New approach to "valid users" fix

Gerald (Jerry) Carter jerry at
Fri Aug 11 21:35:01 GMT 2006

Volker Lendecke wrote:
> On Fri, Aug 11, 2006 at 02:01:38PM -0500, Gerald (Jerry) Carter wrote:
>> NT user token of user S-1-5-21-2547222302-1596225915-2414751004-2560
>> contains 13 SIDs
>> SID[  0]: S-1-5-21-2547222302-1596225915-2414751004-2560
>> SID[  1]: S-1-22-2-100
> Isn't that going to kill a PDC the same way Jeremy's patch
> did lately? The primary group SID (the first one in the
> list) MUST be in the user's domain.

I tested connecting to a member server joined to an
LDAP based PDC for a user with an unmapped primary
group.  This was the server that failed before.

$ id lizard
uid=1004(lizard) gid=100(users)

The token looks like:

NT user token of user S-1-5-21-2547222302-1596225915-2414751004-3008
contains 4 SIDs
SID[  0]: S-1-5-21-2547222302-1596225915-2414751004-3008
SID[  1]: S-1-1-0
SID[  2]: S-1-5-2
SID[  3]: S-1-5-11

usrmgr.exe reports Domain Users as the primary group.
The relevant portion of the NetSamlogon reply is

        0064 logon_count   : 0000
        0066 bad_pw_count  : 0000
        0068 user_rid      : 00000bc0
        006c group_rid     : 00000201
        0070 num_groups    : 00000000
        0074 buffer_groups : 00000001
        0078 user_flgs     : 00000020

I think we are ok.  But if someone has an smbpasswd based PDC
and would like to confirm my results, that would be great.

cheers, jerry
Samba                                    -------
Centeris                         -----------
"What man is a man who does not make the world better?"      --Balian


More information about the samba-technical mailing list
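
The check discussed in this message, as an added example that is not part of the original post or of Samba's code: it parses the token dump and the NetSamlogon fields quoted above, rebuilds the primary group SID from the user's domain plus group_rid, and tests whether a SID lies in the user's domain. The function names are hypothetical and the sample text is constructed from the values in the message.

```python
import re

# Constructed sample input, copied from the values quoted in the message.
TOKEN_DUMP = """\
NT user token of user S-1-5-21-2547222302-1596225915-2414751004-3008
contains 4 SIDs
SID[  0]: S-1-5-21-2547222302-1596225915-2414751004-3008
SID[  1]: S-1-1-0
SID[  2]: S-1-5-2
SID[  3]: S-1-5-11
"""
REPLY_DUMP = """\
        0068 user_rid      : 00000bc0
        006c group_rid     : 00000201
"""

def parse_token(dump):
    """Return the SIDs listed in a 'SID[  n]: ...' token dump, in order."""
    return re.findall(r"^SID\[\s*\d+\]:\s*(S-[\d-]+)\s*$", dump, re.M)

def parse_reply(dump):
    """Return {field: int} for 'offset name : hexvalue' dump lines."""
    rows = re.findall(r"^\s*[0-9a-f]{4}\s+(\w+)\s*:\s*([0-9a-f]+)\s*$", dump, re.M)
    return {name: int(value, 16) for name, value in rows}

def split_sid(sid):
    """Split a SID string into (domain part, final RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def in_domain(sid, domain):
    """True when the SID is exactly one RID below the given domain SID."""
    return split_sid(sid)[0] == domain

def primary_group_sid(user_sid, reply):
    """Build the primary group SID from the user's domain and group_rid,
    after checking that user_rid matches the token's user SID."""
    domain, rid = split_sid(user_sid)
    if reply["user_rid"] != rid:
        raise ValueError("reply is for a different user")
    return f"{domain}-{reply['group_rid']}"

if __name__ == "__main__":
    user = parse_token(TOKEN_DUMP)[0]
    print(primary_group_sid(user, parse_reply(REPLY_DUMP)))
```
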