incorrect sid assigned to local user root?
Marc-andré Labonté
marc-andre.labonte at mail.mcgill.ca
Mon Jul 14 22:55:49 GMT 2008
Hi all,
What I'm about to say is directly related to my previous post in the
general mailing list,
http://lists.samba.org/archive/samba/2008-July/141980.html, but I think
the following belongs to the technical mailing list because, yes, there
will be code.
To make a long story short, while both versions of samba I tested
correctly map the domain admin as the root user, it seems that samba
3.2.0 assigns a bad sid (S-1-22-1) to root. Therefore,
sid_check_is_in_unix_users() will fail and samba will ultimately try
winbind to look up the local root user. Obviously, winbind will fail to
look up that bogus sid (S-1-22-513) as root's primary group sid, as we can
see in the following line in the logs:
[2008/07/14 17:35:28, 1] auth/auth_util.c:create_token_from_username(932)
sid_to_gid(S-1-22-513) failed
On the client side, I get NT_STATUS_LOGON_FAILURE.
Samba 3.0.30 assigns sid S-1-22-1-0 to user root,
sid_check_is_in_unix_users() succeeds and nss is used to look up root's
primary group. Access is granted as it should be.
Here is the long story. My quest began at
auth/auth_util.c:create_token_from_username(932), being hinted by that
suspicious log message. I added a few DEBUG()s to make samba more
verbose, then I looked at the logs as I was trying to log in as the domain
administrator.
Lines added in Samba 3.0.30
"auth/auth_util.c" line 1120
uid_to_sid(&unix_group_sid, *uid);
DEBUG(0, ("[samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, sid of user %s: %s\n", username, sid_string_static(&unix_group_sid)) );
DEBUG(0, ("[samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, global sid of unmapped unix users: %s\n", sid_string_static(&global_sid_Unix_Users)) );
"auth/auth_util.c" line 1171
DEBUG(0, ("[samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, we need to ask nss directly\n") );
Logs I got:
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2008/07/14 17:44:14, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/07/14 17:44:14, 10] passdb/lookup_sid.c:lookup_name(70)
lookup_name: Unix User\root => Unix User (domain), root (name)
[2008/07/14 17:44:14, 10] passdb/lookup_sid.c:lookup_name(71)
lookup_name: flags = 0x073
[2008/07/14 17:44:14, 10] lib/util_pw.c:getpwnam_alloc(76)
Got root from pwnam_cache
[2008/07/14 17:44:14, 10] passdb/lookup_sid.c:sid_to_uid(1407)
sid S-1-22-1-0 -> uid 0
[2008/07/14 17:44:14, 10] passdb/lookup_sid.c:uid_to_sid(1348)
uid 0 -> sid S-1-22-1-0
[2008/07/14 17:44:14, 0] auth/auth_util.c:create_token_from_username(1121)
[samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, sid of user root:
S-1-22-1-0
[2008/07/14 17:44:14, 0] auth/auth_util.c:create_token_from_username(1122)
[samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, global sid of
unmapped unix users: S-1-22-1
[2008/07/14 17:44:14, 0] auth/auth_util.c:create_token_from_username(1171)
[samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, we need to ask nss
directly
Lines added in Samba 3.2.0
"auth/auth_util.c" line 802
uid_to_sid(&unix_group_sid, *uid);
DEBUG(0, ("[samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, sid of user %s: %s\n", username, sid_string_dbg(&unix_group_sid)) );
DEBUG(0, ("[samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, global sid of unmapped unix users: %s\n", sid_string_dbg(&global_sid_Unix_Users)) );
"auth/auth_util.c" line 917
DEBUG(0, ("[samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, user is from winbind\n") );
Logs I got:
Primary group is 0 and contains 0 supplementary groups
[2008/07/14 17:35:28, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/07/14 17:35:28, 10] passdb/lookup_sid.c:lookup_name(69)
lookup_name: Unix User\root => Unix User (domain), root (name)
[2008/07/14 17:35:28, 10] passdb/lookup_sid.c:lookup_name(70)
lookup_name: flags = 0x073
[2008/07/14 17:35:28, 0] auth/auth_util.c:create_token_from_username(803)
[samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, sid of user root: S-1-22-1
[2008/07/14 17:35:28, 0] auth/auth_util.c:create_token_from_username(804)
[samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, global sid of unmapped
unix users: S-1-22-1
[2008/07/14 17:35:28, 0] auth/auth_util.c:create_token_from_username(917)
[samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, user is from winbind
[2008/07/14 17:35:28, 10] passdb/lookup_sid.c:sid_to_gid(1426)
winbind failed to find a gid for sid S-1-22-513
[2008/07/14 17:35:28, 1] auth/auth_util.c:create_token_from_username(932)
sid_to_gid(S-1-22-513) failed
[2008/07/14 17:35:28, 10]
auth/auth_ntlmssp.c:auth_ntlmssp_check_password(131)
create_local_token failed: NT_STATUS_NO_SUCH_USER
[2008/07/14 17:35:28, 3] smbd/error.c:error_packet_set(61)
error packet at smbd/sesssetup.c(127) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2008/07/14 17:35:28, 5] lib/util.c:show_msg(645)
[2008/07/14 17:35:28, 5] lib/util.c:show_msg(655)
My question is: why does samba 3.2.0 assign a different SID to root? Does it
act like this on purpose? I can feel my path will lead me to
lookup_name() in passdb/lookup_sid.c. I'm kindly asking for your help.
Cheers
Marc-andré
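
The two SIDs in the logs above, run through a domain-membership check, as an added example that is not part of the original post and is not Samba's code. The struct and function names are hypothetical, and the step that replaces the last sub-authority with RID 513 (Domain Users) is an assumption inferred from the logged S-1-22-513.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_SUBS 15
/* Simplified SID "S-1-<auth>-<sub>...": illustrative, not Samba's own type. */
struct sid { unsigned long auth; int num; unsigned long sub[MAX_SUBS]; };

/* Parse a SID string; returns 0 on success, -1 on malformed input. */
static int sid_parse(const char *s, struct sid *out)
{
    char *end;
    if (strncmp(s, "S-1-", 4) != 0 || !isdigit((unsigned char)s[4])) return -1;
    out->auth = strtoul(s + 4, &end, 10);
    for (out->num = 0; *end == '-'; out->num++) {
        if (out->num == MAX_SUBS || !isdigit((unsigned char)end[1])) return -1;
        out->sub[out->num] = strtoul(end + 1, &end, 10);
    }
    return *end == '\0' ? 0 : -1;
}

/* 1 if user_sid is S-1-22-1 (Unix Users) plus exactly one RID, 0 if not, -1 on error. */
static int in_unix_users(const char *user_sid)
{
    struct sid u, d;
    if (sid_parse(user_sid, &u) != 0 || sid_parse("S-1-22-1", &d) != 0) return -1;
    if (u.auth != d.auth || u.num != d.num + 1) return 0;
    return memcmp(u.sub, d.sub, d.num * sizeof(d.sub[0])) == 0;
}

/* Assumption from the logs: the group SID is the user SID with its RID set to 513. */
static int domain_users_sid(const char *user_sid, char *buf, size_t len)
{
    struct sid s; int i, n;
    if (sid_parse(user_sid, &s) != 0 || s.num == 0) return -1;
    s.sub[s.num - 1] = 513;
    n = snprintf(buf, len, "S-1-%lu", s.auth);
    for (i = 0; i < s.num && n < (int)len; i++)
        n += snprintf(buf + n, len - n, "-%lu", s.sub[i]);
    return n < (int)len ? 0 : -1;
}

int main(void)
{
    const char *sids[] = { "S-1-22-1-0", "S-1-22-1" }; /* values from the two logs */
    char grp[64];
    for (int i = 0; i < 2; i++)
        if (domain_users_sid(sids[i], grp, sizeof grp) == 0)
            printf("%-10s unix_users=%d rid513=%s\n", sids[i], in_unix_users(sids[i]), grp);
}
```

A user SID equal to the bare domain SID has no RID of its own, so the membership check fails and the RID swap overwrites the domain's last sub-authority instead.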