Hello,

Samba avoids authenticating a user from a trusted domain for a member computer. It gets this error:

    rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(1004)
    _net_sam_logon: user TRE-SC\042138400906 has user sid S-1-5-21-917466437-634157975-1849977318-8299
    but group sid S-1-5-21-523112625-507000586-1192791579-513.
    The conflicting domain portions are not supported for NETLOGON calls
    User TRE-SC\042138400906 using "usermap script" will be mapped to uid=2008(luizluca) gid=257(csit-scd) groups=257(csit-scd),123(suporte),72(swadm),73(swinstall),31323(csit)

As Samba avoided it, it cannot perform the login. Checking the code, it seems that the group sid comes from pdb_get_group_sid(sampw) in rpc_server/srv_netlog_nt.c:_net_sam_logon_internal:986:

    sampw = server_info->sam_account;

    /* set up pointer indicating user/password failed to be
     * found */
    usr_info->ptr_user_info = 0;

    user_sid = pdb_get_user_sid(sampw);
    group_sid = pdb_get_group_sid(sampw);

    if ((user_sid == NULL) || (group_sid == NULL)) {
        DEBUG(1, ("_net_sam_logon: User without group or user SID\n"));
        return NT_STATUS_UNSUCCESSFUL;
    }

    sid_copy(&domain_sid, user_sid);
    sid_split_rid(&domain_sid, &user_rid);

    if (!sid_peek_check_rid(&domain_sid, group_sid, &group_rid)) {
        DEBUG(1, ("_net_sam_logon: user %s\\%s has user sid "
                  "%s\n but group sid %s.\n"
                  "The conflicting domain portions are not "
                  "supported for NETLOGON calls\n",
                  pdb_get_domain(sampw), pdb_get_username(sampw),
                  sid_to_string(user_sid_string, user_sid),
                  sid_to_string(group_sid_string, group_sid)));
        return NT_STATUS_UNSUCCESSFUL;
    }

And the pdb_get_group_sid(sampw) function uses the global sam sid instead of the user's sid:

    /* Just set it to the 'Domain Users' RID of 512 which will
       always resolve to a name */
    sid_copy( gsid, get_global_sam_sid() );
    sid_append_rid( gsid, DOMAIN_GROUP_RID_USERS );

    sampass->group_sid = gsid;

    return sampass->group_sid;
    }

Am I right?
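The domain-portion check quoted in the comment above, reproduced as an added example in C (this is not Samba's code; the sid_t type and the string parser are hypothetical stand-ins for Samba's dom_sid helpers, and only the split/peek logic mirrors what _net_sam_logon does):

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Minimal SID model for this example (hypothetical; Samba's own struct differs). */
#define MAX_SUB_AUTHS 15
typedef struct {
    uint8_t revision; uint64_t authority;
    int num_auths; uint32_t sub_auths[MAX_SUB_AUTHS];
} sid_t;

/* Parse the textual form "S-1-5-21-...". Returns false on malformed input. */
static bool sid_parse(const char *s, sid_t *out) {
    unsigned rev; unsigned long long auth; int n = 0;
    memset(out, 0, sizeof(*out));
    if (sscanf(s, "S-%u-%llu%n", &rev, &auth, &n) != 2) return false;
    out->revision = (uint8_t)rev; out->authority = auth; s += n;
    while (*s == '-' && out->num_auths < MAX_SUB_AUTHS) {
        unsigned long v;
        if (sscanf(s, "-%lu%n", &v, &n) != 1) return false;
        out->sub_auths[out->num_auths++] = (uint32_t)v; s += n;
    }
    return *s == '\0';   /* reject trailing junk or too many sub-authorities */
}

/* Like Samba's sid_split_rid(): strip the last sub-authority (the RID). */
static bool sid_split_rid(sid_t *sid, uint32_t *rid) {
    if (sid->num_auths == 0) return false;
    *rid = sid->sub_auths[--sid->num_auths];
    return true;
}

/* Like sid_peek_check_rid(): true iff sid is exactly domain plus one RID. */
static bool sid_peek_check_rid(const sid_t *domain, const sid_t *sid, uint32_t *rid) {
    if (sid->num_auths != domain->num_auths + 1) return false;
    if (sid->revision != domain->revision || sid->authority != domain->authority) return false;
    if (memcmp(sid->sub_auths, domain->sub_auths, domain->num_auths * sizeof(uint32_t)) != 0) return false;
    *rid = sid->sub_auths[sid->num_auths - 1];
    return true;
}

/* The _net_sam_logon consistency check: do user and group SIDs share a domain portion? */
bool netlogon_sids_consistent(const char *user_sid_str, const char *group_sid_str) {
    sid_t user, group, domain; uint32_t user_rid, group_rid;
    if (!sid_parse(user_sid_str, &user) || !sid_parse(group_sid_str, &group)) return false;
    domain = user;                           /* sid_copy(&domain_sid, user_sid) */
    if (!sid_split_rid(&domain, &user_rid)) return false;
    return sid_peek_check_rid(&domain, &group, &group_rid);
}
```

Fed the two SIDs from the log above, the check returns false, which is the path that logs the "conflicting domain portions" message; a group SID built from the user's own domain plus RID 513 passes.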
Info: TRE-SC\042138400906 is a win2k3 user. The client is WinXP. The server accessed by the client is Samba (same version), joined to the Samba domain.
Created attachment 2864
Use user's domain "Domain user" when primary group is guessed

This patch fixes the case when a foreign user's primary group is mapped to the local domain users group.
The patch works, but I don't know if it can break something else out there. Can Samba survive dealing with a group without a gid? Anyway, local domain users is of no use for foreign users, as Samba rejects them. For local users, the behavior remains the same.
I don't think your analysis is correct. I definitely don't think the patch is correct. If you are running on a Samba DC, the only supported way of dealing with trusted users is to run winbindd on the DC. Have I misunderstood your setup?
I was using winbind without an idmap uid/gid range. I wanted to map foreign Domain Users groups to the unix group gid=1000. I reactivated the idmap and solved my problem. I'm just not sure why a foreign account should be mapped to local domain users if Samba rejects it in sequence. I will close this as invalid anyway...
Couple of comments.

a) We stopped looking at the stored primaryGroupSID around 3.0.23 IIRC, which means we needed a fallback for unmapped primary groups.

b) After some thinking, you are probably right about the primary group for trusted users. However, the fallback to the local-domain-RID-513 is a last ditch effort. But I'm very hesitant to change the current behavior, even though it breaks trusted logons on servers not running winbindd.

c) 3.0.25 has much more flexibility in how you map SIDs/uids/gids, so I believe that you can find a suitable workaround rather than changing the code.
It seems that the problem is that the first time it looks for the Samba group, it does not find it and falls back to LOCALSID-513. But after some time, it started to work. I found that when the winbind cache (on the PDC) is set to a low time, it works after that time has expired:

    winbind cache time = 10