[Samba] Re: Samba 3.0.0 - LDAP Authentication trouble

Bart Bekker bartro at go.ro
Thu Nov 13 13:02:16 GMT 2003


Finally I was able to browse my [bart] home share from windows. But
trying to change anything to the files resulted in an error and in the
samba log appeared:
---
[2003/11/13 12:05:10, 5] rpc_parse/parse_prs.c:prs_uint32s(861)
                      0064 sub_auths : 00000015 03f528bd 261676f7
45c6efd9 00000201
[2003/11/13 12:05:10, 3] smbd/error.c:error_packet(113)
  error packet at smbd/nttrans.c(1707) cmd=160 (SMBnttrans)
NT_STATUS_ACCESS_DENIED
[2003/11/13 12:05:10, 5] lib/util.c:show_msg(456)
---
Also other shares, both on an ACL-enabled and a non-ACL filesystem, give the
same error.

So I decided to try to change the LDAP data concerning uid and gid for
user bart in LDAP, since I figured that during my desperate
(and therefore not always by causal explanation) search for a solution I
messed something up there. I removed user bart from LDAP, and added him
again with smbldap-useradd.pl -a bart.
In the LDAP entries is now the following information:
uidNumber = 1007 (equal to unix uid),
sambaSID = domainSID + after the dash 3014,
gidNumber = 513 (equal to unix gid),
sambaPrimaryGroupSID = domainSID + after the dash 2027.

If I look from windows now, the owner of a share (that is bart in unix)
is \\linux\sys (linux being the samba server hostname); it used to say
\\linux\bart when my sambaSID was the domain SID + 1007 after the dash,
and my home share with name bart disappeared, and the homes share
is not accessible.

From the samba log I caught this:

---
  NT user token: (NULL)
[2003/11/13 13:57:28, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2003/11/13 13:57:28, 2] lib/smbldap.c:smbldap_search_suffix(1066)
  smbldap_search_suffix: searching
for:[(&(sambaSID=S-1-5-21-66398397-639006455-1170665433-501)(objectclass=sambaSamAccount))]
[2003/11/13 13:57:28, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1099)
  ldapsam_getsampwsid: Unable to locate SID
[S-1-5-21-66398397-639006455-1170665433-501] count=0
---
and
---
[2003/11/13 13:57:28, 5] auth/auth_util.c:debug_nt_user_token(491)
  NT user token of user S-1-5-21-66398397-639006455-1170665433-501
  contains 7 SIDs
  SID[  0]: S-1-5-21-66398397-639006455-1170665433-501
  SID[  1]: S-1-5-21-66398397-639006455-1170665433-514
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-32-546
  SID[  5]: S-1-5-21-66398397-639006455-1170665433-132067
  SID[  6]: S-1-5-21-66398397-639006455-1170665433-132069
[2003/11/13 13:57:28, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 65534
  Primary group is 65533 and contains 3 supplementary groups
  Group[  0]: 65533
  Group[  1]: 65533
  Group[  2]: 65534
---
I have no uid 501 anywhere specified.

I have the feeling that I am lost somewhere between LDAP
authentication (this works, but not when I use SIDs as proposed by
Andrew Bartlett - see below and above) and unix authentication (even when
LDAP authenticates my user, I can not change anything in the share, just
read access).

Where can I find information about how to populate the LDAP-directory?
Or an example of a working configuration?

Bart.

On Thu, 2003-11-13 at 01:16, Andrew Bartlett wrote:
> On Thu, 2003-11-13 at 03:11, Carl Weiss wrote:
> > Ok if all your users have the same SID xxx-3000 they are not incrementing
> > correctly in the add user script. I had this same problem when I wasn't
> > correctly authenticating to the LDAP server I was in fact using the
> > /etc/passwd file, and then using the same test user accounts that I had on
> > the box, i.e. cweiss in ldap and cweiss in /etc/passwd.
> > 
> > To further test change all your SID's manually with an graphical editor like
> > GQ.  I'm guessing you don't have too many because it's a test install.  Also
> > make sure to change the SID's of any computers you added.
> > 
> > When I initially found this problem I created a new function in the adduser
> > script to find the highest UID and increment by one.  The user sid is
> > calculated by UID+RID*2 
> 
> UID*2 + 1000 
> 
> GID*2 + 1001
> 
> is the traditional algorithm.  Use it if possible.
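
The mapping Andrew Bartlett quotes (user RID = UID*2 + 1000, group RID = GID*2 + 1001) can be checked against the numbers that appear in this message. The following is an added example, not code from the thread or from the Samba project: it implements the rule and its inverse, splits a SID into domain part and RID, and classifies each SID from the posted user token. The domain SID is copied from the log above; the well-known RID names (500 Administrator, 501 Guest, 512 Domain Admins, 513 Domain Users, 514 Domain Guests) are the standard Windows values, and the function and variable names are this example's own. Under the rule, the RIDs 3014 and 2027 in the posted LDAP entry are exactly uid 1007 and gid 513, the group SIDs ending in -132067 and -132069 map back to gids 65533 and 65534 (the same numbers the UNIX token shows), and -501 is the well-known Guest RID, which is why the sambaSID lookup for it in LDAP finds nothing.

```python
"""Added example: Samba's traditional algorithmic uid/gid <-> RID mapping,
with a consistency check for an LDAP entry and a classifier for the SIDs
that appear in a Samba user token."""

import re

# Domain SID as it appears in the log excerpts of the message above.
DOMAIN_SID = "S-1-5-21-66398397-639006455-1170665433"

# Fixed Windows domain RIDs; these are never produced by the algorithm.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

# A SID is "S-1-<authority>-<sub-auths...>-<RID>"; the last component is the RID.
SID_RE = re.compile(r"^(S-1-\d+(?:-\d+)*)-(\d+)$")


def uid_to_rid(uid: int) -> int:
    """Users get even RIDs starting at 1000."""
    return uid * 2 + 1000


def gid_to_rid(gid: int) -> int:
    """Groups get odd RIDs starting at 1001."""
    return gid * 2 + 1001


def rid_to_uid(rid: int):
    """Inverse of uid_to_rid; None if the RID is not an algorithmic user RID."""
    if rid < 1000 or rid % 2 == 1:
        return None
    return (rid - 1000) // 2


def rid_to_gid(rid: int):
    """Inverse of gid_to_rid; None if the RID is not an algorithmic group RID."""
    if rid < 1001 or rid % 2 == 0:
        return None
    return (rid - 1001) // 2


def split_sid(sid: str):
    """Return (domain part, RID) for a textual SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    return m.group(1), int(m.group(2))


def describe_sid(sid: str, domain_sid: str = DOMAIN_SID):
    """Classify one SID from a user token as a (kind, value) pair:
    ("foreign", None)     not in our domain (Everyone, NETWORK, BUILTIN, ...)
    ("well-known", name)  one of the fixed RIDs below 1000
    ("user", uid)         algorithmic user RID mapped back to a uid
    ("group", gid)        algorithmic group RID mapped back to a gid
    ("unknown", rid)      in our domain but matching no rule
    """
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return ("foreign", None)
    if rid in WELL_KNOWN_RIDS:
        return ("well-known", WELL_KNOWN_RIDS[rid])
    uid = rid_to_uid(rid)
    if uid is not None:
        return ("user", uid)
    gid = rid_to_gid(rid)
    if gid is not None:
        return ("group", gid)
    return ("unknown", rid)


def entry_matches_algorithm(uid: int, gid: int, user_sid: str, group_sid: str,
                            domain_sid: str = DOMAIN_SID) -> bool:
    """True if an LDAP entry's sambaSID / sambaPrimaryGroupSID are exactly what
    the traditional rule gives for its uidNumber / gidNumber."""
    return (user_sid == f"{domain_sid}-{uid_to_rid(uid)}"
            and group_sid == f"{domain_sid}-{gid_to_rid(gid)}")


if __name__ == "__main__":
    # Values from the posted LDAP entry: uid 1007 / gid 513, RIDs 3014 / 2027.
    print(entry_matches_algorithm(1007, 513, DOMAIN_SID + "-3014", DOMAIN_SID + "-2027"))
    # SIDs from the posted NT user token.
    for sid in ["S-1-5-21-66398397-639006455-1170665433-501",
                "S-1-5-21-66398397-639006455-1170665433-514",
                "S-1-1-0", "S-1-5-2", "S-1-5-32-546",
                "S-1-5-21-66398397-639006455-1170665433-132067",
                "S-1-5-21-66398397-639006455-1170665433-132069"]:
        print(sid, describe_sid(sid))
```

Running the script classifies the seven SIDs of the posted token: two well-known domain RIDs (Guest and Domain Guests), three SIDs outside the domain, and two algorithmic group RIDs that decode to gids 65533 and 65534. The entry check returns True for the posted uid/gid/SID combination and False for the earlier state the message describes (sambaSID ending in -1007), since 1007 is neither a well-known RID nor an even number of 1000 or more.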