Windows displays incorrect ACE Trustee Names when displaying ACEs for Samba server in an ADS parent/child forest?

Richard Sharpe realrichardsharpe at
Thu Jun 30 17:39:31 MDT 2011

On Thu, Jun 30, 2011 at 3:33 PM, Volker Lendecke
<Volker.Lendecke at> wrote:
> On Thu, Jun 30, 2011 at 03:00:11PM -0700, Richard Sharpe wrote:
>> >> Well, a quick rebuild demonstrates that this problem has nothing to do
>> >> with DsRoleGetPrimaryDomainInfomation, it seems. I hard coded the
>> >> correct info, but nothing has changed.
>> >
>> > Verified that the same problem does not occur on a Win2K08 member
>> > server ... digging deeper now.
>> OK, so the bug seems to be in lsa_LookupSids2 ... the node requesting
>> the SecDesc is sending the lsa_LookupSids2 request to the Samba server
>> (but so it did to the Win2K08 member server) and Samba is
>> mis-translating the SIDs. It returns the domain as the same even
>> though the authorities portions are different.
>> I guess I know where to look to fix the code now.
> Even comes with patches :-)

Great, thanks ... I had tracked it down to winbindd, but now I can
stop looking :-)

Richard Sharpe

More information about the samba-technical mailing list