[Samba] 4.15.5: Lot's of errors from smbd_audit about "check_account: Failed to convert SID..."

Michael Tokarev mjt at tls.msk.ru
Sat Feb 19 18:45:35 UTC 2022


19.02.2022 21:26, Rowland Penny via samba wrote:
..
>> Samba *deliberately* (or due to a bug) makes the "two" users
>> (one listed in /etc/passwd and one listed in AD) to be different,
>> and only when doing uid->SID mapping. And the question why it
>> does that is not answered.
> 
> It is NOT a bug!
> Unix identifies users by ID numbers 0-65535
> Windows identifies users by a SID 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-
> zzzzzzzzzz-rrrr'
> 
> Where 'xxxxxxxxxx', 'yyyyyyyyyy' and 'zzzzzzzzzz' are groups of random
> numbers which along with the starting 'S-1-5-21' identify the domain
> and the 'rrrr' is the RID (which normally starts at 1000) and this
> identifies the user, group or computer etc.
> 
> Samba AD uses the SID and as you can see, this is nothing like a Unix ID.
> You can have a user called rowland in /etc/passwd with the ID '1000'
> and a user in AD called rowland with the SID 'S-1-5-21-1234567890-
> 0987654321-1234567890-1000'. These two users, even though they have the
> same username, are most definitely not the same user. Windows will not
> know who the Unix user 'rowland' is and Unix will not know who the
> Windows user 'rowland' is, this is where winbind comes in. The
> 'autorid' and 'rid' idmap backends will calculate the Windows user's
> Unix ID from the RID and the DOMAIN low range you set in smb.conf. The
> 'ad' idmap backend will use the uidNumber you set in the Windows user's
> object in AD, provided it is inside the DOMAIN range you set in
> smb.conf.
> 
> Provided smb.conf, and possibly AD, are set up correctly, you could end
> up with a Unix user 'rowland' with the ID '1000' and a Windows Unix
> user 'rowland' with the ID '11000' (using the rid idmap backend).

I *especially* set things up so that both local and AD user named 'rowland'
end up with the ID 1000. For unix it is the same user. But samba makes them
different.  Or, actually, *sometimes* different, depending on the order of
calls (name 2 sid or uid 2 sid) and cache expiration times.  This is why
I continue to say it is a bug.

/mjt
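The idmap arithmetic that Rowland describes, and the collision Michael is arguing about, can be checked mechanically. The script below is an added example, not code from the thread or from Samba: it splits a domain SID into its domain part and RID, applies the documented idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) and the idmap_ad rule (use uidNumber only if it falls inside the domain's range), and then scans an /etc/passwd-style file for local accounts whose uid sits inside a winbind idmap range, which is exactly the situation where a local user and an AD user can end up sharing one Unix ID. The smb.conf fragment, the passwd lines and the domain name EXAMPLE are constructed sample data.

```python
import re

# A domain SID looks like S-1-5-21-<x>-<y>-<z>-<rid>; the last component is the RID.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

# Constructed sample smb.conf fragment (not from the thread).
SAMPLE_SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
"""

# Constructed sample /etc/passwd lines (not from the thread).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
rowland:x:1000:1000::/home/rowland:/bin/bash
svcbackup:x:11000:11000::/var/backups:/usr/sbin/nologin
"""


def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID, or raise ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    domain = "S-1-5-21-%s-%s-%s" % (m.group(1), m.group(2), m.group(3))
    return domain, int(m.group(4))


def rid_to_unix_id(rid, low, high, base_rid=0):
    """idmap_rid arithmetic: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result lies outside the configured range,
    i.e. when winbind would refuse to map the SID."""
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


def ad_backend_unix_id(uid_number, low, high):
    """idmap_ad rule: use the uidNumber from the AD object only if it is
    inside the domain's configured range; otherwise the mapping fails."""
    if uid_number is None or uid_number < low or uid_number > high:
        return None
    return uid_number


def parse_idmap_ranges(smb_conf_text):
    """Collect 'idmap config DOM : range = low-high' lines into {DOM: (low, high)}."""
    pattern = re.compile(
        r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)
    ranges = {}
    for line in smb_conf_text.splitlines():
        m = pattern.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_passwd(passwd_text):
    """Return [(name, uid)] from /etc/passwd-style text, skipping blanks and comments."""
    users = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3:
            users.append((fields[0], int(fields[2])))
    return users


def local_ids_inside_idmap_ranges(passwd_text, smb_conf_text):
    """Local accounts whose uid lies inside a winbind idmap range.
    Each hit is a uid that a domain SID could also be mapped to."""
    hits = []
    for dom, (low, high) in parse_idmap_ranges(smb_conf_text).items():
        for name, uid in parse_passwd(passwd_text):
            if low <= uid <= high:
                hits.append((name, uid, dom))
    return hits


if __name__ == "__main__":
    domain, rid = split_sid("S-1-5-21-1234567890-0987654321-1234567890-1000")
    low, high = parse_idmap_ranges(SAMPLE_SMB_CONF)["EXAMPLE"]
    print("domain", domain, "rid", rid, "-> uid", rid_to_unix_id(rid, low, high))
    for name, uid, dom in local_ids_inside_idmap_ranges(SAMPLE_PASSWD, SAMPLE_SMB_CONF):
        print("local user %s (uid %d) sits inside the %s idmap range" % (name, uid, dom))
```

With the sample configuration the AD user with RID 1000 maps to uid 11000 under the rid backend, so it can never coincide with the local uid 1000; the local account svcbackup at uid 11000, on the other hand, is flagged because a domain SID resolves to the same number. Giving a domain user uid 1000 through the ad backend only works if the domain range includes 1000, which is the overlap with local accounts that the check reports.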


