Bug 15817 - If a NetBIOS name used within a week is reused, an incorrect owner is returned.
Summary: If a NetBIOS name used within a week is reused, an incorrect owner is returned.
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.20.2
Hardware: All Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-02-27 00:35 UTC by h_chiba_mxr
Modified: 2025-02-27 00:35 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description h_chiba_mxr 2025-02-27 00:35:07 UTC 
I suspect this behavior comes from a bug. If the behavior is as designed, I'd like to know the background of the design. 
- Bug information
Version: 4.20.2
When a shared guest account is enabled and a NetBIOS name that was used within the past week is reassigned, the owner of the guest account becomes Account Unknown (S-1-5-21-*-501), and WRITE returns ACCESS_DENIED. (For example, this issue occurs when the NetBIOS name is changed from "AAAA" to "BBBB" and then back to "AAAA" again.) 
This behavior seems to be caused by the idmap cache.  

Changing the NetBIOS name leads to a modification of the local SID.
This results in the following cache updates:
* The cache entries corresponding to the updated local SID are added, specifically: "IDMAP/SID2XID/S-1-5-21-1007219585-1734150146-233539565-501" "IDMAP/UID2SID/65534"
* The previous cache entry "IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501" remains in gencache.tdb.
--
* Before 
# net getlocalsid
SID for domain AAAA is: S-1-5-21-4103205838-3119001155-2670119449
# net cache list |grep IDMAP
Key: IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501         Timeout: Fri Feb  7 06:18:40 2025       Value: 65534:U
Key: IDMAP/UID2SID/65534         Timeout: Fri Feb  7 06:42:24 2025       Value: S-1-5-21-4103205838-3119001155-2670119449-501 

* After  
# net getlocalsid
SID for domain BBBB is: S-1-5-21-1007219585-1734150146-233539565
# net cache list |grep IDMAP
Key: IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501         Timeout: Fri Feb  7 06:18:40 2025       Value: 65534:U
Key: IDMAP/SID2XID/S-1-5-21-1007219585-1734150146-233539565-501  Timeout: Fri Feb  7 06:42:24 2025       Value: 65534:U
Key: IDMAP/UID2SID/65534         Timeout: Fri Feb  7 06:42:24 2025       Value: S-1-5-21-1007219585-1734150146-233539565-501
-- 

If the NetBIOS name corresponding to this previous local SID is reassigned, "IDMAP/UID2SID/65534" (nobody) is not updated, and the owner is returned as the guest account SID that differs from the current local SID.
--
# net getlocalsid
SID for domain AAAA is: S-1-5-21-4103205838-3119001155-2670119449
# net cache list |grep IDMAP
Key: IDMAP/SID2XID/S-1-5-21-4103205838-3119001155-2670119449-501         Timeout: Fri Feb  7 06:18:40 2025       Value: 65534:U
Key: IDMAP/SID2XID/S-1-5-21-1007219585-1734150146-233539565-501  Timeout: Fri Feb  7 06:42:24 2025       Value: 65534:U
Key: IDMAP/UID2SID/65534         Timeout: Fri Feb  7 06:42:24 2025       Value: S-1-5-21-1007219585-1734150146-233539565-501
---