[Samba] Samba/LDAP share issue -- user with invalid SID

Alex McKenzie alex at chem.umass.edu
Tue May 18 09:14:57 MDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This fixed it!

For the record, since I suspect this all gets archived and is
searchable:  here's the output of testparm.


root at sl1:/etc/samba# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[itadmins]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
	workgroup = CHEMBMB
	server string = %h server (Samba, Ubuntu)
	map to guest = Bad User
	obey pam restrictions = Yes
	passdb backend = ldapsam:ldaps://mv.chem.umass.edu
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	unix password sync = Yes
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	domain logons = Yes
	preferred master = Yes
	domain master = Yes
	dns proxy = No
	ldap admin dn = cn=admin,dc=cns
	ldap group suffix = ou=Chemistry groups
	ldap suffix = ou=Chemistry,dc=cns
	ldap ssl = no
	ldap user suffix = ou=Chemistry users
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	invalid users = root

[homes]
	comment = Home Directories
	read only = No
	browseable = No
	valid users = %S

[itadmins]
	comment = Shared directory for the IT group
	path = /home/itadmins
	valid users = amckenzie, jmaher, spalmer, bmbchem
	read only = No
	create mask = 0665
	directory mask = 0775
	browseable = No


net getdomainsid returns:
SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981



This is a standalone server providing file sharing, but not acting as a
domain login controller:  if I ever want that, I'll be building a
different server for it.

Thanks to tms3 for the instructions:  I'd been spinning my wheels for
two weeks before his (her?) advice!

- -Alex McKenzie

tms3 at tms3.com wrote:
> 
> 
> SNIP
>> I do have smbldap tools installed and, as far as I can tell, set up.
>>
>> net join CHEMBMB -U Administrator returns "cannot join as standalone
>> machine".
> 
> DUHHH!!!!! I'm sorry I'm a moron.  OK, change that to
> 
>          preferred master = Yes
>          domain logons = Yes
>          domain master = Yes   <---if this is the only DC in CHEMBMB.  If
> you have another samba server as PDC in CHEMBMB then set that to "no"
>>
>>
>> The LDAP structure may be the issue... I don't think computer accounts
>> were ever set up on the current server (the last server was done by the
>> guy who used to do my job, who left basically no documentation), because
>> I wasn't aware they were necessary for this. We're not planning to use
>> Samba/LDAP for windows authentication (only Mac, which doesn't require
>> any sort of machine account, and linux, which also doesn't require a
>> machine account), and if we do decide to do windows auth with Samba, it
>> won't be using SL1.
>>
>> SL1 is only a file server -- it's for a small research group, and there
>> will eventually be a bunch of them, possibly as many as 30-40. The
>> system that LDAP runs on will eventually become a PDC, if necessary, but
>> for now samba isn't even installed. If that's the issue, I'll feel
>> stupid, but grateful that someone pointed me in the right direction.
>> Let me know what to try next... as I said initially, I'm quite out of my
>> depth.
>>
>> I haven't been testing with a Windows machine, and I did something to
>> completely break SL1 yesterday, so I can't test it right now. (I
>> changed something in smb.conf, and now samba won't start -- I need to
>> figure out what that is before I go any further.)
>>
>> - -Alex
>>
>> tms3 at tms3.com wrote:
>>>
>>>
>>>
>>>
>>>> How do I get the server to join CHEMBMB?
>>>
>>> I may have been hasty, but I don't have a proper domain to check at the
>>> moment. However:
>>>
>>>
>>> Do you have smbldap-tools installed and set up on sl1?
>>>
>>> Did you ever issue
>>>
>>> net join CHEMBMB -U Administrator
>>>
>>> from sl1?
>>>
>>> Check your ldap structure. You should have a computer with an LDIF that
>>> looks like this:
>>>
>>> dn: uid=zaphod$, ou=computers, dc=mydomain,dc=com
>>> sambaPrimaryGroupSID: S-1-5-21-1498823292-3530380933-788562438-515
>>> sambaDomainName: MYDOMAIN
>>> displayName: zaphod$
>>> objectClass: posixAccount
>>> objectClass: account
>>> objectClass: sambaSamAccount
>>> sambaLogonTime: 0
>>> uid: zaphod$
>>> uidNumber: 41328
>>> cn: zaphod$
>>> sambaLogoffTime: 2147483647
>>> sambaPwdLastSet: 1267756286
>>> sambaAcctFlags: [S ]
>>> loginShell: /bin/false
>>> gidNumber: 553
>>> sambaPwdMustChange: 2147483647
>>> sambaNTPassword: 3509E1ED1B7398134D9D429474E47386
>>> sambaPwdCanChange: 0
>>> sambaSID: S-1-5-21-1498823292-3530380933-788562438-83656
>>> gecos: Computer
>>> description: Computer
>>> homeDirectory: /dev/null
>>> sambaKickoffTime: 2147483647
>>>
>>> ALSO, I assume you are using some kind of Windows work station for the
>>> users, so what error does Windows display when the users log in?
>>>
>>> Cheers,
>>>
>>> TMS III
>>>> I spent about two hours trying
>>>> to get the two SIDs to be the same, with no success. I assumed that was
>>>> part of the issue, but I finally gave up on making it work. I assume
>>>> I'd use "net setlocalsid", which shows the following:
>>>>
>>>> root at sl1:~# net getdomainsid
>>>> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
>>>> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>>>> root at sl1:~# net setlocalsid S-1-5-21-4167008922-1292391803-4044586981
>>>> root at schnelllab1:~# net getdomainsid
>>>> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
>>>> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>>>>
>>>> If there's something else I should be doing, I'd love to know what
>>>> it is!
>>>>
>>>> - -Alex
>>>>
>>>>
>>>>
>>>>
>>>>>>>
>>>>>>>
>>>>>>> 8) testparm on sl1 returns the following:
>>>>>>>
>>>>>>> Load smb config files from /etc/samba/smb.conf
>>>>>>> Processing section "[homes]"
>>>>>>> Processing section "[itadmins]"
>>>>>>> Loaded services file OK.
>>>>>>> Server role: ROLE_STANDALONE
>>>>>>> Press enter to see a dump of your service definitions
>>>>>>>
>>>>>>> [global]
>>>>>>> workgroup = CHEMBMB
>>>>>>> server string = %h server (Samba, Ubuntu)
>>>>>>> map to guest = Bad User
>>>>>>> obey pam restrictions = Yes
>>>>>>> passdb backend = ldapsam:ldaps://mv.chem.umass.edu
>>>>>>> pam password change = Yes
>>>>>>> passwd program = /usr/bin/passwd %u
>>>>>>> passwd chat = *Enter\snew\s*\spassword:* %n\n
>>>>>>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>>>>> unix password sync = Yes
>>>>>>> syslog = 255
>>>>>>> log file = /var/log/samba/log.%m
>>>>>>> max log size = 1000
>>>>>>> dns proxy = No
>>>>>>> ldap admin dn = cn=admin,dc=cns
>>>>>>> ldap group suffix = ou=Chemistry groups
>>>>>>> ldap suffix = ou=Chemistry,dc=cns
>>>>>>> ldap ssl = no
>>>>>>> ldap user suffix = ou=Chemistry users
>>>>>>> usershare allow guests = Yes
>>>>>>> panic action = /usr/share/samba/panic-action %d
>>>>>>> invalid users = root
>>>>>>>
>>>>>>> [homes]
>>>>>>> comment = Home Directories
>>>>>>> read only = No
>>>>>>> browseable = No
>>>>>>>
>>>>>>> [itadmins]
>>>>>>> comment = Shared directory for the IT group
>>>>>>> path = /home/itadmins
>>>>>>> valid users = spalmer, amckenzie
>>>>>>> read only = No
>>>>>>> create mask = 0665
>>>>>>> directory mask = 0775
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Any advice would be appreciated -- I'm well beyond my
>>>>>>> understanding of
>>>>>>> samba at the moment, and my understanding of samba is well beyond
>>>>>>> what
>>>>>>> it was 48 hours ago. At the moment neither server is mission
>>>>>>> critical,
>>>>>>> so tests that take them temporarily off-line are possible. By early
>>>>>>> next week things will be authenticating against the LDAP server
>>>>>>> (we've
>>>>>>> got no choice -- the old LDAP server is failing fast), so I won't be
>>>>>>> able to take it down for testing.
>>>>>>>
>>>>>>> Thanks in advance,
>>>>>>> Alex McKenzie
>>>>>>> alex at chem.umass.edu
>>>>>>>
>>>>>>>
>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>> Version: GnuPG v1.4.8 (Darwin)
>>>>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>>>>>
>>>>>> iEUEARECAAYFAkvxjXAACgkQWFYfIucpZ2OA2QCY5Ah0KkHwr2QGuCF/jCGf/dDr
>>>>>> zwCfbXwvHr50j7vZZTuSJxLels7Izv8=
>>>>>> =58HV
>>>>>> -----END PGP SIGNATURE-----
>>>>>> -- 
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>
>>>
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvyrvAACgkQWFYfIucpZ2OzuwCfTmDflTO1srMh5lOEd9jz/p8b
xSwAnRA3AjDxPKck45zIQhlpagQklgmt
=7Z7C
-----END PGP SIGNATURE-----
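As an added illustration, not code from this thread or from the Samba project: a small Python checker that parses a `testparm` dump and `net getdomainsid` output like the ones quoted above and reports the condition the thread turned on, a standalone server whose own machine SID differs from the domain SID that its ldapsam users carry. The role derivation follows Samba 3's rule for `security = user` in simplified form, the sample inputs are constructed from the thread's own output (trimmed), and the `valid users` check is an assumption about what a reviewer would want flagged, not anything the list participants stated.

```python
import re

# Constructed sample input: the two testparm dumps and the `net getdomainsid`
# output quoted in this thread, trimmed to the parameters the checks look at.
TESTPARM_BEFORE = r"""
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
    workgroup = CHEMBMB
    passdb backend = ldapsam:ldaps://mv.chem.umass.edu
    passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    invalid users = root

[homes]
    read only = No

[itadmins]
    valid users = spalmer, amckenzie
"""

TESTPARM_AFTER = r"""
Server role: ROLE_DOMAIN_PDC

[global]
    workgroup = CHEMBMB
    passdb backend = ldapsam:ldaps://mv.chem.umass.edu
    domain logons = Yes
    preferred master = Yes
    domain master = Yes

[homes]
    valid users = %S

[itadmins]
    valid users = amckenzie, jmaher, spalmer, bmbchem
"""

NET_GETDOMAINSID = """\
SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
"""


def parse_testparm(text):
    """Return ({section: {param: value}}, role line reported by testparm)."""
    sections, current, last, reported = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Server role:\s*(\S+)", line)
        if m:
            reported = m.group(1)
            continue
        if not line or line.startswith(("Load ", "Processing ", "Loaded ", "Press ")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current, last = line[1:-1], None
            sections[current] = {}
        elif current is None:
            continue
        elif "=" in line:
            key, _, value = line.partition("=")
            last = key.strip().lower()
            sections[current][last] = value.strip()
        elif last is not None:
            # testparm wraps long values (passwd chat); glue the continuation on
            sections[current][last] += " " + line
    return sections, reported


def as_bool(value, default=False):
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return default  # "auto" and anything unrecognised


def server_role(g):
    """Role as Samba 3 derives it for security = user (simplified):
    domain logons off -> standalone; on -> PDC unless domain master = no."""
    if g.get("security", "user").lower() in ("domain", "ads"):
        return "ROLE_DOMAIN_MEMBER"
    if not as_bool(g.get("domain logons", "no")):
        return "ROLE_STANDALONE"
    return "ROLE_DOMAIN_PDC" if as_bool(g.get("domain master", "auto"), True) else "ROLE_DOMAIN_BDC"


def parse_domain_sids(text):
    """{DOMAIN: SID} from `net getdomainsid` output."""
    return dict(re.findall(r"SID for domain (\S+) is: (S-1-5-21-\d+-\d+-\d+)", text))


def sid_in_domain(sid, domain_sid):
    """True if `sid` is domain_sid followed by exactly one RID."""
    return re.fullmatch(re.escape(domain_sid) + r"-\d+", sid) is not None


def diagnose(testparm_text, getdomainsid_text, hostname):
    """Return (derived role, list of findings) for one server."""
    sections, reported = parse_testparm(testparm_text)
    g = sections.get("global", {})
    role = server_role(g)
    sids = parse_domain_sids(getdomainsid_text)
    local_sid = sids.get(hostname.upper())
    domain_sid = sids.get(g.get("workgroup", "").upper())
    findings = []
    if reported and reported != role:
        findings.append(f"testparm reports {reported} but parameters imply {role}")
    if (role == "ROLE_STANDALONE" and g.get("passdb backend", "").startswith("ldapsam")
            and local_sid and domain_sid and local_sid != domain_sid):
        findings.append(f"standalone SID {local_sid} != ldapsam domain SID {domain_sid}: "
                        "user SIDs from LDAP will not belong to this server's domain")
    for name, params in sections.items():
        if name != "global" and "valid users" not in params:
            findings.append(f"share [{name}] restricts no users (no 'valid users')")
    return role, findings


if __name__ == "__main__":
    for label, dump in (("before", TESTPARM_BEFORE), ("after", TESTPARM_AFTER)):
        role, findings = diagnose(dump, NET_GETDOMAINSID, "sl1")
        print(label, role, findings or "no findings")
```

Run against real output, `diagnose(open("testparm.txt").read(), open("sids.txt").read(), "sl1")` is enough; the "before" sample reproduces the mismatch between the SL1 and CHEMBMB SIDs, and the "after" sample, with the three domain-controller parameters from the fix, no longer trips it because the server then serves the LDAP domain's SID itself.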

