When an account is specified without a domain name in lsarlookupnames Samba always uses global_myname() as the domain. There are two cases when this does not match Win2k/NT behavior.

On a Samba domain member server the RPC returns STATUS_NONE_MAPPED if the account does not exist on the server. If the same RPC is made to a Win2k server that is a member of the same domain it first tries to find the account in the local SAM and if that fails it tries again with the domain set to whatever domain it is a member of.

When this call is made to an NT DC the DC always uses its own domain name if no domain is specified.

This has caused problems for us when using the robocopy tool from the Windows reskit because it fails to look up the SID to use when copying ACLs from a Win2k member server to a Samba member server.

I made the following changes to work around the problems:

1. Modified lib/util_sid.c:split_domain_name. It now sets domain to lp_workgroup instead of global_myname if lp_domainlogons is true.
2. Modified rpc_server/srv_lsa_nt.c:init_lsa_rid2s. If the first call to lookup_name fails, lp_server_role is DOMAIN_MEMBER, and the domain was not specified it now retries the lookup_name with domain set to the domain the server is a member of.
Here is output from rpcclient that shows the differences. The id jpjanosi is only an account on the domain controller, the account adminsrv is an account on both the domain controller and the NT DC.

rpcclient connected to Windows NT DC:

    rpcclient $> lookupnames jpjanosi
    lsa_io_sec_qos: length c does not match size 8
    jpjanosi S-1-5-21-212947539-1368211815-1555891258-4727 (User: 1)
    rpcclient $> lookupnames adminsrv
    lsa_io_sec_qos: length c does not match size 8
    adminsrv S-1-5-21-212947539-1368211815-1555891258-500 (User: 1)
    rpcclient $> quit

rpcclient connected to Win2k member server:

    rpcclient $> lookupnames jpjanosi
    lsa_io_sec_qos: length c does not match size 8
    jpjanosi S-1-5-21-212947539-1368211815-1555891258-4727 (User: 1)
    rpcclient $> lookupnames adminsrv
    lsa_io_sec_qos: length c does not match size 8
    adminsrv S-1-5-21-1572940715-1285103615-1519199959-500 (User: 1)

rpcclient connected to Samba 3.0.3pre2 member server:

    rpcclient $> lookupnames adminsrv
    lsa_io_sec_qos: length c does not match size 8
    result was NT_STATUS_NONE_MAPPED
    rpcclient $> lookupnames jpjanosi
    lsa_io_sec_qos: length c does not match size 8
    result was NT_STATUS_NONE_MAPPED
I made a mistake in my last comment. The account adminsrv exists on both the domain controller and the win2k member server.
Checked in a fix supplied by John with minor formatting changes. Nice work John! srv_lsa_nt.c and util_sid.c were updated in svn, rev 91 for 3.0, rev 92 for trunk.
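The lookup order described in this report, as an added toy model in C (not Samba source and not the patch that was checked in). The names lookup_model, resolve, with_fix, MEMBER1, DC1 and CORP are hypothetical, and the accounts and SIDs are constructed placeholders. It shows that a bare name on a member server can resolve to the local account even when a domain account of the same name exists, which matters when ACLs are copied by name.

```c
/* Toy model of the unqualified-name lookup order; not Samba source. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical roles standing in for lp_domainlogons / lp_server_role. */
enum role { ROLE_STANDALONE, ROLE_DOMAIN_MEMBER, ROLE_DC };
struct account { const char *domain, *name, *sid; };

/* Constructed data: MEMBER1 is the server's own name, CORP its domain.
 * The SIDs are placeholders, not values from the report. */
static const struct account accounts[] = {
    { "MEMBER1", "adminsrv", "S-1-5-21-LOCAL-500" },
    { "CORP",    "adminsrv", "S-1-5-21-DOMAIN-500" },
    { "CORP",    "jpjanosi", "S-1-5-21-DOMAIN-4727" },
};

/* Stand-in for lookup_name(): case-insensitive match on (domain, name). */
static const char *lookup_model(const char *domain, const char *name)
{
    for (size_t i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++)
        if (!strcasecmp(accounts[i].domain, domain) &&
            !strcasecmp(accounts[i].name, name))
            return accounts[i].sid;
    return NULL; /* caller would report NT_STATUS_NONE_MAPPED */
}

/* Resolve "DOMAIN\name" or a bare "name"; with_fix selects the patched order. */
const char *resolve(const char *full, enum role role, const char *myname,
                    const char *domain, int with_fix)
{
    char dom[64];
    const char *sep = strchr(full, '\\');
    if (sep) { /* qualified name: exactly one lookup, no fallback */
        size_t n = (size_t)(sep - full);
        if (n >= sizeof(dom)) return NULL;
        memcpy(dom, full, n);
        dom[n] = '\0';
        return lookup_model(dom, sep + 1);
    }
    /* Change 1: a DC defaults to its domain instead of its machine name. */
    const char *def = (with_fix && role == ROLE_DC) ? domain : myname;
    const char *sid = lookup_model(def, full);
    /* Change 2: a member server retries with the domain it has joined. */
    if (!sid && with_fix && role == ROLE_DOMAIN_MEMBER)
        sid = lookup_model(domain, full);
    return sid;
}

int main(void)
{
    const char *s = resolve("jpjanosi", ROLE_DOMAIN_MEMBER, "MEMBER1", "CORP", 1);
    printf("jpjanosi -> %s\n", s ? s : "NT_STATUS_NONE_MAPPED");
    return 0;
}
```

Passing a qualified name such as CORP\adminsrv skips the fallback entirely, so the result does not depend on which local accounts happen to exist on the server answering the call.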
Originally reported against 3.0.3pre1. Moving version back to 3.0.2a to remove preX and rcX versions.
Originally reported against 3.0.3pre2. Moving version back to 3.0.2a to remove preX and rcX versions.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.