New approach to "valid users" fix
jra at samba.org
Fri Aug 11 23:14:38 GMT 2006
On Fri, Aug 11, 2006 at 04:35:01PM -0500, Gerald (Jerry) Carter wrote:
> Volker Lendecke wrote:
> > On Fri, Aug 11, 2006 at 02:01:38PM -0500, Gerald (Jerry) Carter wrote:
> >> NT user token of user S-1-5-21-2547222302-1596225915-2414751004-2560
> >> contains 13 SIDs
> >> SID[ 0]: S-1-5-21-2547222302-1596225915-2414751004-2560
> >> SID[ 1]: S-1-22-2-100
> > Isn't that going to kill a PDC the same way Jeremy's patch
> > did lately? The primary group SID (the first one in the
> > list) MUST be in the user's domain.
> I tested connecting to a member server joined to an
> LDAP based PDC for a user with an unmapped primary
> group. This was the server that failed before.
> $ id lizard
> uid=1004(lizard) gid=100(users)
> The token looks like:
> NT user token of user S-1-5-21-2547222302-1596225915-2414751004-3008
> contains 4 SIDs
> SID[ 0]: S-1-5-21-2547222302-1596225915-2414751004-3008
> SID[ 1]: S-1-1-0
> SID[ 2]: S-1-5-2
> SID[ 3]: S-1-5-11
> usrmgr.exe reports Domain Users as the primary group.
> The relevant portion of the NetSamlogon reply is
> 0064 logon_count : 0000
> 0066 bad_pw_count : 0000
> 0068 user_rid : 00000bc0
> 006c group_rid : 00000201
> 0070 num_groups : 00000000
> 0074 buffer_groups : 00000001
> 0078 user_flgs : 00000020
> I think we are ok. But if someone has an smbpasswd based PDC
> and would like to confirm my results, that would be great.
Yes we're ok - it's the code in here:
that ensures the primary group sid is always a domain group
sid and is called by the SAMR calls to get the token to
return to a member server.
The user token listed here is how the user is represented
on a connection to the PDC, not how the token is returned
to a netlogon.
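As an added illustration of the check Volker raises above (this is example code written for this page, not Samba's token code or anything posted in the thread), the functions below parse a token dump in the quoted format, test whether SID[1] (the primary group, as the thread treats it) lies in the user's own domain, and rebuild the primary group SID from the NetSamlogon group_rid field. The sample dump is constructed from the values quoted in the thread; the SID[1]-is-primary-group convention and the hex field layout are assumptions taken from the quoted output.

```python
import re

# Constructed sample in the format quoted in the thread (not captured from a live server).
TOKEN_DUMP = """\
NT user token of user S-1-5-21-2547222302-1596225915-2414751004-3008 contains 4 SIDs
SID[ 0]: S-1-5-21-2547222302-1596225915-2414751004-3008
SID[ 1]: S-1-1-0
SID[ 2]: S-1-5-2
SID[ 3]: S-1-5-11
"""

# Matches lines such as "SID[ 1]: S-1-1-0" and captures the index and the SID string.
SID_RE = re.compile(r"SID\[\s*(\d+)\]:\s*(S-1-[\d-]+)")


def parse_token(dump):
    """Return the SIDs of a token dump as a list ordered by their SID[n] index."""
    sids = {}
    for line in dump.splitlines():
        m = SID_RE.search(line)
        if m:
            sids[int(m.group(1))] = m.group(2)
    return [sids[i] for i in sorted(sids)]


def domain_of(sid):
    """Strip the trailing RID: S-1-5-21-a-b-c-RID becomes S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def primary_group_in_user_domain(sids):
    """True when SID[1] (primary group) is in the same domain as SID[0] (user).

    Well-known SIDs such as S-1-1-0 and Unix-mapped SIDs such as S-1-22-2-100
    fail this test, which is the condition the thread says a PDC must not emit.
    """
    if len(sids) < 2:
        return False
    user, primary = sids[0], sids[1]
    return user.startswith("S-1-5-21-") and domain_of(primary) == domain_of(user)


def primary_group_from_samlogon(user_sid, group_rid_hex):
    """Build the primary group SID from the NetSamlogon group_rid field (hex as dumped)."""
    return f"{domain_of(user_sid)}-{int(group_rid_hex, 16)}"
```

With the quoted reply fields, group_rid 00000201 is RID 513, so the primary group resolves to the domain's Domain Users SID, matching what usrmgr.exe reported.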