incorrect sid assigned to local user root?

Marc-andré Labonté marc-andre.labonte at mail.mcgill.ca
Mon Jul 14 22:55:49 GMT 2008 

Hi all,

    What i'm about to say is directly related to my previous post in the
general mailing list,
http://lists.samba.org/archive/samba/2008-July/141980.html, but i think
the following belongs to the technical mailing list because, yes, there
will be code.

    To make a long story shot, while both versions of samba i tested
correctly map the domain admin as the root user, it seems that samba
3.2.0 assign a bad sid (S-1-22-1) to root.  Therefore,
sid_check_is_in_unix_users() will fail and samba will ultimately try
winbind to lookup the local root user.  Obviously, winbind will fail to
lookup that bogus sid (S-1-22-513) as root's primary group sid as we can
see in the following line in the logs:

[2008/07/14 17:35:28,  1] auth/auth_util.c:create_token_from_username(932)
sid_to_gid(S-1-22-513) failed

On the client side, i get NT_STATUS_LOGON_FAILURE

   Samba 3.0.30 assign sid S-1-22-1-0 to user root,
sid_check_is_in_unix_users() succeed and nss is used to lookup root's 
primary group.   Access is granted as it should.


Here is the long story.  My quest begun at
auth/auth_util.c:create_token_from_username(932), being hinted by that
suspicious log message.  I added a few DEBUG()s to make samba more
verbose then i looked at the logs as i was trying to login as the domain
administrator.

Lines added in Samba 3.0.30

"auth/auth_util.c" line 1120

id_to_sid(&unix_group_sid, *uid);
DEBUG(0, ("[samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, sid of user
%s: %s\n", username, sid_string_static(&unix_group_sid)) );
DEBUG(0, ("[samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, global sid
of unmapped unix users: %s\n", sid_string_static(&global_sid_Unix_Users)) );

"auth/auth_util.c" line 1171

Logs i got:

DEBUG(0, ("[samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, we need to
ask nss directly\n") );

  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2008/07/14 17:44:14, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/07/14 17:44:14, 10] passdb/lookup_sid.c:lookup_name(70)
  lookup_name: Unix User\root => Unix User (domain), root (name)
[2008/07/14 17:44:14, 10] passdb/lookup_sid.c:lookup_name(71)
  lookup_name: flags = 0x073
[2008/07/14 17:44:14, 10] lib/util_pw.c:getpwnam_alloc(76)
  Got root from pwnam_cache
[2008/07/14 17:44:14, 10] passdb/lookup_sid.c:sid_to_uid(1407)
  sid S-1-22-1-0 -> uid 0
[2008/07/14 17:44:14, 10] passdb/lookup_sid.c:uid_to_sid(1348)
  uid 0 -> sid S-1-22-1-0
[2008/07/14 17:44:14, 0] auth/auth_util.c:create_token_from_username(1121)
  [samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, sid of user root:
S-1-22-1-0
[2008/07/14 17:44:14, 0] auth/auth_util.c:create_token_from_username(1122)
  [samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, global sid of
unmapped unix users: S-1-22-1
[2008/07/14 17:44:14, 0] auth/auth_util.c:create_token_from_username(1171)
  [samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, we need to ask nss
directly


Lines added in Samba 3.2.0

"auth/auth_util.c" line 802

uid_to_sid(&unix_group_sid, *uid);
DEBUG(0, ("[samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, sid of user
%s: %s\n", username, sid_string_dbg(&unix_group_sid)) );
DEBUG(0, ("[samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, global sid of
unmapped unix users: %s\n", sid_string_dbg(&global_sid_Unix_Users)) );

"auth/auth_util.c" line 917

DEBUG(0, ("[samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, user is from
winbind\n") );

Logs i got :


  Primary group is 0 and contains 0 supplementary groups
[2008/07/14 17:35:28,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/07/14 17:35:28, 10] passdb/lookup_sid.c:lookup_name(69)
  lookup_name: Unix User\root => Unix User (domain), root (name)
[2008/07/14 17:35:28, 10] passdb/lookup_sid.c:lookup_name(70)
  lookup_name: flags = 0x073
[2008/07/14 17:35:28,  0] auth/auth_util.c:create_token_from_username(803)
  [samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, sid of user root: S-1-22-1
[2008/07/14 17:35:28,  0] auth/auth_util.c:create_token_from_username(804)
  [samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, global sid of unmapped
unix users: S-1-22-1
[2008/07/14 17:35:28,  0] auth/auth_util.c:create_token_from_username(917)
  [samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, user is from winbind
[2008/07/14 17:35:28, 10] passdb/lookup_sid.c:sid_to_gid(1426)
  winbind failed to find a gid for sid S-1-22-513
[2008/07/14 17:35:28,  1] auth/auth_util.c:create_token_from_username(932)
  sid_to_gid(S-1-22-513) failed
[2008/07/14 17:35:28, 10]
auth/auth_ntlmssp.c:auth_ntlmssp_check_password(131)
  create_local_token failed: NT_STATUS_NO_SUCH_USER
[2008/07/14 17:35:28,  3] smbd/error.c:error_packet_set(61)
  error packet at smbd/sesssetup.c(127) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2008/07/14 17:35:28,  5] lib/util.c:show_msg(645)
[2008/07/14 17:35:28,  5] lib/util.c:show_msg(655)



My question is why samba 3.2.0 assign a different SID to root?, does it
act like this on purpose?  I can feel my path will lead me to
lookup_name() in passdb/lookup_sid.c.  I'm kindly asking for your help

Cheers

Marc-andré

More information about the samba-technical mailing list