[Samba] Samba/LDAP share issue -- user with invalid SID

Alex McKenzie alex at chem.umass.edu
Thu May 6 14:36:02 MDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

  While I've seen this referred to a lot of places, I haven't yet found
a posted solution that works for me.  Testing has been done from a Mac
running OSX 10.5.8.  Here's what I have so far:  if anyone can give me a
next step to test, I'd appreciate it.  If anyone can give me a complete
solution, I'd appreciate it even more. 8-)

1) An LDAP server "mv", running Ubuntu 8.04 LTS.  Samba is not installed.

2) A group file server "sl1", running Ubuntu 8.04 LTS.  LDAP is not
installed.

3) Users can successfully authenticate to sl1 against LDAP when
connecting via SSH.  If their user directory exists (they have logged in
via ssh) they can connect to their home directory through samba by
connecting to smb://sl1.biochem.lgrt.nsm (a non-routable internal
network), so I know samba is successfully connecting to the LDAP server.
Traffic between the file server and the LDAP server is encrypted, as
confirmed with tcpdump.

4) When attempting to access a group share, the connection is refused,
and the following shows up in the samba logs:  the share has users
amckenzie and suzanne.

[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User spalmer with invalid SID
S-1-5-21-4167008922-1292391803-4044586981-21004 in passdb
[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User amckenzie with invalid SID
S-1-5-21-4167008922-1292391803-4044586981-21006 in passdb

5) All connections, successful or not, cause the following messages in
the samba logs on sl1:

[2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_administrators(792)
  create_builtin_administrators: Failed to create Administrators
[2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2010/05/06 16:31:33, 0] param/loadparm.c:widelinks_warning(5718)
  Share 'IPC$' has wide links and unix extensions enabled. These
parameters are incompatible. Wide links will be disabled for this share.

6) On sl1, net getdomainsid returns the following:

SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981

7) Users have both user and group SIDs in the form
"S-1-5-21-4167008922-1292391803-4044586981-[unique number]", which is
generated according to the rules the smbldap tools use.

8) testparm on sl1 returns the following:

Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[itadmins]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
	workgroup = CHEMBMB
	server string = %h server (Samba, Ubuntu)
	map to guest = Bad User
	obey pam restrictions = Yes
	passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	unix password sync = Yes
	syslog = 255
	log file = /var/log/samba/log.%m
	max log size = 1000
	dns proxy = No
	ldap admin dn = cn=admin,dc=cns
	ldap group suffix = ou=Chemistry groups
	ldap suffix = ou=Chemistry,dc=cns
	ldap ssl = no
	ldap user suffix = ou=Chemistry users
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	invalid users = root

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[itadmins]
	comment = Shared directory for the IT group
	path = /home/itadmins
	valid users = spalmer, amckenzie
	read only = No
	create mask = 0665
	directory mask = 0775



Any advice would be appreciated -- I'm well beyond my understanding of
samba at the moment, and my understanding of samba is well beyond what
it was 48 hours ago.  At the moment neither server is mission critical,
so tests that take them temporarily off-line are possible.  By early
next week things will be authenticating against the LDAP server (we've
got no choice -- the old LDAP server is failing fast), so I won't be
able to take it down for testing.

Thanks in advance,
  Alex McKenzie
  alex at chem.umass.edu


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvjKDIACgkQWFYfIucpZ2OKUQCeLuwQhp1dybJfktYHh3GX375o
eGEAnip1TnApBIi/HqZar0zInN9DrmEO
=hq2A
-----END PGP SIGNATURE-----
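An added diagnostic for the symptom above, written for this page and not code from the post or from Samba. The "User ... with invalid SID ... in passdb" message is Samba's check that a passdb SID lies in the SAM SID the server considers its own; with "Server role: ROLE_STANDALONE" that is the SL1 machine SID from `net getdomainsid`, whereas the SIDs stored in LDAP carry the CHEMBMB domain prefix. The script parses the quoted log lines (including the mail-wrapped form) and the `net getdomainsid` output, both embedded as constructed samples taken from the post, and reports which known SID each flagged user's entry belongs to. The `server_name` parameter is assumed to be the server's NetBIOS name as printed by `net getdomainsid`.

```python
"""Check Samba 'invalid SID in passdb' log entries against the server's SIDs.

Example added for this page; not the post author's or Samba's own code.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the log lines quoted in the post, as wrapped by the mail client.
SAMPLE_LOG = """\
[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User spalmer with invalid SID
S-1-5-21-4167008922-1292391803-4044586981-21004 in passdb
[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User amckenzie with invalid SID
S-1-5-21-4167008922-1292391803-4044586981-21006 in passdb
"""

# Constructed sample input: the `net getdomainsid` output quoted in the post.
SAMPLE_GETDOMAINSID = """\
SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
"""

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain or machine SID, RID).

    Everything before the last sub-authority identifies the domain (or the
    local machine on a standalone server); the last component is the RID.
    """
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    prefix, rid = sid.rsplit("-", 1)
    return prefix, int(rid)


def parse_getdomainsid(text: str) -> Dict[str, str]:
    """Map domain name -> SID from `net getdomainsid` output."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"SID for domain (\S+) is: (S-1-[\d-]+)", text)}


# One log entry may be wrapped across lines, so match across whitespace
# instead of line by line.
INVALID_SID_RE = re.compile(r"User (\S+) with invalid SID\s+(S-1-[\d-]+)\s+in passdb")


def parse_invalid_sid_entries(log: str) -> List[Tuple[str, str]]:
    """Return [(username, sid)] for every 'invalid SID ... in passdb' entry."""
    return [(m.group(1), m.group(2)) for m in INVALID_SID_RE.finditer(log)]


def diagnose(log: str, getdomainsid: str, server_name: str) -> Dict[str, dict]:
    """For each flagged user, report which known SID its passdb SID belongs to.

    server_name (assumed parameter) is the server's own NetBIOS name as shown
    by `net getdomainsid`; a standalone server validates passdb SIDs against
    that SID, not against the workgroup's.
    """
    domains = parse_getdomainsid(getdomainsid)
    local_sid = domains[server_name]
    report = {}
    for user, sid in parse_invalid_sid_entries(log):
        prefix, rid = split_sid(sid)
        owner = next((name for name, d in domains.items() if d == prefix), None)
        report[user] = {
            "sid": sid,
            "rid": rid,
            "sid_domain": owner,                 # which listed SID the prefix is
            "matches_local_sid": prefix == local_sid,
        }
    return report


def mismatched_users(report: Dict[str, dict]) -> List[str]:
    """Users whose SID prefix is a known domain SID but not the server's own."""
    return sorted(u for u, r in report.items()
                  if r["sid_domain"] is not None and not r["matches_local_sid"])


if __name__ == "__main__":
    rep = diagnose(SAMPLE_LOG, SAMPLE_GETDOMAINSID, "SL1")
    for user, r in rep.items():
        where = "local" if r["matches_local_sid"] else f"prefix is {r['sid_domain']}, not SL1"
        print(f"{user}: {r['sid']} (RID {r['rid']}) -> {where}")
    print("users whose SID prefix differs from the server SID:", mismatched_users(rep))
```

On the post's data the script reports both spalmer and amckenzie as carrying the CHEMBMB prefix while the server's own SID is the SL1 one. The usual remedy for that mismatch, stated here as the editor's note rather than anything the post confirms, is to make the server's local SID equal the domain SID used in LDAP (`net setlocalsid S-1-5-21-...`, which Samba 3's `net` tool provides) or to run the server as a member or controller of that domain rather than standalone.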
