Bug 2804 - SID mismatch with share perms set from Windows
Summary: SID mismatch with share perms set from Windows
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.14a
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
Duplicates: 1493
Reported: 2005-06-16 12:56 UTC by Marcel de Riedmatten
Modified: 2005-09-29 09:43 UTC

Attachments:
log level 10 of the connection (213.48 KB, text/plain), 2005-06-16 13:23 UTC, Marcel de Riedmatten
smb.conf (1.92 KB, text/plain), 2005-06-16 13:34 UTC, Marcel de Riedmatten
Use Kerberos PAC to build NT Token (59.55 KB, patch), 2005-09-28 03:53 UTC, Guenther Deschner

Description Marcel de Riedmatten 2005-06-16 12:56:01 UTC
Samba is a member server of a w2k SP4 AD domain. A share access right is set for
a user from the Windows side. Connecting to this share from a w2k SP4 workstation
as a domain user fails wrongly, apparently because the domain user gets a local
SID which doesn't match the domain SID of the user specified in the access right.
Comment 1 Marcel de Riedmatten 2005-06-16 13:23:39 UTC
Created attachment 1277: log level 10 of the connection


classicus: domain controller, ip
rasvoyage: w2k client, ip
fileserver: samba server, ip

user: ORSAT/demo  SID: S-1-5-21-675481893-1142756424-452798024-1185
winbind: ORSAT/demo:x:10030:10000:demo:/home/demo:/bin/bash

fileserver:~# net getlocalsid
SID for domain FILESERVER is: S-1-5-21-344095755-2918523801-3831656741


At some point the domain is set to FILESERVER and the user gets a local SID:

[2005/06/16 17:40:06, 10] passdb/pdb_get_set.c:pdb_set_domain(644)
  pdb_set_domain: setting domain FILESERVER, was
[2005/06/16 17:40:06, 10] passdb/pdb_get_set.c:pdb_set_user_sid(544)
  pdb_set_user_sid: setting user sid
[2005/06/16 17:40:06, 10] passdb/pdb_compat.c:pdb_set_user_sid_from_rid(73)
	setting user sid S-1-5-21-344095755-2918523801-3831656741-21060 from
rid 21060

idmap uid = 10000-20000, and 21060 is 20000 + 1000 + 2*30, where 10030 is the winbind
uid of the user.


Later, the access right matching that fails:

[2005/06/16 17:40:06, 10] lib/util_seaccess.c:se_access_check(234)
  se_access_check: requested access 0x00000002, for NT token with 8 entries and
first sid S-1-5-21-344095755-2918523801-3831656741-21060.
[2005/06/16 17:40:06, 3] lib/util_seaccess.c:se_access_check(251)
[2005/06/16 17:40:06, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-344095755-2918523801-3831656741-21060
  se_access_check: also S-1-5-21-344095755-2918523801-3831656741-21001
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-675481893-1142756424-452798024-513
  se_access_check: also S-1-5-21-675481893-1142756424-452798024-1033
  se_access_check: also S-1-5-21-675481893-1142756424-452798024-1020
  se_access_check: ACE 0: type 0, flags = 0x00, SID =
S-1-5-21-675481893-1142756424-452798024-1185 mask = 1f01ff, current desired = 2

[2005/06/16 17:40:06, 5] lib/util_seaccess.c:se_access_check(315)
  se_access_check: access (2) denied.
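An added model (not Samba's own code) of the check the log above records: the token's first SID is derived from the winbind uid through Samba 3's algebraic fallback mapping (rid = uid * 2 + 1000, as the 21060 arithmetic shows), so it never matches the domain SID in the ACE. The SIDs and ACE are taken from the log; the ACL walk is a simplified reconstruction of se_access_check.

```python
# Samba 3.0's algebraic uid -> RID fallback (pdb_compat.c): rid = uid * 2 + 1000.
RID_MULTIPLIER = 2
BASE_RID = 1000

LOCAL_DOMAIN_SID = "S-1-5-21-344095755-2918523801-3831656741"  # net getlocalsid
AD_DOMAIN_SID = "S-1-5-21-675481893-1142756424-452798024"      # ORSAT domain
WINBIND_UID = 10030                                             # ORSAT/demo


def fallback_uid_to_rid(uid: int) -> int:
    """RID Samba computes when it has no real SID for the user."""
    return uid * RID_MULTIPLIER + BASE_RID


def build_token_from_log() -> list:
    """The NT token exactly as se_access_check printed it in the level-10 log."""
    return [
        f"{LOCAL_DOMAIN_SID}-{fallback_uid_to_rid(WINBIND_UID)}",  # wrong user SID
        f"{LOCAL_DOMAIN_SID}-21001",
        "S-1-1-0", "S-1-5-2", "S-1-5-11",
        f"{AD_DOMAIN_SID}-513", f"{AD_DOMAIN_SID}-1033", f"{AD_DOMAIN_SID}-1020",
    ]


# The single ACE from the log: type 0 (allow), full control, for the domain user.
ACL = [{"type": 0, "sid": f"{AD_DOMAIN_SID}-1185", "mask": 0x1F01FF}]


def se_access_check(token: list, acl: list, desired: int) -> bool:
    """Simplified NT access check: walk ACEs in order; a matching deny (type 1)
    on any still-wanted bit refuses; matching allow (type 0) ACEs grant bits;
    access is granted only once every desired bit has been granted."""
    remaining = desired
    for ace in acl:
        if ace["sid"] not in token:
            continue
        if ace["type"] == 1 and ace["mask"] & remaining:
            return False
        if ace["type"] == 0:
            remaining &= ~ace["mask"]
        if remaining == 0:
            return True
    return remaining == 0


if __name__ == "__main__":
    bad = build_token_from_log()
    good = [f"{AD_DOMAIN_SID}-1185"] + bad[1:]  # token carrying the real domain SID
    print(fallback_uid_to_rid(WINBIND_UID))     # 21060, as in the log
    print(se_access_check(bad, ACL, 0x2))       # False: "access (2) denied"
    print(se_access_check(good, ACL, 0x2))      # True
```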
Comment 2 Marcel de Riedmatten 2005-06-16 13:34:04 UTC
Created attachment 1278: smb.conf
Comment 3 Marcel de Riedmatten 2005-06-19 16:51:45 UTC
I can reproduce it with smbclient -k, but it works fine if I don't use -k.
Actually, going to security=domain appears to be a workaround.
Comment 4 Guenther Deschner 2005-09-06 03:43:43 UTC
Yes, this is a known issue with running in "security = ads" and we are currently
working on it. It will also have an effect on assigning privileges.
Comment 5 Guenther Deschner 2005-09-28 03:53:21 UTC
Created attachment 1461: Use Kerberos PAC to build NT Token
Comment 6 Guenther Deschner 2005-09-28 03:55:03 UTC
This is fixed in subversion (trunk) and will be part of Samba 3.0.21.
Comment 7 Gerald (Jerry) Carter (dead mail address) 2005-09-29 07:49:36 UTC
Comment 8 Gerald (Jerry) Carter (dead mail address) 2005-09-29 09:43:58 UTC
*** Bug 1493 has been marked as a duplicate of this bug. ***