incorrect sid assigned to local user root?

Jeremy Allison jra at samba.org
Wed Jul 16 00:43:54 GMT 2008


On Mon, Jul 14, 2008 at 06:55:49PM -0400, Marc-andré Labonté wrote:
> Hi all,
> 
>     What I'm about to say is directly related to my previous post in the
> general mailing list,
> http://lists.samba.org/archive/samba/2008-July/141980.html, but I think
> the following belongs to the technical mailing list because, yes, there
> will be code.
> 
>     To make a long story short, while both versions of samba I tested
> correctly map the domain admin as the root user, it seems that samba
> 3.2.0 assigns a bad sid (S-1-22-1) to root.  Therefore,
> sid_check_is_in_unix_users() will fail and samba will ultimately try
> winbind to look up the local root user.  Obviously, winbind will fail to
> look up that bogus sid (S-1-22-513) as root's primary group sid, as we can
> see in the following line in the logs:
> 
> [2008/07/14 17:35:28,  1] auth/auth_util.c:create_token_from_username(932)
> sid_to_gid(S-1-22-513) failed
> 
> On the client side, I get NT_STATUS_LOGON_FAILURE
> 
>    Samba 3.0.30 assigns sid S-1-22-1-0 to user root,
> sid_check_is_in_unix_users() succeeds and nss is used to look up root's 
> primary group.   Access is granted as it should be.
> 
> 
> Here is the long story.  My quest began at
> auth/auth_util.c:create_token_from_username(932), being hinted by that
> suspicious log message.  I added a few DEBUG()s to make samba more
> verbose, then I looked at the logs as I was trying to log in as the domain
> administrator.
> 
> Lines added in Samba 3.0.30
> 
> "auth/auth_util.c" line 1120
> 
> id_to_sid(&unix_group_sid, *uid);
> DEBUG(0, ("[samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, sid of user %s: %s\n", username, sid_string_static(&unix_group_sid)) );
> DEBUG(0, ("[samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, global sid of unmapped unix users: %s\n", sid_string_static(&global_sid_Unix_Users)) );
> 
> "auth/auth_util.c" line 1171
> 
> DEBUG(0, ("[samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, we need to ask nss directly\n") );
> 
> Logs I got:
> 
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2008/07/14 17:44:14, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2008/07/14 17:44:14, 10] passdb/lookup_sid.c:lookup_name(70)
>   lookup_name: Unix User\root => Unix User (domain), root (name)
> [2008/07/14 17:44:14, 10] passdb/lookup_sid.c:lookup_name(71)
>   lookup_name: flags = 0x073
> [2008/07/14 17:44:14, 10] lib/util_pw.c:getpwnam_alloc(76)
>   Got root from pwnam_cache
> [2008/07/14 17:44:14, 10] passdb/lookup_sid.c:sid_to_uid(1407)
>   sid S-1-22-1-0 -> uid 0
> [2008/07/14 17:44:14, 10] passdb/lookup_sid.c:uid_to_sid(1348)
>   uid 0 -> sid S-1-22-1-0
> [2008/07/14 17:44:14, 0] auth/auth_util.c:create_token_from_username(1121)
>   [samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, sid of user root:
> S-1-22-1-0
> [2008/07/14 17:44:14, 0] auth/auth_util.c:create_token_from_username(1122)
>   [samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, global sid of
> unmapped unix users: S-1-22-1
> [2008/07/14 17:44:14, 0] auth/auth_util.c:create_token_from_username(1171)
>   [samba 3.0.30]marc-andre.labonte at mail.mcgill.ca, we need to ask nss
> directly
> 
> 
> Lines added in Samba 3.2.0
> 
> "auth/auth_util.c" line 802
> 
> uid_to_sid(&unix_group_sid, *uid);
> DEBUG(0, ("[samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, sid of user %s: %s\n", username, sid_string_dbg(&unix_group_sid)) );
> DEBUG(0, ("[samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, global sid of unmapped unix users: %s\n", sid_string_dbg(&global_sid_Unix_Users)) );
> 
> "auth/auth_util.c" line 917
> 
> DEBUG(0, ("[samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, user is from winbind\n") );
> 
> Logs I got:
> 
> 
>   Primary group is 0 and contains 0 supplementary groups
> [2008/07/14 17:35:28,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2008/07/14 17:35:28, 10] passdb/lookup_sid.c:lookup_name(69)
>   lookup_name: Unix User\root => Unix User (domain), root (name)
> [2008/07/14 17:35:28, 10] passdb/lookup_sid.c:lookup_name(70)
>   lookup_name: flags = 0x073
> [2008/07/14 17:35:28,  0] auth/auth_util.c:create_token_from_username(803)
>   [samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, sid of user root: S-1-22-1
> [2008/07/14 17:35:28,  0] auth/auth_util.c:create_token_from_username(804)
>   [samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, global sid of unmapped
> unix users: S-1-22-1
> [2008/07/14 17:35:28,  0] auth/auth_util.c:create_token_from_username(917)
>   [samba 3.2.0]marc-andre.labonte at mail.mcgill.ca, user is from winbind
> [2008/07/14 17:35:28, 10] passdb/lookup_sid.c:sid_to_gid(1426)
>   winbind failed to find a gid for sid S-1-22-513
> [2008/07/14 17:35:28,  1] auth/auth_util.c:create_token_from_username(932)
>   sid_to_gid(S-1-22-513) failed
> [2008/07/14 17:35:28, 10]
> auth/auth_ntlmssp.c:auth_ntlmssp_check_password(131)
>   create_local_token failed: NT_STATUS_NO_SUCH_USER
> [2008/07/14 17:35:28,  3] smbd/error.c:error_packet_set(61)
>   error packet at smbd/sesssetup.c(127) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> [2008/07/14 17:35:28,  5] lib/util.c:show_msg(645)
> [2008/07/14 17:35:28,  5] lib/util.c:show_msg(655)
> 
> 
> 
> My question is: why does samba 3.2.0 assign a different SID to root? Does it
> act like this on purpose?  I can feel my path will lead me to
> lookup_name() in passdb/lookup_sid.c.  I'm kindly asking for your help

Good analysis - thanks.

Can you add a debug statement to lookup_name that prints
out all the incoming arguments in Samba 3.2.0 and post
the debug messages you're getting.

The problem is definitely the mis-assignment of S-1-22-1
to root instead of S-1-22-1-0 in your case, now we need
to understand why that happens.

Jeremy.
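The distinction the thread turns on is that S-1-22-1 is the domain SID for unmapped Unix users, while a local user's own SID is that domain plus the uid as RID (S-1-22-1-0 for root). The following is an added example, not Samba code from either poster: it models that check with a toy SID type (the struct, the parser and the names `route_user_sid`, `sid_check_is_in_domain` are all constructed for illustration, not Samba's API) so you can see why the membership test passes for S-1-22-1-0 and fails for the bare S-1-22-1 reported by 3.2.0, sending the lookup to winbind, which cannot resolve it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy SID type for this example; Samba's own struct dom_sid is laid out differently. */
#define MAX_SUB_AUTHS 15
typedef struct {
    uint8_t  rev;                      /* SID revision, always 1 */
    uint8_t  num_auths;                /* sub-authorities in use */
    uint32_t id_auth;                  /* identifier authority; 22 is the "Unix" authority */
    uint32_t sub_auths[MAX_SUB_AUTHS];
} unix_sid;

/* S-1-22-1 and S-1-22-2: domain SIDs for unmapped Unix users and groups
 * (the values behind Samba's global_sid_Unix_Users / global_sid_Unix_Groups). */
static const unix_sid global_sid_unix_users  = { 1, 1, 22, { 1 } };
static const unix_sid global_sid_unix_groups = { 1, 1, 22, { 2 } };

/* uid -> S-1-22-1-<uid>: the domain SID with the uid appended as the RID. */
void uid_to_unix_users_sid(unix_sid *out, uint32_t uid) {
    *out = global_sid_unix_users;
    out->sub_auths[out->num_auths++] = uid;
}

/* gid -> S-1-22-2-<gid>. */
void gid_to_unix_groups_sid(unix_sid *out, uint32_t gid) {
    *out = global_sid_unix_groups;
    out->sub_auths[out->num_auths++] = gid;
}

/* Render as "S-<rev>-<auth>-<sub>-..."; returns buf. */
const char *sid_to_string(const unix_sid *sid, char *buf, size_t buflen) {
    size_t n = (size_t)snprintf(buf, buflen, "S-%u-%u", (unsigned)sid->rev, (unsigned)sid->id_auth);
    for (int i = 0; i < sid->num_auths && n < buflen; i++)
        n += (size_t)snprintf(buf + n, buflen - n, "-%u", (unsigned)sid->sub_auths[i]);
    return buf;
}

/* Parse "S-1-22-1-0" style text; false on malformed input (hypothetical helper). */
bool string_to_sid(unix_sid *out, const char *s) {
    unsigned rev, auth;
    int used = 0;
    memset(out, 0, sizeof *out);
    if (sscanf(s, "S-%u-%u%n", &rev, &auth, &used) != 2 || used == 0) return false;
    out->rev = (uint8_t)rev;
    out->id_auth = auth;
    for (const char *p = s + used; *p != '\0'; p += used) {
        unsigned sub;
        used = 0;
        if (out->num_auths >= MAX_SUB_AUTHS || sscanf(p, "-%u%n", &sub, &used) != 1 || used == 0)
            return false;
        out->sub_auths[out->num_auths++] = sub;
    }
    return true;
}

/* True only if sid is <domain>-<rid>: identical prefix plus exactly one extra sub-authority.
 * The bare domain SID itself therefore does NOT count as being "in" the domain. */
bool sid_check_is_in_domain(const unix_sid *sid, const unix_sid *domain) {
    if (sid->rev != domain->rev || sid->id_auth != domain->id_auth) return false;
    if (sid->num_auths != domain->num_auths + 1) return false;
    return memcmp(sid->sub_auths, domain->sub_auths,
                  domain->num_auths * sizeof domain->sub_auths[0]) == 0;
}

bool sid_check_is_in_unix_users(const unix_sid *sid) {
    return sid_check_is_in_domain(sid, &global_sid_unix_users);
}

typedef enum { ROUTE_LOCAL_NSS, ROUTE_WINBIND, ROUTE_MALFORMED } sid_route;

/* The decision the thread describes: a SID inside S-1-22-1 is resolved locally through
 * nss; anything else, including the bare domain SID S-1-22-1, is handed to winbind. */
sid_route route_user_sid(const char *sid_str) {
    unix_sid sid;
    if (!string_to_sid(&sid, sid_str)) return ROUTE_MALFORMED;
    return sid_check_is_in_unix_users(&sid) ? ROUTE_LOCAL_NSS : ROUTE_WINBIND;
}

int main(void) {
    /* Constructed inputs: the SIDs the thread reports for root under 3.0.30 and 3.2.0,
     * plus the primary-group SID that winbind failed to resolve. */
    const char *observed[] = { "S-1-22-1-0", "S-1-22-1", "S-1-22-513" };
    static const char *names[] = { "local nss lookup", "handed to winbind", "malformed" };
    unix_sid sid;
    char buf[64];
    uid_to_unix_users_sid(&sid, 0);
    printf("uid 0 -> %s\n", sid_to_string(&sid, buf, sizeof buf));
    gid_to_unix_groups_sid(&sid, 0);
    printf("gid 0 -> %s\n", sid_to_string(&sid, buf, sizeof buf));
    for (size_t i = 0; i < sizeof observed / sizeof observed[0]; i++)
        printf("%-12s -> %s\n", observed[i], names[route_user_sid(observed[i])]);
    return 0;
}
```

Running it prints the 3.0.30 value S-1-22-1-0 as a local nss lookup and the 3.2.0 value S-1-22-1 as handed to winbind, which matches the two log excerpts above: the failure is not in winbind but in the SID handed to it.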

