Bug 608 - Reverse group mapping fails in 3.0.1pre1
Reverse group mapping fails in 3.0.1pre1
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
3.0.0
All Linux
: P3 major
: none
Assigned To: Gerald (Jerry) Carter
:
Depends on: 822
Blocks: 807
  Show dependency treegraph
 
Reported: 2003-10-13 05:27 UTC by Daniel Beschorner
Modified: 2005-01-20 11:29 UTC (History)
0 users

See Also:


Attachments
extract of log LSA_LOOKUPSIDS working 3.0.0 (11.26 KB, text/plain)
2003-11-13 03:03 UTC, Daniel Beschorner
no flags Details
extract of log LSA_LOOKUPSIDS fails 3.0.1pre2 (27.75 KB, text/plain)
2003-11-13 03:04 UTC, Daniel Beschorner
no flags Details
extract of log LSA_LOOKUPSIDS fails 3.0.1pre2 (27.75 KB, text/plain)
2003-11-13 03:04 UTC, Daniel Beschorner
no flags Details
add Replicator and RAS Servers built in accounts (810 bytes, patch)
2003-12-01 10:04 UTC, Gerald (Jerry) Carter
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Beschorner 2003-10-13 05:27:22 UTC
In 3.0.1pre1 Windows presents only SIDs in backward mapping, no names.
Comment 1 Daniel Beschorner 2003-10-13 11:58:26 UTC
I should mention, we use LDAP and 3.0.0 did it correctly.
Comment 2 Daniel Beschorner 2003-11-09 14:10:22 UTC
in pre2 the same, group accounts resolve to "unknown" in WinNT.
Comment 3 Gerald (Jerry) Carter 2003-11-10 08:22:04 UTC
Can you set me a level 10 debug log (smbd and 
winbindd if you are running wbindd) and you 
smb.conf? Mail me directly if you prefer.
Comment 4 Gerald (Jerry) Carter 2003-11-12 14:52:33 UTC
Did your domain SID change when you upgraded?
run 'net getlocalsid <DOMAINNAME>' on the Samba 
PDC.  Send me that and and complete SID displayed 
in the local Administrators group listing.
Comment 5 Daniel Beschorner 2003-11-13 03:03:59 UTC
Created attachment 250 [details]
extract of log LSA_LOOKUPSIDS working 3.0.0
Comment 6 Daniel Beschorner 2003-11-13 03:04:38 UTC
Created attachment 251 [details]
extract of log LSA_LOOKUPSIDS fails 3.0.1pre2
Comment 7 Daniel Beschorner 2003-11-13 03:04:48 UTC
Created attachment 252 [details]
extract of log LSA_LOOKUPSIDS fails 3.0.1pre2
Comment 8 Daniel Beschorner 2003-11-13 03:12:50 UTC
Domain SID in either case is S-1-5-21-598206826-3982707997-2769875126.

I attached a log extract of the working (3.0.0) and one of the the broken 
scenario (CVS).
Sorry, I created the second attachment twice.
Comment 9 Gerald (Jerry) Carter 2003-11-30 21:10:20 UTC
This loks similar to bug 822
Comment 10 Gerald (Jerry) Carter 2003-12-01 10:03:50 UTC
These logs are not lookuping up the same sid.  The first 
one is looking up the domain admins group and the second 
one is looking up built-in groups.
Comment 11 Gerald (Jerry) Carter 2003-12-01 10:04:42 UTC
Created attachment 289 [details]
add Replicator and RAS Servers built in accounts
Comment 12 Gerald (Jerry) Carter 2003-12-01 10:04:57 UTC
Try this patch
Comment 13 Gerald (Jerry) Carter 2003-12-01 10:36:50 UTC
patch fixes the failure for me:

  rpcclient queso -U% --debuglevel=0 -c 'lookupsids S-1-5-32-553'
  S-1-5-32-553 BUILTIN\RAS Servers (4)

checking it in and marking as fixed.
Comment 14 Daniel Beschorner 2003-12-09 15:15:15 UTC
No, I think it's identical to Aurélien Degrémont's SID bug from the mailing 
list.
I wonder if the patch will fix it, but I'll try tomorrow.
Comment 15 Daniel Beschorner 2003-12-09 15:28:24 UTC
I think the fix was neither in 3.0.0 nor 3.0.1pre, but it worked with the older 
one.
The second log looks indeed wrong, as Aurélien mentioned, Windows maybe 
requested other SIDs than the displayed.
I will look to get a better log.
Comment 16 Daniel Beschorner 2003-12-11 06:16:34 UTC
verified in 3.0.1rc2, it works, thanks!