CHIBA HIROSHI(千葉 洋)
2025-Mar-12 08:19 UTC
[Samba] If a NetBIOS name used within a week is reused, an incorrect owner is returned.
Hi,

I suspect this behavior comes from a bug. If the behavior is as designed, I'd like to know the background of the design.

- Bug information

Version: 4.20.2

When a shared guest account is enabled and a NetBIOS name that was used within the past week is reassigned, the owner of the guest account becomes Account Unknown (S-1-5-21-*-501), and WRITE returns ACCESS_DENIED. (For example, this issue occurs when the NetBIOS name is changed from "AAAA" to "BBBB" and then back to "AAAA" again.)

This behavior seems to be caused by the idmap cache.

Changing the NetBIOS name leads to a modification of the local SID. This results in the following cache updates:

* The cache entries corresponding to the updated local SID are added, specifically:
  "IDMAP/SID2XID/S-1-5-21-1007219585-1734150146-233539565-501"
  "IDMAP/UID2SID/65534"
* The previous cache entry "IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501" remains in gencache.tdb.

--
* Before

# net getlocalsid
SID for domain AAAA is: S-1-5-21-4103205838-3119001155-2670119449

# net cache list |grep IDMAP
Key: IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501 Timeout: Fri Feb 7 06:18:40 2025 Value: 65534:U
Key: IDMAP/UID2SID/65534 Timeout: Fri Feb 7 06:42:24 2025 Value: S-1-5-21-4103205838-3119001155-2670119449-501

* After

# net getlocalsid
SID for domain BBBB is: S-1-5-21-1007219585-1734150146-233539565

# net cache list |grep IDMAP
Key: IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501 Timeout: Fri Feb 7 06:18:40 2025 Value: 65534:U
Key: IDMAP/SID2XID/S-1-5-21-1007219585-1734150146-233539565-501 Timeout: Fri Feb 7 06:42:24 2025 Value: 65534:U
Key: IDMAP/UID2SID/65534 Timeout: Fri Feb 7 06:42:24 2025 Value: S-1-5-21-1007219585-1734150146-233539565-501
--

If the NetBIOS name corresponding to this previous local SID is reassigned, "IDMAP/UID2SID/65534" (nobody) is not updated, and the owner is returned as the guest account SID that differs from the current local SID.

--
# net getlocalsid
SID for domain AAAA is: S-1-5-21-4103205838-3119001155-2670119449

# net cache list |grep IDMAP
Key: IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501 Timeout: Fri Feb 7 06:18:40 2025 Value: 65534:U
Key: IDMAP/SID2XID/S-1-5-21-1007219585-1734150146-233539565-501 Timeout: Fri Feb 7 06:42:24 2025 Value: 65534:U
Key: IDMAP/UID2SID/65534 Timeout: Fri Feb 7 06:42:24 2025 Value: S-1-5-21-1007219585-1734150146-233539565-501
---

Best regards,
Hiroshi Chiba
Rowland Penny
2025-Mar-12 09:49 UTC
[Samba] If a NetBIOS name used within a week is reused, an incorrect owner is returned.
On Wed, 12 Mar 2025 08:19:29 +0000 CHIBA HIROSHI(千葉 洋) via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I suspect this behavior comes from a bug. If the behavior is as
> designed, I'd like to know the background of the design.
>
> - Bug information
>
> Version: 4.20.2
>
> When a shared guest account is enabled and a NetBIOS name that was
> used within the past week is reassigned, the owner of the guest
> account becomes Account Unknown (S-1-5-21-*-501), and WRITE returns
> ACCESS_DENIED. (For example, this issue occurs when the NetBIOS name
> is changed from "AAAA" to "BBBB" and then back to "AAAA" again.)
>
> This behavior seems to be caused by the idmap cache.

Well, yes, but only because you are failing to do something. Every time you change the computer's hostname, Samba issues a new SID. Which means that your 'Account Unknown' (which actually is known, it is 'Guest') gets a new SID and when someone connects to Samba, this is stored in the cache. The cache is just that, it is a cache, it is not permanent.

The fix for your problem is very easy: every time you change the hostname, clear the cache with 'net cache flush'.

Can I close your bug report?

Rowland
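As an added example (not part of either message above), a small POSIX shell check that spots the situation described in the thread: idmap entries in gencache whose domain SID no longer matches what `net getlocalsid` reports. The two sample outputs are constructed from the values quoted in the bug report; in practice they would come from `net getlocalsid` and `net cache list`, assuming the one-entry-per-line "Key: ... Timeout: ... Value: ..." layout shown in the report.

```shell
#!/bin/sh
# Constructed sample of `net getlocalsid` output after the hostname went
# back to AAAA (values taken from the thread).
LOCALSID_OUT='SID for domain AAAA is: S-1-5-21-4103205838-3119001155-2670119449'

# Constructed sample of `net cache list | grep IDMAP` at the same moment:
# the SID2XID entry for the old BBBB SID and the UID2SID/65534 entry still
# point at the BBBB domain SID, which is what makes the guest owner show
# up as "Account Unknown".
CACHE_OUT='Key: IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501 Timeout: Fri Feb 7 06:18:40 2025 Value: 65534:U
Key: IDMAP/SID2XID/S-1-5-21-1007219585-1734150146-233539565-501 Timeout: Fri Feb 7 06:42:24 2025 Value: 65534:U
Key: IDMAP/UID2SID/65534 Timeout: Fri Feb 7 06:42:24 2025 Value: S-1-5-21-1007219585-1734150146-233539565-501'

# local_sid_prefix OUTPUT: extract the domain SID from `net getlocalsid`.
local_sid_prefix() {
    printf '%s\n' "$1" | sed -n 's/^SID for domain .* is: \(S-1-5-21-[0-9-]*\)$/\1/p'
}

# stale_idmap_entries LOCAL_SID CACHE_LIST_OUTPUT: print one "STALE ..." line
# for every cached SID (SID2XID key or UID2SID value) whose domain part
# differs from the current local SID. Prints nothing when the cache agrees.
stale_idmap_entries() {
    printf '%s\n' "$2" | awk -v cur="$1" '
        # check(sid, where): compare the SID minus its RID against cur.
        function check(sid, where,   dom) {
            dom = sid
            sub(/-[0-9]+$/, "", dom)
            if (dom != cur) print "STALE " where
        }
        $1 == "Key:" {
            key = $2; val = ""
            # The value is the field right after the "Value:" marker.
            for (i = 3; i <= NF; i++) if ($i == "Value:") val = $(i + 1)
            if (key ~ /^IDMAP\/SID2XID\/S-1-5-21-/)
                check(substr(key, 15), key)
            else if (key ~ /^IDMAP\/UID2SID\// && val ~ /^S-1-5-21-/)
                check(val, key " -> " val)
        }
    '
}

# Stand-alone run: any STALE line means the cache predates the current
# local SID; the remedy given in the thread is `net cache flush`.
cur=$(local_sid_prefix "$LOCALSID_OUT")
stale_idmap_entries "$cur" "$CACHE_OUT"
```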