Bug 3350 - NT Authority\Network service group (sid) reported to Windows 2000 client
Summary: NT Authority\Network service group (sid) reported to Windows 2000 client
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.0.14a
Hardware: x86 Linux
: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Depends on:
Reported: 2005-12-22 05:49 UTC by Jonas Helgi Palsson (dead mail address)
Modified: 2020-12-20 20:56 UTC (History)
4 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Jonas Helgi Palsson (dead mail address) 2005-12-22 05:49:14 UTC
The group "NT Authority\Network service" does not exists in Windows 2000, it was introduced in Windows XP and 2003 server. The SID for the group is S-1-5-20.
In Samba this is defined in ./source/passdb/util_sam_sid.c

The problem is that a program, in Windows 2000 asking for that group, should not get an answear. But when asking a the Samba PDC it does get an answear.

The showstopper is that Microsoft Systems Management Server 2003 (SMS) can not install the advanced client onto a Windows 2000 PC.

When using PsTools (http://www.sysinternals.com/Files/PsTools.zip) one can resolve sid on a Windows 2000 PC, using 
'psgetsid S-1-5-20' and 
'psgetsid "network service" '

There should not be an match there, but it does resolve with Samba as PDC.

if the ./source/passdb/util_sam_sid.c is edited and line nr 66 (3.0.21):
        { 20, SID_NAME_WKN_GRP, "Network Service"},
is commented out it behaves correctly with that particular sid. And SMS advanced  client can be installed. But that is not fixing the real problem :-)

More data and information can be provied upon request.

System: SLES 9 SP2 running on x86 with OpenLDAP passdb backend.
Clients: Windows 2000 and XP

Comment 1 Volker Lendecke 2005-12-22 05:55:57 UTC
Right now I'm heavily re-working that exact part of Samba for 3.0.22 or 3.0.23. If you have the chance, could you try the current trunk/ version of Samba? Be aware that this is far away from production code, and that particular aspect has heavily changed.

Alternatively, could you attach a full sniff of what Windows does *not* reply to but Samba does? Is it the LsaLookupSids call?

BTW, if Windows 2003 does reply, does your program function correctly against that one and how?


Comment 2 Jonas Helgi Palsson (dead mail address) 2005-12-22 06:28:42 UTC
We dont have time until after Xmas to try some new code. But we will then :-)

Sniffing done by ethereal can be found here:

Sniffing in test enviroment against Samba, and whole different net against Windows 2003 AD server.

And yes, the advanced client of SMS does install in the AD network :-)
Comment 3 Volker Lendecke 2005-12-22 06:45:41 UTC
It's really funny how things happen at the same time. I just recently found out that the 'level' parameter in lookupnames does have meaning, how you send me sniffs that prove the same. Thanks for the sniffs. No need to test so far, I did not yet touch that aspect.

This is not an immediate thing, and as you have a workaround you might be able to live with the current behaviour, right?

If I don't post anything here til then, ping me end of January again about what I found out and maybe already coded up.


Comment 4 Jonas Helgi Palsson (dead mail address) 2005-12-22 06:53:19 UTC
If commenting out this one line does not break anything then we can live with that for awhile... But getting a fix into the stable tree, that would be backported by SuSE into their release of Samba, would make us very happy ;-)

Comment 5 Volker Lendecke 2005-12-22 06:55:36 UTC
I don't see how commenting out that one line should break anything.

Comment 6 Stefan Metzmacher 2017-03-09 10:34:50 UTC
(In reply to Volker Lendecke from comment #3)

Volker, do you remember the difference you discovered?
I guess it will be important for our work on trusts...
Comment 7 Björn Jacke 2020-12-20 20:56:39 UTC
Metze, Volker ? Should we close this or is this bug reminding you to do something here?