SAMR_SET_USERINFO on Windows NT

Moritz Mühlenhoff muehlenhoff at univention.de
Wed Jun 27 12:54:17 GMT 2007


Hi,
we noticed a problem with domain joins on Windows NT4 when using the LDAP 
backend. This is a different issue than the one solved with the patch 
referenced in http://lists.samba.org/archive/samba/2006-December/127605.html.

From rpc_server/srv_samr_util.c, function copy_id23_to_sam_passwd():

if (from->fields_present & ACCT_PRIMARY_GID) {
	if (from->group_rid == 0) {
		DEBUG(10, ("INFO_23: Asked to set Group RID to 0 !? Skipping change!\n"));
	} else if (from->group_rid != pdb_get_group_rid(to)) {
		DEBUG(10,("INFO_23 GROUP_RID: %u -> %u\n",pdb_get_group_rid(to),from->group_rid));
		pdb_set_group_sid_from_rid(to, from->group_rid, PDB_CHANGED);
	}
}

In the log we find:

[2007/06/27 00:30:25, 5] passdb/pdb_interface.c:pdb_default_lookup_rids(1601)
  lookup_rids: Windows Hosts:2
[2007/06/27 00:30:25, 10] passdb/lookup_sid.c:lookup_sid(867)
  Sid S-1-5-21-735105577-1126129934-2591602541-11011 -> HOSTS3\Windows Hosts(2)
[2007/06/27 00:30:25, 10] rpc_server/srv_samr_util.c:copy_id23_to_sam_passwd(485)
  INFO_23 GROUP_RID: 11011 -> 513

11011 is the correct RID for "Windows Hosts", however 513 is "Domain Users", 
which causes subsequent breakages such as object class violations in LDAP.

Apparently the value is taken directly from the SAMR_SET_USERINFO packet, as 
0x201 results in 513.

[2007/06/27 00:30:25, 5] rpc_parse/parse_prs.c:prs_uint32(704)
              00bc group_rid     : 00000201

However, if compared with a Windows XP client no such RID is passed from 
Windows:

[2007/04/21 04:04:21, 5] rpc_parse/parse_prs.c:prs_uint32(704)
              00bc group_rid     : 00000000

This didn't cause problems up to 3.0.22, but with later versions (likely 
caused by the user and group changes in 3.0.23) this results in NT4 clients 
no longer being able to join (at least with the LDAP backend).

Is this known Windows behaviour or a known Samba bug? Does anyone know a 
workaround or fix?

Cheers,
Moritz
-- 
Moritz Muehlenhoff muehlenhoff at univention.de     fon: +49 421 22 232- 0
Development        Linux for Your Business       fax: +49 421 22 232-99
Univention GmbH    http://www.univention.de/   mobil: +49 175 22 999 23
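
Added example, not part of the original post and not Samba code: a small Python
scanner for a level-10 Samba log that reports every INFO_23 GROUP_RID change and
marks whether the new RID matches the non-zero group_rid last parsed from a
request. It assumes the log format shown in the excerpts above; the function
name and the sample log are constructed for illustration.

```python
import re

# "[2007/06/27 00:30:25, 10] file:function(line)" starts each debug entry.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]")
# Wire value dumped by prs_uint32(): "00bc group_rid     : 00000201" (hex).
WIRE_RID = re.compile(r"\bgroup_rid\s*:\s*([0-9a-fA-F]{8})\s*$")
# Debug message from copy_id23_to_sam_passwd() (decimal RIDs).
RID_CHANGE = re.compile(r"INFO_23\s+GROUP_RID:\s*(\d+)\s*->\s*(\d+)")


def find_group_rid_rewrites(lines):
    """Return one dict per primary-group change found in a level-10 log.

    'from_wire' is True when the new RID equals the last non-zero group_rid
    parsed from a request, i.e. the client supplied the value.
    """
    timestamp, wire_rid, hits = None, 0, []
    for line in lines:
        header = HEADER.match(line)
        if header:
            timestamp = header.group(1)
            continue
        wire = WIRE_RID.search(line)
        if wire:
            wire_rid = int(wire.group(1), 16)  # 0x201 -> 513
            continue
        change = RID_CHANGE.search(line)
        if change:
            old, new = int(change.group(1)), int(change.group(2))
            hits.append({"time": timestamp, "old_rid": old, "new_rid": new,
                         "from_wire": wire_rid != 0 and new == wire_rid})
    return hits


# Constructed sample, assembled from the excerpts quoted in the post.
SAMPLE_LOG = """\
[2007/06/27 00:30:25, 5] rpc_parse/parse_prs.c:prs_uint32(704)
              00bc group_rid     : 00000201
[2007/06/27 00:30:25, 10] rpc_server/srv_samr_util.c:copy_id23_to_sam_passwd(485)
  INFO_23 GROUP_RID: 11011 -> 513
[2007/04/21 04:04:21, 5] rpc_parse/parse_prs.c:prs_uint32(704)
              00bc group_rid     : 00000000
""".splitlines()

if __name__ == "__main__":
    for hit in find_group_rid_rewrites(SAMPLE_LOG):
        print(hit)
```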

