[Samba] 3.0.20 -> 3.0.23 SID/group error?? Won't connect.

Gerald (Jerry) Carter jerry at samba.org
Sat Aug 12 18:49:13 GMT 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Franz Sirl wrote:

> v2 of the patch still works fine, but the list 
> of working syntaxes changed. These work:
> 
>         valid users = +users
>         valid users = +"Unix Group\users"
>         valid users = S-1-22-2-100
> 
> These didn't work:
> 
>         valid users = +HOSTNAME\users
>         valid users = +BUILTIN\users
>         valid users = S-1-5-21-1540046517-542637695-1028676802-1201

This is to be expected.  All unmapped users will
possess a SID in the S-1-22-1 domain and all unmapped
groups will be in the S-1-22-2 domain.

HOSTNAME\users would work for a mapped group.
BUILTIN\users would work if you have local builtin group
  called users (e.g. "net sam createbuiltin Users")

> And it's not that I expect all of these to work, it's 
> more that I tried about any combo that I saw in the
> logs :-). Though I believe that the +"Unix Group\users"
> is nice to have in case I switch to PDC, cause
> personally I like to be explicit in configuration files.

There problem is that if you create a group map entry
for HOSTNAME\users, "unix Group\users" will resolve to
a different SID and hence anyone actually in the users
group from /etc/group will have the HOSTNAME\users SID in
their token.

At this time we are *not* recommending that anyone qualify
names with HOSTNAME or "Unix XXX".  Samba will handle
the steps necessary to resolve the name, giving precedence
to mapped users and groups over unmapped ones.  You only
have to qualify domain names and groups in the BUILTIN domain.

I've got a long mail that explains we made this change
and we had a hard time with 3.0.23.  I'll try to send
it out next week.







cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE3iKpIR7qMdg1EfYRAtvGAKCCdblzwxS5qv2iL4Dplt9HTEwq6QCgsm6l
jVl0lWeAB0JQtsUreRW0xzs=
=63O3
-----END PGP SIGNATURE-----

More information about the samba mailing list