Winbind separator as viewed from Windows

Mike Pain mtp at blaby.gov.uk
Wed Dec 12 06:32:05 GMT 2001


Further to my previous posting on 27th Nov:


>I appear to have a problem (on the stable 2.2.2 samba compiled with
>winbind and acls (and Brandon Stone's recycle bin), with a 2.4.14 kernel
>along with acls from acl.bestbits.at on a RedHat 7.2 box)...

>If I change the default winbind separator from \ to + as suggested (I
>agree that at the unix level the backslash is problematic with a shell),
>then the File Permissions window (from the Permissions tab of the Security
>tab of a file's properties) on a file shows either:
>a) No user/groupnames at all from an NT4sp6a box or
>b) User/groupnames like domain+user or domain+group from a Win9x box using
>the nexus sysadmin tools.

>When using the \ the names appear correctly on both NT and 9x boxes (just
>the username without the domain part), plus the full name appears in
>brackets as supplied by the PDC, which our users will need as they will not
>necessarily know each other's usernames.

>My C isn't up to changing this but surely, regardless of the separator used
>on the samba box, it should return a backslash to the external client such
>that user/groupnames are displayed correctly?

>This is a bit of a showstopper for us as we also wish to access the unix
>shell, and the backslash is causing problems, but without it the ACLs at
>the windows clients are unusable.

Doing a level 10 debug on selecting the permissions button on the security
tab, I get a clear discrepancy in the way usernames are handled.  With \ as
the winbind separator, I see the following names on a test file (names and
domains changed to protect the innocent):

rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(150)
  Found policy hnd[0] [000] 00 00 00 00 06 00 00 00  00 00 00 00 41 80 07 3C
........ ....A..<
lib/util.c:dump_data(1443)
  [010] E3 75 00 00                                       .u..
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(219)
  init_lsa_trans_names: looking up sid S-1-1-0
nsswitch/wb_client.c:winbind_lookup_sid(107)
  winbind_lookup_sid: SUCCESS: SID S-1-1-0 ->  Everyone
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(228)
  init_lsa_trans_names: found
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(248)
  init_lsa_trans_names: added user '\Everyone' to referenced list.
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(219)
  init_lsa_trans_names: looking up sid S-1-5-21-user1-sid
nsswitch/wb_client.c:winbind_lookup_sid(107)
  winbind_lookup_sid: SUCCESS: SID S-1-5-21-user1-sid -> DOMAIN user1
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(228)
  init_lsa_trans_names: found
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(248)
  init_lsa_trans_names: added user 'DOMAIN\user1' to referenced list.
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(219)
  init_lsa_trans_names: looking up sid S-1-5-21-user2-sid
nsswitch/wb_client.c:winbind_lookup_sid(107)
  winbind_lookup_sid: SUCCESS: SID S-1-5-21-user2-sid -> DOMAIN user2
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(228)
  init_lsa_trans_names: found
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(248)
  init_lsa_trans_names: added user 'DOMAIN\user2' to referenced list.
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(219)
  init_lsa_trans_names: looking up sid S-1-5-21-group1-sid
nsswitch/wb_client.c:winbind_lookup_sid(107)
  winbind_lookup_sid: SUCCESS: SID S-1-5-21-group1-sid -> DOMAIN group1
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(228)
  init_lsa_trans_names: found
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(248)
  init_lsa_trans_names: added user 'DOMAIN\group1' to referenced list.
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(219)
  init_lsa_trans_names: looking up sid S-1-5-21-my-sid
nsswitch/wb_client.c:winbind_lookup_sid(107)
  winbind_lookup_sid: SUCCESS: SID S-1-5-21-my-sid -> DOMAIN me
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(228)
  init_lsa_trans_names: found
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(248)
  init_lsa_trans_names: added user 'DOMAIN\me' to referenced list.
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(219)
  init_lsa_trans_names: looking up sid S-1-5-21-mygroup-sid
nsswitch/wb_client.c:winbind_lookup_sid(107)
  winbind_lookup_sid: SUCCESS: SID S-1-5-21-mygroup-sid -> DOMAIN mygroup
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(228)
  init_lsa_trans_names: found
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(248)
  init_lsa_trans_names: added user 'DOMAIN\mygroup' to referenced list.
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(219)
  init_lsa_trans_names: looking up sid S-1-5-21-my-sid
nsswitch/wb_client.c:winbind_lookup_sid(107)
  winbind_lookup_sid: SUCCESS: SID S-1-5-21-my-sid -> DOMAIN me
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(228)
  init_lsa_trans_names: found
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(248)
  init_lsa_trans_names: added user 'DOMAIN\me' to referenced list.

You can clearly see the names are in the form DOMAIN\USER.
But if I repeat the experiment with + as the separator, I get the following:

rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(150)
  Found policy hnd[0] [000] 00 00 00 00 10 00 00 00  00 00 00 00 93 93 07 3C
........ .......<
lib/util.c:dump_data(1443)
  [010] E3 75 00 00                                       .u..
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(219)
  init_lsa_trans_names: looking up sid S-1-1-0
nsswitch/wb_client.c:winbind_lookup_sid(107)
  winbind_lookup_sid: SUCCESS: SID S-1-1-0 ->  Everyone
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(228)
  init_lsa_trans_names: found
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(248)
  init_lsa_trans_names: added user '\Everyone' to referenced list.
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(219)
  init_lsa_trans_names: looking up sid S-1-5-21-user1-sid
nsswitch/wb_client.c:winbind_lookup_sid(107)
  winbind_lookup_sid: SUCCESS: SID S-1-5-21-user1-sid ->  DOMAIN+user1
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(228)
  init_lsa_trans_names: found
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(248)
  init_lsa_trans_names: added user '\DOMAIN+user1' to referenced list.
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(219)
  init_lsa_trans_names: looking up sid S-1-5-21-user2-sid
nsswitch/wb_client.c:winbind_lookup_sid(107)
  winbind_lookup_sid: SUCCESS: SID S-1-5-21-user2-sid ->  DOMAIN+user2
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(228)
  init_lsa_trans_names: found
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(248)
  init_lsa_trans_names: added user '\DOMAIN+user2' to referenced list.
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(219)
  init_lsa_trans_names: looking up sid S-1-5-21-group1-sid
nsswitch/wb_client.c:winbind_lookup_sid(107)
  winbind_lookup_sid: SUCCESS: SID S-1-5-21-group1-sid ->  DOMAIN+group1
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(228)
  init_lsa_trans_names: found
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(248)
  init_lsa_trans_names: added user '\DOMAIN+group1' to referenced list.
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(219)
  init_lsa_trans_names: looking up sid S-1-5-21-my-sid
nsswitch/wb_client.c:winbind_lookup_sid(107)
  winbind_lookup_sid: SUCCESS: SID S-1-5-21-my-sid ->  DOMAIN+me
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(228)
  init_lsa_trans_names: found
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(248)
  init_lsa_trans_names: added user '\DOMAIN+me' to referenced list.
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(219)
  init_lsa_trans_names: looking up sid S-1-5-21-mygroup-sid
nsswitch/wb_client.c:winbind_lookup_sid(107)
  winbind_lookup_sid: SUCCESS: SID S-1-5-21-mygroup-sid ->  DOMAIN+mygroup
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(228)
  init_lsa_trans_names: found
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(248)
  init_lsa_trans_names: added user '\DOMAIN+mygroup' to referenced list.
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(219)
  init_lsa_trans_names: looking up sid S-1-5-21-my-sid
nsswitch/wb_client.c:winbind_lookup_sid(107)
  winbind_lookup_sid: SUCCESS: SID S-1-5-21-my-sid ->  DOMAIN+me
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(228)
  init_lsa_trans_names: found
rpc_server/srv_lsa_nt.c:init_lsa_trans_names(248)
  init_lsa_trans_names: added user '\DOMAIN+me' to referenced list.

This time, the winbind_lookup_sid line returns a blank for the domain name
and DOMAIN+user for the username (there is an extra space after the ->).
I looked at the CVS 2_2 code on 4th December, and the wb_client.c code has
changed where the resolution is done, but it still does not work.  It
appears to fail in the function parse_domain_user(), where it takes the
domuser (from the looked up SID) and splits it on the separator into domain
and user, and returns blank for the domain if the separator can't be found.
Adding some debugging lines, it appears that parse_domain_user still thinks
that the separator is \ so it doesn't get a match.

Please can anyone point at what could be going wrong?

Thanks
Mike
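
Added example (not part of the original post, and not Samba's own code): a minimal C sketch of the failure mode described above, where a name is split on a separator that no longer matches the configured one. The helpers split_domuser() and client_name() are hypothetical stand-ins for illustration, and the sample name is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the split described in the post: cut domuser
 * at the first occurrence of sep. Returns 1 on a match; with no match the
 * domain is left blank and the whole string becomes the user. */
static int split_domuser(const char *domuser, char sep,
                         char *domain, size_t dlen,
                         char *user, size_t ulen)
{
    const char *p = strchr(domuser, sep);

    if (p == NULL) {
        domain[0] = '\0';
        snprintf(user, ulen, "%s", domuser);
        return 0;
    }
    snprintf(domain, dlen, "%.*s", (int)(p - domuser), domuser);
    snprintf(user, ulen, "%s", p + 1);
    return 1;
}

/* Build the name handed to the client, always joined with a backslash
 * (the form seen in the 'added user' log lines). */
static const char *client_name(const char *domuser, char sep_used,
                               char *out, size_t outlen)
{
    char domain[64], user[64];

    split_domuser(domuser, sep_used, domain, sizeof(domain),
                  user, sizeof(user));
    snprintf(out, outlen, "%s\\%s", domain, user);
    return out;
}

int main(void)
{
    char buf[160];
    /* Constructed sample: the lookup returns a name joined with '+'. */
    const char *looked_up = "DOMAIN+user1";

    /* Splitting on '\' finds no match, so the domain comes back blank. */
    printf("stale separator:      '%s'\n",
           client_name(looked_up, '\\', buf, sizeof(buf)));
    /* Splitting on the configured '+' recovers DOMAIN and user1. */
    printf("configured separator: '%s'\n",
           client_name(looked_up, '+', buf, sizeof(buf)));
    return 0;
}
```

The first call reproduces the '\DOMAIN+user1' shape from the second log; the second call gives the 'DOMAIN\user1' shape from the first log.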



