[Samba] Samba/LDAP share issue -- user with invalid SID

Tue May 18 07:18:37 MDT 2010

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

tms3 at tms3.com wrote:
> SNIP
>>> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
>>> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>>>
>>> 7) Users have both user and group SIDs in the form
>>> "S-1-5-21-4167008922-1292391803-4044586981-[unique number]", which is
>>> generated according to the rules the smbldap tools use.
> 
> You have two different domains. And the users are in CHEMBMB and the
> server is a member of SL1.  Why not join SL1 to CHEMBMB?

How do I get the server to join CHEMBMB?  I spent about two hours trying
to get the two SIDs to be the same, with no success.  I assumed that was
part of the issue, but I finally gave up on making it work.  I assume
I'd use "net setlocalsid", which shows the following:

root at sl1:~# net getdomainsid
SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
root at sl1:~# net setlocalsid S-1-5-21-4167008922-1292391803-4044586981
root at schnelllab1:~# net getdomainsid
SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981

If there's something else I should be doing, I'd love to know what it is!

- -Alex

>>>
>>>
>>> 8) testparm on sl1 returns the following:
>>>
>>> Load smb config files from /etc/samba/smb.conf
>>> Processing section "[homes]"
>>> Processing section "[itadmins]"
>>> Loaded services file OK.
>>> Server role: ROLE_STANDALONE
>>> Press enter to see a dump of your service definitions
>>>
>>> [global]
>>> workgroup = CHEMBMB
>>> server string = %h server (Samba, Ubuntu)
>>> map to guest = Bad User
>>> obey pam restrictions = Yes
>>> passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
>>> pam password change = Yes
>>> passwd program = /usr/bin/passwd %u
>>> passwd chat = *Enter\snew\s*\spassword:* %n\n
>>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>> unix password sync = Yes
>>> syslog = 255
>>> log file = /var/log/samba/log.%m
>>> max log size = 1000
>>> dns proxy = No
>>> ldap admin dn = cn=admin,dc=cns
>>> ldap group suffix = ou=Chemistry groups
>>> ldap suffix = ou=Chemistry,dc=cns
>>> ldap ssl = no
>>> ldap user suffix = ou=Chemistry users
>>> usershare allow guests = Yes
>>> panic action = /usr/share/samba/panic-action %d
>>> invalid users = root
>>>
>>> [homes]
>>> comment = Home Directories
>>> read only = No
>>> browseable = No
>>>
>>> [itadmins]
>>> comment = Shared directory for the IT group
>>> path = /home/itadmins
>>> valid users = spalmer, amckenzie
>>> read only = No
>>> create mask = 0665
>>> directory mask = 0775
>>>
>>>
>>>
>>> Any advice would be appreciated -- I'm well beyond my understanding of
>>> samba at the moment, and my understanding of samba is well beyond what
>>> it was 48 hours ago. At the moment neither server is mission critical,
>>> so tests that take them temporarily off-line are possible. By early
>>> next week things will be authenticating against the LDAP server (we've
>>> got no choice -- the old LDAP server is failing fast), so I won't be
>>> able to take it down for testing.
>>>
>>> Thanks in advance,
>>> Alex McKenzie
>>> alex at chem.umass.edu
>>>
>>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.8 (Darwin)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iEUEARECAAYFAkvxjXAACgkQWFYfIucpZ2OA2QCY5Ah0KkHwr2QGuCF/jCGf/dDr
>> zwCfbXwvHr50j7vZZTuSJxLels7Izv8=
>> =58HV
>> -----END PGP SIGNATURE-----
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvyk6wACgkQWFYfIucpZ2NCiQCfWaicXsuhA6P01Pbw9xeanUql
dqEAn2Z31M+dqjlIKG5uciscBsTB9Rl0
=LAsj
-----END PGP SIGNATURE-----