[Samba] Is Samba unable to resolve secondary group membership?
Michael Schwarz
schwarz at uni-paderborn.de
Fri Oct 9 10:00:50 UTC 2020
Hi all,
I read the log files again and again and stumbled over some lines:
[2020/10/07 11:25:45.191784, 5]
../../libcli/security/security_token.c:63(security_token_debug)
Security token SIDs (38):
SID[ 0]: S-1-5-21-3542048200-3079820972-537594794-55128
SID[ 1]: S-1-5-21-3542048200-3079820972-537594794-513
SID[ 2]: S-1-5-21-3542048200-3079820972-537594794-211797
SID[ 3]: S-1-5-21-3542048200-3079820972-537594794-92780
SID[ 4]: S-1-5-21-3542048200-3079820972-537594794-214631
SID[ 5]: S-1-5-21-3542048200-3079820972-537594794-5516
SID[ 6]: S-1-5-21-3542048200-3079820972-537594794-123946
SID[ 7]: S-1-5-21-3542048200-3079820972-537594794-73686
SID[ 8]: S-1-5-21-3542048200-3079820972-537594794-101266
SID[ 9]: S-1-5-21-3542048200-3079820972-537594794-84994
SID[ 10]: S-1-5-21-3542048200-3079820972-537594794-58615
SID[ 11]: S-1-5-21-3542048200-3079820972-537594794-62264
SID[ 12]: S-1-5-21-3542048200-3079820972-537594794-73690
SID[ 13]: S-1-5-21-3542048200-3079820972-537594794-211816
SID[ 14]: S-1-5-21-3542048200-3079820972-537594794-63615
SID[ 15]: S-1-5-21-3542048200-3079820972-537594794-75305
SID[ 16]: S-1-5-21-3542048200-3079820972-537594794-211815
SID[ 17]: S-1-5-21-3542048200-3079820972-537594794-211804
SID[ 18]: S-1-5-21-3542048200-3079820972-537594794-211820
SID[ 19]: S-1-5-21-3542048200-3079820972-537594794-211818
SID[ 20]: S-1-5-21-3542048200-3079820972-537594794-22920
SID[ 21]: S-1-5-21-3542048200-3079820972-537594794-92746
SID[ 22]: S-1-5-21-3542048200-3079820972-537594794-211805
SID[ 23]: S-1-5-21-3542048200-3079820972-537594794-92828
SID[ 24]: S-1-5-21-3542048200-3079820972-537594794-73088
SID[ 25]: S-1-5-21-3542048200-3079820972-537594794-211799
SID[ 26]: S-1-5-21-3542048200-3079820972-537594794-169945
SID[ 27]: S-1-5-21-3542048200-3079820972-537594794-211819
SID[ 28]: S-1-5-21-3542048200-3079820972-537594794-128864
SID[ 29]: S-1-5-21-3542048200-3079820972-537594794-101268
SID[ 30]: S-1-5-21-3542048200-3079820972-537594794-128934
SID[ 31]: S-1-1-0
SID[ 32]: S-1-5-2
SID[ 33]: S-1-5-11
SID[ 34]: S-1-5-32-545
SID[ 35]: S-1-22-1-20597
SID[ 36]: S-1-22-2-10000
SID[ 37]: S-1-22-2-10000001
Privileges (0x 0):
Rights (0x 0):
[2020/10/07 11:25:45.191945, 5]
../../source3/auth/token_util.c:866(debug_unix_user_token)
UNIX token of user 20597
Primary group is 10000 and contains 1 supplementary groups
Group[ 0]: 10000001
If I read the lines correctly, the S-1-5-21 SIDs are the ones which come
from the AD. The SIDs starting with S-1-22 are the ones which are built
from the Unix user and the Unix groups the user is in. So it seems to me that
Samba doesn't read the Unix group memberships while building this
security context. Is this behavior correct?
Unix user 20597 has a primary group ID 10000 and 27 supplementary
groups. None of these groups has an ID of 10000001. Besides this,
shouldn't these groups also appear in the security token / Unix user token?
Regards,
Michael
On 08.10.20 at 11:31, Rowland penny via samba wrote:
> On 08/10/2020 10:23, Michael Schwarz via samba wrote:
>>
>>
>> On 08.10.20 at 10:41, Rowland penny via samba wrote:
>>> On 08/10/2020 08:51, Michael Schwarz via samba wrote:
>>>
>>>> The setup at our university is not quite trivial. I can understand
>>>> that. I'll try to explain it again in a different way:
>>>
>>> Let's see if I understand this: you have one Kerberos domain for the
>>> Linux machines and another Kerberos domain for the Windows machines,
>>> and you have virtually the same users and groups in both. Why two
>>> domains, why not just use the AD for both? This would make your
>>> setup trivial. I feel this is probably all down to department politics.
>>>
>>
>> Yes, this is correct. I'm not sure why there are two domains. I'm not
>> working at the central computer center, but I'm sure they have their
>> reasons why they are doing it this way. We are only using this
>> infrastructure. The LDAP is storing much more information than only
>> simple posixAccounts. It might be that an AD is not so flexible if
>> you want to store more than the standard attributes. But I don't know
>> in detail, as I am not so familiar with Windows AD services.
>
> There are no posixAccounts in AD, there are just Accounts (but all the
> RFC2307 attributes are available, so any account can be a Unix
> account) and you will be surprised just how extendable the AD schema
> is. No, I think it is just down to politics, Windows versus Linux
> politics :-)
>
> Rowland
>
>
>
--
// Michael Schwarz - Universität Paderborn - PC2
// O2.152 - Warburger Str. 100 - 33098 Paderborn
// Telefon: +49 5251 601728 - Fax: +49 5251 601714
// E-Mail: schwarz at uni-paderborn.de
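One way to check the token above against what the OS reports for the user, as an added example that is neither from the post nor Samba's own code: it parses the quoted security_token_debug / debug_unix_user_token output, classifies each SID by where Samba derived it from (S-1-22-1 Unix user, S-1-22-2 Unix group, S-1-5-21 domain, the rest well-known), and compares the Unix gids carried in the token with a list of gids assumed to come from `id -G` on the file server. The sample log is a constructed, shortened copy of the one quoted above, and the expected gid list is made up.

```python
import re
from collections import Counter

# Constructed sample: a shortened copy of the debug-level 5 output quoted in
# the post (same line shapes as security_token_debug / debug_unix_user_token).
SAMPLE_LOG = """\
Security token SIDs (6):
  SID[  0]: S-1-5-21-3542048200-3079820972-537594794-55128
  SID[  1]: S-1-5-21-3542048200-3079820972-537594794-513
  SID[  2]: S-1-5-32-545
  SID[  3]: S-1-22-1-20597
  SID[  4]: S-1-22-2-10000
  SID[  5]: S-1-22-2-10000001
UNIX token of user 20597
Primary group is 10000 and contains 1 supplementary groups
  Group[  0]: 10000001
"""

SID_RE = re.compile(r"SID\[\s*\d+\]:\s*(S-1-[\d-]+)")
GROUP_RE = re.compile(r"Group\[\s*\d+\]:\s*(\d+)")
PRIMARY_RE = re.compile(r"Primary group is (\d+)")

def classify_sid(sid):
    """Name the source Samba derived a SID from (the S-1-22 tree is Samba's Unix mapping)."""
    if sid.startswith("S-1-22-1-"):
        return "unix-user"
    if sid.startswith("S-1-22-2-"):
        return "unix-group"
    if sid.startswith("S-1-5-21-"):
        return "domain"
    return "well-known"

def parse_token(log):
    """Return (sids, primary_gid, supplementary_gids) found in one debug block."""
    sids = SID_RE.findall(log)
    primary = int(PRIMARY_RE.search(log).group(1))
    supplementary = [int(g) for g in GROUP_RE.findall(log)]
    return sids, primary, supplementary

def summarize(log):
    """Count SIDs per source so a 'no Unix groups' token is visible at a glance."""
    return dict(Counter(classify_sid(s) for s in parse_token(log)[0]))

def check_unix_groups(log, expected_gids):
    """Compare the gids in the token with gids the OS reports (assumed: `id -G` output).
    Returns (gids missing from the token, gids in the token the OS does not know)."""
    sids, primary, supp = parse_token(log)
    token_gids = {primary, *supp}
    token_gids |= {int(s.rsplit("-", 1)[1]) for s in sids if classify_sid(s) == "unix-group"}
    return sorted(set(expected_gids) - token_gids), sorted(token_gids - set(expected_gids))
```

A non-empty first list means group memberships the OS grants are absent from the Samba token; a non-empty second list flags gids such as 10000001 that the OS never assigned to the user.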