[Samba] 4.15.5: Lots of errors from smbd_audit about "check_account: Failed to convert SID..."

Rowland Penny rpenny at samba.org
Sat Feb 19 19:06:47 UTC 2022


On Sat, 2022-02-19 at 21:45 +0300, Michael Tokarev wrote:
> 19.02.2022 21:26, Rowland Penny via samba wrote:
> ..
> > > Samba *deliberately* (or due to a bug) makes the "two" users
> > > (one listed in /etc/passwd and one listed in AD) different,
> > > and only when doing uid->SID mapping. And the question why it
> > > does that is not answered.
> > 
> > It is NOT a bug!
> > Unix identifies users by ID numbers 0-65535
> > Windows identifies users by a SID 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-rrrr'
> > 
> > Where 'xxxxxxxxxx', 'yyyyyyyyyy' and 'zzzzzzzzzz' are groups of random
> > numbers which, along with the starting 'S-1-5-21', identify the domain,
> > and the 'rrrr' is the RID (which normally starts at 1000) and this
> > identifies the user, group or computer etc.
> > 
> > Samba AD uses the SID and, as you can see, this is nothing like a
> > Unix ID.
> > You can have a user called rowland in /etc/passwd with the ID '1000'
> > and a user in AD called rowland with the SID
> > 'S-1-5-21-1234567890-0987654321-1234567890-1000'. These two users, even
> > though they have the same username, are most definitely not the same
> > user. Windows will not know who the Unix user 'rowland' is and Unix
> > will not know who the Windows user 'rowland' is, this is where winbind
> > comes in. The 'autorid' and 'rid' idmap backends will calculate the
> > Windows user's Unix ID from the RID and the DOMAIN low range you set in
> > smb.conf . The 'ad' idmap backend will use the uidNumber you set in the
> > Windows user's object in AD, provided it is inside the DOMAIN range you
> > set in smb.conf .
> > 
> > Provided smb.conf and possibly AD are set up correctly, you could end
> > up with a Unix user 'rowland' with the ID '1000' and a Windows Unix
> > user 'rowland' with the ID '11000' (using the rid idmap backend).
> 
> I *especially* set things up so that both local and AD user named
> 'rowland' end up with the ID 1000. For unix it is the same user. But
> samba makes them different.  Or, actually, *sometimes* different,
> depending on the order of calls (name 2 sid or uid 2 sid) and cache
> expiration times.

There is absolutely no point in doing this, yes it might appear to
work, but I wouldn't like to rely on it. Just use the user in AD and
you will not get problems. 

At one time, you needed to have users in the domain and in /etc/passwd,
this was in the NT4-style domain days, but with AD, you do not need
users anywhere but in AD. The whole idea behind AD is that it is just
one point of maintenance (albeit this one place can be multiple
DCs, but one database), your way is using multiple points of
maintenance and multiple databases. With AD you just change the user's
password in one place, with your way, you will have to change the user's
password in AD and on every computer the user connects to, this is just
an example.

>   This is why
> I continue to say it is a bug.

You do not seem to be understanding me, so I will say it louder:

THIS IS NOT A BUG!
IT IS THE WAY AD WORKS!

Rowland
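
The arithmetic Rowland describes for the 'rid' idmap backend, as an added example that is not part of this thread or of the Samba code base. It implements the mapping documented in idmap_rid(8), unix_id = RID - BASE_RID + LOW_RANGE_ID, refuses results outside the configured range the way winbind does, and then runs the check a practitioner would want before relying on a local /etc/passwd account sharing an ID with a domain user: does any local uid fall inside a domain idmap range? The domain name SAMDOM, the idmap ranges, the /etc/passwd lines and the SID (taken from the mail above) are all constructed values for illustration.

```python
"""
Added example, not from the samba list thread or the Samba project.
Reproduces the 'rid' idmap backend arithmetic from idmap_rid(8):
    unix_id = RID - BASE_RID + LOW_RANGE_ID
and checks for local accounts whose uid collides with a domain idmap range.
All names, ranges and passwd entries below are constructed.
"""
import re

# Constructed smb.conf fragment this example assumes:
#   [global]
#   security = ADS
#   workgroup = SAMDOM
#   idmap config * : backend = tdb
#   idmap config * : range = 3000-7999
#   idmap config SAMDOM : backend = rid
#   idmap config SAMDOM : range = 10000-999999
IDMAP_CONFIG = {
    "SAMDOM": {"backend": "rid", "range": (10000, 999999), "base_rid": 0},
}

# Domain SID: S-1-5-21-<a>-<b>-<c>-<rid>; the first three numbers identify
# the domain, the last one (the RID) identifies the user, group or computer.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID; reject anything else."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    a, b, c, rid = m.groups()
    return f"S-1-5-21-{a}-{b}-{c}", int(rid)


def rid_to_unix_id(domain, rid, config=IDMAP_CONFIG):
    """idmap_rid mapping. Returns None when the result lands outside the
    configured range, which is when winbind declines to map the SID."""
    cfg = config[domain]
    low, high = cfg["range"]
    unix_id = rid - cfg["base_rid"] + low
    if not low <= unix_id <= high:
        return None
    return unix_id


def sid_to_unix_id(sid, domain, config=IDMAP_CONFIG):
    """SID -> Unix ID for a domain using the rid backend."""
    _, rid = split_sid(sid)
    return rid_to_unix_id(domain, rid, config)


# Constructed /etc/passwd content: a local 'rowland' with uid 1000, the
# situation discussed in the thread.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
rowland:x:1000:1000:Rowland:/home/rowland:/bin/bash
"""


def local_uids(passwd_text):
    """Map login name -> uid from passwd(5)-formatted text."""
    uids = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        uids[fields[0]] = int(fields[2])
    return uids


def overlapping_local_users(passwd_text, config=IDMAP_CONFIG):
    """Local accounts whose uid sits inside a domain idmap range. Such an
    account can be handed the same Unix ID winbind derives from a SID, so
    the two 'users' collide depending on which lookup happens first."""
    hits = []
    for name, uid in local_uids(passwd_text).items():
        for domain, cfg in config.items():
            low, high = cfg["range"]
            if low <= uid <= high:
                hits.append((name, uid, domain))
    return hits


if __name__ == "__main__":
    sid = "S-1-5-21-1234567890-0987654321-1234567890-1000"
    print(sid, "->", sid_to_unix_id(sid, "SAMDOM"))          # 11000
    print("collisions:", overlapping_local_users(LOCAL_PASSWD))  # []
    # Same passwd file, but a range that starts at 1000 swallows the local uid.
    bad = {"SAMDOM": {"backend": "rid", "range": (1000, 999999), "base_rid": 0}}
    print("collisions with range 1000-999999:",
          overlapping_local_users(LOCAL_PASSWD, bad))
```

With the constructed 10000-999999 range the AD 'rowland' (RID 1000) maps to 11000, exactly the figure in the mail, and the local uid 1000 is outside every domain range, so the two accounts never share an ID. Shrinking the range to start at 1000 is what makes them collide. On a live member server the same two lookups are `wbinfo --sid-to-uid` and `wbinfo --uid-to-sid`; an ID that comes back from one but not the other is the symptom the thread's smbd_audit "Failed to convert SID" messages describe.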
