The group "NT Authority\Network service" does not exist in Windows 2000; it was introduced in Windows XP and 2003 server. The SID for the group is S-1-5-20. In Samba this is defined in ./source/passdb/util_sam_sid.c.
The problem is that a program in Windows 2000 asking for that group should not get an answer. But when asking the Samba PDC it does get an answer. The showstopper is that Microsoft Systems Management Server 2003 (SMS) cannot install the advanced client onto a Windows 2000 PC.
When using PsTools (http://www.sysinternals.com/Files/PsTools.zip) one can resolve a SID on a Windows 2000 PC, using 'psgetsid S-1-5-20' and 'psgetsid "network service"'. There should not be a match there, but it does resolve with Samba as PDC.
If the ./source/passdb/util_sam_sid.c is edited and line nr 66 (3.0.21):
{ 20, SID_NAME_WKN_GRP, "Network Service"},
is commented out, it behaves correctly with that particular SID, and the SMS advanced client can be installed. But that is not fixing the real problem :-)
More data and information can be provided upon request.
System: SLES 9 SP2 running on x86 with OpenLDAP passdb backend. Clients: Windows 2000 and XP.
Regards, Jonas
Right now I'm heavily re-working that exact part of Samba for 3.0.22 or 3.0.23. If you have the chance, could you try the current trunk/ version of Samba? Be aware that this is far away from production code, and that particular aspect has heavily changed. Alternatively, could you attach a full sniff of what Windows does *not* reply to but Samba does? Is it the LsaLookupSids call? BTW, if Windows 2003 does reply, does your program function correctly against that one and how? Thanks, Volker
We don't have time until after Xmas to try some new code. But we will then :-) Sniffing done by ethereal can be found here: http://www.gs.bergen.hl.no/samba/ Sniffing in a test environment against Samba, and a whole different net against a Windows 2003 AD server. And yes, the advanced client of SMS does install in the AD network :-)
It's really funny how things happen at the same time. I just recently found out that the 'level' parameter in lookupnames does have meaning, now you send me sniffs that prove the same. Thanks for the sniffs. No need to test so far, I did not yet touch that aspect. This is not an immediate thing, and as you have a workaround you might be able to live with the current behaviour, right? If I don't post anything here till then, ping me at the end of January again about what I found out and maybe already coded up. Thanks, Volker
If commenting out this one line does not break anything then we can live with that for a while... But getting a fix into the stable tree, that would be backported by SuSE into their release of Samba, would make us very happy ;-) Regards, Jonas
I don't see how commenting out that one line should break anything. Volker
(In reply to Volker Lendecke from comment #3) Volker, do you remember the difference you discovered? I guess it will be important for our work on trusts...
Metze, Volker? Should we close this, or is this bug reminding you to do something here?