Problems with uid mappings. Bug?

Edvard Fagerholm efagerho at cc.hut.fi
Thu Apr 1 17:14:44 GMT 2004


Hello again,

I read some source code and came up with the following...

When the file gets opened, there is a call sequence going first to

passdb/lookup_sid.c:uid_to_sid

which then calls

nsswitch/wb_client.c:winbind_uid_to_sid

This call fails and finds nothing. The problem seems to be this:

nsswitch/winbindd_sid.c:winbindd_uid_to_sid:

if ( (state->request.data.uid < server_state.uid_low )
     || (state->request.data.uid > server_state.uid_high) )
{
        ...
}

which seems to test that the uid is outside the idmap range. Should it really
be this way? Shouldn't it check that the uid is inside the range? If I try to
change the range to something like 65000-65001 then everything stops working
even though I'm using winbind trusted domains only = yes.

The other path in this function only tries to access the idmap database and
it's clear that this path will fail, because the uid hasn't been encountered by
samba before.

If I change the if clause to if(1) and do the same in winbindd_gid_to_sid,
then all ACLs work perfectly... To me this looks like a bug...

Regards,
Edvard

On Thu, Apr 01, 2004 at 04:23:46PM +0300, Edvard Fagerholm wrote:
> Hello!
> 
> I'm running samba with winbind trusted domains only = yes. I have a Win2k3 DC
> and a samba 3.0.2a server (file server). Now there are Windows computers with CIFS
> and unix computers with NFS access to the same resources. Users are shared
> between all computers with AD4Unix and unix computers use LDAP to query uids.
> 
> I've got the following problem. If I create a new user and create a file owned
> by that user on the Samba share through NFS and view the permissions for that
> file from a Windows computer (through CIFS), then the owner looks like:
> 
> Samba_Server\Username
> 
> If I create the same file through CIFS, the permissions show correctly as:
> 
> Domain\Username
> 
> It looks like the semantics when opening a file are incorrect. This is what
> happens when I open up the file, when the user has never been encountered
> before by samba:
> 
> [2004/04/01 15:30:11, 10] passdb/pdb_smbpasswd.c:smbpasswd_getsampwnam(1297)
>   getsampwnam (smbpasswd): search by name: efagerho
> [2004/04/01 15:30:11, 10] passdb/pdb_smbpasswd.c:startsmbfilepwent(179)
>   startsmbfilepwent_internal: opening file
> /usr/local/samba-test/private/smbpasswd
> [2004/04/01 15:30:11, 5] passdb/pdb_smbpasswd.c:getsmbfilepwent(517)
>   getsmbfilepwent: end of file reached.
> [2004/04/01 15:30:11, 7] passdb/pdb_smbpasswd.c:endsmbfilepwent(291)
>   endsmbfilepwent_internal: closed password file.
> [2004/04/01 15:30:11, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
>   pop_sec_ctx (60000, 1000) - sec_ctx_stack_ndx = 0
> [2004/04/01 15:30:11, 4] passdb/passdb.c:local_uid_to_sid(1121)
>   local_uid_to_sid: User efagerho [uid == 1001] has no samba account
> [2004/04/01 15:30:11, 8] passdb/passdb.c:algorithmic_uid_to_sid(1082)
>   algorithmic_uid_to_sid: falling back to RID algorithm
> [2004/04/01 15:30:11, 10] passdb/passdb.c:algorithmic_uid_to_sid(1086)
>   algorithmic_uid_to_sid:  uid (1001) -> SID
> S-1-5-21-1800506278-3384839287-522764533-3002.
> [2004/04/01 15:30:11, 10] passdb/lookup_sid.c:uid_to_sid(332)
>   uid_to_sid: local 1001 -> S-1-5-21-1800506278-3384839287-522764533-3002
> 
> and then the generated SID gets stored in uid cache. I think it should first
> ask winbindd to query the DC for a SID and not immediately generate it. If I
> delete every tdb-file, then the permissions in the file created through CIFS
> start showing up incorrectly too. 
> 
> If I add a user with uid 1006 through CIFS to the file, then I get the
> following logs:
> 
> [2004/04/01 16:03:09, 10] passdb/lookup_sid.c:uid_to_sid(319)
>   uid_to_sid: winbindd 1006 -> S-1-5-21-1847603123-3694140495-2216420365-1402
> 
> and the user shows correctly as Domain\Username in the security tab.
> 
> Regards,
> Edvard Fagerholm
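The lookup chain the thread describes (winbind consulted first, gated by the idmap range, then the local RID algorithm), modelled in C as an added example; this is not Samba's code. The idmap range, the single idmap entry and the three sample uids are constructed, while the two SID prefixes and the RIDs 3002 and 1402 are taken from the log excerpts above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed idmap range; the SID prefixes are the two that appear in the logs. */
#define UID_LOW  1000
#define UID_HIGH 2000
static const char *LOCAL_SID  = "S-1-5-21-1800506278-3384839287-522764533";
static const char *DOMAIN_SID = "S-1-5-21-1847603123-3694140495-2216420365";

/* Models winbindd_uid_to_sid: the quoted gate refuses uids outside the idmap
 * range; inside it, lookups still fail when the idmap database has no entry.
 * The database is constructed: only uid 1006 is known, with the RID from the log. */
static bool winbind_uid_to_sid(unsigned uid, char *out, size_t n) {
    if (uid < UID_LOW || uid > UID_HIGH) return false;
    if (uid != 1006) return false;
    snprintf(out, n, "%s-%u", DOMAIN_SID, 1402u);
    return true;
}

/* Samba 3's algorithmic fallback, rid = uid*2 + 1000, which reproduces the
 * "uid (1001) -> ...-3002" line of the first log excerpt. */
static void algorithmic_uid_to_sid(unsigned uid, char *out, size_t n) {
    snprintf(out, n, "%s-%u", LOCAL_SID, uid * 2 + 1000);
}

/* Call order from the thread: winbind first, local RID algorithm second.
 * Returns true when winbind answered, i.e. the SID is a domain SID. */
bool uid_to_sid(unsigned uid, char *out, size_t n) {
    if (winbind_uid_to_sid(uid, out, n)) return true;
    algorithmic_uid_to_sid(uid, out, n);
    return false;
}

/* Exact-match helper: does uid resolve to precisely this SID string? */
bool uid_maps_to(unsigned uid, const char *expected) {
    char sid[80];
    uid_to_sid(uid, sid, sizeof sid);
    return strcmp(sid, expected) == 0;
}

int main(void) {
    char sid[80];
    unsigned uids[] = {1001, 1006, 65000};
    for (size_t i = 0; i < 3; i++) {
        bool dom = uid_to_sid(uids[i], sid, sizeof sid);
        printf("uid %u -> %s (%s)\n", uids[i], sid, dom ? "winbind" : "local fallback");
    }
    return 0;
}
```

Running it shows uid 1001 (in range, but never seen by winbind) and uid 65000 (outside the range) both ending up with a local Samba_Server SID, while uid 1006 gets the Domain SID from the idmap entry.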