[Samba] sid_to_uid: Domain controller lookup missing

Christopher Odenbach odenbach at hni.uni-paderborn.de
Mon Sep 16 09:21:01 GMT 2002


> > I hope you understand the problem.
> This behaviour is by design.  Winbind is an nss module and expects to
> be the final authority on these matters.  Given recent issues with
> Win2k SP3 and WinXP SP1, this might change, but this is not a trivial
> change.
> The basic idea is that if you have users in /etc/passwd or yp, you
> don't need to run winbind.

OK - this is what I said in the first place. You just told me two mails 
ago to use winbind... ;-)

> > So I suppose there is one step missing in between: If the domain
> > part of the SID is equal to the domain name (set by the workgroup
> > parameter) ask a PDC or BDC (set by the password server parameter
> > or magically found out with *).
> This is what winbind does.  smbd asks winbind, winbind asks the
> relevant DC.

I am a bit confused now. Let me try to explain what I think is going on:

Scenario: A simple user (me) tries to add another user to the ACL of a 
file which lies on a samba server with ACL support and underlying XFS. 
The added user shall be called 'axel'.

- User (me) adds user and clicks ok
- Windows box sends request to samba server asking to add the SID xyz 
to the ACL of the file abc
- Samba tries to resolve the SID locally which does not work, because 
the samba server is not the domain controller
- Samba asks winbind to resolve the SID
- winbind sends a 'lookupsid' request to a domain controller and gets 

up to this point no problem

- winbind looks for this username in its own database and - as there is 
no such user - creates a new one with the first uid of the specified 
pool (40000)

This is wrong as there already exists such a user in yp. Could the 
trouble be that winbind assumes that if it is used, there will be an 
entry "winbind" in the nsswitch.conf? Perhaps it should just do a 
'getpwnam <name without domain part>' to see if there is a user in the 
database that is specified in nsswitch.conf. If this does not give 
anything then try the name including the domain.

Please make things clearer to me. :-)


    Dipl.-Ing. Christopher Odenbach
    HNI Rechnerbetrieb
    odenbach at uni-paderborn.de
    Tel.: +49 5251 60 6215
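The lookup order proposed in the message above (bare name through nsswitch first, then the domain-qualified name, and only then a uid from the winbind pool starting at 40000), as an added C example that is not Samba's or winbind's own code. The getpwnam(3)-backed lookup is real; the yp table, the idmap table and the domain name "DOMAIN" are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>
#include <pwd.h>
#include <sys/types.h>

#define POOL_START 40000   /* first uid of the pool, as in the message */
#define MAX_MAPPED 64      /* size of the constructed idmap table */

/* A lookup callback returns 1 and fills *uid when the name is known. */
typedef int (*nss_lookup_fn)(const char *name, uid_t *uid);

/* Real lookup through the databases listed in nsswitch.conf (passwd, yp, ...). */
int nss_getpwnam(const char *name, uid_t *uid) {
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) return 0;
    *uid = pw->pw_uid;
    return 1;
}

/* Constructed stand-in for yp: only 'axel' exists, with uid 1234. */
int fake_yp_lookup(const char *name, uid_t *uid) {
    if (strcmp(name, "axel") == 0) { *uid = 1234; return 1; }
    return 0;
}

/* Constructed stand-in for winbind's own uid database. */
static char mapped_names[MAX_MAPPED][64];
static int mapped_count = 0;
int pool_size(void) { return mapped_count; }

/* Map "DOMAIN<sep>user" to a uid; allocate from the pool only as a last resort. */
uid_t map_domain_user(const char *qualified, char sep, nss_lookup_fn lookup) {
    uid_t uid;
    const char *bare = strchr(qualified, sep);
    bare = bare ? bare + 1 : qualified;
    if (lookup(bare, &uid)) return uid;        /* step 1: name without domain part */
    if (lookup(qualified, &uid)) return uid;   /* step 2: name including the domain */
    for (int i = 0; i < mapped_count; i++)     /* step 3: reuse an earlier pool uid */
        if (strcmp(mapped_names[i], qualified) == 0) return POOL_START + i;
    if (mapped_count >= MAX_MAPPED) return (uid_t)-1;   /* pool exhausted */
    strncpy(mapped_names[mapped_count], qualified, 63);
    mapped_names[mapped_count][63] = '\0';
    return POOL_START + mapped_count++;
}

int main(void) {
    printf("DOMAIN\\axel -> %u\n", (unsigned)map_domain_user("DOMAIN\\axel", '\\', fake_yp_lookup));
    printf("DOMAIN\\bert -> %u\n", (unsigned)map_domain_user("DOMAIN\\bert", '\\', fake_yp_lookup));
    return 0;
}
```

Passing nss_getpwnam instead of fake_yp_lookup makes the same function consult the real nsswitch.conf databases.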
