[Samba] SID problems?
Andrew Nash
nashcom at btinternet.com
Sun Feb 19 22:03:28 GMT 2006
I've upgraded from Samba 2 to version 3, and am having some problems. I think they're related to SIDs, which I've not really been aware of before!
Currently I only have the Samba server which is acting as PDC for Win XP Pro machines. My smb.conf looks like:
-------------------------------------------
[global]
netbios name = scofp1
workgroup = SCODOMAIN
server string = Samba Server PDC
hosts allow = 192.0.0. 127.
load printers = yes
printing = lp
log file = /usr/lib/samba/var/log.%m
max log size = 50
security = user
encrypt passwords = yes
smb passwd file = /etc/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = yes
os level = 64
domain master = yes
preferred master = yes
domain logons = yes
logon drive = G:
logon script = %U.bat
time server = yes
wins support = yes
dns proxy = no
disable spoolss = yes
keepalive = 0
;;;client schannel = No
;;;winbind enum users = No
;;;winbind enum groups = No
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
[netlogon]
comment = On-the-fly creation of login script
root preexec = /home/netlogon/loginscript.pl %U %M %m
root postexec = /home/netlogon/logoutscript.pl %U %M %m
path = /home/netlogon
guest ok = no
read only = no
locking = no
[printers]
comment = All Printers
path = /var/spool/samba
browseable = yes
valid users = @office root supremo
printable = yes
create mask = 0700
print command = lp -c -T raw -o nobanner -d%p %s; rm %s
printer admin = @office
[logs]
comment = Daily Log Reader share for members of Unix 'adm-logs' group
path = /logs
valid users = @adm-logs root supremo
writeable = no
public = no
--------------------------
and so on
..
Apart from removing the domain admin group and adding the keepalive = 0 line, the smb.conf is the same as the one I was running in Samba 2. Also, I'm still using the smbpasswd program (not using LDAP etc.).
I've run the net groupmap command with various parameters, and I've finally got the output of net groupmap list to be:
System Operators (S-1-5-32-549) -> -1
Account Operators (S-1-5-21-3090875634-363489748-967283420-548) -> d-ops
Administrators (S-1-5-21-3090875634-363489748-967283420-544) -> d-admin
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Replicators (S-1-5-21-3090875634-363489748-967283420-552) -> d-ops
Domain Controllers (S-1-5-21-3090875634-363489748-967283420-515) -> xp-name
System Operators (S-1-5-21-3090875634-363489748-967283420-549) -> d-ops
Users (S-1-5-21-3090875634-363489748-967283420-545) -> d-user
Domain Policy Admins (S-1-5-21-3090875634-363489748-967283420-520) -> nobody
Domain Computers (S-1-5-21-3090875634-363489748-967283420-516) -> xp-name
Domain Admins (S-1-5-21-3090875634-363489748-967283420-512) -> d-admin
Power Users (S-1-5-32-547) -> -1
Domain Certificate Admins (S-1-5-21-3090875634-363489748-967283420-517) -> nobody
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Guests (S-1-5-21-3090875634-363489748-967283420-546) -> nobody
Print Operators (S-1-5-21-3090875634-363489748-967283420-550) -> d-ops
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-3090875634-363489748-967283420-513) -> d-user
Domain Schema Admins (S-1-5-21-3090875634-363489748-967283420-518) -> nobody
Power Users (S-1-5-21-3090875634-363489748-967283420-547) -> d-user
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Backup Operators (S-1-5-21-3090875634-363489748-967283420-551) -> d-ops
Domain Guests (S-1-5-21-3090875634-363489748-967283420-514) -> nobody
Domain Enterprise Admins (S-1-5-21-3090875634-363489748-967283420-519) -> nobody
-------------------------------------------
You'll see that some groups have SIDs related to the domain, and also to what I presume is a default internal config. I'm not sure how to get rid of the latter (e.g. Users (S-1-5-32-545) -> -1).
I've added users corra, mae, and margaret to the Unix groups d-ops, d-admin, and d-user, and have also changed their Unix logon group to be d-user. This has stopped an error message about their primary group not being a Windows NT group. I'm not getting any error messages in their Samba log files now, and log.smbd is clean at the minute too.
----------------------------------
I've tried running net usersidlist and that returns "Could not get the user/sid list".
I see a list of users when I type net user.
I can see users logged in by typing net status sessions.
The main problem I'm experiencing is that, although users can access shares on the server (all that seems to be working fine), they are unable to access shares on another Windows XP PC. The only way they can do this is to use the Windows net use command and give it the username and password of the user who owns the share. For example, Margaret cannot print to or view the printer properties of the printer that is shared by Mae (on PC XPPC038) unless she types:
net use \\xppc038\hplj4plus /user:scodomain\mae <Mae's password> /persistent:yes
Obviously, sending plain text passwords isn't a solution!
I've added some access rights to Mae's printer (including granting SCODOMAIN/Margaret full rights, and also adding groups like Domain Admins etc.).
I'm a bit out of my depth now, and would really appreciate some help with this!
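An added example, not part of Andrew's post and not Samba's own code: a small audit script for the net groupmap list output quoted above. It separates the two kinds of entry the post asks about, BUILTIN aliases under S-1-5-32-<RID> (the "default internal config" entries, which Samba 3 keeps alongside the domain groups) from domain groups under S-1-5-21-<domain>-<RID>, names the well-known RIDs, and then reports three things a practitioner would want to check after a 2-to-3 upgrade: entries still mapped to -1, entries carrying a domain SID other than the server's own (the SID printed by net getlocalsid; here the one visible in the posted output is assumed to be it), and Unix groups that back several SIDs at once, since Samba grants every member of that gid all of those SIDs. The sample input is a subset of the posted lines plus one constructed stale-SID line that is not from the post; the set of RIDs treated as privileged is this example's choice. It does not diagnose the XP-to-XP share problem.

```python
import re
from collections import defaultdict

# Well-known RIDs from the Windows SID scheme (general facts, not taken from the post).
DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
               515: "Domain Computers", 516: "Domain Controllers",
               517: "Cert Publishers", 518: "Schema Admins",
               519: "Enterprise Admins", 520: "Group Policy Creator Owners"}
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 546: "Guests",
                547: "Power Users", 548: "Account Operators",
                549: "Server Operators", 550: "Print Operators",
                551: "Backup Operators", 552: "Replicators"}
# RIDs whose members get operator or administrative rights on an NT4-style PDC
# (this example's own choice of what counts as privileged).
PRIVILEGED_RIDS = {512, 544, 548, 549, 550, 551, 552}
BUILTIN_PREFIX = "S-1-5-32"

# One line of "net groupmap list" output: "<name> (<SID>) -> <unix group or -1>".
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>\S+)$")


def split_sid(sid):
    """Split a SID into its prefix and its last sub-authority (the RID)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def well_known_name(prefix, rid):
    """Name Windows gives this RID, or None if it is not a well-known one."""
    table = BUILTIN_RIDS if prefix == BUILTIN_PREFIX else {**DOMAIN_RIDS, **BUILTIN_RIDS}
    return table.get(rid)


def parse_groupmap(text):
    """Parse "net groupmap list" output into a list of mapping records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised groupmap line: {line!r}")
        prefix, rid = split_sid(m["sid"])
        entries.append({"name": m["name"], "sid": m["sid"], "prefix": prefix,
                        "rid": rid, "unix": m["unix"],
                        "builtin": prefix == BUILTIN_PREFIX})
    return entries


def audit(entries, domain_sid):
    """Return human-readable findings; domain_sid is what "net getlocalsid" prints."""
    findings = []
    by_unix = defaultdict(list)
    for e in entries:
        if e["unix"] == "-1":
            kind = "BUILTIN alias" if e["builtin"] else "domain group"
            findings.append(f"unmapped {kind}: {e['name']} ({e['sid']})")
            continue
        if not e["builtin"] and e["prefix"] != domain_sid:
            findings.append(f"foreign domain SID: {e['name']} ({e['sid']}) "
                            f"belongs to {e['prefix']}, not {domain_sid}")
        by_unix[e["unix"]].append(e)
    # A Unix group backing several SIDs hands all of them to every member,
    # because gid membership is what Samba consults when it builds the token.
    for unix, group in sorted(by_unix.items()):
        rids = sorted({e["rid"] for e in group})
        priv = [r for r in rids if r in PRIVILEGED_RIDS]
        if len(rids) > 1 and priv:
            findings.append(f"shared Unix group {unix} backs RIDs {rids}; "
                            f"privileged RIDs {priv} go to every member")
    return findings


# Lines copied from the post's "net groupmap list" output (a subset).
POSTED_LINES = """\
System Operators (S-1-5-32-549) -> -1
Account Operators (S-1-5-21-3090875634-363489748-967283420-548) -> d-ops
Administrators (S-1-5-21-3090875634-363489748-967283420-544) -> d-admin
Replicators (S-1-5-21-3090875634-363489748-967283420-552) -> d-ops
Users (S-1-5-21-3090875634-363489748-967283420-545) -> d-user
Domain Admins (S-1-5-21-3090875634-363489748-967283420-512) -> d-admin
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-3090875634-363489748-967283420-513) -> d-user
Backup Operators (S-1-5-21-3090875634-363489748-967283420-551) -> d-ops
Power Users (S-1-5-21-3090875634-363489748-967283420-547) -> d-user
"""
# Constructed line, not from the post: a mapping left over under a different
# domain SID, as would survive if the server's SID changed during an upgrade.
STALE_LINE = "Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> d-admin\n"
SAMPLE = POSTED_LINES + STALE_LINE
# The domain SID visible in the posted output, assumed to be the server's current one.
DOMAIN_SID = "S-1-5-21-3090875634-363489748-967283420"

if __name__ == "__main__":
    entries = parse_groupmap(SAMPLE)
    for e in entries:
        name = well_known_name(e["prefix"], e["rid"]) or "?"
        print(f"{e['sid']:<55} {name:<24} -> {e['unix']}")
    for finding in audit(entries, DOMAIN_SID):
        print("FINDING:", finding)
```

Run it against the real table with `net groupmap list | python3 audit.py`-style plumbing (reading stdin instead of SAMPLE) and pass the SID from `net getlocalsid`; a "foreign domain SID" finding on a production table means the mapping predates the server's current SID and will never match the SIDs clients present.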