[Samba] If a NetBIOS name used within a week is reused, an incorrect owner is returned.

CHIBA HIROSHI(千葉 洋) h_chiba_mxr at nec.com
Wed Mar 12 08:19:29 UTC 2025


Hi,

 

I suspect this behavior comes from a bug. If the behavior is as designed,
I'd like to know the background of the design. 

- Bug information

Version: 4.20.2

When a shared guest account is enabled and a NetBIOS name that was used
within the past week is reassigned, the owner of the guest account becomes
Account Unknown (S-1-5-21-*-501), and WRITE returns ACCESS_DENIED. (For
example, this issue occurs when the NetBIOS name is changed from "AAAA" to
"BBBB" and then back to "AAAA" again.) 

This behavior seems to be caused by the idmap cache.  

 

Changing the NetBIOS name leads to a modification of the local SID.

This results in the following cache updates:

* The cache entries corresponding to the updated local SID are added,
specifically: "IDMAP/SID2XID/S-1-5-21-1007219585-1734150146-233539565-501"
"IDMAP/UID2SID/65534"

* The previous cache entry
"IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501" remains in
gencache.tdb.

--

* Before 

# net getlocalsid

SID for domain AAAA is: S-1-5-21-4103205838-3119001155-2670119449

# net cache list |grep IDMAP

Key: IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501
Timeout: Fri Feb  7 06:18:40 2025       Value: 65534:U

Key: IDMAP/UID2SID/65534         Timeout: Fri Feb  7 06:42:24 2025
Value: S-1-5-21-4103205838-3119001155-2670119449-501 

 

* After  

# net getlocalsid

SID for domain BBBB is: S-1-5-21-1007219585-1734150146-233539565

# net cache list |grep IDMAP

Key: IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501
Timeout: Fri Feb  7 06:18:40 2025       Value: 65534:U

Key: IDMAP/SID2XID/S-1-5-21-1007219585-1734150146-233539565-501  Timeout:
Fri Feb  7 06:42:24 2025       Value: 65534:U

Key: IDMAP/UID2SID/65534         Timeout: Fri Feb  7 06:42:24 2025
Value: S-1-5-21-1007219585-1734150146-233539565-501

-- 

 

If the NetBIOS name corresponding to this previous local SID is reassigned,
"IDMAP/UID2SID/65534" (nobody) is not updated, and the owner is returned as
the guest account SID that differs from the current local SID.

--

# net getlocalsid

SID for domain AAAA is: S-1-5-21-4103205838-3119001155-2670119449

# net cache list |grep IDMAP

Key: IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501
Timeout: Fri Feb  7 06:18:40 2025       Value: 65534:U

Key: IDMAP/SID2XID/S-1-5-21-1007219585-1734150146-233539565-501  Timeout:
Fri Feb  7 06:42:24 2025       Value: 65534:U

Key: IDMAP/UID2SID/65534         Timeout: Fri Feb  7 06:42:24 2025
Value: S-1-5-21-1007219585-1734150146-233539565-501

--- 

 

Best regards,

Hiroshi Chiba
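A check for the inconsistency reported above, as an added example that is not part of the original post and not Samba code: it parses `net getlocalsid` and `net cache list` output and reports reverse (UID2SID/GID2SID) entries that contradict a SID2XID entry under the current local SID. The function name is hypothetical, the sample data is the output quoted in the post, and the handling of the G and B type letters is assumed by analogy with the U entries shown there.

```python
import re

# Matches one `net cache list` entry, even when mail wrapping split it across lines.
ENTRY_RE = re.compile(r"Key:\s*(\S+)\s+Timeout:\s*(.*?)\s+Value:\s*(\S+)", re.S)
LOCALSID_RE = re.compile(r"SID for domain \S+ is: (S-1-5-21-\d+-\d+-\d+)")
# Reverse-lookup key prefix for each SID2XID type letter (U = uid, G = gid, B = both).
REVERSE = {"U": ["UID2SID"], "G": ["GID2SID"], "B": ["UID2SID", "GID2SID"]}

def find_stale_reverse_mappings(localsid_out, cache_out):
    """Return (reverse_key, cached_sid, expected_sid) for reverse entries that
    contradict a SID2XID entry belonging to the current local SID."""
    m = LOCALSID_RE.search(localsid_out)
    if m is None:
        raise ValueError("no local SID found in `net getlocalsid` output")
    local = m.group(1)
    cache = {k: v for k, _, v in ENTRY_RE.findall(cache_out) if k.startswith("IDMAP/")}
    findings = []
    for key, value in sorted(cache.items()):
        if not key.startswith("IDMAP/SID2XID/"):
            continue
        sid = key[len("IDMAP/SID2XID/"):]
        if sid.rsplit("-", 1)[0] != local:  # only SIDs under the current local SID
            continue
        xid, _, kind = value.partition(":")
        for prefix in REVERSE.get(kind, []):
            rkey = "IDMAP/%s/%s" % (prefix, xid)
            cached = cache.get(rkey)
            if cached is not None and cached != sid:
                findings.append((rkey, cached, sid))
    return findings

# Sample data: the output quoted in the post (cache state after the rename to "BBBB").
AAAA = "SID for domain AAAA is: S-1-5-21-4103205838-3119001155-2670119449"
BBBB = "SID for domain BBBB is: S-1-5-21-1007219585-1734150146-233539565"
CACHE = """\
Key: IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501
Timeout: Fri Feb  7 06:18:40 2025       Value: 65534:U
Key: IDMAP/SID2XID/S-1-5-21-1007219585-1734150146-233539565-501  Timeout:
Fri Feb  7 06:42:24 2025       Value: 65534:U
Key: IDMAP/UID2SID/65534         Timeout: Fri Feb  7 06:42:24 2025
Value: S-1-5-21-1007219585-1734150146-233539565-501
"""

if __name__ == "__main__":
    for rkey, cached, expected in find_stale_reverse_mappings(AAAA, CACHE):
        print("%s -> %s (expected %s)" % (rkey, cached, expected))
```

With the local SID for "BBBB" the same cache is consistent and nothing is reported; with the local SID for "AAAA" the UID2SID/65534 entry is flagged.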


