uid_to_sid issues since 2.0.23 with servers under Samba NT domain
buc at odusz.so-cdu.ru
Thu Aug 31 16:51:25 GMT 2006
I have a Samba server, which is a member of the Samba NT (+OpenLDAP +
UNIX etc.) domain. Winbind is running on that server too. No any
"idmap"s used, just direct "unix uid" to "samba sid" mapping at DC.
Since the upgrade to 2.0.23 some "uid==>sid" issues have appeared.
I have the option "hide unreadable = yes". With 2.0.23, some files which
are actually readable appear as unreadable. The reason is Samba uses
"local sid prefix" when compute SID from file's uid/gid, instead of the
"domain sid prefix".
Looking at source/passdb/lookup_sid.c:uid_to_sid() :
If "lp_server_role() == ROLE_DOMAIN_MEMBER", then
"winbind_uid_to_sid()" is called, and all is fine.
the role check have disappeared. As a result, winbind_uid_to_sid() is
not called, and pdb_uid_to_rid() is used instead. With the default
passdb (smbpasswd) it knows nothing about my domain...
I've tried to use "passdb backend = ldapsam", but this trying was
unsuccessful because Samba requires ldap admin password in this case,
and I don't wanna give that password for this server...
Is it a feature or a bug?
If it is a new behaviour, how can I cause uid_to_sid() to use
winbind_uid_to_sid() in my environment?
Please note, that no any algorithmic rids/idmaps etc are used in my
case. Winbind just received sids from the Samba DC servers, which store
uid/sid etc. at the OpenLDAP backend.
Fedora Extras/Livna co-maintainer, RHCE
More information about the samba-technical