The Samba-Bugzilla – Bug 2804
SID mismatch with share perms set from Windows
Last modified: 2005-09-29 09:43:58 UTC
Samba is a member server of a w2k SP4 AD domain. A share access right is set for
a user from the Windows side. Connection to this share from a w2k SP4 workstation
as a domain user fails wrongly, apparently because the domain user gets a local
SID which doesn't match the domain SID of the user that specifies the access right.
Created attachment 1277
log level 10 of the connection
classicus: domain controller, ip 192.168.15.7
rasvoyage: w2k client, ip 192.168.15.204
fileserver: samba server, ip 192.168.15.26
user: ORSAT/demo SID: S-1-5-21-675481893-1142756424-452798024-1185
fileserver:~# net getlocalsid
SID for domain FILESERVER is: S-1-5-21-344095755-2918523801-3831656741
At some point the domain is set to FILESERVER and the user gets a local SID:
[2005/06/16 17:40:06, 10] passdb/pdb_get_set.c:pdb_set_domain(644)
pdb_set_domain: setting domain FILESERVER, was
[2005/06/16 17:40:06, 10] passdb/pdb_get_set.c:pdb_set_user_sid(544)
pdb_set_user_sid: setting user sid
[2005/06/16 17:40:06, 10] passdb/pdb_compat.c:pdb_set_user_sid_from_rid(73)
setting user sid S-1-5-21-344095755-2918523801-3831656741-21060 from
idmap uid = 10000-20000, and 21060 is 20000 + 1000 + 2*30, and 10030 is the winbind uid of the user.
Later, the access right matching fails:
[2005/06/16 17:40:06, 10] lib/util_seaccess.c:se_access_check(234)
se_access_check: requested access 0x00000002, for NT token with 8 entries and
first sid S-1-5-21-344095755-2918523801-3831656741-21060.
[2005/06/16 17:40:06, 3] lib/util_seaccess.c:se_access_check(251)
[2005/06/16 17:40:06, 3] lib/util_seaccess.c:se_access_check(252)
se_access_check: user sid is S-1-5-21-344095755-2918523801-3831656741-21060
se_access_check: also S-1-5-21-344095755-2918523801-3831656741-21001
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-675481893-1142756424-452798024-513
se_access_check: also S-1-5-21-675481893-1142756424-452798024-1033
se_access_check: also S-1-5-21-675481893-1142756424-452798024-1020
se_access_check: ACE 0: type 0, flags = 0x00, SID =
S-1-5-21-675481893-1142756424-452798024-1185 mask = 1f01ff, current desired = 2
[2005/06/16 17:40:06, 5] lib/util_seaccess.c:se_access_check(315)
se_access_check: access (2) denied.
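Added worked example (not part of this bug report and not Samba's own code): a small Python model of the se_access_check() walk shown in the log above, run twice, once with a token whose user SID is built from the Unix ids under the local machine SID, and once with the user SID taken from the domain (as the PAC-based fix does). The SIDs, the ACE mask 0x1f01ff and the desired access 0x2 are copied from the log; the RID formulas uid*2 + 1000 and gid*2 + 1001 are Samba 3's algorithmic RID mapping, which reproduces the 21060 and 21001 seen in the token for uid 10030 and gid 10000. The ACL evaluation is a simplified model, not the full Samba routine.

```python
# Added illustration of the SID mismatch in this bug; not Samba code.
# SIDs below are taken from the log in the report.
LOCAL_SID = "S-1-5-21-344095755-2918523801-3831656741"   # `net getlocalsid` on fileserver
DOMAIN_SID = "S-1-5-21-675481893-1142756424-452798024"   # ORSAT domain
DEMO_USER_SID = DOMAIN_SID + "-1185"                      # ORSAT/demo, the SID in ACE 0

# Well-known SIDs and domain groups present in the logged token.
WELL_KNOWN = ["S-1-1-0", "S-1-5-2", "S-1-5-11"]           # Everyone, Network, Authenticated Users
DOMAIN_GROUPS = [DOMAIN_SID + "-513", DOMAIN_SID + "-1033", DOMAIN_SID + "-1020"]

SEC_RIGHTS_FILE_ALL = 0x1F01FF          # mask of ACE 0 in the log
SEC_ACE_TYPE_ACCESS_ALLOWED = 0
SEC_ACE_TYPE_ACCESS_DENIED = 1
DESIRED_ACCESS = 0x2                    # "requested access 0x00000002"

# Samba 3 algorithmic RID mapping (assumption stated in the lead-in):
# user RID = uid*2 + 1000, group RID = gid*2 + 1001.
def algorithmic_user_rid(uid: int) -> int:
    return uid * 2 + 1000

def algorithmic_group_rid(gid: int) -> int:
    return gid * 2 + 1001

def build_token_from_unix_ids(uid: int, gid: int, extra_sids) -> list:
    """Buggy security=ads path as seen in the log: user and primary-group SIDs are
    derived from the winbind uid/gid under the LOCAL machine SID."""
    return [f"{LOCAL_SID}-{algorithmic_user_rid(uid)}",
            f"{LOCAL_SID}-{algorithmic_group_rid(gid)}"] + list(extra_sids)

def build_token_from_pac(user_sid: str, group_sids, extra_sids) -> list:
    """Fixed path: user and group SIDs come from the Kerberos PAC, i.e. the domain SIDs."""
    return [user_sid] + list(group_sids) + list(extra_sids)

def se_access_check(acl, token_sids, desired: int):
    """Simplified model of lib/util_seaccess.c:se_access_check().
    acl: list of (ace_type, sid, mask) in ACL order.
    Returns (granted, granted_bits). An ACE only counts if its SID is in the token;
    an allow ACE clears the bits it grants, a deny ACE that hits a still-wanted bit
    fails the check, and access is granted once no desired bit remains."""
    remaining = desired
    token = set(token_sids)
    for ace_type, sid, mask in acl:
        if sid not in token:
            continue
        if ace_type == SEC_ACE_TYPE_ACCESS_DENIED and (mask & remaining):
            return False, 0
        if ace_type == SEC_ACE_TYPE_ACCESS_ALLOWED:
            remaining &= ~mask
            if remaining == 0:
                return True, desired
    return False, desired & ~remaining

# ACE 0 from the log: full control for ORSAT/demo's domain SID.
ACL = [(SEC_ACE_TYPE_ACCESS_ALLOWED, DEMO_USER_SID, SEC_RIGHTS_FILE_ALL)]

def check_with_local_sid() -> bool:
    """Token as logged: first SID is LOCAL_SID-21060, so ACE 0 never matches."""
    token = build_token_from_unix_ids(10030, 10000, WELL_KNOWN + DOMAIN_GROUPS)
    return se_access_check(ACL, token, DESIRED_ACCESS)[0]

def check_with_domain_sid() -> bool:
    """Token built from the PAC: first SID is DOMAIN_SID-1185, ACE 0 matches."""
    token = build_token_from_pac(DEMO_USER_SID, DOMAIN_GROUPS, WELL_KNOWN)
    return se_access_check(ACL, token, DESIRED_ACCESS)[0]

if __name__ == "__main__":
    print("uid 10030 ->", build_token_from_unix_ids(10030, 10000, [])[0])
    print("access with local SID :", check_with_local_sid())    # False, as in the log
    print("access with domain SID:", check_with_domain_sid())   # True
```

The point the model makes is that the ACE SID and the token's user SID are compared as whole strings: the RID is not the problem, the domain part is, so no idmap range tweak can make LOCAL_SID-21060 equal DOMAIN_SID-1185. Only a token that carries the domain user SID (here taken from the PAC) satisfies the ACE.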
Created attachment 1278
I can reproduce it with smbclient -k but it works fine if I don't use -k.
Actually, going to security=domain appears to be a workaround.
Yes, this is a known issue with running in "security = ads" and we are currently
working on it. It will also have an effect on assigning privileges.
Created attachment 1461
Use Kerberos PAC to build NT Token
This is fixed in subversion (trunk) and will be part of Samba 3.0.21.
*** Bug 1493 has been marked as a duplicate of this bug. ***