[Samba] Security token SIDs do not contain the right SID for users in username map

tizo tizone at gmail.com
Thu Oct 28 13:07:56 UTC 2021


We have a Samba installation up and running as a file server. Its security
parameter is ADS and all the AD users have corresponding Unix users;
in particular, the Unix users are FreeIPA users, so the host is configured as a
FreeIPA client too. We are using winbind with the tdb backend for the mapping
between users (as we are migrating from an old version of the server, and
we already have the file with mappings). Besides, for the users that have
different usernames in AD and Unix (FreeIPA), we have a file for the
"username map" Samba parameter (the same that was in the old installation).

Everything works right for users that have the same username in AD and in
Unix. However, if the user has different usernames (i.e. he has a line in
the username map file), Windows ACLs are not honoured for him. That is, if a
directory has been given write permissions for the user by an AD
administrator, the user cannot write in it anyway.

We investigated a little further, and we found in the logs that the
security token SIDs for the user with the same username contain his SID
from the AD domain, whereas the security token SIDs for the user with
different usernames do not. In fact, we have run the same test with other
users with and without the same usernames, and the results were the same.

More details:

AD domain: XXX

User with the same username:
Username: mduffour
Unix UID: 2228
AD SID: S-X-X-X-X-X-X-2314

  Security token SIDs (16):
    SID[  0]: S-X-X-X-X-X-X-2314
    SID[  1]: S-X-X-X-X-X-X-513
    SID[  2]: S-X-X-X-X-X-X-2271
    SID[  3]: S-X-X-X-X-X-X-1157
    SID[  4]: S-1-18-1
    SID[  5]: S-X-X-X-X-X-X-1559
    SID[  6]: S-1-1-0
    SID[  7]: S-1-5-2
    SID[  8]: S-1-5-11
    SID[  9]: S-1-5-32-545
    SID[ 10]: S-1-22-1-2228
    SID[ 11]: S-1-22-2-2005
    SID[ 12]: S-1-22-2-700000003
    SID[ 13]: S-1-22-2-700000004
    SID[ 14]: S-1-22-2-700000005
    SID[ 15]: S-1-22-2-700000001
   Privileges (0x               0):
   Rights (0x               0):

User with different username:
AD username: andres
Unix username: jghigliazza
Unix UID: 2000
AD SID: S-X-X-X-X-X-X-1176
Line in username map file:
jghigliazza = XXX\andres

  Security token SIDs (9):
    SID[  0]: S-1-22-1-2000
    SID[  1]: S-X-X-X-X-X-X-1157
    SID[  2]: S-1-22-2-2005
    SID[  3]: S-1-1-0
    SID[  4]: S-1-5-2
    SID[  5]: S-1-5-11
    SID[  6]: S-1-22-2-700000003
    SID[  7]: S-1-22-2-700000004
    SID[  8]: S-1-22-2-700000005
   Privileges (0x               0):
   Rights (0x               0):

OS: Rocky Linux release 8.4 (Green Obsidian)
Samba version: 4.13.3 (packaged in Rocky Linux)

smb.conf

[global]
dedicated keytab file = /etc/samba/krb5.keytab
disable spoolss = Yes
kerberos method = secrets and keytab
load printers = No
log file = /var/log/samba/log.%m
max log size = 50
printcap name = /dev/null
realm = XXX.YYY.ZZ
security = ADS
server string = Samba Server Version %v
username map = /etc/samba/mapeousuarios
winbind refresh tickets = Yes
workgroup = XXX
idmap config fnr : backend = tdb
idmap config fnr : range = 1200-669000000
idmap config * : range = 700000000-710000000
idmap config * : backend = tdb
map acl inherit = Yes
printing = bsd
vfs objects = acl_xattr


[Demo]
path = /srv/samba/Demo/
read only = No
acl_xattr:ignore system acl = yes

Thanks very much. Any help is appreciated.
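As an added example (not part of the original post or of Samba itself), the following Python check parses the "Security token SIDs" dump Samba writes to its log, as shown above, and reports whether the token carries the user's own domain SID or only the Unix-mapped S-1-22-1-<uid> SID. The domain SID S-1-5-21-111-222-333, the RIDs and the sample dumps are constructed placeholders standing in for the redacted values in the post.

```python
import re

# Constructed sample dumps (placeholder domain SID, not the poster's real values).
DOMAIN_SID = "S-1-5-21-111-222-333"
TOKEN_DUMP_MAPPED_USER = """\
  Security token SIDs (4):
    SID[  0]: S-1-22-1-2000
    SID[  1]: S-1-5-21-111-222-333-1157
    SID[  2]: S-1-1-0
    SID[  3]: S-1-22-2-2005
"""
TOKEN_DUMP_OK = """\
  Security token SIDs (3):
    SID[  0]: S-1-5-21-111-222-333-2314
    SID[  1]: S-1-5-21-111-222-333-513
    SID[  2]: S-1-22-1-2228
"""

# Matches the per-SID lines of the dump, e.g. "SID[  3]: S-1-22-2-2005".
SID_LINE = re.compile(r"SID\[\s*(\d+)\]:\s*(S-[0-9-]+)")


def parse_token_sids(dump):
    """Return the SIDs of a 'Security token SIDs' dump, in index order."""
    return [m.group(2) for m in (SID_LINE.search(line) for line in dump.splitlines()) if m]


def classify_sid(sid, domain_sid):
    """Distinguish domain SIDs from Samba's Unix-mapped and well-known SIDs."""
    if sid.startswith(domain_sid + "-"):
        return "domain"
    if sid.startswith("S-1-22-1-"):      # S-1-22-1-<uid>: Unix user
        return "unix-user"
    if sid.startswith("S-1-22-2-"):      # S-1-22-2-<gid>: Unix group
        return "unix-group"
    return "well-known"                  # S-1-1-0, S-1-5-11, S-1-5-32-545, ...


def check_token(dump, domain_sid, expected_user_sid):
    """Summarise whether ACEs granted to the AD account can match this token.

    Windows ACLs are evaluated against the token's SIDs, so if the user's own
    domain SID is absent and SID[0] is a Unix-mapped SID, an ACE granted to the
    AD user never applies, which is the symptom described in the post."""
    sids = parse_token_sids(dump)
    return {
        "primary": sids[0] if sids else None,
        "primary_kind": classify_sid(sids[0], domain_sid) if sids else None,
        "has_user_sid": expected_user_sid in sids,
        "domain_sids": [s for s in sids if classify_sid(s, domain_sid) == "domain"],
    }
```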
