Bug 1248 - lsa_lookup_names RPC doesn't match Win2k behavior
Summary: lsa_lookup_names RPC doesn't match Win2k behavior
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services (show other bugs)
Version: 3.0.2a
Hardware: All All
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-04-06 12:09 UTC by John Janosik
Modified: 2005-08-24 10:25 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Janosik 2004-04-06 12:09:30 UTC
When an account is specified without a domain name in lsarlookupnames Samba
always uses global_myname() as the domain.  There are two cases when this does
not match Win2k/NT behavior.

On a Samba domain member server the RPC returns STATUS_NONE_MAPPED if the
account does not exist on the server.  If the same RPC is made to a Win2k server
that is a member of the same domain it first tries to find the account in the
local SAM and if that fails it tries again with the domain set to whatever
domain it is a member of.

When this call is made to an NT DC the DC always uses its own domain name if no
domain is specified.

This has caused problems for us when using the robocopy tool from the Windows
reskit because it fails to lookup the SID to use when copying acls from a Win2k
member server to a Samba member server.

I made the following changes to work around the problems:

1.  Modified lib/util_sid.c:split_domain_name.  It now sets domain to
lp_workgroup instead of global_myname if lp_domainlogons is true.

2.  Modified rpc_server/srv_lsa_nt.c:init_lsa_rid2s.  If the first call to
lookup_name fails, lp_server_role is DOMAIN_MEMBER, and the domain was not
specified it now retries the lookup_name with domain set to the domain the
server is a member of.
Comment 1 John Janosik 2004-04-06 14:08:34 UTC
Here is output from rpcclient that shows the differences.  The id jpjanosi is
only an account on the domain controller, the account adminsrv is an account on
both the domain controller and the NT DC.

rpcclient connected to Windows NT DC:

rpcclient $> lookupnames jpjanosi
lsa_io_sec_qos: length c does not match size 8
jpjanosi S-1-5-21-212947539-1368211815-1555891258-4727 (User: 1)
rpcclient $> lookupnames adminsrv
lsa_io_sec_qos: length c does not match size 8
adminsrv S-1-5-21-212947539-1368211815-1555891258-500 (User: 1)
rpcclient $> quit

rpcclient connected to Win2k member server:

rpcclient $> lookupnames jpjanosi
lsa_io_sec_qos: length c does not match size 8
jpjanosi S-1-5-21-212947539-1368211815-1555891258-4727 (User: 1)
rpcclient $> lookupnames adminsrv
lsa_io_sec_qos: length c does not match size 8
adminsrv S-1-5-21-1572940715-1285103615-1519199959-500 (User: 1)


rpcclient connected to Samba 3.0.3pre2 member server

rpcclient $> lookupnames adminsrv
lsa_io_sec_qos: length c does not match size 8
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupnames jpjanosi
lsa_io_sec_qos: length c does not match size 8
result was NT_STATUS_NONE_MAPPED

Comment 2 John Janosik 2004-04-06 14:09:55 UTC
I made a mistake in my last comment.  The account adminsrv exists on both the
domain controller and the win2k member server.
Comment 3 Jim McDonough 2004-04-06 15:08:24 UTC
Checked in a fix supplied by John with minor formatting changes.  Nice work John!

srv_lsa_nt.c and util_sid.c were updated in svn, rev 91 for 3.0, rev 92 for trunk.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-02-07 07:39:56 UTC
originally reported against 3.0.3pre1.  Moving back to version to 3.0.2a
to remove preX and rcX versions.
Comment 5 Gerald (Jerry) Carter (dead mail address) 2005-02-07 07:42:17 UTC
originally reported against 3.0.3pre2.  Moving back to version to 3.0.2a
to remove preX and rcX versions.
Comment 6 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:25:37 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.