valid users again

Gerald (Jerry) Carter jerry at
Sun Aug 6 18:49:53 GMT 2006


Copied to samba-technical.  Original patch attached.

------- Background email ---------------------------

I've got to head out in a few minutes.  I looked quickly and
didn't see an easy fix....

* Samba member server in Samba domain
* winbind trusted domains only = yes

	valid users = %S

Technically jerry is VALE\jerry but was mapped to a local
account (nss_ldap).  DRIZZT is the name of the member server.

The problem in create_local_token() seems to be
that winbindd is running but just configured not to handle
accounts in its own domain.


The problem is that the valid users = jerry resolved
to the S-1-22-1-780 SID and the user's token was the domain
SID for VALE\jerry.  This patch fixes it.  I hate to look
at winbind parameters in smbd.  Anyone think of an easier way?


I think I would rather just follow the mantra "all domain accounts
have to be fully qualified".  And technically jerry on a Samba member
server is still a domain account.  winbind trusted domains only = yes
just prevents winbindd from allocating a uid for him.

I checked and

	    valid users = VALE+%S

works with the current SAMBA_3_0_23 tree.

------- Background email ---------------------------

Jeremy Allison wrote:

> I would argue it does in that it changes how smbd ends up
> seeing a resolved name.

I added 'winbind trusted domains only' strictly to deal
with winbind uid/gid allocation.  It may affect smbd
now but that is not the original design. I should know :-)

>> A member server in a Windows domain (or a Samba domain
>> with 'winbind trusted domains only = no') would require
>> [homes]
>>     valid users = %(DOMAIN)+%S
>> to work.  Why make an exception for this small corner case.
> Because it's a small corner case that is extremely
> difficult to explain to someone not deeply steeped
> in this stuff. What this means is that the standard
> "valid users = %S" that works everywhere breaks in
> this one case.

Incorrect.  "valid users = %S" doesn't work on any domain
member with winbindd regardless of "winbind trusted domains
only".  If a local user exists that matches the domain username
you will have this problem.  Remember that we now consider
unqualified names in smb.conf as local names.  Domain users
are still domain users even if mapped to an existing Unix
account uid in this one case.

Saying that "all domain accounts on member servers
running winbindd must be fully qualified" solves this
in every case.

>> Our problem in the past has been that we were too lenient
>> on what a name mapped to and hence ambiguous.
> I agree we're allowing an ambiguity, but for this small
> corner case it makes sense to bend the rule. It is a
> very non-invasive change to the new code, that allows
> %S to work in this corner case. In this case it pays
> to be inconsistent to allow consistency in configuration
> (if you see what I mean :-).
> The change looks harmless to me. If you can point out
> a case where it breaks something else I'd agree with
> you.

It overloads a parameter and has smbd looking at winbind
smb.conf options.  That's a violation IMO.  And it means
we have to remember not to break this one exception.
One rule is easier to keep than one rule plus one exception.

Despite my original patch, I feel really strongly that
forcing an update to smb.conf is the correct decision here.

cheers, jerry
Samba
Centeris
"What man is a man who does not make the world better?"      --Balian

-------------- next part --------------
Index: passdb/lookup_sid.c
--- passdb/lookup_sid.c	(revision 17431)
+++ passdb/lookup_sid.c	(working copy)
@@ -394,9 +394,15 @@
 	/* Try with our own SAM name. */
-	qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
-				get_global_sam_name(),
-				full_name );
+	if ( !lp_winbind_trusted_domains_only() ) {
+		qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
+					get_global_sam_name(),
+					full_name );
+	} else {
+		qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
+					lp_workgroup(),
+					full_name );
+	}
 	if (!qualified_name) {
 		return False;
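Review bot: the else branch changes what an unqualified name means: with 'winbind trusted domains only = yes' the name is qualified with lp_workgroup() instead of get_global_sam_name(), so an unqualified entry such as 'valid users = jerry' now resolves to the domain account rather than the local one, and it does so for every caller of this lookup, not only the valid users check. That is exactly the smbd-reads-winbind-parameters coupling the mail itself objects to; if the hunk is kept anyway, the '/* Try with our own SAM name. */' comment above it no longer describes the else path and should state why the workgroup is used there. The two talloc_asprintf calls differ only in the domain string, so a single call with `const char *dom = lp_winbind_trusted_domains_only() ? lp_workgroup() : get_global_sam_name();` would be shorter and leaves the `if (!qualified_name)` check below unchanged.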

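To make the resolution rule argued in the thread concrete, here is an added Python model (not Samba code) of how an smb.conf name is resolved to a SID and matched against a session token: an unqualified name is a local account, a DOMAIN+user or DOMAIN\user name is a domain account. The local SID S-1-22-1-780 is the one from the mail; the VALE domain SID and RID are constructed placeholders.

```python
"""Model of smbd matching 'valid users' against a session token (constructed example)."""
from dataclasses import dataclass
from typing import Optional, Set

# Constructed values for the scenario in the mail: member server DRIZZT in
# Samba domain VALE, user jerry mapped by nss_ldap to uid 780.
DOMAIN_SIDS = {"VALE": "S-1-5-21-1111-2222-3333"}   # constructed domain SID
DOMAIN_RIDS = {("VALE", "jerry"): 1105}             # constructed RID for VALE\jerry
LOCAL_UIDS = {"jerry": 780}                          # local uid -> S-1-22-1-780 (from the mail)
UNIX_USERS_AUTHORITY = "S-1-22-1"                    # Samba's "Unix users" SID prefix


@dataclass
class Token:
    """Session token: the SIDs the authenticated user carries."""
    sids: Set[str]


def resolve_name(name: str) -> Optional[str]:
    """Resolve an smb.conf name to a SID: qualified -> domain, unqualified -> local."""
    for sep in ("+", "\\"):
        if sep in name:
            dom, user = name.split(sep, 1)
            dom = dom.upper()
            if dom not in DOMAIN_SIDS or (dom, user) not in DOMAIN_RIDS:
                return None
            return f"{DOMAIN_SIDS[dom]}-{DOMAIN_RIDS[(dom, user)]}"
    uid = LOCAL_UIDS.get(name)
    return None if uid is None else f"{UNIX_USERS_AUTHORITY}-{uid}"


def domain_token(domain: str, user: str) -> Token:
    """Token a domain user gets on a member server: the domain SID, never the local one."""
    return Token({f"{DOMAIN_SIDS[domain]}-{DOMAIN_RIDS[(domain, user)]}"})


def user_ok(valid_users: str, service: str, token: Token) -> bool:
    """True if any 'valid users' entry (after %S expansion) resolves to a SID in the token."""
    for entry in valid_users.split():
        sid = resolve_name(entry.replace("%S", service))
        if sid is not None and sid in token.sids:
            return True
    return False


if __name__ == "__main__":
    tok = domain_token("VALE", "jerry")
    print(user_ok("%S", "jerry", tok))       # False: %S -> local S-1-22-1-780, not in token
    print(user_ok("VALE+%S", "jerry", tok))  # True: qualified name -> domain SID
```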