Accessing LOCAL files after login to NT-4-WS via Samba P

Paul Ashton paul at argo.demon.co.uk
Wed Feb 18 20:19:09 GMT 1998


Hi Ed,

At 19:03 18/02/98 , Ed Bradford wrote:
>When a workstation logs into a domain controller with the correct credentials
>(name, password), the domain controller returns a binary user token which
>consists of
> USER SID
> all Global Group SIDS
> list of privileges the user holds.
>
>Samba has to manufacture a repeatable 128 bit "thing" which can be identified
>by the workstation as a SID. Some insight into how the SID is manufactured on a
>real domain controller would be useful here. That means that whenever a user is
>created, a SID must also be created which is unique in all the world and in all
>time. How Groups are mapped and what they mean to NT is another area that has
>to be understood. However, basically, a group is merely a collection of SIDs
>and has its own SID. In NT, a group can own a file. MS recommends groups to
>administrators because it is easier to add and remove a person from a group
>than searching a file system for a particular SID.

All sorted Ed. We know exactly how to do this and allow anyone to
manufacture the domain SID of their choosing as specified in
smb.conf. If you wish to choose the SID of your existing NT PDC,
then that is a good way to start off a migration. 

Additionally, if anyone wished to spend a couple of days coding,
we could even handle supporting multiple independent NT domains
to different clients on the same Samba domain controller. Try
that on NT.

bpowell at osc.edu wrote:
>The problem is that for the purposes of file permissions and ownership, the
>NT workstation does not recognize the domain username as a valid user.
>Thus the only files a user can modify on the local workstation are ones where
>everyone has full access.  They cannot "own" any files, because the file
>security dialog cannot find their username in the domain.  Is this simply due
>to the incomplete DC support that Samba supplies in its current state, or are
>we doing something wrong?

There are a couple of RPCs that support this: LsaLookupSids/Users, and
these have been working. I initially implemented these as purely
returning the "S-1-5-21-x-y-z-rid" string without bothering to look
anything up. I think Luke improved on this (as with everything I wrote ;-)

The best way to debug it is with MS netmon in msdn or sms. NT server
comes with a version of netmon that doesn't put the network
card in promiscuous mode but is often enough. The network trace
will probably show why the RPC is invalid.

Paul
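As an added illustration of the SID handling discussed in the thread above (this is not code from the post, nor from Samba itself): the script parses the textual "S-1-5-21-x-y-z-rid" form, converts it to and from the binary layout a client receives in its token (revision byte, sub-authority count, 6-byte identifier authority, 32-bit sub-authorities), splits the domain part from the RID, and resolves a SID against a small directory the way a domain controller answers LsaLookupSids. The domain SID, domain name and RID table are constructed sample values standing in for whatever the administrator configures, not real identifiers; unknown SIDs are returned as the bare string, which is the behaviour the post describes for the first implementation and explains why a workstation's security dialog then cannot show a name.

```python
import struct

# Identifier authority used by NT account SIDs (S-1-5-...) and the first
# sub-authority that marks a domain SID (S-1-5-21-...).
NT_AUTHORITY = 5
DOMAIN_PREFIX_SUBAUTH = 21


def parse_sid(text):
    """Parse "S-R-A-s1-s2-..." into (revision, authority, [sub-authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    revision = int(parts[1])
    authority = int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if len(subauths) > 15:
        raise ValueError("too many sub-authorities in %r" % text)
    return revision, authority, subauths


def format_sid(revision, authority, subauths):
    """Inverse of parse_sid: render the canonical textual form."""
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subauths)


def sid_to_bytes(text):
    """Encode a SID in its binary layout: revision (1 byte), sub-authority
    count (1 byte), identifier authority (6 bytes, big-endian), then each
    sub-authority as a 32-bit little-endian integer."""
    revision, authority, subauths = parse_sid(text)
    head = struct.pack("<BB", revision, len(subauths))
    auth = authority.to_bytes(6, "big")
    body = b"".join(struct.pack("<I", s) for s in subauths)
    return head + auth + body


def sid_from_bytes(data):
    """Decode the binary layout produced by sid_to_bytes back to text."""
    revision, count = struct.unpack_from("<BB", data, 0)
    authority = int.from_bytes(data[2:8], "big")
    subauths = list(struct.unpack_from("<%dI" % count, data, 8))
    return format_sid(revision, authority, subauths)


def split_domain_rid(text):
    """Split "S-1-5-21-x-y-z-rid" into ("S-1-5-21-x-y-z", rid)."""
    revision, authority, subauths = parse_sid(text)
    if (authority != NT_AUTHORITY or len(subauths) != 5
            or subauths[0] != DOMAIN_PREFIX_SUBAUTH):
        raise ValueError("not a domain account SID: %r" % text)
    return format_sid(revision, authority, subauths[:4]), subauths[4]


# Constructed sample directory, standing in for the domain SID an admin
# configures and the account database a real DC would consult.
DOMAIN_SID = "S-1-5-21-1000-2000-3000"   # constructed, not a real domain
DOMAIN_NAME = "EXAMPLEDOM"               # constructed
RID_TABLE = {                            # constructed rid -> (name, kind)
    500: ("Administrator", "user"),
    512: ("Domain Admins", "group"),
    1105: ("ed", "user"),
}


def lookup_sid(text):
    """Resolve one SID as a DC does for LsaLookupSids: the domain part must
    match our domain SID, then the RID is looked up. Anything else is
    returned unresolved as the raw string with kind None."""
    try:
        domain, rid = split_domain_rid(text)
    except ValueError:
        return (text, None)
    if domain != DOMAIN_SID or rid not in RID_TABLE:
        return (text, None)
    name, kind = RID_TABLE[rid]
    return (DOMAIN_NAME + "\\" + name, kind)


if __name__ == "__main__":
    sid = DOMAIN_SID + "-1105"
    raw = sid_to_bytes(sid)
    print(len(raw), "bytes:", raw.hex())
    print(sid_from_bytes(raw), "->", lookup_sid(sid))
    print(lookup_sid("S-1-5-32-544"))  # builtin alias, not ours: unresolved
```

Running the module prints the 28-byte encoding of the sample user SID, round-trips it, and shows that a SID from another domain or a builtin alias comes back unresolved, which is exactly the situation in which a client cannot display an owner name.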



More information about the samba-ntdom mailing list