[Samba] Missing sids for domain administrator?

Hi,

I'm working on bug https://bugzilla.samba.org/show_bug.cgi?id=6592 and
something that has apparently changed in my setup is preventing me from
testing the final stages of the fix. I have a machine running Samba
server and joined to the domain, and am accessing that from the W2K3
domain server logged, logged into the latter as the domain
administrator. But the problem is that in its access checks smbd is not
getting the sid for the Administrators group (S-1-5-32-544).

In an email that I sent back in July
(http://lists.samba.org/archive/samba/2009-July/149285.html) I included
my samba log file, and at that point I was getting the S-1-5-32-544 sid,
but something has changed since then and now I am not. My question is
does anyone have any idea of what may have changed that would cause
that?

Here is an extract from the log in that email:

Checking password for unmapped user [SD80]\[Administrator]@[IANSERVER]
with the new password interface
check_ntlm_password: mapped user is:
[SD80]\[Administrator]@[IANSERVER]
check_ntlm_password: winbind authentication for user [Administrator]
succeeded
check_ntlm_password: authentication for user [Administrator]
->[Administrator] -> [SD80+administrator] succeeded
se_access_check: user sid is
S-1-5-21-4023909512-3739307249-2032274589-500
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-513
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-520
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-519
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-518
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512
se_access_check: also S-1-5-32-545
se_access_check: also S-1-5-32-544
se_access_check: also S-1-22-1-601
se_access_check: also S-1-22-2-604
se_access_check: also S-1-22-2-607
se_access_check: also S-1-22-2-608
se_access_check: also S-1-22-2-609
se_access_check: also S-1-22-2-610
se_access_check: also S-1-22-2-603
se_access_check: also S-1-22-2-602

And here is what I am seeing now:

check_ntlm_password: Checking password for unmapped user
[SD80]\[Administrator]@[IANSERVER] with the new password interface
check_ntlm_password: mapped user is:
[SD80]\[Administrator]@[IANSERVER]
check_ntlm_password: winbind authentication for user [Administrator]
succeeded
check_ntlm_password: authentication for user [Administrator] ->
[Administrator] -> [SD80+administrator] succeeded
se_access_check: user sid is
S-1-5-21-4023909512-3739307249-2032274589-500
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-513
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-520
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-519
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-518
se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512

The missing sids are for the Users and Administrators group, plus those
"S-2-22-2" sids, whatever they are.

Thanks
Ian
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

> -----Original Message-----
> From: samba-bounces.DeleteThis@lists.samba.org On Behalf Of Ian Puleston
> Sent: Thursday, October 29, 2009 11:22 AM
>
> I'm working on bug https://bugzilla.samba.org/show_bug.cgi?id=6592 and
> something that has apparently changed in my setup is preventing me
from
> testing the final stages of the fix. I have a machine running Samba
> server and joined to the domain, and am accessing that from the W2K3
> domain server, logged into the latter as the domain
> administrator. But the problem is that in its access checks smbd is
not
> getting the sid for the Administrators group (S-1-5-32-544).
>
> Back in July I was getting the S-1-5-32-544 sid,
> but something has changed since then and now I am not.

The samba log from back in July:
> se_access_check: user sid is
> S-1-5-21-4023909512-3739307249-2032274589-500
> se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-513
> se_access_check: also S-1-1-0
> se_access_check: also S-1-5-2
> se_access_check: also S-1-5-11
> se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-520
> se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-519
> se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-518
> se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512
> se_access_check: also S-1-5-32-545
> se_access_check: also S-1-5-32-544
> se_access_check: also S-1-22-1-601
> se_access_check: also S-1-22-2-604
> se_access_check: also S-1-22-2-607
> se_access_check: also S-1-22-2-608
> se_access_check: also S-1-22-2-609
> se_access_check: also S-1-22-2-610
> se_access_check: also S-1-22-2-603
> se_access_check: also S-1-22-2-602
>
> The missing sids are for the Users and Administrators group, plus
those
> "S-2-22-2" sids, whatever they are.

A bit more information I've managed to glean. I'm working on Fedora 10
which has Samba 3.2.15 installed, but the version I was building and
testing with was 3.2.4. Having now downloaded and built 3.2.15 I am now
seeing those "S-2-22-[12]" sids, but still not the sids for the
Administrators and Users groups.

But if I run the Fedora version of smbd 3.2.15 then I see the
S-1-5-32-545 sid too, but still not S-1-5-32-544. If I run the version
of 3.2.15 that I built I see neither. To build it I used "./configure
--with-ads", are there maybe some other options I should have used that
may explain that difference?

And I still need to find why I don't see sid S-1-5-32-544 with any
version?

Ian

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba