[Samba] sid_to_uid: Domain controller lookup missing

abartlet at dp.samba.org abartlet at dp.samba.org
Mon Sep 16 11:05:01 GMT 2002


On Mon, Sep 16, 2002 at 12:46:12PM +0200, Buchan Milne wrote:
> > Message: 21
> > From: Christopher Odenbach <odenbach at hni.uni-paderborn.de>
> > Organization: Heinz Nixdorf Institut
> > To: abartlet at dp.samba.org
> > Subject: Re: [Samba] sid_to_uid: Domain controller lookup missing
> > Date: Mon, 16 Sep 2002 11:20:24 +0200
> > Cc: samba at samba.org
> > 
> > 
> > Hi,
> > 
> > 
> >> > I hope you understand the problem.
> > 
> >>
> >> This behaviour is by design.  Winbind is an nss module and expects to
> >> be the final authority on these matters.  Given recent issues with
> >> Win2k SP3 and WinXP SP1, this might change, but this is not a trivial
> >> change.
> >>
> >> The basic idea is that if you have users in /etc/passwd or yp, you
> >> don't need to run winbind.
> > 
> > 
> > OK - this is what I said in the first place. You just told me two mails 
> > ago to use winbind... ;-)
> > 
> >> > So I suppose there is one step missing in between: If the domain
> >> > part of the SID is equal to the domain name (set by the workgroup
> >> > parameter) ask a PDC or BDC (set by the password server parameter
> >> > or magically found out with *).
> > 
> >> 
> >> This is what winbind does.  smbd asks winbind, winbind asks the
> >> relevant DC.
> > 
> > 
> > I am a bit confused now. Let me try to explain what I think is going on:
> > 
> > Scenario: A simple user (me) tries to add another user to the ACL of a 
> > file which lies on a samba server with ACL support and underlying XFS. 
> > The added user shall be called 'axel'.
> > 
> > - User (me) adds user and clicks ok
> > - Windows box sends request to samba server asking to add the SID xyz 
> > to the ACL of the file abc
> > - Samba tries to resolve the SID locally which does not work, because 
> > the samba server is not the domain controller
> > - Samba asks winbind to resolve the SID
> > - winbind sends a 'lookupsid' request to a domain controller and gets 
> > HNIRB\axel
> > 
> > up to this point no problem
> > 
> > - winbind looks for this username in its own database and - as there is 
> > no such user - creates a new one with the first uid of the specified 
> > pool (40000)
> > 
> > This is wrong as there already exists such a user in yp. Could the 
> > trouble be that winbind assumes that if it is used, there will be an 
> > entry "winbind" in the nsswitch.conf? Perhaps it should just do a 
> > 'getpwnam <name without domain part>' to see if there is a user in the 
> > database that is specified in nsswitch.conf. If this does not give 
> > anything then try the name including the domain.
> > 
> > Please make things clearer to me. :-)
> 
> In samba-2.2.x there is no way for ACLs to work on a server that does 
> not have the SID matching the domain, and winbind supposedly can't 

> (except with older versions of samba-2.2.x on the DC) 

I'm not sure what you mean here...

> use a samba 
> server. This means:
> 
> 1)Make all your samba servers that need ACLs domain controllers. This 
> can be done with ldap as passdb backend (haven't tested, but it should 
> work I think)
> 2)Only use ACLs on the DC
> 3)Use samba_head on the DC
> 
> If winbind is actually working, but the only problem is that the 
> username it gets doesn't match the local username, then you should try 
> 'winbind use default domain = yes' in your smb.conf on all the machines 
> running winbind, so that winbind will look up axel, instead of HNIRB\axel.

This option is present in later 2.2 releases, but is not supported and has
known implementation flaws.  If you want this, use Samba 3.0.

> If I were you (and we're going to be doing this soon), I would choose (a).

This should work...

Andrew Bartlett
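As an added illustration (not code from Samba or from anyone in this thread), the following toy model walks through the sid_to_uid order Christopher describes: the DC answers lookupsid, then winbind either allocates from its own uid pool or, under the proposed ordering, asks nsswitch (getpwnam) for the bare name and then DOMAIN\name before touching the pool. All SIDs, account names and uids are constructed; LOCAL_PASSWD stands in for yp and DC_LOOKUP for the domain controller, and the check_nss_first flag is a hypothetical switch, not a real smb.conf parameter.

```python
# Added example, not Samba's own code: a toy model of the sid_to_uid resolution
# order discussed in the thread, so the uid collision Christopher describes
# (an existing yp user receiving a second, pool-allocated uid) can be seen
# directly. All SIDs, names and uids below are constructed.
from dataclasses import dataclass, field

# Constructed stand-in for the accounts that nsswitch (yp or /etc/passwd)
# would return via getpwnam().
LOCAL_PASSWD = {"axel": 1042, "odenbach": 1007}

# Constructed stand-in for a domain controller answering a lookupsid request.
DC_LOOKUP = {
    "S-1-5-21-111-222-333-1105": ("HNIRB", "axel"),
    "S-1-5-21-111-222-333-1106": ("HNIRB", "bob"),
}


def getpwnam(name):
    """Stand-in for the nsswitch lookup; None when no such account exists."""
    return LOCAL_PASSWD.get(name)


@dataclass
class Winbind:
    # Behaviour described in the thread: winbind allocates from its own pool
    # without consulting nsswitch. check_nss_first (hypothetical switch, not an
    # smb.conf option) models Christopher's proposed ordering instead.
    check_nss_first: bool = False
    next_pool_uid: int = 40000                   # first uid of the pool
    idmap: dict = field(default_factory=dict)    # sid -> uid, winbind's own db

    def sid_to_uid(self, sid):
        if sid in self.idmap:                    # already mapped: stay stable
            return self.idmap[sid]
        hit = DC_LOOKUP.get(sid)                 # the 'lookupsid' step
        if hit is None:
            raise LookupError(f"DC could not resolve {sid}")
        domain, name = hit
        if self.check_nss_first:
            # Proposed order: bare name first, then the domain-qualified form.
            for candidate in (name, f"{domain}\\{name}"):
                uid = getpwnam(candidate)
                if uid is not None:
                    self.idmap[sid] = uid
                    return uid
        # Nothing in nsswitch (or nsswitch not consulted): take the next pool uid.
        uid = self.next_pool_uid
        self.next_pool_uid += 1
        self.idmap[sid] = uid
        return uid


def compare_for_axel():
    """Return (uid under current behaviour, uid under proposed ordering, yp uid)."""
    sid = "S-1-5-21-111-222-333-1105"
    return (Winbind().sid_to_uid(sid),
            Winbind(check_nss_first=True).sid_to_uid(sid),
            getpwnam("axel"))


if __name__ == "__main__":
    current, proposed, yp = compare_for_axel()
    print(f"current: {current}  proposed: {proposed}  yp: {yp}")
```

The point the model makes visible is that under the current ordering the ACL entry for axel's SID ends up bound to uid 40000 while every file axel already owns via yp is uid 1042, so the ACL silently applies to a different Unix identity; the proposed ordering keeps the two in step and only falls back to the pool for accounts that really have no local entry.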
