FW: [Samba] RID to SID Bug? Share ACL Access Denied

Aden, Steve saden at itscommunications.com
Tue Mar 30 20:06:41 GMT 2004


Hi,
	Is this problem related to this bug?
Bugzilla Bug 1165  
   Samba ADS Kerberos login doesnt resolve correct groups when smbd is
su'ing to the uid 
https://bugzilla.samba.org/show_bug.cgi?id=1165

Anyone? Please respond. I am desperate to get this working.

Thank you,
Steve

-----Original Message-----
From: Aden, Steve 
Sent: Friday, March 26, 2004 3:24 PM
To: samba at lists.samba.org
Subject: [Samba] RID to SID Bug? Share ACL Access Denied


Hello,
	I have been trying to work through an Access Denied problem and
have found that the user rid is not getting mapped properly. I have yet
to figure out where the assigned rid is coming from, but I know that it
is incorrect. In the log (level 10) for the connecting computer, I see:

"pdb_set_user_sid_from_rid:
 setting user sid S-1-5-21-74637098-2648309090-13861XXXXX-21006 from rid
21006"

There are two problems here. One, the rid should be 1586 as verified with
rpcclient. Also the remainder of the sid does not match the W2K ADS
domain the samba server has been joined to. Instead it is the SID of the
domain for the samba server as verified with "net getlocalsid":
SID for domain SAMBASERVER is: S-1-5-21-74637098-2648309090-13861XXXXX

"net ads status" shows the SID for the SAMBASERVER:
distinguishedName: CN=sambaserver,CN=Computers,DC=domain,DC=com
objectSid: S-1-5-21-1202660629-1292428093-18016XXXXX-1588

The Winbind log shows the correct lookup of the user and sid from the
W2K ADS domain. Since the sid doesn't actually represent the user, the
share ACLs do not match, which causes denial to the share. Tdbdump of the
winbindd_idmap.tdb shows the user's UID and actual SID. The UID matches
what is listed using "getent passwd".

The commands wbinfo, getent, smbclient -k all work. I can kinit a user
and access Windows shares from the Samba server, but users cannot
connect to the Samba server by name from a Windows client. They can
access by ip address, but as I understand it, that method does not use
kerberos.

This is 3.0.2a-1 on Redhat 9.0 with security = ADS.

I have searched the Samba list archives and read man pages and the
HOWTO, but haven't been able to find an answer to why this is happening.
Any help would be greatly appreciated.


Thank you,
Steve Aden
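
A check for the mismatch described in the message above, added here as an example and not part of the original post or of Samba: it parses the pdb_set_user_sid_from_rid log message and reports whether the SID smbd assigned was issued by the local SAM or by the joined AD domain. The function names and every SID value are constructed assumptions; replace the sample constants with the output of "net getlocalsid", the AD domain SID, and the user SID that winbind resolves.

```python
import re

# Matches the smbd debug message quoted in the post; the text may wrap across lines.
LOG_RE = re.compile(
    r"pdb_set_user_sid_from_rid:\s+setting user sid (S-[\d-]+) from rid\s+(\d+)")

def split_sid(sid):
    """Return (domain_sid, rid) for a string SID such as S-1-5-21-a-b-c-rid."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])

def check_log(log_text, local_sid, ad_domain_sid, expected_user_sid):
    """Classify each SID smbd assigned and compare it with the expected user SID."""
    findings = []
    for sid, rid_text in LOG_RE.findall(log_text):
        domain, rid = split_sid(sid)
        if domain == ad_domain_sid:
            issuer = "ad-domain"
        elif domain == local_sid:
            issuer = "local-sam"   # SID built from the server's own machine SID
        else:
            issuer = "unknown"
        findings.append({
            "sid": sid,
            "issuer": issuer,
            "rid": rid,
            "rid_consistent": rid == int(rid_text),
            # Share ACL entries hold the AD user's SID, so anything else is denied.
            "matches_expected": sid == expected_user_sid,
        })
    return findings

# Constructed sample values (the SIDs in the post are partly redacted).
LOCAL_SID = "S-1-5-21-1111111111-2222222222-3333333333"
AD_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"
EXPECTED_USER_SID = AD_DOMAIN_SID + "-1586"
SAMPLE_LOG = (
    "pdb_set_user_sid_from_rid:\n"
    " setting user sid S-1-5-21-1111111111-2222222222-3333333333-21006 from rid\n"
    "21006\n"
)

if __name__ == "__main__":
    for finding in check_log(SAMPLE_LOG, LOCAL_SID, AD_DOMAIN_SID, EXPECTED_USER_SID):
        print(finding)
```
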
