[Samba] Winbind Kerberos Problem? - Getting Wrong User SID

Aden, Steve saden at itscommunications.com
Thu Mar 11 20:48:03 GMT 2004

I am having trouble getting users connected to shares after setting ACL
permissions on the share (removing the Everyone group and adding
specific users). I have no problem with wbinfo, getent, or net join
commands. I can also kinit a user and use smbclient -k to connect to
Windows shares from the Samba server. I have removed nscd from the
system to make sure it can't run. BTW, the user can connect if the share
is accessed via the IP address of the Samba server, which forces the
authentication back to NTLM (?) rather than using Kerberos.

Any help would be greatly appreciated. I cannot figure out where the
incorrect SID is coming from or why this is happening.

Thank you,
Steve Aden

Samba 3.0.2a on Fedora Core1 (exact same problem running Samba on RH9)
joined as a domain member.
Windows 2000 (Service Pack 4) ADS

Turning up the logging to 10, I see the following in the log:

[2004/03/11 14:14:50, 10] lib/util_seaccess.c:se_access_check(234)
  se_access_check: requested access 0x00000002, for NT token with 7 first sid S-1-5-21-74637098-2648309090-1386157172-21006.
[2004/03/11 14:14:50, 3] lib/util_seaccess.c:se_access_check(251)
[2004/03/11 14:14:50, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is
<-----wrong sid
  se_access_check: also S-1-5-21-74637098-2648309090-xxxxxxxxxx-21001
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-1202660629-1292428093-xxxxxxxxxx-513
  se_access_check: also S-1-5-32-545
  se_access_check: ACE 0: type 0, flags = 0x00, SID = 8093-xxxxxxxxxx-512 mask = 1f01ff, current desired = 2
  se_access_check: ACE 1: type 0, flags = 0x00, SID = 8093-xxxxxxxxxx-1586 mask = 1301bf, current desired = 2
[2004/03/11 14:14:50, 5] lib/util_seaccess.c:se_access_check(315)
  se_access_check: access (2) denied.

The problem here is that the user SID does not match the actual SID of
the user as displayed on the workstation the user is logged into. This
is verified with the Microsoft reskit command "whoami /all". Above, the
user SID being checked ends in 21006. The actual SID ends in 1586.
The SID list for the share near the end actually contains the SID ending
in 1586, but obviously doesn't match the incorrect SID of the user.

wbinfo -s S-1-5-21-74637098-2648309090-xxxxxxxxxx-21006  -> "Could not lookup sid"
wbinfo -s S-1-5-21-1202660629-1292428093-xxxxxxxxxx-512  -> DOMAIN_testgirl (This is correct)

I notice some other strange things that may be related.
Running getent passwd | grep -i mysambaserver I get
Running getent passwd | grep -i mywindowsserver I get

I don't know why these would be different. Joining the Samba server to
ADS appears to append HOST/ to the name? Also, my other computer names
have a $ at the end of the name. Also, most of the log files are being
created under their IP addresses instead of the computer name.

        log level                 = 10 passdb:10 auth:10 winbind:10
        adminusers                = "DOMAIN_myaccount"
        addsharecommand           =
        deletesharecommand        =
        maxlogsize                = 50
        winsserver                = 172.16.X.X
        idmapuid                  = 10000-20000
        dnsproxy                  = yes
        realm                     = DOMAIN.COM
        winbind enum groups         = yes
        logfile                   = /var/log/samba/log.%m
        socketoptions             = TCP_NODELAY SO_RCVBUF=8192
        workgroup                 = DOMAIN
        netbios name              = MYSAMBASERVER
        changesharecommand        =
        winbindseparator          = _
        serverstring              = Samba 3 Server
        encryptpasswords          = yes
        security                  = ADS
        winbind enum users          = yes
        idmapgid                  = 10000-20000

## Section - [testgirl$]
        comment                   =
        path                      = /shares/testgirl

[libdefaults]
  default_realm = DOMAIN.COM
  default_etypes = des-cbc-crc des-cbc-md5
  default_etypes_des = des-cbc-crc des-cbc-md5
  default_tgs_enctypes = des-cbc-crc des-cbc-md5
  default_tkt_enctypes = des-cbc-crc des-cbc-md5
  kdc_req_checksum_type = 2
  dns_lookup_realm = false
  dns_lookup_kdc = true
  forwardable = true
  proxiable = true
  checksum_type = 2
  ccache_type = 1

[realms]
  DOMAIN.COM = {
    kdc = myw2kadsserver.domain.com:88
    admin_server = myw2kadsserver.domain.com:749
    default_domain = domain.com
  }

[domain_realm]
  .domain.com = DOMAIN.COM
  domain.com = DOMAIN.COM

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

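The se_access_check trace quoted in the post is the decisive evidence: the DACL names the SID ending in 1586, but the token winbind built carries one ending in 21006. The following Python script is an added example (not code from the post, and not Samba's own code) that parses such a level-10 trace, rebuilds the NT token and the share DACL from it, replays the basic NT DACL walk, and then re-runs the walk with the user SID the workstation reports substituted in. That separates the two possible causes of "access denied": an ACL that genuinely excludes the user, or a token with the wrong SID in it. The log excerpt and all SIDs inside it are constructed stand-ins for the masked values in the post, and the function names are mine.

```python
"""Replay smbd's se_access_check() decision from a level-10 log excerpt.

Added example: not code from the original post or from Samba. It parses the
'se_access_check' lines smbd writes at log level 10, rebuilds the NT token
(user SID plus the 'also' SIDs) and the share DACL (ACE type, mask, SID),
replays the basic NT DACL walk, and re-runs it with a substituted user SID.
"""
import re
from typing import List, Optional, Tuple

# Constructed log excerpt in the same shape as the post's trace. The SIDs are
# made-up stand-ins (the post masks its real sub-authorities as xxxxxxxxxx).
SAMPLE_LOG = """\
[2004/03/11 14:14:50, 10] lib/util_seaccess.c:se_access_check(234)
  se_access_check: requested access 0x00000002, for NT token with 7
first sid S-1-5-21-74637098-2648309090-1386157172-21006.
[2004/03/11 14:14:50, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-74637098-2648309090-1386157172-21006
  se_access_check: also S-1-5-21-74637098-2648309090-1386157172-21001
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-1202660629-1292428093-1111111111-513
  se_access_check: also S-1-5-32-545
  se_access_check: ACE 0: type 0, flags = 0x00, SID =
S-1-5-21-1202660629-1292428093-1111111111-512 mask = 1f01ff, current desired = 2
  se_access_check: ACE 1: type 0, flags = 0x00, SID =
S-1-5-21-1202660629-1292428093-1111111111-1586 mask = 1301bf, current desired = 2
[2004/03/11 14:14:50, 5] lib/util_seaccess.c:se_access_check(315)
  se_access_check: access (2) denied.
"""

# The SID the workstation's "whoami /all" reports for the user (constructed).
WORKSTATION_USER_SID = "S-1-5-21-1202660629-1292428093-1111111111-1586"

SID = r"(S-\d+(?:-\d+)+)"
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0, 1


def parse_log(text: str) -> Tuple[int, List[str], List[dict]]:
    """Return (requested_mask, token_sids, aces) from a trace. Lines wrapped
    by a mail client are tolerated because the patterns span newlines."""
    m = re.search(r"requested access 0x([0-9a-fA-F]+)", text)
    if not m:
        raise ValueError("no 'requested access' line in trace")
    requested = int(m.group(1), 16)
    # smbd prints the user SID after "user sid is"; the summary line's
    # "first sid" carries the same value, so use it if the first is blank.
    m = (re.search(r"user sid is\s+" + SID, text)
         or re.search(r"first sid\s+" + SID, text))
    if not m:
        raise ValueError("no user SID in trace")
    token = [m.group(1)] + re.findall(r"\balso\s+" + SID, text)
    ace_re = (r"ACE (\d+): type (\d+), flags = 0x([0-9a-fA-F]+), SID =\s*"
              + SID + r"\s+mask = ([0-9a-fA-F]+)")
    aces = [{"index": int(i), "type": int(t), "flags": int(f, 16),
             "sid": s, "mask": int(mk, 16)}
            for i, t, f, s, mk in re.findall(ace_re, text)]
    return requested, token, aces


def dacl_check(requested: int, token: List[str], aces: List[dict]) -> dict:
    """Basic NT DACL walk (not a line-for-line copy of Samba's function, which
    also has owner and privilege short-cuts): ACEs are consulted in order; an
    allow ACE for a SID in the token clears the bits it grants; a deny ACE for
    a SID in the token that overlaps what is still wanted fails the check;
    access is granted once no requested bit is left."""
    desired = requested
    matched: List[int] = []
    for ace in aces:
        if ace["sid"] not in token:
            continue
        if ace["type"] == ACCESS_ALLOWED_ACE_TYPE:
            matched.append(ace["index"])
            desired &= ~ace["mask"]
        elif ace["type"] == ACCESS_DENIED_ACE_TYPE and desired & ace["mask"]:
            return {"granted": False, "matched": matched,
                    "denied_by": ace["index"], "remaining": desired}
        if desired == 0:
            break
    return {"granted": desired == 0, "matched": matched,
            "denied_by": None, "remaining": desired}


def diagnose(text: str, substitute_user_sid: Optional[str] = None) -> dict:
    """Replay the check as logged, or with the user SID swapped for the one
    the workstation reports, and list DACL SIDs that the token lacks."""
    requested, token, aces = parse_log(text)
    if substitute_user_sid:
        token = [substitute_user_sid] + token[1:]
    result = dacl_check(requested, token, aces)
    result["user_sid"] = token[0]
    result["acl_sids_not_in_token"] = [a["sid"] for a in aces
                                       if a["sid"] not in token]
    return result


if __name__ == "__main__":
    print("as logged:", diagnose(SAMPLE_LOG))
    print("with the workstation's SID:",
          diagnose(SAMPLE_LOG, WORKSTATION_USER_SID))
```

Run against a real trace, the first call should reproduce smbd's "denied" and show that neither ACE SID appears in the token; the second call, with the SID from "whoami /all", should report the allow ACE that would have granted the request. When the ACL grants access under the substituted SID, the share ACL is not the problem and the investigation belongs on the winbind side (the mapping that turned the user into the SID ending in 21006).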
