[Samba] Missing sids for domain administrator?
Ian Puleston
ipuleston at SonicWALL.com
Thu Oct 29 12:22:17 MDT 2009
Hi,
I'm working on bug https://bugzilla.samba.org/show_bug.cgi?id=6592 and
something that has apparently changed in my setup is preventing me from
testing the final stages of the fix. I have a machine running Samba
server and joined to the domain, and am accessing that from the W2K3
domain server logged, logged into the latter as the domain
administrator. But the problem is that in its access checks smbd is not
getting the sid for the Administrators group (S-1-5-32-544).
In an email that I sent back in July
(http://lists.samba.org/archive/samba/2009-July/149285.html) I included
my samba log file, and at that point I was getting the S-1-5-32-544 sid,
but something has changed since then and now I am not. My question is
does anyone have any idea of what may have changed that would cause
that?
Here is an extract from the log in that email:
Checking password for unmapped user [SD80]\[Administrator]@[IANSERVER]
with the new password interface
check_ntlm_password: mapped user is:
[SD80]\[Administrator]@[IANSERVER]
check_ntlm_password: winbind authentication for user [Administrator]
succeeded
check_ntlm_password: authentication for user [Administrator]
->[Administrator] -> [SD80+administrator] succeeded
se_access_check: user sid is
S-1-5-21-4023909512-3739307249-2032274589-500
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-513
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-520
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-519
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-518
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512
se_access_check: also S-1-5-32-545
se_access_check: also S-1-5-32-544
se_access_check: also S-1-22-1-601
se_access_check: also S-1-22-2-604
se_access_check: also S-1-22-2-607
se_access_check: also S-1-22-2-608
se_access_check: also S-1-22-2-609
se_access_check: also S-1-22-2-610
se_access_check: also S-1-22-2-603
se_access_check: also S-1-22-2-602
And here is what I am seeing now:
check_ntlm_password: Checking password for unmapped user
[SD80]\[Administrator]@[IANSERVER] with the new password interface
check_ntlm_password: mapped user is:
[SD80]\[Administrator]@[IANSERVER]
check_ntlm_password: winbind authentication for user [Administrator]
succeeded
check_ntlm_password: authentication for user [Administrator] ->
[Administrator] -> [SD80+administrator] succeeded
se_access_check: user sid is
S-1-5-21-4023909512-3739307249-2032274589-500
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-513
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-520
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-519
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-518
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512
The missing sids are for the Users and Administrators group, plus those
"S-2-22-2" sids, whatever they are.
Thanks
Ian
More information about the samba
mailing list