[Samba] Problem using 3.0.23 client in a domain with a Samba 3.0.20c PDC.

M. D. Parker mike.parker at ga.com
Thu Jul 13 15:24:55 GMT 2006


Just for the record, I did find a workaround that seemed to work after
looking at the debug files a little more closely.

In the smbusers file (mapping account names to local names), I put in the
line

DOMAIN\user = user

And that seemed to work too.  Not really the best solution for me
operationally....so.....I'll be working on compiling and installing the
patch and let you all know if it works.

Thanks for the quick turnaround on the patch.


==========================================

M. D. Parker
Systems Administrator
General Atomics / Electromagnetic Systems
+1 858 455 2877
mike.parker at ga.com


-----Original Message-----
From: Volker Lendecke [mailto:vlendec at sernet.de] On Behalf Of Volker
Lendecke
Sent: Thursday, July 13, 2006 4:01 AM
To: M. D. Parker
Cc: 'Gerald (Jerry) Carter'; samba at lists.samba.org;
samba-technical at samba.org
Subject: Re: [Samba] Problem using 2.0.23 client in a domain with a Samba
2.0.20c PDC.

On Wed, Jul 12, 2006 at 09:04:22AM -0700, M. D. Parker wrote:
> Ok...ok...I'll apologize to everybody.  And yes I do understand 
> that bugs unreported cannot be fixed, but on a 'beta' you cannot be 
> very sure that maybe what you built was not quite right.  I remember 
> this because I tried one of the CVS versions for the alpha 3.0.23 and 
> had the same problem that I have now.  However, it was a problem to 
> build it at that point and again I assumed that it was some issue 
> that was being addressed in the build process causing the build problem.

Build problems are also welcome on
samba-technical at samba.org!

Attached find a patch that should solve your problem.

The circumstances are: security=domain, no winbind, and valid users =
username. 

The code to evaluate the valid users line has been restructured to make use
of the lookup_name routine to create a central point where arbitrary names
are being converted to SIDs. When winbind is not around, this routine is
incomplete in the sense that it does not connect to the domain controller,
whereas winbind would. So lookup_name falls back to returning
S-1-22-1-<uid>. It is checked whether this SID is part of the user's NT
token.

Before this happens, we have however assigned the SID the domain controller
has returned in the SamLogon reply. This is a S-1-5-21-<a>-<b>-<c>-RID type
SID, not the S-1-22-1 one locally defined.

The attached patch adds the S-1-22-1-<uid> to the user's token. It is a bit
larger than strictly necessary, but the minimum diff size would have made
the code a bit clumsy.

Volker
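
The SID mismatch described in the message above, as an added example that is not part of the original e-mail, the attached patch, or the Samba source. It is a simplified model: every struct and function name is hypothetical and the domain SID is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SIDS 8
#define SID_LEN  64

/* Hypothetical stand-in for a user's NT token: a flat list of SID strings. */
struct nt_token_model { int num_sids; char sids[MAX_SIDS][SID_LEN]; };

/* Append a SID to the token; returns 0 on success, -1 if it does not fit. */
static int token_add_sid(struct nt_token_model *t, const char *sid)
{
    if (t->num_sids >= MAX_SIDS || strlen(sid) >= SID_LEN) return -1;
    strcpy(t->sids[t->num_sids++], sid);
    return 0;
}

/* S-1-22-1-<uid>: the SID the name lookup falls back to without winbind. */
static void unix_user_sid(unsigned uid, char *out, size_t len)
{
    snprintf(out, len, "S-1-22-1-%u", uid);
}

static int token_has_sid(const struct nt_token_model *t, const char *sid)
{
    for (int i = 0; i < t->num_sids; i++)
        if (strcmp(t->sids[i], sid) == 0) return 1;
    return 0;
}

/* Model of the "valid users = username" check; returns 1 if access is granted.
   with_fix = 1 mimics the described fix of adding S-1-22-1-<uid> to the token. */
static int valid_users_check(const char *domain_sid, unsigned uid, int with_fix)
{
    struct nt_token_model tok = { 0 };
    char unix_sid[SID_LEN];

    unix_user_sid(uid, unix_sid, sizeof(unix_sid));
    token_add_sid(&tok, domain_sid);             /* SID from the SamLogon reply */
    if (with_fix) token_add_sid(&tok, unix_sid); /* extra SID added by the fix */
    return token_has_sid(&tok, unix_sid);        /* lookup returned unix_sid */
}

int main(void)
{
    const char *sid = "S-1-5-21-1111-2222-3333-1005"; /* constructed sample */
    printf("token with domain SID only: %d\n", valid_users_check(sid, 1005, 0));
    printf("token with S-1-22-1 added:  %d\n", valid_users_check(sid, 1005, 1));
    return 0;
}
```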

