Bug 4874 - Samba users local domain SID for uknown groups even for foreign users
Summary: Samba users local domain SID for uknown groups even for foreign users
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.0.23d
Hardware: x64 Linux
: P3 critical
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
Depends on:
Reported: 2007-08-10 18:25 UTC by Luiz Angelo Daros de Luca
Modified: 2007-08-15 15:18 UTC (History)
0 users

See Also:

Use user's domain "Domain user" when primary group is guessed (2.18 KB, patch)
2007-08-14 11:28 UTC, Luiz Angelo Daros de Luca
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Luiz Angelo Daros de Luca 2007-08-10 18:25:21 UTC

Samba avoids to auth an user from a trusted domain for a computer member. It gets this error:

  _net_sam_logon: user TRE-SC\042138400906 has user sid S-1-5-21-917466437-634157975-1849977318-8299
   but group sid S-1-5-21-523112625-507000586-1192791579-513.
  The conflicting domain portions are not supported for NETLOGON calls

User TRE-SC\042138400906 using "usermap script" will be mapped to 
uid=2008(luizluca) gid=257(csit-scd) groups=257(csit-scd),123(suporte),72(swadm),73(swinstall),31323(csit)

As samba avoided it, it cannot perform the login.

Checking the code, it seems that the group sid comes from pdb_get_group_sid(sampw) in


		sampw = server_info->sam_account;

		/* set up pointer indicating user/password failed to be
		 * found */
		usr_info->ptr_user_info = 0;

		user_sid = pdb_get_user_sid(sampw);
		group_sid = pdb_get_group_sid(sampw);

		if ((user_sid == NULL) || (group_sid == NULL)) {
			DEBUG(1, ("_net_sam_logon: User without group or user SID\n"));

		sid_copy(&domain_sid, user_sid);
		sid_split_rid(&domain_sid, &user_rid);

		if (!sid_peek_check_rid(&domain_sid, group_sid, &group_rid)) {
			DEBUG(1, ("_net_sam_logon: user %s\\%s has user sid "
				  "%s\n but group sid %s.\n"
				  "The conflicting domain portions are not "
				  "supported for NETLOGON calls\n", 	    
				  sid_to_string(user_sid_string, user_sid),
				  sid_to_string(group_sid_string, group_sid)));

And pdb_get_group_sid(sampw) function uses global sam sid instead of user's sid

      /* Just set it to the 'Domain Users' RID of 512 which will 
           always resolve to a name */
        sid_copy( gsid, get_global_sam_sid() );
        sid_append_rid( gsid, DOMAIN_GROUP_RID_USERS );
        sampass->group_sid = gsid;
        return sampass->group_sid;

Am I right? 


TRE-SC\042138400906 is a win2k3 user
Client is winxp
server accessed by client is samba (same version) joined to samba domain
Comment 1 Luiz Angelo Daros de Luca 2007-08-14 11:28:30 UTC
Created attachment 2864 [details]
Use user's domain "Domain user" when primary group is guessed

This patch fixes the case when a foreign user's primary group is mapped to a local domain users group.
Comment 2 Luiz Angelo Daros de Luca 2007-08-14 11:34:00 UTC
The patch works but I don't know if it can break something else out there. Can samba survive dealing with a group without gid? 

Anyway, local domain users is of no use for foreign users as samba rejects them.

For local users, the behavior remains the same. 
Comment 3 Gerald (Jerry) Carter (dead mail address) 2007-08-14 11:38:27 UTC
I don't think your analysis is correct.  I definitely don't think 
the patch is correct.  If you are running on a Samba DC, the only
supported way of dealing with trusted users is to run winbindd on 
the DC.  have I misunderstood your setup?
Comment 4 Luiz Angelo Daros de Luca 2007-08-14 12:03:01 UTC
I was using winbind without idmap uid/gid range. I wanted to map foreign Dom Users groups to unix group gid=1000. I reactivated the idmap and solved my problem. 

I'm just not sure why a foreign account should be mapped to local domain user if samba rejects it in sequence.

I will close this as invalid anyway...

Comment 5 Gerald (Jerry) Carter (dead mail address) 2007-08-15 15:09:17 UTC
Couple of comments.  

a) We stopped looking at the stored primaryGroupSID around 3.0.23
   IIRC which means we needed a fallback for unmapped primary groups.

b) After some thinking, you are probably right about the primary 
   group for trusted users.  However, the fallback to the
   local-domain-RID-513 is a last ditch effort.  But I'm very hesitant
   to change the current behavior even though it breaks trusted logons
   on servers not running winbindd.

c) 3.0.25 has muhc more flexibility on how you map SIDs/uids/gids so
   I believe that you can find a suitable workaround rather than changing
   the code.
Comment 6 Luiz Angelo Daros de Luca 2007-08-15 15:18:59 UTC
It seems that the problem is that the first time it looks for samba group, it does not find it and falls to LOCALSID-513. But after some time, it started to work. I found that when winbind cache (in PDC) is set to low time, it works after that time is expired.

    winbind cache time = 10