[Samba] Something weird about pdbedit.

Harry Jede walk2sun at arcor.de
Wed Mar 11 13:51:25 GMT 2009


On Wednesday, 11 March 2009 13:30, BOURIAUD wrote:
> On Wednesday 11 February 2009 10:39:10 BOURIAUD wrote:
> > Hi !
> > I'm running a Samba domain controller under RHEL 5. It's version
> > 3.0.33-3.7.el5.
> > I've also installed an LDAP server to store users and groups and so
> > on. When I try a pdbedit -v david, I get the following:
> >
> > Unix username:        david
> > NT username:          david
> > Account Flags:        [U          ]
> > User SID:             S-1-5-21-215069222-2822928016-2390355089-1016
> > Finding user david
> > Trying _Get_Pwnam(), username as lowercase is david
> > Get_Pwnam_internals did find user [david]!
> > smbldap_search_ext: base => [ou=Groups,ou=ia27,dc=ac-rouen,dc=fr],
> > filter => [(&(objectClass=sambaGroupMapping)(gidNumber=666))],
> > scope => [2]
> > init_group_from_ldap: Entry found for group: 666
> > lookup_global_sam_rid: looking up RID 666.
> > smbldap_search_ext: base => [ou=ia27,dc=ac-rouen,dc=fr], filter =>
> > [(&(sambaSID=S-1-5-21-215069222-2822928016-2390355089-666)
> > (objectclass=sambaSamAccount))], scope => [2]
> > ldapsam_getsampwsid: Unable to locate SID
> > [S-1-5-21-215069222-2822928016-2390355089-666] count=0
> > smbldap_search_ext: base => [ou=Groups,ou=ia27,dc=ac-rouen,dc=fr],
> > filter => [(&(objectClass=sambaGroupMapping)
> > (sambaSID=S-1-5-21-215069222-2822928016-2390355089-666))], scope =>
> > [2]
> > init_group_from_ldap: Entry found for group: 666
> > lookup_rids: CDTI:2
> > Primary Group SID:    S-1-5-21-215069222-2822928016-2390355089-666
> > Full Name:            david
> >
> > The weird thing is ldapsam_getsampwsid: Unable to locate SID
> >
> > I think I made a mistake when creating both unix groups and samba
> > groups. Here is how the unix group is defined :
> >
> > dn: cn=cdti,ou=Group,BASEDN
> > objectClass: posixGroup
> > objectClass: top
> > cn: cdti
> > userPassword: {crypt}x
> > gidNumber: 666
> >
> > Here is how the samba group is defined :
> >
> > dn: cn=CDTI,ou=Groups,BASEDN
> > objectClass: top
> > objectClass: posixGroup
> > objectClass: sambaGroupMapping
> > cn: CDTI
> > description:: Q2VudHJlIGTDqXBhcnRlbWVudGFsIGRlIHRyYWl0ZW1lbnQgZGUgbCdpbmZvcm1hdGlvbg==
> > sambaGroupType: 2
> > memberUid: david
> > gidNumber: 666
> > sambaSID: S-1-5-21-215069222-2822928016-2390355089-666
> >
> > And here is the user's definition:
> >
> > dn: uid=david,ou=SambaUsers,BASEDN
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > objectClass: shadowAccount
> > objectClass: sambaSamAccount
> > cn: david
> > sn: david
> > givenName: david
> > uid: david
> > uidNumber: 1016
> > homeDirectory: /smbhome/users/david/samba
> > loginShell: /bin/bash
> > gecos: System User
> > sambaLogonTime: 0
> > sambaLogoffTime: 2147483647
> > sambaKickoffTime: 2147483647
> > sambaPwdCanChange: 0
> > sambaPwdMustChange: 2147483647
> > displayName: david
> > sambaLogonScript: logon.bat
> > sambaProfilePath: \\DOMAIN_SERVER\profiles\david
> > sambaHomePath: \\DOMAIN_SERVER\david
> > sambaHomeDrive: P:
> > sambaLMPassword: PLOP
> > sambaNTPassword: PLOP
> > sambaPasswordHistory:
> > 000000000000000000000000000000000000000000000000000000 0000000000
> > sambaPwdLastSet: 1228486572
> > userPassword: {SSHA}PLOP
> > sambaAcctFlags: [U          ]
> > sambaSID: S-1-5-21-215069222-2822928016-2390355089-1016
> > gidNumber: 666
> > sambaPrimaryGroupSID: S-1-5-21-215069222-2822928016-2390355089-666
> >
> >
> > Of course, I've obfuscated what I found to be irrelevant to my
> > problem!
> >
> > I think that the problem comes from the groups, both the unix one
> > and the samba one, but I don't know how to fix it.
> > If anyone could tell me what I could do to correct this, that would
> > be great! I hope I've given enough information, but if you think
> > I should give more, feel free to ask. I'd really like to get rid of
> > this annoying message. Thanks in advance!
>
> UP! No one to help me with that?

First things first: Read the f... manual

- you should not have 2 groups with the same gidNumber
- sambaLMPassword & sambaNTPassword do not hold the password in ASCII;
both must contain password hashes

Go back, and take some time to read the docs

-- 

Regards
	Harry Jede
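
Added example, not part of the original thread and not Samba's own code: a small Python check for the two points in the reply above, run over an LDIF export. It reports posixGroup entries that share a gidNumber and sambaLMPassword/sambaNTPassword values that are not 32 hex digits. The sample LDIF is constructed from the entries quoted in the thread; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the entries quoted in the thread
# (BASEDN and PLOP are the poster's own placeholders).
SAMPLE_LDIF = """\
dn: cn=cdti,ou=Group,BASEDN
objectClass: posixGroup
gidNumber: 666

dn: cn=CDTI,ou=Groups,BASEDN
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 666

dn: uid=david,ou=SambaUsers,BASEDN
objectClass: sambaSamAccount
gidNumber: 666
sambaLMPassword: PLOP
sambaNTPassword: PLOP
"""

HASH_RE = re.compile(r"[0-9A-Fa-f]{32}")  # LM and NT hashes are 32 hex digits

def parse_ldif(text):
    """Minimal parser: blank-line separated entries, folded lines rejoined."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = defaultdict(list)
        for line in re.sub(r"\n ", "", block).splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        entries.append(entry)
    return entries

def audit(entries):
    """Return (gidNumbers used by several groups, non-hash password attrs)."""
    groups, bad = defaultdict(list), []
    for e in entries:
        classes = {c.lower() for c in e["objectclass"]}
        if "posixgroup" in classes:
            for gid in e["gidnumber"]:
                groups[gid].append(e["dn"][0])
        if "sambasamaccount" in classes:
            for attr in ("sambalmpassword", "sambantpassword"):
                bad += [(e["dn"][0], attr) for v in e[attr] if not HASH_RE.fullmatch(v)]
    dups = {g: dns for g, dns in groups.items() if len(dns) > 1}
    return dups, bad
```

On the sample, audit(parse_ldif(SAMPLE_LDIF)) reports gidNumber 666 under both group DNs and flags both password attributes of uid=david.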

