[Samba] Security token SIDs do not contain the right SID for users in username map
tizo
tizone at gmail.com
Thu Oct 28 13:07:56 UTC 2021
We have a Samba installation up and running as a file server. Its security
parameter is ADS and all the AD users have corresponding Unix users;
particularly Unix users are FreeIPA users, so the host is configured as a
FreeIPA client too. We are using winbind with tdb backend for the mapping
between users (as we are migrating from an old version of the server, and
we already have the file with mappings). Besides, for the users that have
different usernames in AD and Unix (FreeIPA), we have a file for the
"username map" Samba parameter (the same that was in the old installation).
Everything works right for users that have the same username in AD and in
Unix. However, if the user has different usernames (i.e. he has a line in the
username map file), Windows ACLs are not honoured for him. That is, if a
directory has been given write permissions for the user by an AD
administrator, the user cannot write in it anyway.
We investigated a little further, and we found in the logs that the
security token SIDs for the user with the same username contain his SID
from the AD domain, whereas the security token SIDs for the user with
different usernames do not. In fact, we have made the same test with other
users with and without the same usernames, and the results were the same.
More details:
AD domain: XXX
User with the same username:
Username: mduffour
Unix UID: 2228
AD SID: S-X-X-X-X-X-X-2314
Security token SIDs (16):
SID[ 0]: S-X-X-X-X-X-X-2314
SID[ 1]: S-X-X-X-X-X-X-513
SID[ 2]: S-X-X-X-X-X-X-2271
SID[ 3]: S-X-X-X-X-X-X-1157
SID[ 4]: S-1-18-1
SID[ 5]: S-X-X-X-X-X-X-1559
SID[ 6]: S-1-1-0
SID[ 7]: S-1-5-2
SID[ 8]: S-1-5-11
SID[ 9]: S-1-5-32-545
SID[ 10]: S-1-22-1-2228
SID[ 11]: S-1-22-2-2005
SID[ 12]: S-1-22-2-700000003
SID[ 13]: S-1-22-2-700000004
SID[ 14]: S-1-22-2-700000005
SID[ 15]: S-1-22-2-700000001
Privileges (0x 0):
Rights (0x 0):
User with different username:
AD username: andres
Unix username: jghigliazza
Unix UID: 2000
AD SID: S-X-X-X-X-X-X-1176
Line in username map file:
jghigliazza = XXX\andres
Security token SIDs (9):
SID[ 0]: S-1-22-1-2000
SID[ 1]: S-X-X-X-X-X-X-1157
SID[ 2]: S-1-22-2-2005
SID[ 3]: S-1-1-0
SID[ 4]: S-1-5-2
SID[ 5]: S-1-5-11
SID[ 6]: S-1-22-2-700000003
SID[ 7]: S-1-22-2-700000004
SID[ 8]: S-1-22-2-700000005
Privileges (0x 0):
Rights (0x 0):
OS: Rocky Linux release 8.4 (Green Obsidian)
Samba version: 4.13.3 (packaged in Rocky Linux)
smb.conf
[global]
dedicated keytab file = /etc/samba/krb5.keytab
disable spoolss = Yes
kerberos method = secrets and keytab
load printers = No
log file = /var/log/samba/log.%m
max log size = 50
printcap name = /dev/null
realm = XXX.YYY.ZZ
security = ADS
server string = Samba Server Version %v
username map = /etc/samba/mapeousuarios
winbind refresh tickets = Yes
workgroup = XXX
idmap config fnr : backend = tdb
idmap config fnr : range = 1200-669000000
idmap config * : range = 700000000-710000000
idmap config * : backend = tdb
map acl inherit = Yes
printing = bsd
vfs objects = acl_xattr
[Demo]
path = /srv/samba/Demo/
read only = No
acl_xattr:ignore system acl = yes
Thanks very much. Any help is appreciated.
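A small check over the two token dumps above, added here as an illustration and not part of the original message or of Samba itself: it parses Samba's "Security token SIDs" log block and reports whether a token was built from the AD identity (domain user SID listed first) or from the Unix identity (S-1-22-1-<uid> listed first), which is the difference the post describes. The sample dumps are abridged from the post, the domain SID placeholder is kept as X, and all function names are my own.

```python
import re

# Constructed sample input: both token dumps from the post, abridged, with
# the domain part left as the "X" placeholder the poster used.
DOMAIN_SID = "S-X-X-X-X-X-X"  # AD domain SID (placeholder, as in the post)
TOKEN_SAME_NAME = """Security token SIDs (16):
SID[ 0]: S-X-X-X-X-X-X-2314
SID[ 1]: S-X-X-X-X-X-X-513
SID[ 4]: S-1-18-1
SID[ 6]: S-1-1-0
SID[ 9]: S-1-5-32-545
SID[ 10]: S-1-22-1-2228
SID[ 11]: S-1-22-2-2005
"""
TOKEN_MAPPED = """Security token SIDs (9):
SID[ 0]: S-1-22-1-2000
SID[ 1]: S-X-X-X-X-X-X-1157
SID[ 2]: S-1-22-2-2005
SID[ 3]: S-1-1-0
SID[ 6]: S-1-22-2-700000003
"""
SID_RE = re.compile(r"SID\[\s*\d+\]:\s*(S-[0-9X-]+)")


def parse_token_sids(dump):
    """Return the SIDs listed in a Samba 'Security token SIDs' block, in order."""
    return SID_RE.findall(dump)


def classify(sid, domain_sid):
    """Bucket a SID by issuing authority: AD domain, Unix user/group (S-1-22), or other."""
    if sid.startswith(domain_sid + "-"):
        return "domain"
    if sid.startswith("S-1-22-1-"):
        return "unix-user"
    if sid.startswith("S-1-22-2-"):
        return "unix-group"
    return "well-known"


def audit_token(dump, domain_sid, expected_user_sid):
    """Check whether a token carries the AD identity a domain ACL can match."""
    sids = parse_token_sids(dump)
    counts = {}
    for sid in sids:
        bucket = classify(sid, domain_sid)
        counts[bucket] = counts.get(bucket, 0) + 1
    primary = sids[0] if sids else None
    return {
        "primary": primary,
        "counts": counts,
        "has_user_sid": expected_user_sid in sids,
        # A token whose first SID is a Unix user SID was built from the Unix
        # account rather than the AD account, so ACEs for the AD user or its
        # domain groups cannot match it.
        "built_from_unix_identity": bool(primary) and classify(primary, domain_sid) == "unix-user",
    }
```

Running audit_token on the working user's dump reports the domain user SID as primary, while the mapped user's dump reports S-1-22-1-2000 as primary and the expected AD SID absent.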