Samba is a member server of a w2k SP4 AD domain. A share access right is set for a user from the Windows side. Connection to this share from a w2k SP4 workstation as a domain user fails wrongly, apparently because the domain user gets a local SID which doesn't match the domain SID of the user that specifies the access right.
Created attachment 1277 [details]
log level 10 of the connection

Situation:
classicus: domain controller, ip 192.168.15.7
rasvoyage: w2k client, ip 192.168.15.204
fileserver: samba server, ip 192.168.15.26
user: ORSAT/demo
SID: S-1-5-21-675481893-1142756424-452798024-1185
winbind: ORSAT/demo:x:10030:10000:demo:/home/demo:/bin/bash

fileserver:~# net getlocalsid
SID for domain FILESERVER is: S-1-5-21-344095755-2918523801-3831656741

------ at some point domain is set to FILESERVER and user gets a local SID

[2005/06/16 17:40:06, 10] passdb/pdb_get_set.c:pdb_set_domain(644)
  pdb_set_domain: setting domain FILESERVER, was
[2005/06/16 17:40:06, 10] passdb/pdb_get_set.c:pdb_set_user_sid(544)
  pdb_set_user_sid: setting user sid S-1-5-21-344095755-2918523801-3831656741-21060
[2005/06/16 17:40:06, 10] passdb/pdb_compat.c:pdb_set_user_sid_from_rid(73)
  pdb_set_user_sid_from_rid: setting user sid S-1-5-21-344095755-2918523801-3831656741-21060 from rid 21060

idmap uid = 10000-20000
and 21060 is 20000 + 1000 + 2*30
and 10030 is winbind uid from user

------ later access right matching fails

[2005/06/16 17:40:06, 10] lib/util_seaccess.c:se_access_check(234)
  se_access_check: requested access 0x00000002, for NT token with 8 entries and first sid S-1-5-21-344095755-2918523801-3831656741-21060.
[2005/06/16 17:40:06, 3] lib/util_seaccess.c:se_access_check(251)
[2005/06/16 17:40:06, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-344095755-2918523801-3831656741-21060
  se_access_check: also S-1-5-21-344095755-2918523801-3831656741-21001
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-675481893-1142756424-452798024-513
  se_access_check: also S-1-5-21-675481893-1142756424-452798024-1033
  se_access_check: also S-1-5-21-675481893-1142756424-452798024-1020
  se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-5-21-675481893-1142756424-452798024-1185 mask = 1f01ff, current desired = 2
[2005/06/16 17:40:06, 5] lib/util_seaccess.c:se_access_check(315)
  se_access_check: access (2) denied.
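Added example (not part of the original report and not Samba code): a small Python check over the se_access_check lines quoted above. It flags a token whose user SID lies in the member server's own domain (the value from net getlocalsid) while an allow ACE names a SID from the domain the token's group SIDs come from. LOCAL_SID, RID_BASE and the function names are assumptions of this example; the RID-to-uid inversion assumes Samba 3's default algorithmic mapping (user RID = 2*uid + 1000, group RID = 2*gid + 1001), which the report does not state.

```python
import re

# Constructed sample: the se_access_check lines from the report above, one per line.
SAMPLE_LOG = """\
se_access_check: user sid is S-1-5-21-344095755-2918523801-3831656741-21060
se_access_check: also S-1-5-21-344095755-2918523801-3831656741-21001
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-675481893-1142756424-452798024-513
se_access_check: also S-1-5-21-675481893-1142756424-452798024-1033
se_access_check: also S-1-5-21-675481893-1142756424-452798024-1020
se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-5-21-675481893-1142756424-452798024-1185 mask = 1f01ff, current desired = 2
"""
LOCAL_SID = "S-1-5-21-344095755-2918523801-3831656741"  # from `net getlocalsid`
RID_BASE = 1000  # assumption: Samba 3 default for "algorithmic rid base"

TOKEN_RE = re.compile(r"se_access_check: (?:user sid is|also) (S-[\d-]+)")
ACE_RE = re.compile(r"ACE \d+: type (\d+), flags = \S+ SID = (S-[\d-]+)")

def split_sid(sid):
    """Split a SID string into (domain part, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def algorithmic_id(rid):
    """Invert the assumed mapping: user RID = 2*uid + base, group RID = 2*gid + base + 1."""
    kind = "gid" if (rid - RID_BASE) % 2 else "uid"
    return kind, (rid - RID_BASE) // 2

def diagnose(log_text, local_sid=LOCAL_SID):
    """Flag a locally generated user SID and allow ACEs for domain SIDs missing from the token."""
    token = TOKEN_RE.findall(log_text)
    if not token:
        return []
    findings = []
    user_domain, user_rid = split_sid(token[0])
    if user_domain == local_sid:
        findings.append(("local-user-sid", token[0]) + algorithmic_id(user_rid))
    # Domains that the token's other SIDs come from (the AD domain, in the report).
    token_domains = {split_sid(s)[0] for s in token[1:]} - {local_sid}
    for ace_type, sid in ACE_RE.findall(log_text):
        # type 0 = access allowed; the ACE names a SID of a domain the token knows,
        # yet that exact SID is absent from the token.
        if ace_type == "0" and sid not in token and split_sid(sid)[0] in token_domains:
            findings.append(("ace-unmatched-domain-sid", sid))
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

On the sample, the local user RID 21060 decodes to uid 10030, the winbind uid of ORSAT/demo, and the ACE for RID 1185 is reported as unmatched.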
Created attachment 1278 [details] smb.conf
I can reproduce it with smbclient -k but it works fine if I don't use -k. Actually, going to security=domain appears to be a workaround.
Yes, this is a known issue with running in "security = ads" and we are currently working on it. It will also have an effect on assigning privileges.
Created attachment 1461 [details] Use Kerberos PAC to build NT Token
This is fixed in subversion (trunk) and will be part of Samba 3.0.21.
closing
*** Bug 1493 has been marked as a duplicate of this bug. ***