[Samba] "Account Unknown" problem (Samba3 domain users in
WinNTpermissions)
Fermín Galán Márquez
fermin.galan at agora-2000.com
Wed Jan 7 11:42:29 GMT 2004
I have been working on the "Account Unknown" problem and I have found that
it could be related with some kind of WinNT4 to Samba3 SID conversion bug.
In particular, let be "user1" a user of the Samba3 domain with SID:
S-1-5-21-4241608303-34714143-466288756-2092
After assign permissions for user1 in a WinNT4 domain folder, I get a dump
of the ACEs for that folder (I have used a Perl script with Win32::Perms,
due to I cannot find a built-in Windows tool to do that) and I get that the
entry for "user1" have an associated SID of:
S-1-5-21--53358993-34714143-466288756-2092
So, it's logical that when the Permission dialog opens, it cannot resolve a
SID that is not associated with any user and, therefore, shows "Account
Unknown".
The problem seems to be in the way WinNT4 stores the SID in the ACE. In
particular, the conversion of the token '4241608303' -> '-53358993'.
Again, the problem only seems to affect to visualization. Permission access
defined works fine (that is, if I have defined Read only permission for
user1, user1 cannot write in the folder, regardless of he appears as
"Unknown User" in the Permission dialog).
So, a pair of questions:
1. Is a WinNT4 or Samba3 known bug?
2. How SID works? That is, how is structured, what means the hyphens, how
it's generated, etc. (I need this information to try going deeper into the
problem).
Any hint about the cause of the problem will be welcome, in particular from
other users that also are suffering it.
------
Fermín
-----Mensaje original-----
De: samba-bounces+fermin.galan=agora-2000.com at lists.samba.org
[mailto:samba-bounces+fermin.galan=agora-2000.com at lists.samba.org] En nombre
de Fermín Galán
Enviado el: miércoles, 24 de diciembre de 2003 11:23
Para: samba at lists.samba.org
Asunto: [Samba] "Account Unknown" problem (Samba3 domain users in
WinNTpermissions)
Hello,
I'm suffering a estrange problem in a WinNT-Samba3 environment. I have two
servers: WinNT4 (PDC of domain A-DOMAIN) and Samba3 (PDC of B-DOMAIN).
A-DOMAIN and B-DOMAIN trust each other (I had followed the procedures
described in HOWTO Chapter 16 successfully).
The problem arises when I assign permission in WinNT server's folders
(A-DOMAIN) for users in the Samba domain (B-DOMAIN). I can add users of the
B-DOMAIN in the Permissions dialog, but after accepting changes, the next
time that I open the Permission dialog the previously added users appears as
"B-DOMAIN/Account Unknown" instead of the their original name. The estrange
thing is that the permission access defined works fine: the problem seems to
affect only to visualization.
I have searched through the archives and found several mails with the same
or similar problem, but referring to old Samba releases (I'm using Samba
3.0.1rc1) and giving no convincing solution. For example:
http://lists.samba.org/archive/samba-ntdom/1999-September/006794.html)
http://lists.samba.org/archive/samba-ntdom/2000-November/016126.html
http://groups.google.com/groups?q=%22account+unknown%22+samba&hl=es&lr=&ie=U
TF-8&selm=Pine.GSO.4.21.0003061606200.268-100000%40timon&rnum=5
Is there any solution to this problem in Samba3 (or, at least, an indication
of what the cause could be)?
Thanks!
------
Fermín
More information about the samba
mailing list