Windows displays incorrect ACE Trustee Names when displaying ACEs for Samba server in an ADS parent/child forest?

Richard Sharpe realrichardsharpe at
Thu Jun 30 13:25:10 MDT 2011

On Thu, Jun 30, 2011 at 11:35 AM, Richard Sharpe
<realrichardsharpe at> wrote:
> Hi,
> I have noticed an interesting problem in an ADS forest where I have:
> 1. rjstest.local as the root of the forest (domain is DIFFNAME),
> 2. subtree1.rjstest.local as a subtree that is part of rjstest.local
> (domain is SUBTREE1),
> 3. A Samba 2.5.8+ member server that is joined to subtree1.rjstest.local,
> 4. A share on my Samba server called FunnyShare where
> SUBTREE1\administrator has full access and the group DIFFNAME\domain
> admins also has full access.
> When I bring up the share properties on a Windows server, it shows the
> trustee that is the SID for DIFFNAME\domain admins as SUBTREE1\Domain
> Admins.
> In looking over a capture of the Trans2, NT QUERY SECURITY DESCRIPTOR
> the correct SIDs are being returned. The only interesting thing I can
> find is that there is a DsRoleGetPrimaryDomainInformation request
> prior to the NT QUERY SECURITY DESCRIPTOR that is also directed at the
> member server which has what looks like wrong info:
> DNS Domain: subtree1.rjstest.local
> Forest:            subtree1.rjstest.local
> The second value looks wrong and should be rjstest.local, IMO.
> In looking at rpc_server/srv_dssetup_nt.c, I find this:
>        if (lp_security() == SEC_ADS) {
>                dnsdomain = talloc_strdup(ctx, lp_realm());
>                if (!dnsdomain) {
>                        return WERR_NOMEM;
>                }
>                strlower_m(dnsdomain);
>                basic->dns_domain = dnsdomain;
>                /* FIXME!! We really should fill in the correct forest
>                   name.  Should get this information from winbindd.  */
>                basic->forest = dnsdomain;
> Is it possible that this incorrect information is confusing Windows?
> It sure will confuse users, and I wonder if the correct SIDs will be
> set if we try to add ACEs from different domains via Windows.
> At the moment it is not clear if we are keeping the forest anywhere, either ...
> Comments would be useful. Am I barking up the wrong tree?

Well, a quick rebuild demonstrates that this problem has nothing to do
with DsRoleGetPrimaryDomainInformation, it seems. I hard coded the
correct info, but nothing has changed.

Richard Sharpe
