[Samba] RID to SID Bug? Share ACL Access Denied

Aden, Steve saden at itscommunications.com
Fri Mar 26 20:24:26 GMT 2004


Hello,
	I have been trying to work through an Access Denied problem and
have found that the user RID is not getting mapped properly. I have yet
to figure out where the assigned RID is coming from, but I know that it
is incorrect. In the log (level 10) for the connecting computer, I see:

"pdb_set_user_sid_from_rid:
 setting user sid S-1-5-21-74637098-2648309090-13861XXXXX-21006 from rid
21006"

There are two problems here. One, the RID should be 1586, as verified with
rpcclient. Also, the remainder of the SID does not match the W2K ADS
domain the Samba server has been joined to. Instead it is the SID of the
domain for the Samba server, as verified with "net getlocalsid":
SID for domain SAMBASERVER is: S-1-5-21-74637098-2648309090-13861XXXXX

"net ads status" shows the SID for the SAMBASERVER:
distinguishedName: CN=sambaserver,CN=Computers,DC=domain,DC=com
objectSid: S-1-5-21-1202660629-1292428093-18016XXXXX-1588

The Winbind log shows the correct lookup of the user and SID from the
W2K ADS domain. Since the SID doesn't actually represent the user, the
share ACLs do not match, which causes access to the share to be denied.
A tdbdump of winbindd_idmap.tdb shows the user's UID and actual SID. The
UID matches what is listed using "getent passwd".

The commands wbinfo, getent, and smbclient -k all work. I can kinit a user
and access Windows shares from the Samba server, but users cannot
connect to the Samba server by name from a Windows client. They can
access it by IP address, but as I understand it, that method does not use
Kerberos.

This is 3.0.2a-1 on Red Hat 9.0 with security = ADS.

I have searched the Samba list archives and read the man pages and the
HOWTO, but haven't been able to find an answer to why this is happening.
Any help would be greatly appreciated.


Thank you,
Steve Aden



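The check the poster is doing by hand, written out as an added example (this is not code from the post or from Samba): split each SID into its domain prefix and RID, derive the ADS domain SID from the machine account's objectSid (domain SID plus machine RID), and compare the SID that pdb_set_user_sid_from_rid logged against the local SID, the ADS domain SID and the RID reported by rpcclient. The sample inputs are constructed from the post; the "XXXXX" runs are the poster's redactions and are kept verbatim, so none of these are real SIDs, and the regex only tolerates "X" for that reason.

```python
import re

# Constructed inputs modelled on the post (redacted digits kept as X).
LOG_LINE = ("pdb_set_user_sid_from_rid: setting user sid "
            "S-1-5-21-74637098-2648309090-13861XXXXX-21006 from rid 21006")
LOCAL_SID_OUTPUT = ("SID for domain SAMBASERVER is: "
                    "S-1-5-21-74637098-2648309090-13861XXXXX")      # net getlocalsid
ADS_STATUS_OUTPUT = ("distinguishedName: CN=sambaserver,CN=Computers,DC=domain,DC=com\n"
                     "objectSid: S-1-5-21-1202660629-1292428093-18016XXXXX-1588")  # net ads status
RPCCLIENT_RID = 1586                                              # RID rpcclient reports for the user

# S-1-<authority>-<subauth>-...; "X" is accepted only because of the redaction above.
SID_RE = re.compile(r"S-1-\d+(?:-[0-9X]+)+")


def first_sid(text):
    """Return the first SID found in a command output or log line."""
    m = SID_RE.search(text)
    if m is None:
        raise ValueError("no SID found in: %r" % text)
    return m.group(0)


def split_sid(sid):
    """Split a SID into (domain prefix, RID); the RID is the last sub-authority."""
    parts = sid.split("-")
    # need S, 1, authority, at least one domain sub-authority, and the RID
    if parts[0] != "S" or len(parts) < 5:
        raise ValueError("not a domain SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def diagnose(log_line, local_sid_output, ads_status_output, rpcclient_rid):
    """Compare the SID Samba built for the user with the two candidate domains.

    Returns a dict with the pieces compared and a list of problems found
    (empty when the logged SID is <ADS domain SID>-<rpcclient RID>).
    """
    local_sid = first_sid(local_sid_output)
    # the machine account's objectSid is <ADS domain SID>-<machine RID>
    ads_domain_sid, machine_rid = split_sid(first_sid(ads_status_output))
    logged_domain, logged_rid = split_sid(first_sid(log_line))

    problems = []
    if logged_domain == local_sid:
        problems.append("user SID was built from the local machine SID, not the ADS domain SID")
    elif logged_domain != ads_domain_sid:
        problems.append("user SID domain prefix matches neither the local nor the ADS domain SID")
    if logged_rid != rpcclient_rid:
        problems.append("logged RID %d differs from rpcclient RID %d" % (logged_rid, rpcclient_rid))

    return {
        "local_sid": local_sid,
        "ads_domain_sid": ads_domain_sid,
        "machine_rid": machine_rid,
        "logged_domain": logged_domain,
        "logged_rid": logged_rid,
        "problems": problems,
    }


if __name__ == "__main__":
    result = diagnose(LOG_LINE, LOCAL_SID_OUTPUT, ADS_STATUS_OUTPUT, RPCCLIENT_RID)
    for key, value in result.items():
        print("%-15s %s" % (key, value))
```

Run against the post's values it reports both findings: the domain prefix of the logged SID is the local SID from net getlocalsid rather than the ADS domain SID, and the RID 21006 is not the 1586 that rpcclient returned. A log line of the form `<ADS domain SID>-1586` would produce an empty problems list.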