[Samba] Samba 3.0.2a - kerberos problem : not the same SIDs !
Christian HAESSIG
christian.haessig at ircad.u-strasbg.fr
Tue Mar 16 17:44:20 GMT 2004
Hello list,
I ran into a very strange problem with samba 3.0.2a and kerberos on a debian
stable OS, member of a Windows 2000 AD domain.
First of all, sorry for the length of this mail, but the explanation is not
simple, and the configuration files are huge.
The problem is the following :
I have configured the samba server to share printers. The printers are all
well shared, and can be accessed by people. But some people cannot connect
to these printers.
So, I checked the samba log. Here is a bit of the log which interests us:
[2004/03/16 17:23:35, 3]
rpc_server/srv_spoolss_nt.c:set_printer_hnd_printertype(447)
Setting printer type=\\printsrv2\HP_2100_Extension
[2004/03/16 17:23:35, 3] lib/util_seaccess.c:se_access_check(251)
[2004/03/16 17:23:35, 3] lib/util_seaccess.c:se_access_check(252)
se_access_check: user sid is
S-1-5-21-1971762055-1354219083-452636680-21098
se_access_check: also S-1-5-21-1971762055-1354219083-452636680-21001
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-861567501-1844237615-1417001333-513
se_access_check: also S-1-5-21-861567501-1844237615-1417001333-1436
[2004/03/16 17:23:35, 3]
rpc_server/srv_spoolss_nt.c:_spoolss_open_printer_ex(1764)
access DENIED for printer open
The HP_2100_Extension is a shared printer, and printsrv2 is the samba
server.
I ran the command
rpcclient -U <user> printsrv2
to get lookupsids S-1-5-21-1971762055-1354219083-452636680-21098
The result is :
lsa_io_sec_qos: length c does not match size 8
S-1-5-21-1971762055-1354219083-452636680-21098 PRINTSRV2\D_IRCAD+<AD user>
(1)
D_IRCAD is the netbios name of our Win2000 domain, and <AD user> is an AD
user which should have access to the printer.
Here comes my first question : why is the name prefixed with the netbios
samba server name ?
I connected to the AD domain controller (through rpcclient) to get the SID
of the <AD user>, and I got :
<AD user> S-1-5-21-861567501-1844237615-1417001333-1548 (User: 1)
which is NOT the same SID as the one found on the print server!
So, here comes the second question :
why do some SIDs differ between the samba server and the AD controller?
Thanks in advance !
Here you will find my configuration :
- samba 3.0.2a
- libkrb53 (1.2.4-5woody4)
- libkrb5-dev (1.2.4-5woody4)
- /etc/krb5.conf :
[logging]
default = FILE:/var/log/krb5/libs.log
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/admin.log
[libdefaults]
ticket_lifetime = 24000
default_realm = IRCAD.FR
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
IRCAD.FR = {
kdc = ircadsrv.ircad.fr:88
default_domain = ircad.fr
}
[domain_realm]
.ircad.fr = IRCAD.FR
ircad.fr = IRCAD.FR
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
- /etc/samba/smb.conf :
[global]
workgroup = D_IRCAD
netbios name = PRINTSRV2
client use spnego = yes
server string = %h server (Samba %v)
wins support = no
wins server = 192.168.0.1
dns proxy = no
log file = /var/log/samba/log.%m
log level = 3
max log size = 1000
syslog = 0
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
security = ads
password server = IRCADSRV
realm = IRCAD.FR
encrypt passwords = yes
passdb backend = tdbsam guest
invalid users = root
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
load printers = yes
printing = cups
printcap name = cups
printer admin = @ntadmin,root,d_ircad+chaessig
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
[homes]
comment = Home Directories
# browseable = no
[smblog]
comment = samba page log result
browsable = no
writable = no
path = /var/log/smblog
public = no
guest ok = no
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
public = yes
writable = no
guest ok = yes
printer admin = root, d_ircad+chaessig, @ntadmin
create mode = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
browseable = yes
read only = no
guest ok = yes
write list = root, d_ircad+chaessig, @ntadmin
Christian Haessig
IRCAD/EITS
Tel : +33. (0)3.88.11.90.76
Fax : +33. (0)3.88.11.90.99
mailto:christian.haessig at ircad.u-strasbg.fr
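The se_access_check excerpt above lists the user's token as one SID followed by its group SIDs, and the poster's two lookups show the same user resolving under two different domain prefixes. The following is an added diagnostic example, not Samba's code and not something the poster ran: it parses the log lines quoted in the post (copied here as the sample input), splits each SID into its issuing-domain prefix and RID, groups them, and flags when the primary user SID was issued under a different prefix than the Domain Users group (RID 513, a fixed Windows RID) in the same token. The labels attached to the two prefixes are the reader's interpretation of the post (one prefix resolved to a PRINTSRV2\ name on the samba server, the other was reported by the AD domain controller), not values Samba emits.

```python
"""Group SIDs from a Samba se_access_check log excerpt by issuing domain.

Added example for reading the log lines quoted in the post; it is not part
of Samba and not code from the original mail.
"""
import re
from collections import defaultdict

# Well-known SIDs (fixed values in the Windows security model).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-11": "Authenticated Users",
}

DOMAIN_USERS_RID = 513  # fixed RID of the Domain Users group

# Labels are an interpretation of the post, not Samba output.
PREFIX_NAMES = {
    "S-1-5-21-1971762055-1354219083-452636680":
        "prefix that rpcclient lookupsids on printsrv2 resolved to PRINTSRV2\\...",
    "S-1-5-21-861567501-1844237615-1417001333":
        "prefix the AD domain controller reported for the same user",
}

SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b")

# Sample input: the se_access_check lines quoted in the post.
SAMPLE_LOG = """\
[2004/03/16 17:23:35, 3] lib/util_seaccess.c:se_access_check(252)
se_access_check: user sid is
S-1-5-21-1971762055-1354219083-452636680-21098
se_access_check: also S-1-5-21-1971762055-1354219083-452636680-21001
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-861567501-1844237615-1417001333-513
se_access_check: also S-1-5-21-861567501-1844237615-1417001333-1436
"""


def split_sid(sid):
    """Return (domain_prefix, rid); well-known SIDs are kept whole with rid=None."""
    if sid in WELL_KNOWN:
        return sid, None
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def extract_sids(log_text):
    """Every SID in the text, in order of first appearance, without duplicates."""
    seen = []
    for sid in SID_RE.findall(log_text):
        if sid not in seen:
            seen.append(sid)
    return seen


def group_by_domain(sids):
    """Map each domain prefix (or well-known SID) to the RIDs seen under it."""
    groups = defaultdict(list)
    for sid in sids:
        prefix, rid = split_sid(sid)
        groups[prefix].append(rid)
    return dict(groups)


def domain_prefixes(sids):
    """Distinct non-well-known domain prefixes present in the token, in order."""
    return [p for p in group_by_domain(sids) if p not in WELL_KNOWN]


def domain_users_prefix(sids):
    """Prefix under which RID 513 (Domain Users) appears, or None."""
    for sid in sids:
        prefix, rid = split_sid(sid)
        if rid == DOMAIN_USERS_RID:
            return prefix
    return None


def primary_mismatch(sids):
    """True when the user's own SID (first in the token) comes from a different
    domain prefix than the Domain Users group in the same token. In the post's
    log that is exactly the symptom: a local-looking primary SID next to
    AD-issued group SIDs."""
    if not sids:
        return False
    primary_prefix, _ = split_sid(sids[0])
    du_prefix = domain_users_prefix(sids)
    return du_prefix is not None and du_prefix != primary_prefix


def describe(sids):
    """Human-readable summary lines, one per prefix."""
    lines = []
    for prefix, rids in group_by_domain(sids).items():
        if prefix in WELL_KNOWN:
            lines.append(f"{prefix}: well-known ({WELL_KNOWN[prefix]})")
        else:
            label = PREFIX_NAMES.get(prefix, "unknown domain")
            lines.append(f"{prefix}: {label}; RIDs {rids}")
    return lines


if __name__ == "__main__":
    token = extract_sids(SAMPLE_LOG)
    for line in describe(token):
        print(line)
    print("primary SID and Domain Users from different domains:",
          primary_mismatch(token))
```

Running it on the quoted excerpt separates the token into two domain prefixes plus three well-known SIDs and reports the mismatch, which is the concrete question the post asks: the primary SID for the user was issued under one prefix while the Domain Users group (RID 513) sits under the other.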