[Samba] Missing sids for domain administrator?

Ian Puleston ipuleston at SonicWALL.com
Thu Oct 29 12:22:17 MDT 2009 

Hi,

I'm working on bug https://bugzilla.samba.org/show_bug.cgi?id=6592 and
something that has apparently changed in my setup is preventing me from
testing the final stages of the fix. I have a machine running Samba
server and joined to the domain, and am accessing that from the W2K3
domain server logged, logged into the latter as the domain
administrator. But the problem is that in its access checks smbd is not
getting the sid for the Administrators group (S-1-5-32-544).

In an email that I sent back in July
(http://lists.samba.org/archive/samba/2009-July/149285.html) I included
my samba log file, and at that point I was getting the S-1-5-32-544 sid,
but something has changed since then and now I am not. My question is
does anyone have any idea of what may have changed that would cause
that?

Here is an extract from the log in that email:

  Checking password for unmapped user [SD80]\[Administrator]@[IANSERVER]
with the new password interface
  check_ntlm_password:  mapped user is:
[SD80]\[Administrator]@[IANSERVER]
  check_ntlm_password: winbind authentication for user [Administrator]
succeeded
  check_ntlm_password:  authentication for user [Administrator]
->[Administrator] -> [SD80+administrator] succeeded
  se_access_check: user sid is
S-1-5-21-4023909512-3739307249-2032274589-500
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-513
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-520
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-519
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-518
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512
  se_access_check: also S-1-5-32-545
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-22-1-601
  se_access_check: also S-1-22-2-604
  se_access_check: also S-1-22-2-607
  se_access_check: also S-1-22-2-608
  se_access_check: also S-1-22-2-609
  se_access_check: also S-1-22-2-610
  se_access_check: also S-1-22-2-603
  se_access_check: also S-1-22-2-602

And here is what I am seeing now:

  check_ntlm_password:  Checking password for unmapped user
[SD80]\[Administrator]@[IANSERVER] with the new password interface
  check_ntlm_password:  mapped user is:
[SD80]\[Administrator]@[IANSERVER]
  check_ntlm_password: winbind authentication for user [Administrator]
succeeded
  check_ntlm_password:  authentication for user [Administrator] ->
[Administrator] -> [SD80+administrator] succeeded
  se_access_check: user sid is
S-1-5-21-4023909512-3739307249-2032274589-500
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-513
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-520
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-519
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-518
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512

The missing sids are for the Users and Administrators group, plus those
"S-2-22-2" sids, whatever they are.

Thanks
Ian

More information about the samba mailing list