[Samba] sid_to_uid: Domain controller lookup missing

abartlet at dp.samba.org
Mon Sep 16 09:31:00 GMT 2002


On Mon, Sep 16, 2002 at 11:20:24AM +0200, Christopher Odenbach wrote:
> 
> Hi,
> 
> > > I hope you understand the problem.
> >
> > This behaviour is by design.  Winbind is an nss module and expects to
> > be the final authority on these matters.  Given recent issues with
> > Win2k SP3 and WinXP SP1, this might change, but this is not a trivial
> > change.
> >
> > The basic idea is that if you have users in /etc/passwd or yp, you
> > don't need to run winbind.
> 
> OK - this is what I said in the first place. You just told me two mails 
> ago to use winbind... ;-)

And to ditch yp and /etc/passwd... ;-)

> > > So I suppose there is one step missing in between: If the domain
> > > part of the SID is equal to the domain name (set by the workgroup
> > > parameter) ask a PDC or BDC (set by the password server parameter
> > > or magically found out with *).
> > 
> > This is what winbind does.  smbd asks winbind, winbind asks the
> > relevant DC.
> 
> I am a bit confused now. Let me try to explain what I think is going on:
> 
> Scenario: A simple user (me) tries to add another user to the ACL of a 
> file which lies on a samba server with ACL support and underlying XFS. 
> The added user shall be called 'axel'.
> 
> - User (me) adds user and clicks ok
> - Windows box sends request to samba server asking to add the SID xyz 
> to the ACL of the file abc
> - Samba tries to resolve the SID locally which does not work, because 
> the samba server is not the domain controller
> - Samba asks winbind to resolve the SID
> - winbind sends a 'lookupsid' request to a domain controller and gets 
> HNIRB\axel
> 
> up to this point no problem
> 
> - winbind looks for this username in its own database and - as there is 
> no such user - creates a new one with the first uid of the specified 
> pool (40000)

Correct.  This behaviour is by design.

> This is wrong as there already exists such a user in yp. Could the 
> trouble be that winbind assumes that if it is used, there will be an 
> entry "winbind" in the nsswitch.conf? Perhaps it should just do a 
> 'getpwnam <name without domain part>' to see if there is a user in the 
> database that is specified in nsswitch.conf. If this does not give 
> anything then try the name including the domain.

There are recursion problems here.  If you run winbind, it is assumed that 
you use it in nss.

Andrew Bartlett
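
The situation discussed in this thread (winbind allocating uid 40000 for HNIRB\axel while 'axel' already exists in yp) can be audited on a host that has both sources of users. This is an added example, not part of the original mail and not Samba code: it scans passwd-format lines for winbind-allocated accounts whose short name already exists under a different uid. The sample lines, the yp uids and the pool's upper bound are constructed assumptions; only the pool start (40000) and the name HNIRB\axel come from the thread.

```python
# Added example: find users that exist both in /etc/passwd or yp and as
# winbind-allocated accounts, with different uids (an ACL entry set for
# one will not apply to the other).
# Assumptions: winbind names look like DOMAIN\user, and the winbind uid
# pool is 40000-49999 (the thread gives only the start; the end is made up).

WINBIND_SEPARATOR = "\\"
POOL = range(40000, 50000)

# Constructed sample, in the format printed by `getent passwd`.
SAMPLE_PASSWD = r"""
root:x:0:0:root:/root:/bin/sh
axel:x:1234:100:Axel (yp):/home/axel:/bin/sh
chris:x:1240:100:Chris (yp):/home/chris:/bin/sh
HNIRB\axel:x:40000:40000::/home/HNIRB/axel:/bin/false
HNIRB\guest:x:40001:40000::/home/HNIRB/guest:/bin/false
"""

def parse_passwd(text):
    """Return (name, uid) pairs; skip blank, comment and malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7 or not fields[2].isdigit():
            continue
        entries.append((fields[0], int(fields[2])))
    return entries

def find_split_identities(entries):
    """Return (short_name, local_uid, winbind_name, winbind_uid) for every
    winbind account whose short name already has another uid locally."""
    local, winbind = {}, []
    for name, uid in entries:
        if WINBIND_SEPARATOR in name and uid in POOL:
            winbind.append((name, uid))
        else:
            local.setdefault(name, uid)  # first match wins, as in nss
    conflicts = []
    for full_name, wb_uid in winbind:
        short = full_name.split(WINBIND_SEPARATOR, 1)[1]
        if short in local and local[short] != wb_uid:
            conflicts.append((short, local[short], full_name, wb_uid))
    return conflicts

if __name__ == "__main__":
    for short, uid, full, wb_uid in find_split_identities(parse_passwd(SAMPLE_PASSWD)):
        print(f"{short}: uid {uid} in passwd/yp, but {full} maps to uid {wb_uid}")
```
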


