[Samba] windows SID are unknown for a samba member server?
Alexander Lazarevich
alazarev at itg.uiuc.edu
Thu Aug 31 17:03:30 GMT 2006
More info:
In addition, samba logs indicate the problem with this message:
[2006/08/31 11:08:06, 2]
rpc_server/srv_samr_nt.c:_samr_lookup_domain(2797)
Returning domain sid for domain DUDESDOMAIN ->
S-1-5-21-744321777-3942209422-1033525612
That SID is not DUDESDOMAIN\dudeman SID. That SID must be created by samba
when it can't resolve the SID for the DUDESMAN domain. It is very odd that
it *says* it's getting that SID from the DUDESDOMAIN, but I assure you the
SID is not correct.
Thanks,
Alex
On Thu, 31 Aug 2006, Alexander Lazarevich wrote:
> We run samba on at least two of our linux servers. Both smb.conf's are domain
> members of an NT4 windows server, so all security information is gathered
> from the NT4 domain controller. We have a problem on one of the samba servers
> whereby samba is unable to recognize the account SID for a domain user. This
> is a new problem, only on newer versions of samba.
>
> The problem manifests itself on the windows clients as such:
> - let's say our domain is DUDESDOMAIN
> - let's say the username is dudeman
> - thus, permissions on files used to be "dudeman (DUDESDOMAIN\dudeman)"
> - but now, only on newer versions of samba, permissions are now showing up
> as: "dudeman (Unix User\dudeman)", and the older permission object is
> showing up as an "Account Unknown (SID#)"
>
> I'm not sure there are any other symptoms of this problem, windows machines
> work okay. However, just today we discovered that WinZip files complain about
> bad permissions on all .zip files, and I'm wondering if this is another
> symptom. Either way, samba should be able to resolve the SID to the
> DUDESDOMAIN domain, like it used to just fine.
>
> The older server is RHEL3-AS x86 running samba-3.0.9-1.3E.10 RPM from RedHat.
> This server is working fine, the permissions are correct on all files as
> "dudeman (DUDESDOMAIN\dudeman)".
>
> The new server is RHEL4-AS x64 running a compiled samba-3.0.23a.
>
> I have verified that the older samba server does NOT have this problem at
> all. The newer samba server has the problem on all files.
>
> Any ideas? I'm looking through the smb.conf to find the answer, thought it
> might be related to the "winbind use default domain", but no matter what I
> set that to, the behavior is the same.
>
> Anyone else see this problem, know the solution?
>
> Here is a snippet from our global smb.conf on the newer samba server, the
> smb.conf on the older server is exactly the same, except for minor changes in
> hostnames and such:
>
> [global]
> server string = Samba File Server
> interfaces = xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx
> wins server = xxx.xxx.xxx.xxx
> domain master = no
> preferred master = no
> netbios name = samba-hostname
> announce version = 1.0
> load printers = no
> password level = 8
> security = server
> password server = IP-of-NT4-PDC
> workgroup = DUDESDOMAIN
> encrypt passwords = yes
> large readwrite = no
> hosts allow = xxx.xxx.xxx.xxx
> log file = /var/log/samba/hostname-samba.log
> log level = 2
> max log size = 0
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
> # idmap uid = 16777216-33554431
> # idmap gid = 16777216-33554431
> template shell = /bin/false
> # winbind use default domain = no
>
> testparm on smb.conf is fine:
>
> [root at zeus lib]# testparm
> Load smb config files from /usr/local/encap/samba-3.0.23a/lib/smb.conf
> Processing section "[homes]"
> Processing section "[staff]"
> Processing section "[users]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
>
> Like I said before, samba has worked fine until a recent upgrade, I'm not
> sure when these permissions issues first started showing up though.
>
> Thanks,
>
> Alex