16:07, Rowland Penny via samba wrote:
> []
> > I thought I had explained why you cannot have a local user and a
> > domain user with the same name, but here goes, let's try again.
>
> Nope you did not.
>
> > If you do have a user in /etc/passwd and AD with the same name, then
> > depending on how /etc/nsswitch is configured, locally one will be used
> > and one will be ignored. Samba will always attempt to use the one from
> > AD, but if the AD user is unknown to the OS, you will get 'denied'
> > errors. Even if the same username is used locally and in AD, they
> > will be different users.
>
> Samba *deliberately* (or due to a bug) makes the "two" users
> (one listed in /etc/passwd and one listed in AD) to be different,
> and only when doing uid->SID mapping. And the question why it
> does that is not answered.

It is NOT a bug!

Unix identifies users by ID numbers 0-65535.
Windows identifies users by a SID 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-rrrr'.

Where 'xxxxxxxxxx', 'yyyyyyyyyy' and 'zzzzzzzzzz' are groups of random numbers which, along with the starting 'S-1-5-21', identify the domain, and the 'rrrr' is the RID (which normally starts at 1000) and this identifies the user, group or computer etc.

Samba AD uses the SID and, as you can see, this is nothing like a Unix ID. You can have a user called rowland in /etc/passwd with the ID '1000' and a user in AD called rowland with the SID 'S-1-5-21-1234567890-0987654321-1234567890-1000'. These two users, even though they have the same username, are most definitely not the same user. Windows will not know who the Unix user 'rowland' is and Unix will not know who the Windows user 'rowland' is; this is where winbind comes in. The 'autorid' and 'rid' idmap backends will calculate the Windows user's Unix ID from the RID and the DOMAIN low range you set in smb.conf. The 'ad' idmap backend will use the uidNumber you set in the Windows user's object in AD, provided it is inside the DOMAIN range you set in smb.conf.

Provided smb.conf and possibly AD are set up correctly, you could end up with a Unix user 'rowland' with the ID '1000' and a Windows Unix user 'rowland' with the ID '11000' (using the rid idmap backend). Which user is used locally will depend on how you set up /etc/nsswitch.conf. If the passwd line is similar to this:

passwd: compat winbind

/etc/passwd will be checked before winbind, the local Unix user will be used and the AD user will be ignored. If the line looks like this:

passwd: winbind compat

The AD user will be used and the local Unix user will be ignored. Winbind will do something similar but normally tends to use the user from AD, but this user will be unknown to the OS if 'compat' (which could be 'files') comes before winbind.

If you use winbind, the AD user becomes a Unix user, so you do not need the local Unix user; there is no point.

Now can you see why you cannot have a local Unix user with the same name as a Windows user?

Rowland
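To make the mapping Rowland describes concrete, here is an added example (not code from the list thread or from Samba itself) that models the 'rid' backend's arithmetic (range low + RID), the 'ad' backend's uidNumber range check, and the way the order of sources on the passwd line of /etc/nsswitch.conf decides which of two same-named users the OS sees. The SID, the idmap range, the /etc/passwd entry and the AD object below are constructed sample values chosen to reproduce the 1000 vs 11000 outcome from the post; `resolve_name`, `IdmapRange` and the lookup helpers are this example's own names, not Samba APIs.

```python
# Added example: models winbind idmap backends and nsswitch ordering.
# All SIDs, ranges and users are constructed sample data, not real ones.
import re
from dataclasses import dataclass
from typing import Callable, Optional

# A domain SID is S-1-5-21-<x>-<y>-<z>-<RID>; the first four parts name
# the domain, the trailing RID names the object inside that domain.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def split_sid(sid: str) -> tuple[str, int]:
    """Return (domain_sid, rid) for a domain SID; reject anything else."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    a, b, c, rid = m.groups()
    return f"S-1-5-21-{a}-{b}-{c}", int(rid)


@dataclass(frozen=True)
class IdmapRange:
    """The 'idmap config DOMAIN : range = low-high' values from smb.conf."""
    low: int
    high: int


def rid_backend_uid(sid: str, rng: IdmapRange) -> int:
    """'rid' backend: uid = range low + RID, and it must stay inside the range."""
    _, rid = split_sid(sid)
    uid = rng.low + rid
    if uid > rng.high:
        raise ValueError(f"RID {rid} maps to {uid}, outside {rng.low}-{rng.high}")
    return uid


def ad_backend_uid(uid_number: Optional[int], rng: IdmapRange) -> Optional[int]:
    """'ad' backend: use the uidNumber stored on the AD object, but only if it
    lies inside the configured range; otherwise the user gets no Unix id."""
    if uid_number is None or not (rng.low <= uid_number <= rng.high):
        return None
    return uid_number


# Constructed sample: a local /etc/passwd user and an AD user with the same
# name. The AD user's RID is 1000, so the rid backend yields 10000 + 1000.
LOCAL_PASSWD = {"rowland": 1000}
AD_USERS = {
    "rowland": {
        "sid": "S-1-5-21-1234567890-0987654321-1234567890-1000",
        "uidNumber": 11000,
    }
}
DOMAIN_RANGE = IdmapRange(10000, 999999)


def files_lookup(name: str) -> Optional[int]:
    """What the 'files'/'compat' NSS source answers: /etc/passwd only."""
    return LOCAL_PASSWD.get(name)


def winbind_lookup(name: str) -> Optional[int]:
    """What the winbind NSS source answers, using the rid backend."""
    user = AD_USERS.get(name)
    return rid_backend_uid(user["sid"], DOMAIN_RANGE) if user else None


NSS_SOURCES: dict[str, Callable[[str], Optional[int]]] = {
    "files": files_lookup,
    "compat": files_lookup,
    "winbind": winbind_lookup,
}


def resolve_name(name: str, passwd_line: str) -> Optional[int]:
    """Walk the sources on an nsswitch 'passwd:' line in order. The first
    source that knows the name wins; later sources are never consulted,
    which is why one of the two same-named users is silently ignored."""
    _, _, sources = passwd_line.partition(":")
    for src in sources.split():
        uid = NSS_SOURCES[src](name)
        if uid is not None:
            return uid
    return None


if __name__ == "__main__":
    for line in ("passwd: compat winbind", "passwd: winbind compat"):
        print(f"{line!r:32} -> rowland resolves to uid {resolve_name('rowland', line)}")
    print("ad backend, uidNumber 11000:", ad_backend_uid(11000, DOMAIN_RANGE))
    print("ad backend, uidNumber 1000 (outside range):", ad_backend_uid(1000, DOMAIN_RANGE))
```

Running it shows the two orderings of the passwd line returning 1000 and 11000 for the same name, and the 'ad' backend refusing a uidNumber that falls outside the DOMAIN range, which is the situation in which smbd ends up with a user it cannot map.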
Michael Tokarev
2022-Feb-19 18:45 UTC
[Samba] 4.15.5: Lot's of errors from smbd_audit about "check_account: Failed to convert SID..."
19.02.2022 21:26, Rowland Penny via samba wrote:
..
>> Samba *deliberately* (or due to a bug) makes the "two" users
>> (one listed in /etc/passwd and one listed in AD) to be different,
>> and only when doing uid->SID mapping. And the question why it
>> does that is not answered.
>
> It is NOT a bug!
> Unix identifies users by ID numbers 0-65535
> Windows identifies users by a SID 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-
> zzzzzzzzzz-rrrr'
>
> Where 'xxxxxxxxxx', 'yyyyyyyyyy' and 'zzzzzzzzzz' are groups of random
> numbers which along with the starting 'S-1-5-21' identify the domain
> and the 'rrrr' is the RID (which normally starts at 1000) and this
> identifies the user, group or computer etc.
>
> Samba AD uses the SID and as you can see, this is nothing like a Unix ID.
> You can have a user called rowland in /etc/passwd with the ID '1000'
> and a user in AD called rowland with the SID 'S-1-5-21-1234567890-
> 0987654321-1234567890-1000'. These two users, even though they have the
> same username, are most definitely not the same user. Windows will not
> know who the Unix user 'rowland' is and Unix will not know who the
> Windows user 'rowland' is, this is where winbind comes in. The
> 'autorid' and 'rid' idmap backends will calculate the Windows user's
> Unix ID from the RID and the DOMAIN low range you set in smb.conf. The
> 'ad' idmap backend will use the uidNumber you set in the Windows user's
> object in AD, provided it is inside the DOMAIN range you set in
> smb.conf.
>
> Provided smb.conf and possibly AD, are set up correctly, you could end
> up with a Unix user 'rowland' with the ID '1000' and a Windows Unix
> user 'rowland' with the ID '11000' (using the rid idmap backend).

I *especially* set things up so that both local and AD user named 'rowland' end up with the ID 1000. For Unix it is the same user. But samba makes them different. Or, actually, *sometimes* different, depending on the order of calls (name 2 sid or uid 2 sid) and cache expiration times.

This is why I continue to say it is a bug.

/mjt