Local Users in Winbind mode

Esh, Andrew AEsh at tricord.com
Fri Mar 29 08:32:02 GMT 2002


I have a question about the display info for users which are local to the
Samba server. I am running with winbindd, and it is possible to display
non-Windows users as "UNIXHOSTNAME\username". This is what is displayed when
I look at the Windows permissions dialog to see the owner of a file which is
owned by a Unix user. When a Windows user owns the file, the owner is
displayed in Windows as "DOMAINNAME\username".

When I use the Windows permission dialog to add to the permissions list,
another "Add Users and Groups" dialog is displayed. It has a small drop-down
menu at the top which defaults to showing users and groups from the domain.
If I change that menu to point at the local Samba host, the Unix and Windows
Built-in groups (Account Operators, Administrators, ...) are displayed.
Everything is correct up to that point.

If I choose "Show Users", a small dialog pops up which says: "The tag is
invalid", with nothing but an "OK" button to push. If I push it, the "Add
..." dialog is still shown, but the "Show Users" button is grayed out.

I have spent some time investigating this, and I have some questions. Here's
what I saw in the log:

The "_samr_query_dispinfo" function starts:
[2002/03/29 09:27:19, 5, pid=10093, effective(1041, 599), real(0, 0)]
rpc_server/srv_samr_nt.c: _samr_query_dispinfo(892)
  samr_reply_query_dispinfo: 892

...

The pwd entries are sought, BUT ONLY IN THE SMBPASSWD FILE:
[2002/03/29 09:27:19, 10, pid=10093, effective(0, 0), real(0, 0)]
rpc_server/srv_samr_nt.c:load_sampwd_entries(153)
  load_sampwd_entries
[2002/03/29 09:27:19, 10, pid=10093, effective(0, 0), real(0, 0)]
passdb/pdb_smbpasswd.c:startsmbfilepwent(167)
  startsmbfilepwent_internal: opening file
/usr/local/samba/private/smbpasswd
[2002/03/29 09:27:19, 2, pid=10093, effective(0, 0), real(0, 0)]
passdb/pdb_smbpasswd.c:startsmbfilepwent(170)
  startsmbfilepwent_internal: unable to open file
/usr/local/samba/private/smbpasswd. Error was No such file or directory
[2002/03/29 09:27:19, 0, pid=10093, effective(0, 0), real(0, 0)]
rpc_server/srv_samr_nt.c:load_sampwd_entries(162)
  load_sampwd_entries: Unable to open passdb.

...

Failure:
[2002/03/29 09:27:19, 5, pid=10093, effective(1041, 599), real(0, 0)]
rpc_server/srv_samr_nt.c:_samr_query_dispinfo(943)
  _samr_query_dispinfo: load_sampwd_entries failed

...

[2002/03/29 09:27:19, 5, pid=10093, effective(1041, 599), real(0, 0)]
rpc_parse/parse_prs.c:prs_ntstatus(587)
      0014 status: NT_STATUS_ACCESS_DENIED


The function "_samr_query_dispinfo" in rpc_server/srv_samr_nt.c is the one
which seems to have the problem. The code appears to be making the
assumption that the only source of display information about local users is
to be found in the smbpasswd file. If this is the case, how is the file
owner being displayed? How are the group names being displayed?

I tested this, by choosing a group and setting an ACL on a file owned by
root. Then I did an smbcacls on that file:

[root at pluto source]# smbcacls //localhost/test unix.txt -U
labweb+administrator%not_my_password
REVISION:1
OWNER:PLUTO+root
GROUP:PLUTO+root
ACL:PLUTO+wheel:ALLOWED/0/READ
ACL:Everyone:ALLOWED/0/FULL

PLUTO+wheel is a local group. It has a SID, or the ACL couldn't be formed.
If that can be processed, why can't the local users?

It seems to me that if the groups can be resolved and displayed, then the
users can too. I think there is code to do this which was never added to
"_samr_query_dispinfo".

---
Andrew C. Esh                mail:Andrew.Esh at tricord.com
Tricord Systems, Inc.
2905 Northwest Blvd., Suite 20        763-557-9005 (main)
Plymouth, MN 55441-2644 USA      763-551-6418 (direct)
http://www.tricord.com - Tricord Home Page
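
Added example, not part of the original post and not Samba code: a short Python parser for the debug-log format quoted above that pairs the NT_STATUS reply with the first severe (level 2 or lower) message logged earlier by the same pid, showing that the ACCESS_DENIED returned to the client traces back to the missing smbpasswd file. The function names, the level threshold and the SAMPLE excerpt (a subset of the quoted lines) are assumptions of this example.

```python
import re

# Samba debug header as quoted in the post; the source location may be wrapped
# onto the next line, so \s* is allowed to span the line break.
HEADER = re.compile(
    r"\[[\d/]+ [\d:]+,\s*(?P<level>\d+),\s*pid=(?P<pid>\d+),\s*"
    r"effective\((?P<euid>\d+),\s*\d+\),\s*real\(\d+,\s*\d+\)\]\s*"
    r"[\w./]+:\s*(?P<func>\w+)\(\d+\)")

def parse_entries(text):
    """Split a log excerpt into entries, rejoining wrapped message lines."""
    matches = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        body = [ln.strip() for ln in text[m.end():end].splitlines()]
        msg = " ".join(ln for ln in body if ln and ln != "...")  # skip elisions
        entries.append({"level": int(m["level"]), "pid": int(m["pid"]),
                        "euid": int(m["euid"]), "func": m["func"], "msg": msg})
    return entries

def explain_status(entries, max_level=2):
    """Pair each NT_STATUS reply with the first severe entry before it."""
    findings = []
    for i, e in enumerate(entries):
        status = re.search(r"NT_STATUS_\w+", e["msg"])
        cause = next((p for p in entries[:i]
                      if p["pid"] == e["pid"] and p["level"] <= max_level), None)
        if status:
            findings.append((status.group(), cause))
    return findings

# Constructed sample: a subset of the log lines quoted in the post.
SAMPLE = """\
[2002/03/29 09:27:19, 2, pid=10093, effective(0, 0), real(0, 0)]
passdb/pdb_smbpasswd.c:startsmbfilepwent(170)
  startsmbfilepwent_internal: unable to open file
/usr/local/samba/private/smbpasswd. Error was No such file or directory
[2002/03/29 09:27:19, 0, pid=10093, effective(0, 0), real(0, 0)]
rpc_server/srv_samr_nt.c:load_sampwd_entries(162)
  load_sampwd_entries: Unable to open passdb.
...
[2002/03/29 09:27:19, 5, pid=10093, effective(1041, 599), real(0, 0)]
rpc_parse/parse_prs.c:prs_ntstatus(587)
      0014 status: NT_STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    for status, cause in explain_status(parse_entries(SAMPLE)):
        print(status, "<-", cause["msg"] if cause else "no severe entry found")
```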
