[Samba] sid_to_uid: Domain controller lookup missing
Christopher Odenbach
odenbach at hni.uni-paderborn.de
Mon Sep 16 09:21:01 GMT 2002
Hi,
> > I hope you understand the problem.
>
> This behaviour is by design. Winbind is an nss module and expects to
> be the final authority on these matters. Given recent issues with
> Win2k SP3 and WinXP SP1, this might change, but this is not a trivial
> change.
>
> The basic idea is that if you have users in /etc/passwd or yp, you
> don't need to run winbind.
OK - this is what I said in the first place. You just told me two mails
ago to use winbind... ;-)
> > So I suppose there is one step missing in between: If the domain
> > part of the SID is equal to the domain name (set by the workgroup
> > parameter) ask a PDC or BDC (set by the password server parameter
> > or magically found out with *).
>
> This is what winbind does. smbd asks winbind, winbind asks the
> relevant DC.
I am a bit confused now. Let me try to explain what I think is going on:
Scenario: A simple user (me) tries to add another user to the ACL of a
file which lies on a samba server with ACL support and underlying XFS.
The added user shall be called 'axel'.
- User (me) adds user and clicks ok
- Windows box sends request to samba server asking to add the SID xyz
to the ACL of the file abc
- Samba tries to resolve the SID locally which does not work, because
the samba server is not the domain controller
- Samba asks winbind to resolve the SID
- winbind sends a 'lookupsid' request to a domain controller and gets
HNIRB\axel
Up to this point, no problem.
- winbind looks for this username in its own database and - as there is
no such user - creates a new one with the first uid of the specified
pool (40000)
This is wrong as there already exists such a user in yp. Could the
trouble be that winbind assumes that if it is used, there will be an
entry "winbind" in the nsswitch.conf? Perhaps it should just do a
'getpwnam <name without domain part>' to see if there is a user in the
database that is specified in nsswitch.conf. If this does not give
anything then try the name including the domain.
Please make things clearer to me. :-)
Christopher
--
======================================================
Dipl.-Ing. Christopher Odenbach
HNI Rechnerbetrieb
odenbach at uni-paderborn.de
Tel.: +49 5251 60 6215
======================================================
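As an added illustration (not code from this thread or from Samba itself), a small Python model of the two resolution orders described in the mail: the observed one, where winbind allocates from its uid pool straight after the DC answers 'lookupsid', and the proposed one, where the nsswitch passwd database is consulted first. The DC answer, the yp passwd table and the names `IdmapPool`, `nss_getpwnam` and `sid_to_uid` are all constructed for this example.

```python
from typing import Dict, Optional, Tuple

# Constructed stand-in for what the DC answers to a 'lookupsid' request.
DC_LOOKUPSID: Dict[str, str] = {"S-1-5-21-EXAMPLE-1104": "HNIRB\\axel"}

# Constructed stand-in for the nsswitch-backed passwd database (files + yp).
YP_PASSWD: Dict[str, int] = {"axel": 1234, "odenbach": 1001}


class IdmapPool:
    """Models winbind's uid pool: hands out the first free uid from 40000 upward."""

    def __init__(self, start: int = 40000) -> None:
        self.next_uid = start
        self.mapping: Dict[str, int] = {}

    def allocate(self, qualified_name: str) -> int:
        if qualified_name not in self.mapping:
            self.mapping[qualified_name] = self.next_uid
            self.next_uid += 1
        return self.mapping[qualified_name]


def nss_getpwnam(name: str) -> Optional[int]:
    """Hypothetical getpwnam through nsswitch; here backed by the constructed yp table."""
    return YP_PASSWD.get(name)


def sid_to_uid(sid: str, pool: IdmapPool, consult_nss: bool) -> Tuple[str, int, str]:
    """Return (DOMAIN\\user, uid, source).

    consult_nss=False reproduces the behaviour observed in the mail: the DC name is
    mapped straight into the pool, so 'axel' gets 40000 although yp knows him as 1234.
    consult_nss=True is the order proposed in the mail: try the name without the domain
    part, then with it, and only allocate from the pool if neither exists.
    """
    if sid not in DC_LOOKUPSID:
        raise LookupError(f"DC could not resolve {sid}")
    qualified = DC_LOOKUPSID[sid]                 # winbind asks the DC
    _domain, _, user = qualified.partition("\\")
    if consult_nss:
        for candidate in (user, qualified):       # unqualified first, then DOMAIN\user
            uid = nss_getpwnam(candidate)
            if uid is not None:
                return qualified, uid, "nss"
    return qualified, pool.allocate(qualified), "idmap-pool"
```

The two calls differ only in the flag, yet yield two different uids for the same account, which is exactly the ACL mismatch the mail describes: a pool uid that no file on the server is owned by.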