Problems with uid mappings. Bug?
efagerho at cc.hut.fi
Thu Apr 1 17:14:44 GMT 2004
I read some source code and came up with the following...
When the file gets opened, there is a call sequence going first to
which then calls
This call fails and finds nothing. The problem seems to be this:
    if ( (state->request.data.uid < server_state.uid_low )
        || (state->request.data.uid > server_state.uid_high) )
which seems to test that the uid is outside the idmap range. Should it really
be this way? Shouldn't it check that the uid is inside the range? If I try to
change the range to something like 65000-65001 then everything stops working
even though I'm using winbind trusted domains only = yes.
The other path in this function only tries to access the idmap database and
it's clear that this path will fail, because the uid hasn't been encountered by
If I change the if clause to if(1) and do the same in winbindd_gid_to_sid,
then all ACLs work perfectly... To me this looks like a bug...
On Thu, Apr 01, 2004 at 04:23:46PM +0300, Edvard Fagerholm wrote:
> I'm running samba with winbind trusted domains only = yes. I have a Win2k3 DC
> and a samba 3.0.2a server (file server). Now there are Windows computers with CIFS
> and unix computers with NFS access to the same resources. Users are shared
> between all computers with AD4Unix and unix computers use LDAP to query uids.
> I've got the following problem. If I create a new user and create a file owned
> by that user on the Samba share through NFS and view the permissions for that
> file from a Windows computer (through CIFS), then the owner looks like:
> If I create the same file through CIFS, the permissions show correctly as:
> It looks like the semantics when opening a file are incorrect. This is what
> happens when I open up the file, when the user has never been encountered
> before by samba:
> [2004/04/01 15:30:11, 10] passdb/pdb_smbpasswd.c:smbpasswd_getsampwnam(1297)
> getsampwnam (smbpasswd): search by name: efagerho
> [2004/04/01 15:30:11, 10] passdb/pdb_smbpasswd.c:startsmbfilepwent(179)
> startsmbfilepwent_internal: opening file
> [2004/04/01 15:30:11, 5] passdb/pdb_smbpasswd.c:getsmbfilepwent(517)
> getsmbfilepwent: end of file reached.
> [2004/04/01 15:30:11, 7] passdb/pdb_smbpasswd.c:endsmbfilepwent(291)
> endsmbfilepwent_internal: closed password file.
> [2004/04/01 15:30:11, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
> pop_sec_ctx (60000, 1000) - sec_ctx_stack_ndx = 0
> [2004/04/01 15:30:11, 4] passdb/passdb.c:local_uid_to_sid(1121)
> local_uid_to_sid: User efagerho [uid == 1001] has no samba account
> [2004/04/01 15:30:11, 8] passdb/passdb.c:algorithmic_uid_to_sid(1082)
> algorithmic_uid_to_sid: falling back to RID algorithm
> [2004/04/01 15:30:11, 10] passdb/passdb.c:algorithmic_uid_to_sid(1086)
> algorithmic_uid_to_sid: uid (1001) -> SID
> [2004/04/01 15:30:11, 10] passdb/lookup_sid.c:uid_to_sid(332)
> uid_to_sid: local 1001 -> S-1-5-21-1800506278-3384839287-522764533-3002
> and then the generated SID gets stored in uid cache. I think it should first
> ask winbindd to query the DC for a SID and not immediately generate it. If I
> delete every tdb-file, then the permissions in the file created through CIFS
> start showing up incorrectly too.
> If I add a user with uid 1006 through CIFS to the file, then I get the
> following logs:
> [2004/04/01 16:03:09, 10] passdb/lookup_sid.c:uid_to_sid(319)
> uid_to_sid: winbindd 1006 -> S-1-5-21-1847603123-3694140495-2216420365-1402
> and the user shows correctly as Domain\Username in the security tab.
> Edvard Fagerholm
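
Added example, not part of the original post or of Samba's source: a small C check that flags uid_to_sid log messages whose SID came from the algorithmic fallback instead of from winbindd, next to the range test quoted above. The multiplier 2 and base 1000 are assumed Samba 3.0 defaults (they match the 1001 -> 3002 line in the log above), and all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed Samba 3.0 defaults; consistent with "1001 -> ...-3002" in the log. */
#define RID_MULTIPLIER       2
#define ALGORITHMIC_RID_BASE 1000

/* The predicate quoted in the post: true when uid is OUTSIDE [low, high]. */
static int uid_outside_idmap_range(unsigned long uid, unsigned long low,
                                   unsigned long high)
{
    return uid < low || uid > high;
}

/* RID the algorithmic fallback would generate for a Unix uid. */
static unsigned long algorithmic_user_rid(unsigned long uid)
{
    return uid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE;
}

/* Parse "uid_to_sid: <source> <uid> -> <SID>".
 * Returns 1 if the SID was generated locally by the algorithm (the owner
 * will not resolve to a domain account), 0 otherwise, -1 if unparsable. */
static int is_algorithmic_mapping(const char *msg)
{
    char source[16], sid[128], *end;
    unsigned long uid, rid;
    const char *p = strstr(msg, "uid_to_sid: "), *last;

    if (!p || sscanf(p, "uid_to_sid: %15s %lu -> %127s", source, &uid, sid) != 3)
        return -1;
    last = strrchr(sid, '-');
    if (strncmp(sid, "S-1-", 4) != 0 || !last)
        return -1;
    rid = strtoul(last + 1, &end, 10);
    if (end == last + 1 || *end != '\0')
        return -1;
    return strcmp(source, "local") == 0 && rid == algorithmic_user_rid(uid);
}

int main(void)
{
    /* The two uid_to_sid messages from the logs in the post. */
    const char *lines[] = {
        "uid_to_sid: local 1001 -> S-1-5-21-1800506278-3384839287-522764533-3002",
        "uid_to_sid: winbindd 1006 -> S-1-5-21-1847603123-3694140495-2216420365-1402",
    };
    for (size_t i = 0; i < 2; i++)
        printf("%d  %s\n", is_algorithmic_mapping(lines[i]), lines[i]);
    printf("uid 1001 outside 65000-65001: %d\n",
           uid_outside_idmap_range(1001, 65000, 65001));
    return 0;
}
```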