BUG #281 / Only SIDs displayed on Win 2K

Pierre Filippone pierre.filippone at Retail-sc.com
Wed Dec 10 15:40:07 GMT 2003


Hi,

I am not sure if samba-technical is the right list, but I think I found 
two bugs in Samba 3. If not, please tell me and I will send it to the samba 
list next time.

First of all, thanks for your great work on Samba 3.
At the moment I am testing its PDC capabilities in conjunction with 
OpenLDAP and I think there are only a few small steps to take to deploy 
it in our company as a PDC/BDC replacement for NT.

Even interdomain trusts seem to work well enough for our needs.
Bidirectional trusts to NT 4 work without problems. To Win2K and Win2003 AD, 
only unidirectional trusts with Samba 3 as the trusted domain work fine.
It even works with AD domain controllers in native mode!

Unfortunately a trust between two Samba3/LDAP domains does not work 
properly. 
The trusted domain's groups are not visible in the trusting domain.
"wbinfo -g" works fine, but "getent groups" does not show the groups from 
the other domain. 
I don't think it is a configuration error because it works fine with 
trusted Windows domains as well as with trusted Samba 3 domains without 
ldapsam.
I know there is a bug #281 which is marked as fixed, but I think it is not 
completely fixed. 
The error occurs on 3.0.0 (with the supplied patch in bugzilla) and on 
3.0.1rc1. 

I traced the error with ethereal and found that the grouplist is returned 
properly (ENUM_DOM_GROUPS) by the trusted DC but the group members 
are not (QUERY_GROUPMEM). The samba log on the trusted domain controller 
shows: 

[2003/12/10 09:31:45, 5, effective(99, 99), real(0, 0)] 
rpc_server/srv_samr_nt.c:access_check_samr_function(105)
  _samr_query_groupmem: access check ((granted: 0x00020011;  required: 
0x00000010)
[2003/12/10 09:31:45, 2, effective(99, 99), real(0, 0)] 
passdb/pdb_ldap.c:ldapsam_search_one_group(1598)
  ldapsam_search_one_group: searching 
for:[(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-1649454465-441161653-3509230753-41009))]
[2003/12/10 09:31:45, 0, effective(99, 99), real(0, 0)] 
lib/smbldap.c:smbldap_open(846)
  smbldap_open: cannot access LDAP when not root..
[2003/12/10 09:31:45, 1, effective(99, 99), real(0, 0)] 
lib/smbldap.c:smbldap_retry_open(935)
  Connection to LDAP Server failed for the 1 try!
[2003/12/10 09:31:45, 0, effective(99, 99), real(0, 0)] 
passdb/pdb_ldap.c:ldapsam_search_one_group(1611)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: 
(Insufficient access)ldapsam_search_one_group: Query was: 
ou=rscd,ou=posixgroups,ou=groups,dc=retail-sc,dc=com, 
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-1649454465-441161653-3509230753-41009))

To see if this is the reason, I tried a "#define  NO_LDAP_SECURITY" in 
lib/smbldap.c (version 3.0.0).
It worked as expected; the groups were now visible.
So I think there is still a bug in the ldapsam module. 
Am I right, or am I doing something wrong? The OSs used are Red Hat 7.2 
and 7.3 with Kerberos updated to 1.3.1. 


Question number 2:

When I try to list domain users/groups on share permissions or on 
filesystem permissions on a Win2k member server in a Samba 3 LDAP Domain, 
I see only the user's/group's SIDs and not their uids. This happens after 
logging off and on or after rebooting. 
Installing the share is no problem. All users and groups can be displayed 
and selected properly with their uids/names.
Probably the resolution from SID to uid does not work under special 
conditions.
 
Everything works fine on Win2003 and WinXP domain members. 

This error happens only in Samba versions 3.0.1x. A downgrade to 3.0.0 
solves the problem immediately.

If you like, I can send you an ethereal dump of the error. 

Thank you for your help.

------------------------
Pierre Filippone
RSC Commercial Services oHG
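The trace above shows the pattern behind the report: smbd is serving the trusted DC's QUERY_GROUPMEM request with effective uid 99 (real uid 0), the SAMR access check itself passes (the required mask 0x10 is contained in the granted mask 0x20011), and the failure only appears when ldapsam tries to open its LDAP connection, which smbldap_open refuses when not running as root. Note that defining NO_LDAP_SECURITY, as tried in the post, works by removing that root-only guard, so it is a diagnostic rather than a fix. As an added example, not part of the original post and not Samba's own code, here is a small Python parser for the smbd debug-log format quoted above; it groups the wrapped lines into records, checks the SAMR access masks, and flags LDAP opens refused while the effective uid was non-zero, tying each one to the SAMR call and LDAP filter seen just before it. The sample input is the trace from the post; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the smbd trace quoted in the post above, wrapped
# exactly as the mail shows it (message text may continue on following lines).
SAMPLE_LOG = """\
[2003/12/10 09:31:45, 5, effective(99, 99), real(0, 0)]
rpc_server/srv_samr_nt.c:access_check_samr_function(105)
  _samr_query_groupmem: access check ((granted: 0x00020011;  required:
0x00000010)
[2003/12/10 09:31:45, 2, effective(99, 99), real(0, 0)]
passdb/pdb_ldap.c:ldapsam_search_one_group(1598)
  ldapsam_search_one_group: searching
for:[(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-1649454465-441161653-3509230753-41009))]
[2003/12/10 09:31:45, 0, effective(99, 99), real(0, 0)]
lib/smbldap.c:smbldap_open(846)
  smbldap_open: cannot access LDAP when not root..
[2003/12/10 09:31:45, 1, effective(99, 99), real(0, 0)]
lib/smbldap.c:smbldap_retry_open(935)
  Connection to LDAP Server failed for the 1 try!
[2003/12/10 09:31:45, 0, effective(99, 99), real(0, 0)]
passdb/pdb_ldap.c:ldapsam_search_one_group(1611)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
(Insufficient access)ldapsam_search_one_group: Query was:
ou=rscd,ou=posixgroups,ou=groups,dc=retail-sc,dc=com,
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-1649454465-441161653-3509230753-41009))
"""

# A record is a "[timestamp, level, effective(uid, gid), real(uid, gid)]" header,
# a "file:function(line)" location line, and the message that follows.
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^,]+), (?P<level>\d+), "
    r"effective\((?P<euid>\d+), (?P<egid>\d+)\), real\((?P<ruid>\d+), (?P<rgid>\d+)\)\]\s*$"
)
LOCATION_RE = re.compile(r"^(?P<file>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
ACCESS_RE = re.compile(r"granted: 0x([0-9a-fA-F]+);\s*required:\s*0x([0-9a-fA-F]+)")
SAMR_CALL_RE = re.compile(r"^(_samr_\w+): access check")
FILTER_RE = re.compile(r"searching\s+for:\[(.+)\]")


@dataclass
class Entry:
    ts: str
    level: int
    euid: int
    ruid: int
    file: str
    func: str
    line: int
    message: str


def parse_samba_log(text: str) -> List[Entry]:
    """Group the (possibly line-wrapped) log text into Entry records."""
    lines = text.splitlines()
    entries: List[Entry] = []
    i = 0
    while i < len(lines):
        hdr = HEADER_RE.match(lines[i])
        loc = LOCATION_RE.match(lines[i + 1]) if hdr and i + 1 < len(lines) else None
        if not (hdr and loc):
            i += 1  # not the start of a complete record: skip the line
            continue
        j = i + 2
        parts = []
        while j < len(lines) and not HEADER_RE.match(lines[j]):
            parts.append(lines[j].strip())  # continuation lines of the message
            j += 1
        entries.append(Entry(
            ts=hdr["ts"], level=int(hdr["level"]),
            euid=int(hdr["euid"]), ruid=int(hdr["ruid"]),
            file=loc["file"], func=loc["func"], line=int(loc["line"]),
            message=" ".join(p for p in parts if p),
        ))
        i = j
    return entries


def samr_access_granted(message: str) -> Optional[bool]:
    """True if every bit of the required mask is present in the granted mask;
    None if the message carries no access-check masks."""
    m = ACCESS_RE.search(message)
    if not m:
        return None
    granted, required = int(m.group(1), 16), int(m.group(2), 16)
    return required & granted == required


@dataclass
class Finding:
    ts: str
    samr_call: Optional[str]    # SAMR function being served when LDAP was refused
    ldap_filter: Optional[str]  # the search ldapsam was about to run
    euid: int
    ruid: int


def find_unprivileged_ldap_failures(entries: List[Entry]) -> List[Finding]:
    """Flag smbldap_open refusals that occurred while the effective uid was not 0,
    attaching the most recent SAMR call and LDAP filter seen before each one."""
    findings: List[Finding] = []
    samr_call: Optional[str] = None
    ldap_filter: Optional[str] = None
    for e in entries:
        if e.func == "access_check_samr_function":
            m = SAMR_CALL_RE.match(e.message)
            samr_call = m.group(1) if m else None
        elif e.func == "ldapsam_search_one_group":
            m = FILTER_RE.search(e.message)
            if m:
                ldap_filter = m.group(1)
        elif e.func == "smbldap_open" and "not root" in e.message and e.euid != 0:
            findings.append(Finding(e.ts, samr_call, ldap_filter, e.euid, e.ruid))
    return findings


if __name__ == "__main__":
    for f in find_unprivileged_ldap_failures(parse_samba_log(SAMPLE_LOG)):
        print(f"{f.ts}: {f.samr_call} ran with euid={f.euid} (real uid {f.ruid}); "
              f"ldapsam refused to open LDAP for filter {f.ldap_filter}")
```

Run against the quoted trace it reports a single finding: `_samr_query_groupmem` served with euid 99 while the real uid was 0, with the sambaGroupMapping lookup for the `...-41009` SID as the refused search. The same parser can be pointed at a full `log.smbd` captured at debug level 5 or higher to see which other RPC calls reach ldapsam without root privileges.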



More information about the samba-technical mailing list