[Samba] sid_to_uid: Domain controller lookup missing

Buchan Milne bgmilne at cae.co.za
Mon Sep 16 10:46:02 GMT 2002 

> Message: 21
> From: Christopher Odenbach <odenbach at hni.uni-paderborn.de>
> Organization: Heinz Nixdorf Institut
> To: abartlet at dp.samba.org
> Subject: Re: [Samba] sid_to_uid: Domain controller lookup missing
> Date: Mon, 16 Sep 2002 11:20:24 +0200
> Cc: samba at samba.org
> 
> 
> Hi,
> 
> 
>> > I hope you understand the problem.
> 
>>
>> This behaviour is by design.  Winbind is an nss module and expects to
>> be the final authority on these matters.  Given recent issues with
>> Win2k SP3 and WinXP SP1, this might change, but this is not a trivial
>> change.
>>
>> The basic idea is that if you have users in /etc/passwd or yp, you
>> don't need to run winbind.
> 
> 
> OK - this is what I said in the first place. You just told me two mails 
> ago to use winbind... ;-)
> 
>> > So I suppose there is one step missing in between: If the domain
>> > part of the SID is equal to the domain name (set by the workgroup
>> > parameter) ask a PDC or BDC (set by the password server parameter
>> > or magically found out with *).
> 
>> 
>> This is what winbind does.  smbd asks winbind, winbind asks the
>> relevent DC.
> 
> 
> I am a bit confused now. Let me try to explain what I think is going on:
> 
> Scenario: A simple user (me) tries to add another user to the ACL of a 
> file which lies on a samba server with ACL support and underlying XFS. 
> The added user shall be called 'axel'.
> 
> - User (me) adds user and klicks ok
> - Windows box sends request to samba server asking to add the SID xyz 
> to the ACL of the file abc
> - Samba tries to resolve the SID locally which does not work, because 
> the samba server ist not the domain controller
> - Samba asks winbind to resolve the SID
> - winbind send a 'lookupsid' request to a domain controller and gets 
> HNIRB\axel
> 
> up to this point no problem
> 
> - winbind looks for this username in its own database and - as there is 
> no such user - creates a new one with the first uid of the specified 
> pool (40000)
> 
> This is wrong as there already exists such a user in yp. Could the 
> trouble be that winbind assumes that if it is used, there will be an 
> entry "winbind" in the nsswitch.conf? Perhaps it should just do a 
> 'getpwnam <name without domain part>' to see if there is a user in the 
> database that is specified in nsswitch.conf. If this does not give 
> anything then try the name including the domain.
> 
> Please make things clearer to me. :-)

In samba-2.2.x there is no way for ACLs to work on a server that does 
not have the SID matching the domain, and winbind supposedly can't 
(except with older vversions of samba-2.2.x on the DC) use a samba 
server. This means:

1)Make all your samba servers that need ACLs domain controllers. This 
can be done with ldap as passdb backend (haven't tested, but it should 
work I think)
2)Only use ACLs on the DC
3)Use samba_head on the DC

If winbind is actually working, but the only problem is that the 
username it gets doesn't match the local username, then you should try 
'winbind use default domain = yes' in your smb.conf on all the machines 
running winbind, so that winbind will look up axel, instead of HNIRB\axel.

If I were you (and we're going to be doing this soon), I would choose (a).

Buchan

-- 
|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7

More information about the samba mailing list