Bug 278121 - SIDs are not translated on Windows
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: samba
Hardware: ia64 Linux
Priority: medium, Severity: urgent
Assigned To: Samba Maint Team
Reported: 2007-09-05 05:34 EDT by Johan Dahl
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2007-09-05 17:33:46 EDT

Attachments
smb.conf (2.24 KB, application/octet-stream)
2007-09-05 05:34 EDT, Johan Dahl
/var/log/samba/smbd.log at loglevel 10 (gzipped) (237.31 KB, application/x-gzip)
2007-09-05 16:02 EDT, Johan Dahl

Description Johan Dahl 2007-09-05 05:34:41 EDT
Description of problem:
If I select a file or folder on a samba share and select "Properties", and then
"Security", the SIDs will not be translated to usernames.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Log in to Windows computer
2. Right-click on file on samba share
3. Select Properties
4. Select Security
5. Watch SIDs not getting translated to usernames
Actual results:
No translated SIDs

Expected results:
SIDs translated to usernames

Additional info:

samba is running with openldap as backend. On two other servers running RHEL and
samba-3.0.9-1.3E.13.2 this is working.
Comment 1 Johan Dahl 2007-09-05 05:34:41 EDT
Created attachment 187201
Comment 2 Simo Sorce 2007-09-05 09:18:00 EDT
Can you reproduce this at will?
If so, can you raise the log level to 10 and send me a log file containing the
captured logs of the moment you try to display SIDs?

Please make sure to either raise the log only for the connected test system smbd
or off hours, as level 10 logs are extremely verbose and will noticeably slow
down your server. Also make sure you increase the permitted log size to avoid
overwriting the log too fast.

Comment 3 Johan Dahl 2007-09-05 15:58:46 EDT
I changed log level to 10. Saved. Ran testparm. In Windows I selected a file
modify_all.csv. Selected properties. Selected Security. Closed the window.
Changed loglevel to 1. Ran testparm. 
Comment 4 Johan Dahl 2007-09-05 16:02:25 EDT
Created attachment 187951
/var/log/samba/smbd.log at loglevel 10 (gzipped)
Comment 5 Simo Sorce 2007-09-05 16:33:40 EDT
Johan, it seems your server is misconfigured.
I just noticed that in smb.conf "security" is set to "password" which is not a
valid value for security.
This makes the server effectively just a standalone server. I think you want
instead to join the server to the PDC, if you have one (the comments imply the
existence of a BDC?).

Also there seems to be some mismatch between the SIDs as seen in LDAP, and the
machine SID the server uses.

Can you post the output of net getlocalsid and make sure it matches what you
have configured in your smbldap tools configuration?
Comment 6 Johan Dahl 2007-09-05 17:11:26 EDT
I have several servers

staff, RHEL3 which is also PDC
staff2, RHEL4, which is BDC (will replace staff in the near future). This is the
server which doesn't translate SIDs.
student, RHEL3 which is BDC

They all have samba with openldap as backend. staff is LDAP master with staff2
and  student acting as slaves.

All 3 have accounts in the domain. However the SIDs in the domain are not the
same as the SIDs I get with net getlocalsid


net getlocalsid

SID for domain STAFF is: S-1-5-21-136859684-1428773301-1694261885

dn: uid=staff$,ou=People,dc=sol,dc=lu,dc=se
sambaSID: S-1-5-21-3586379953-3555147696-39335545-3106


net getlocalsid

SID for domain STAFF2 is: S-1-5-21-3644677782-1265879894-3010064441


dn: uid=staff2$,ou=People,dc=sol,dc=lu,dc=se
sambaSID: S-1-5-21-3586379953-3555147696-39335545-4926


net getlocalsid
SID for domain STUDENT is: S-1-5-21-4226488258-4052872194-2219043442

dn: uid=student$,ou=People,dc=sol,dc=lu,dc=se
sambaSID: S-1-5-21-3586379953-3555147696-39335545-3108

Should I set the localsid so it matches the value in the LDAP? I guess the
localsids were generated before the server joined the domain. But should joining
a domain change the local SID?
Comment 7 Simo Sorce 2007-09-05 17:31:57 EDT
A normal member server retains its own SID and just inherits another SAM (the
account database) with its SID from the PDC.
A BDC instead is a special case, you must set the SID to be identical to the one
the PDC has.

Also to be a BDC you need:
security = user
domain master = no
domain logons = yes

Technically speaking a samba BDC does not need to be joined to the domain as it
shares the SAM (via ldap) with the PDC.

SID-to-name lookups seem to be failing because the server fails to resolve the
SID either via winbindd or locally.
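
The SID comparison discussed in comments 5 to 7, as an added example that is not part of the original bug thread: it strips the RID from a machine account's sambaSID to get the domain SID stored in LDAP, compares it with the net getlocalsid output, and checks the comment 7 rule that a BDC's SID must equal the PDC's. The sample values are the ones posted in comment 6; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug thread. Function names are hypothetical.
# Sample data: the values posted in comment 6 (staff = PDC, staff2 = BDC).
STAFF_NET='SID for domain STAFF is: S-1-5-21-136859684-1428773301-1694261885'
STAFF_LDIF='dn: uid=staff$,ou=People,dc=sol,dc=lu,dc=se
sambaSID: S-1-5-21-3586379953-3555147696-39335545-3106'
STAFF2_NET='SID for domain STAFF2 is: S-1-5-21-3644677782-1265879894-3010064441'
STAFF2_LDIF='dn: uid=staff2$,ou=People,dc=sol,dc=lu,dc=se
sambaSID: S-1-5-21-3586379953-3555147696-39335545-4926'

# Drop the trailing RID from an account SID, leaving the domain SID.
domain_sid_of() { printf '%s\n' "${1%-*}"; }

# Pull the SID out of "net getlocalsid" output.
local_sid_from_net() {
    printf '%s\n' "$1" |
        sed -n 's/^SID for domain .* is: *\(S-1-[0-9-]*\).*$/\1/p'
}

# Pull the first sambaSID value out of an LDIF fragment.
samba_sid_from_ldif() {
    printf '%s\n' "$1" |
        sed -n 's/^sambaSID: *\(S-1-[0-9-]*\).*$/\1/p' | head -n 1
}

# Succeeds only when the local SID equals the domain SID implied by LDAP.
check_host() {
    _local=$(local_sid_from_net "$1")
    _ldap=$(domain_sid_of "$(samba_sid_from_ldif "$2")")
    if [ -n "$_local" ] && [ "$_local" = "$_ldap" ]; then
        echo "MATCH $_local"
    else
        echo "MISMATCH local=$_local ldap_domain=$_ldap"
        return 1
    fi
}

# Comment 7: a BDC must carry the same SID as the PDC.
same_local_sid() {
    [ -n "$(local_sid_from_net "$1")" ] &&
        [ "$(local_sid_from_net "$1")" = "$(local_sid_from_net "$2")" ]
}

check_host "$STAFF_NET" "$STAFF_LDIF" || true
check_host "$STAFF2_NET" "$STAFF2_LDIF" || true
same_local_sid "$STAFF_NET" "$STAFF2_NET" ||
    echo "staff2 (BDC) local SID differs from staff (PDC)"
```

With the comment 6 values, both hosts report MISMATCH against the domain SID in LDAP, and the BDC's local SID differs from the PDC's.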

Comment 8 Simo Sorce 2007-09-05 17:33:46 EDT
I am closing this as a misconfiguration issue.
Please, re-open if the issue persists after you have fixed the configuration.
