samba - Mar 2025 - If a NetBIOS name used within a week is reused, an incorrect owner is returned.

Hi,

 

I suspect this behavior comes from a bug. If the behavior is as designed,
I'd like to know the background of the design. 

- Bug information

Version: 4.20.2

When a shared guest account is enabled and a NetBIOS name that was used
within the past week is reassigned, the owner of the guest account becomes
Account Unknown (S-1-5-21-*-501), and WRITE returns ACCESS_DENIED. (For
example, this issue occurs when the NetBIOS name is changed from
"AAAA" to
"BBBB" and then back to "AAAA" again.) 

This behavior seems to be caused by the idmap cache.  

 

Changing the NetBIOS name leads to a modification of the local SID.

This results in the following cache updates:

* The cache entries corresponding to the updated local SID are added,
specifically:
"IDMAP/SID2XID/S-1-5-21-1007219585-1734150146-233539565-501"
"IDMAP/UID2SID/65534"

* The previous cache entry
"IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501" remains
in
gencache.tdb.

--

* Before 

# net getlocalsid

SID for domain AAAA is: S-1-5-21-4103205838-3119001155-2670119449

# net cache list |grep IDMAP

Key: IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501
Timeout: Fri Feb  7 06:18:40 2025       Value: 65534:U

Key: IDMAP/UID2SID/65534         Timeout: Fri Feb  7 06:42:24 2025
Value: S-1-5-21-4103205838-3119001155-2670119449-501 

 

* After  

# net getlocalsid

SID for domain BBBB is: S-1-5-21-1007219585-1734150146-233539565

# net cache list |grep IDMAP

Key: IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501
Timeout: Fri Feb  7 06:18:40 2025       Value: 65534:U

Key: IDMAP/SID2XID/S-1-5-21-1007219585-1734150146-233539565-501  Timeout:
Fri Feb  7 06:42:24 2025       Value: 65534:U

Key: IDMAP/UID2SID/65534         Timeout: Fri Feb  7 06:42:24 2025
Value: S-1-5-21-1007219585-1734150146-233539565-501

-- 

 

If the NetBIOS name corresponding to this previous local SID is reassigned,
"IDMAP/UID2SID/65534" (nobody) is not updated, and the owner is
returned as
the guest account SID that differs from the current local SID.

--

# net getlocalsid

SID for domain AAAA is: S-1-5-21-4103205838-3119001155-2670119449

# net cache list |grep IDMAP

Key: IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501
Timeout: Fri Feb  7 06:18:40 2025       Value: 65534:U

Key: IDMAP/SID2XID/S-1-5-21-1007219585-1734150146-233539565-501  Timeout:
Fri Feb  7 06:42:24 2025       Value: 65534:U

Key: IDMAP/UID2SID/65534         Timeout: Fri Feb  7 06:42:24 2025
Value: S-1-5-21-1007219585-1734150146-233539565-501

--- 

 

Best regards,

Hiroshi Chiba

On Wed, 12 Mar 2025 08:19:29 +0000
CHIBA HIROSHI(????) via samba <samba at lists.samba.org> wrote:
> Hi,
> 
>  
> 
> I suspect this behavior comes from a bug. If the behavior is as
> designed, I'd like to know the background of the design. 
> 
> - Bug information
> 
> Version: 4.20.2
> 
> When a shared guest account is enabled and a NetBIOS name that was
> used within the past week is reassigned, the owner of the guest
> account becomes Account Unknown (S-1-5-21-*-501), and WRITE returns
> ACCESS_DENIED. (For example, this issue occurs when the NetBIOS name
> is changed from "AAAA" to "BBBB" and then back to
"AAAA" again.)
> 
> This behavior seems to be caused by the idmap cache.  
Well, yes, but only because you are failing to do something.

Every time you change the computers hostname, Samba issues a new SID.
Which means that your 'Account Unknown' (which actually is known, it is
'Guest') gets a new SID and when someone connects to Samba, this is
stored in the cache.

The cache is just that, it is a cache, it is not permanent.
The fix for your problem is very easy, every time you change the
hostname, clear the cache with 'net cache flush'.

Can I close your bug report ?

Rowland