with most recent git master smbd fails to start in AD DC mode

Andrew Bartlett abartlet at samba.org
Sun Mar 23 00:56:59 MDT 2014


On Sat, 2014-03-22 at 20:11 -0700, Jeremy Allison wrote:
> On Sat, Mar 22, 2014 at 07:55:49PM -0700, Jeremy Allison wrote:
> > On Sun, Mar 23, 2014 at 01:03:35PM +1300, Andrew Bartlett wrote:
> > > On Sat, 2014-03-22 at 12:39 -0700, Jeremy Allison wrote:
> > > > 
> > > > username -> getpwnam() -> uid_to_sid() -> sid_to_uid() -> getpwuid() -> username
> > > 
> > > | This part                              |
> > > 
> > > doesn't happen in the AD DC case.  We start with a SID from the sam.ldb
> > > database. 
> > 
> > Are you saying this SID from the sam.ldb database doesn't
> > map to a UNIX uid ? It is only the guest SID that is causing
> > the problem for Günter.
> > 
> > I guess I don't understand what you're trying to tell
> > me here (explain like I'm five please :-).
> 
> Just to be clear what I don't understand :-).
> 
> Even if the 'username -> getpwnam() -> uid_to_sid()'
> part isn't done and we start with a SID from sam.ldb,
> if this SID is a primary user in a token (which
> it is in this case) I would expect that we must
> be able to do :
> 
> sid_to_uid() -> getpwuid()
> 
> and get back a valid 'struct passwd' coming
> from the smbd winbindd, or if we're inside the AD-DC
> code coming from the built-in winbindd.
> 
> Even if winbindd isn't running the SID
> should be from the 'legacy' uid_to_sid/sid_to_uid
> code so it should still map to a valid user
> on the system (*somewhere* inside /etc/passwd :-).
> 
> Under what circumstances is this not the
> case ?

When the getpwuid() call fails because nss_winbindd is not installed or
configured (typical and even often recommended to work around built-in
winbind issues). 

> Remember we're creating a token here which
> is then mapped into a UNIX uid+gid_list
> credential struct that can be set on the
> process, so I think it needs to mean *something*
> to the system.

Sure, it is a set of UID+GID list, just not an nss entry.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
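
The case described in the reply above (a uid that is valid as a process credential but for which getpwuid() finds nothing) is easy to mishandle in calling code. The following is an added example, not part of the original message and not Samba code: a hypothetical helper `uid_label()` that separates "no NSS entry" from a real lookup error and falls back to the numeric uid. The uid 3000017 is a constructed sample value.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not Samba code. Returns 1 if NSS has an entry for
 * uid (out = user name), 0 if the uid has no NSS entry (out = "uid=N"),
 * -1 on a real lookup failure. */
int uid_label(uid_t uid, char *out, size_t outlen)
{
    struct passwd pw, *res = NULL;
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t buflen = hint > 0 ? (size_t)hint : 1024;
    char *buf = NULL;
    int rc;

    do {    /* grow the scratch buffer while getpwuid_r() reports ERANGE */
        char *tmp = realloc(buf, buflen);
        if (tmp == NULL) { free(buf); return -1; }
        buf = tmp;
        rc = getpwuid_r(uid, &pw, buf, buflen, &res);
        buflen *= 2;
    } while (rc == ERANGE && buflen <= ((size_t)1 << 20));

    if (rc == 0 && res != NULL) {
        snprintf(out, outlen, "%s", pw.pw_name);
        free(buf);
        return 1;
    }
    free(buf);
    /* Not found is rc == 0 with res == NULL; some backends use ENOENT/ESRCH.
     * The uid is still a usable credential, so fall back to the number. */
    snprintf(out, outlen, "uid=%lu", (unsigned long)uid);
    return (rc == 0 || rc == ENOENT || rc == ESRCH) ? 0 : -1;
}

int main(void)
{
    /* 3000017 is a constructed uid standing in for one without an NSS entry. */
    uid_t samples[] = { getuid(), (uid_t)3000017 };
    char label[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = uid_label(samples[i], label, sizeof label);
        printf("%lu -> %s (%s)\n", (unsigned long)samples[i], label,
               rc == 1 ? "NSS entry" : rc == 0 ? "no NSS entry" : "lookup error");
    }
    return 0;
}
```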
