[Samba] Still Samba 3.0.0 - LDAP Authentication trouble

Bart Bekker bartro at go.ro
Thu Nov 13 12:16:24 GMT 2003


Well, I was finally able to browse my home directory, but unable to make
any changes to the permissions or files. In the Samba log appeared

[2003/11/13 12:05:10, 3] smbd/error.c:error_packet(113)
  error packet at smbd/nttrans.c(1707) cmd=160 (SMBnttrans)
NT_STATUS_ACCESS_DENIED

when trying to make changes.
At the Unix level I have all the appropriate rights in the share. Other
shares too, both ACL and non-ACL, even with force user = root, refused any
modification to their contents.

So I played a bit with the UIDs and GIDs as suggested by Andrew Bartlett, since I
figured I messed something up while trying (desperately and therefore
not always with a causal approach) to fix things. I removed and re-added user
bart (unix uid/ldap uidnumber=1007, Samba SID = domainSID and after the -
3014, unix primary group id/ldap gidnumber=513, sambaprimarygroupsid =
domainSID and after the - 2027), and now if I look at the ACL permissions
from my Windows box I see /linux/sys as owner instead of Bart, which is
what I get if I use sambaSID = 1007 (=unix uid) for a share, but my home
(bart) folder disappeared from the browser, and the homes share is
inaccessible.

From the Samba log this caught my attention:

---
[2003/11/13 13:57:28, 5] auth/auth_util.c:make_user_info_map(216)
  make_user_info_map: Mapping user []\[] from workstation [BART-WS]
[2003/11/13 13:57:28, 5] auth/auth_util.c:make_user_info(132)
  attempting to make a user_info for  ()
[2003/11/13 13:57:28, 5] auth/auth_util.c:make_user_info(142)
  making strings for 's user_info struct
[2003/11/13 13:57:28, 5] auth/auth_util.c:make_user_info(184)
  making blobs for 's user_info struct
[2003/11/13 13:57:28, 3] auth/auth.c:check_ntlm_password(216)
  check_ntlm_password:  Checking password for unmapped user
[]\[]@[BART-WS] with the new password interface
[2003/11/13 13:57:28, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  mapped user is: [LINUX]\[]@[BART-WS]
[2003/11/13 13:57:28, 5] lib/util.c:dump_data(1825)
  [000] 0F 78 DD 51 6C B2 79 8D                           .xÝQl²y.
[2003/11/13 13:57:28, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/11/13 13:57:28, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/11/13 13:57:28, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/11/13 13:57:28, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2003/11/13 13:57:28, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2003/11/13 13:57:28, 2] lib/smbldap.c:smbldap_search_suffix(1066)
  smbldap_search_suffix: searching
for:[(&(sambaSID=S-1-5-21-66398397-639006455-1170665433-501)(objectclass=sambaSamAccount))]
[2003/11/13 13:57:28, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1099)
  ldapsam_getsampwsid: Unable to locate SID
[S-1-5-21-66398397-639006455-1170665433-501] count=0
[2003/11/13 13:57:28, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/11/13 13:57:28, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/11/13 13:57:28, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/11/13 13:57:28, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/11/13 13:57:28, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2003/11/13 13:57:28, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2003/11/13 13:57:28, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/11/13 13:57:28, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 65534
  Primary group is 65533 and contains 3 supplementary groups
  Group[  0]: 65533
  Group[  1]: 65533
  Group[  2]: 65534
[2003/11/13 13:57:28, 3] smbd/sec_ctx.c:push_sec_ctx(256)
---
and:

---
[2003/11/13 13:57:28, 5] auth/auth_util.c:debug_nt_user_token(491)
  NT user token of user S-1-5-21-66398397-639006455-1170665433-501
  contains 7 SIDs
  SID[  0]: S-1-5-21-66398397-639006455-1170665433-501
  SID[  1]: S-1-5-21-66398397-639006455-1170665433-514
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-32-546
  SID[  5]: S-1-5-21-66398397-639006455-1170665433-132067
  SID[  6]: S-1-5-21-66398397-639006455-1170665433-132069
[2003/11/13 13:57:28, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 65534
  Primary group is 65533 and contains 3 supplementary groups
  Group[  0]: 65533
  Group[  1]: 65533
  Group[  2]: 65534
---

Nowhere have I specified a user or a group 501.

Where can I find more information about how I have to populate these
ldap records?

 Bart.

On Thu, 2003-11-13 at 01:16, Andrew Bartlett wrote:
> On Thu, 2003-11-13 at 03:11, Carl Weiss wrote:
> > Ok if all your users have the same SID xxx-3000 they are not incrementing
> > correctly in the add user script. I had this same problem when I wasn't
> > correctly authenticating to the LDAP server; I was in fact using the
> > /etc/passwd file, and then using the same test user accounts that I had on
> > the box, i.e. cweiss in ldap and cweiss in /etc/passwd.
> > 
> > To further test, change all your SIDs manually with a graphical editor like
> > GQ.  I'm guessing you don't have too many because it's a test install.  Also
> > make sure to change the SIDs of any computers you added.
> > 
> > When I initially found this problem I created a new function in the adduser
> > script to find the highest UID and increment by one.  The user sid is
> > calculated by UID+RID*2 
> 
> UID*2 + 1000 
> 
> GID*2 + 1001
> 
> is the traditional algorithm.  Use it if possible.
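
To check the values Bart lists (uid 1007 giving RID 3014, gid 513 giving RID 2027) against the algorithm Andrew quotes, and to decode the SIDs in the token dumps above, here is a small added Python helper; it is not part of the thread or of Samba itself. The well-known RID table (500 Administrator, 501 Guest, 512/513/514 Domain Admins/Users/Guests) is standard NT domain knowledge rather than something from the post, and the domain SID is copied from the log: decoding that token shows RID 501 is the Guest account and the two high RIDs map back to groups 65533 and 65534, which is consistent with the UNIX token of user 65534 that smbd logged.

```python
"""Decode Samba 3 sambaSID values with the traditional UID/GID -> RID mapping
(user RID = UID*2 + 1000, group RID = GID*2 + 1001) and invert it."""
import re

# Well-known NT domain RIDs (standard values, not from the post); never derived from a uid/gid.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

# Domain SID as it appears in the log excerpt above.
DOMAIN_SID = "S-1-5-21-66398397-639006455-1170665433"

def user_rid(uid: int) -> int:
    """User RID = UID*2 + 1000 (always even)."""
    return uid * 2 + 1000

def group_rid(gid: int) -> int:
    """Group RID = GID*2 + 1001 (always odd)."""
    return gid * 2 + 1001

def decode_rid(rid: int) -> tuple:
    """Inverse mapping: ('well-known', name), ('user', uid) or ('group', gid).
    Parity tells users (even) from groups (odd)."""
    if rid in WELL_KNOWN_RIDS:
        return ("well-known", WELL_KNOWN_RIDS[rid])
    if rid >= 1000 and rid % 2 == 0:
        return ("user", (rid - 1000) // 2)
    if rid >= 1001:
        return ("group", (rid - 1001) // 2)
    return ("unknown", rid)

def decode_token(log_text: str, domain_sid: str = DOMAIN_SID) -> list:
    """Find every 'SID[ n]: S-...' line of a level-5 smbd token dump and decode
    the RIDs of our own domain; SIDs from other authorities come back as 'other'."""
    results = []
    for sid in re.findall(r"SID\[\s*\d+\]:\s*(S-[\d-]+)", log_text):
        if sid.startswith(domain_sid + "-"):
            rid = int(sid.rsplit("-", 1)[1])
            results.append((sid,) + decode_rid(rid))
        else:
            results.append((sid, "other", sid))
    return results
```

Feeding the second token dump from the post to decode_token() labels -501 as Guest, -514 as Domain Guests and -132067/-132069 as groups 65533 and 65534.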
