[Samba] Security token SIDs do not contain the right SID for users in username map
Rowland Penny
rpenny at samba.org
Thu Oct 28 13:26:59 UTC 2021
On Thu, 2021-10-28 at 10:07 -0300, tizo via samba wrote:
> We have a Samba installation up and running as a file server. Its security parameter is ADS and all the AD users have corresponding Unix users; particularly, Unix users are FreeIPA users, so the host is configured as a FreeIPA client too. We are using winbind with tdb backend for the mapping between users (as we are migrating from an old version of the server, and we already have the file with mappings). Besides, for the users that have different usernames in AD and Unix (FreeIPA), we have a file for the "username map" Samba parameter (the same that was in the old installation).
>
> Everything works right for users that have the same username in AD and in Unix. However, if the user has different usernames (i.e. he has a line in the username map file), Windows ACLs are not honoured for him. That is, if a directory has been given write permissions for the user by an AD administrator, the user cannot write in it anyway.
>
> We investigated a little further, and we found in the logs that the security token SIDs for the user with the same username contain his SID from the AD domain, whereas the security token SIDs for the user with different usernames do not. In fact, we have made the same test with other users with and without the same usernames, and the results were the same.
>
> More details:
>
> AD domain: XXX
>
> User with the same username:
> Username: mduffour
> Unix UID: 2228
> AD SID: S-X-X-X-X-X-X-2314
>
> Security token SIDs (16):
> SID[ 0]: S-X-X-X-X-X-X-2314
> SID[ 1]: S-X-X-X-X-X-X-513
> SID[ 2]: S-X-X-X-X-X-X-2271
> SID[ 3]: S-X-X-X-X-X-X-1157
> SID[ 4]: S-1-18-1
> SID[ 5]: S-X-X-X-X-X-X-1559
> SID[ 6]: S-1-1-0
> SID[ 7]: S-1-5-2
> SID[ 8]: S-1-5-11
> SID[ 9]: S-1-5-32-545
> SID[ 10]: S-1-22-1-2228
> SID[ 11]: S-1-22-2-2005
> SID[ 12]: S-1-22-2-700000003
> SID[ 13]: S-1-22-2-700000004
> SID[ 14]: S-1-22-2-700000005
> SID[ 15]: S-1-22-2-700000001
> Privileges (0x 0):
> Rights (0x 0):
>
> User with different username:
> AD username: andres
> Unix username: jghigliazza
> Unix UID: 2000
> AD SID: S-X-X-X-X-X-X-1176
> Line in username map file:
> jghigliazza = XXX\andres
>
> Security token SIDs (9):
> SID[ 0]: S-1-22-1-2000
> SID[ 1]: S-X-X-X-X-X-X-1157
> SID[ 2]: S-1-22-2-2005
> SID[ 3]: S-1-1-0
> SID[ 4]: S-1-5-2
> SID[ 5]: S-1-5-11
> SID[ 6]: S-1-22-2-700000003
> SID[ 7]: S-1-22-2-700000004
> SID[ 8]: S-1-22-2-700000005
> Privileges (0x 0):
> Rights (0x 0):
>
> OS: Rocky Linux release 8.4 (Green Obsidian)
> Samba version: 4.13.3 (packaged in Rocky Linux)
>
> smb.conf
>
> [global]
> dedicated keytab file = /etc/samba/krb5.keytab
> disable spoolss = Yes
> kerberos method = secrets and keytab
> load printers = No
> log file = /var/log/samba/log.%m
> max log size = 50
> printcap name = /dev/null
> realm = XXX.YYY.ZZ
> security = ADS
> server string = Samba Server Version %v
> username map = /etc/samba/mapeousuarios
> winbind refresh tickets = Yes
> workgroup = XXX
> idmap config fnr : backend = tdb
No, that is, in my opinion, totally wrong, you cannot use 'tdb' for the 'DOMAIN' backend, you need to use the 'rid', 'autorid' or 'ad' backend. You also do not map the users in the user.map, you just make the AD users into Unix users by using the correct winbind backend.
Rowland
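An added example of what the quoted [global] section looks like once the AD domain is mapped through a winbind domain backend as Rowland describes; this is not configuration from the thread, the 'rid' backend and the range values are assumptions, and XXX is the workgroup name from the original post:

```ini
# Added example, not from the thread: the poster's smb.conf with the domain
# moved off the 'tdb' backend and the 'username map' line dropped.
[global]
   workgroup = XXX
   realm = XXX.YYY.ZZ
   security = ADS
   server string = Samba Server Version %v
   dedicated keytab file = /etc/samba/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = Yes
   log file = /var/log/samba/log.%m
   max log size = 50
   load printers = No
   printcap name = /dev/null
   disable spoolss = Yes

   # The '*' (default) domain only needs to cover BUILTIN and well-known
   # SIDs, so an allocating 'tdb' backend is fine here. Range is an assumption.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # The AD domain itself gets a deterministic backend: every AD user and
   # group SID maps to a fixed id, so the user's security token is built from
   # the AD SID and its group SIDs rather than from a Unix-only S-1-22-1-<uid>
   # entry. Range is an assumption; it must not overlap the '*' range.
   idmap config XXX : backend = rid
   idmap config XXX : range = 10000-999999

   # No 'username map' entry: AD users become Unix users via winbind, so
   # there is no second identity for the ACL check to miss.
```

With 'rid' the Unix id is derived from the SID's RID, so it will not reproduce the ids stored in the old tdb (for example 2228 or 2000 above); the 'ad' backend instead reads uidNumber/gidNumber attributes from AD, which is the option to look at when existing ids must be preserved.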