[Samba] 4.15.5: Lot's of errors from smbd_audit about "check_account: Failed to convert SID..."

Rowland Penny rpenny at samba.org
Sat Feb 19 18:26:59 UTC 2022 

On Sat, 2022-02-19 at 19:59 +0300, Michael Tokarev wrote:
> 18.02.2022 16:07, Rowland Penny via samba wrote:
> []
> > I thought I had explained why you cannot have a local user and a
> > domain
> > user with the same name, but here goes, lets try again.
> 
> Nope you did not.
> 
> > If you do have a user in /etc/passwd and AD with the same name,
> > then
> > depending on how /etc/nsswitch is configured, locally one will be
> > used
> > and one will be ignored. Samba will always attempt to use the one
> > from
> > AD, but if the AD user is unknown to the OS, you will get 'denied'
> > errors. Even if the same username is used locally and in AD, they
> > willbe different users.
> 
> Samba *deliberately* (or due to a bug) makes the "two" users
> (one listed in /etc/passwd and one listed in AD) to be different,
> and only when doing uid->SID mapping. And the question why it
> does that is not answered.

It is NOT a bug!
Unix identifies users by ID numbers 0-65535
Windows identifies users by a SID 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-
zzzzzzzzzz-rrrr'

Where 'xxxxxxxxxx', 'yyyyyyyyyy' and 'zzzzzzzzzz' are groups of random
numbers which along with the starting 'S-1-5-21' identify the domain
and the 'rrrr' is the RID (which normal starts at 1000) and this
identifies the user, group or computer etc.

Samba AD uses the SID and as you can see, this is nothing like a Unix
ID.
You can have a user called rowland in /etc/passwd with the ID '1000'
and a user in AD called rowland with the SID 'S-1-5-21-1234567890-
0987654321-1234567890-1000'. These two users, even though they have the
same username, are most definitely not the same user. Windows will not
know who the Unix user 'rowland' is and Unix will not know who the
Windows user 'rowland' is, this is where winbind comes in. The
'autorid' and 'rid' idmap backends will calculate the Windows users
Unix ID from the RID and the DOMAIN low range you set in smb.conf . The
'ad' idmap backend will use the uidNumber you set in the Windows users
object in AD, provided it is inside the DOMAIN range you set in
smb.conf .

Provided smb.conf and possibly AD, are set up correctly, you could end
up with a Unix user 'rowland' with the ID '1000' and a Windows Unix
user 'rowland' with the ID '11000' (using the rid idmap backend.

Which user is used locally will depend on how you set up
/etc/nsswitch.conf, if the passwd line is similar to this:
passwd:         compat winbind

/etc/passwd will be checked before winbind and the local Unix user will
be used and the AD user will be ignored.
If the line looks like this:
passwd:         winbind compat

The AD user will be used and the local Unix user will be ignored.

Winbind will do something similar but normally tends to use the user
from AD, but this user will be unknown to the OS if 'compat' (which
could be 'files') comes before winbind. 

If you use winbind, the AD user becomes a Unix user, so you do not need
the local Unix user, there is no point.

Now can you see why you cannot have a local Unix user with the same
name as a Windows user.

Rowland

More information about the samba mailing list