[Samba] Samba 3.5 to 3.6

Jacky Carimalo jacky.carimalo at univ-nantes.fr
Tue Feb 5 06:59:48 MST 2013


Reading:
http://wiki.samba.org/index.php/Samba_3.6_Features_added/changed
it seems there are options not to check for consistent SIDs.

Otherwise, I used the solution with:
net setlocalsid
and it worked for me.

Jacky

-------------------------------------------
Here are the details of what I did:

BEFORE:

j-carimalo at j-carimalo-desktop:~$ smbclient //172.18.220.10/test -U j-carimalo
Enter j-carimalo's password:
session setup failed: NT_STATUS_UNSUCCESSFUL
--------------------------------------------------------------------------------------------------------

root at doctoriale:/var/log/samba# vi log.j-carimalo-desktop

[2013/02/04 18:39:53.255226,  3] passdb/lookup_sid.c:1754(get_primary_group_sid)
   Forcing Primary Group to 'Domain Users' for j-carimalo
[2013/02/04 18:39:53.255402,  1] auth/server_info.c:386(samu_to_SamInfo3)
   The primary group domain sid(S-1-5-21-2904347395-2486898077-706273725-513) does not match the domain sid(S-1-5-21-1927198471-1056857077-4159082931) for j-carimalo(S-1-5-21-1927198471-1056857077-4159082931-14228)
[2013/02/04 18:39:53.255479,  0] auth/check_samsec.c:491(check_sam_security)
   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
[2013/02/04 18:39:53.255684,  2] auth/auth.c:319(check_ntlm_password)
   check_ntlm_password:  Authentication for user [j-carimalo] -> [j-carimalo] FAILED with error NT_STATUS_UNSUCCESSFUL
[2013/02/04 18:39:53.255731,  3] smbd/error.c:81(error_packet_set)
   error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_UNSUCCESSFUL
[2013/02/04 18:39:53.256517,  3] smbd/server_exit.c:181(exit_server_common)
   Server exit (failed to receive smb request)

--------------------------------------------------------------------------------------------------------

root at doctoriale:/etc/samba# net getlocalsid
smbldap_search_domain_info: Adding domain info for DOCTO failed with NT_STATUS_UNSUCCESSFUL
SID for domain DOCTO is: S-1-5-21-2904347395-2486898077-706273725

root at doctoriale:/etc/samba# net getdomainsid
smbldap_search_domain_info: Adding domain info for DOCTO failed with NT_STATUS_UNSUCCESSFUL
SID for local machine DOCTO is: S-1-5-21-2904347395-2486898077-706273725
SID for domain DOCTO is: S-1-5-21-2904347395-2486898077-706273725

--------------------------------------------------------------------------------------------------------
root at doctoriale:/etc/samba# pdbedit -v j-carimalo
WARNING: The "enable privileges" option is deprecated
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MSH))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_domain_info: Got no domain info entries for domain
add_new_domain_info: Adding new domain
add_new_domain_info: failed to add domain dn= sambaDomainName=MSH,dc=univ-nantes,dc=fr with: Referral
     unknown
smbldap_search_domain_info: Adding domain info for MSH failed with NT_STATUS_UNSUCCESSFUL
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
init_sam_from_ldap: Entry found for user: j-carimalo
Unix username:        j-carimalo
NT username:          j-carimalo
Account Flags:        [UX         ]
User SID: S-1-5-21-1927198471-1056857077-4159082931-14228
Primary Group SID:    S-1-5-21-2942490213-4119275230-1086943613-513
Full Name:            Jacky CARIMALO
Home Directory:       \\HOMESRV\j-carimalo
HomeDir Drive:        Z:
Logon Script:
Profile Path:         \\docto\j-carimalo\profile
Domain:               DOCTO
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    sam., 30 juin 2012 11:19:31 CEST
Password can change:  sam., 30 juin 2012 11:19:31 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

--------------------------------------------------------------------------------------------------------

ACTION :

root at doctoriale:/etc/samba# net setlocalsid S-1-5-21-1927198471-1056857077-4159082931

--------------------------------------------------------------------------------------------------------
AFTER :

root at doctoriale:/etc/samba# net getlocalsid
smbldap_search_domain_info: Adding domain info for DOCTO failed with NT_STATUS_UNSUCCESSFUL
SID for domain DOCTO is: S-1-5-21-1927198471-1056857077-4159082931

root at doctoriale:/etc/samba# net getdomainsid
smbldap_search_domain_info: Adding domain info for DOCTO failed with NT_STATUS_UNSUCCESSFUL
SID for local machine DOCTO is: S-1-5-21-1927198471-1056857077-4159082931
SID for domain DOCTO is: S-1-5-21-1927198471-1056857077-4159082931
--------------------------------------------------------------------------------------------------------
root at doctoriale:/etc/samba# /etc/init.d/smbd stop
root at doctoriale:/etc/samba# /etc/init.d/smbd start
--------------------------------------------------------------------------------------------------------
j-carimalo at j-carimalo-desktop:~$ smbclient //172.18.220.10/test -U j-carimalo
Enter j-carimalo's password:
Domain=[DOCTO] OS=[Unix] Server=[Samba 3.6.6]
smb: \> mkdir toto
smb: \> ls
   .                                   D        0  Mon Feb  4 18:42:35 2013
   ..                                  D        0  Fri Feb  1 08:42:40 2013
   toto                                D        0  Mon Feb  4 18:42:35 2013

         46932 blocks of size 2097152. 44454 blocks available
smb: \> quit
j-carimalo at j-carimalo-desktop:~$
--------------------------------------------------------------------------------------------------------
root at doctoriale:/etc/samba# pdbedit -v j-carimalo
WARNING: The "enable privileges" option is deprecated
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOCTO))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_domain_info: Got no domain info entries for domain
add_new_domain_info: Adding new domain
add_new_domain_info: failed to add domain dn= sambaDomainName=DOCTO,dc=univ-nantes,dc=fr with: Insufficient access
     no write access to entry
smbldap_search_domain_info: Adding domain info for DOCTO failed with NT_STATUS_UNSUCCESSFUL
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistent SIDs
init_sam_from_ldap: Entry found for user: j-carimalo
Forcing Primary Group to 'Domain Users' for j-carimalo
Unix username:        j-carimalo
NT username:          j-carimalo
Account Flags:        [UX         ]
User SID: S-1-5-21-1927198471-1056857077-4159082931-14228
Primary Group SID:    S-1-5-21-1927198471-1056857077-4159082931-513
Full Name:            Jacky CARIMALO
Home Directory:       \\HOMESRV\j-carimalo
HomeDir Drive:        Z:
Logon Script:
Profile Path:         \\docto\j-carimalo\profile
Domain:               DOCTO
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    sam., 30 juin 2012 11:19:31 CEST
Password can change:  sam., 30 juin 2012 11:19:31 CEST
Password must change: mar., 19 janv. 2038 04:14:07 CET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

On 02/23/2012 11:38 AM, marco.schaerfke at proteomics.com wrote:
 > [2012/02/23 09:32:21.669389, 1] auth/server_info.c:391(samu_to_SamInfo3)
 > The primary group domain
 > sid(S-1-5-21-463168302-511420122-2937072671-513) does not match the
 > domain sid(S-1-5-21-706331994-863180292-319919955) for
 > mos(S-1-5-21-706331994-863180292-319919955-5019)
 > [2012/02/23 09:32:21.669528, 0] auth/check_samsec.c:491(check_sam_security)
 > check_sam_security: make_server_info_sam() failed with
 > 'NT_STATUS_UNSUCCESSFUL'

The entries for the domain and the users/groups are inconsistent.
Newer Samba versions added some more consistency checks.

So the primary group has domain SID
S-1-5-21-463168302-511420122-2937072671
while user "mos" has domain SID of
S-1-5-21-706331994-863180292-319919955

The domain SIDs need to be in sync to pass the semantic checks in Samba.

Cheers,
Christian
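
Added example, not part of the original thread: a shell function that applies the consistency rule described above to `pdbedit -v` style output, flagging any account whose User SID or Primary Group SID does not sit under the expected domain SID. The function name `check_sid_consistency` and the two sample records are constructed here from the values shown in the BEFORE and AFTER output.

```shell
#!/bin/sh
# Added example: audit passdb records for SIDs outside the server's domain SID.
# Reads `pdbedit -v` style text on stdin; $1 is the expected domain SID
# (the value printed by `net getlocalsid`). Returns non-zero on any mismatch.
check_sid_consistency() {
    awk -v dom="$1" '
        # Drop the trailing RID to obtain the domain part of a SID.
        function domain_of(sid) { sub(/-[0-9]+$/, "", sid); return sid }
        /^Unix username:/ { user = $NF }
        /^User SID:/ {
            if (domain_of($NF) != dom) {
                printf "%s: user SID %s not in domain %s\n", user, $NF, dom
                bad = 1
            }
        }
        /^Primary Group SID:/ {
            if (domain_of($NF) != dom) {
                printf "%s: primary group SID %s not in domain %s\n", user, $NF, dom
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample input, reduced to the fields the check reads.
DOMAIN_SID='S-1-5-21-1927198471-1056857077-4159082931'
SAMPLE_BEFORE='Unix username:        j-carimalo
User SID: S-1-5-21-1927198471-1056857077-4159082931-14228
Primary Group SID:    S-1-5-21-2942490213-4119275230-1086943613-513'
SAMPLE_AFTER='Unix username:        j-carimalo
User SID: S-1-5-21-1927198471-1056857077-4159082931-14228
Primary Group SID:    S-1-5-21-1927198471-1056857077-4159082931-513'

# Demo: the BEFORE record is reported, the AFTER record passes silently.
printf '%s\n' "$SAMPLE_BEFORE" | check_sid_consistency "$DOMAIN_SID" || true
printf '%s\n' "$SAMPLE_AFTER"  | check_sid_consistency "$DOMAIN_SID" || true
```

On a live server the same function can read the output of `pdbedit -L -v` to audit every account before an upgrade to 3.6.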



