[Samba] SID problems?

Andrew Nash nashcom at btinternet.com
Sun Feb 19 22:03:28 GMT 2006

  I’ve upgraded from Samba 2 to version 3, and am having some problems.  I think they’re related to SIDs, which I’ve not really been aware of before!
  Currently I only have the Samba server which is acting as PDC for Win XP Pro machines.  My smb.conf looks like:
  ; [global] and the share-section headers did not survive in the archived
  ; post; they are reconstructed here from the parameters that follow.
  [global]
  netbios name = scofp1
  workgroup = SCODOMAIN
  server string = Samba Server PDC
  hosts allow = 192.0.0.  127.
  load printers = yes
  printing = lp
  log file = /usr/lib/samba/var/log.%m
  max log size = 50
  security = user
  encrypt passwords = yes
  smb passwd file = /etc/smbpasswd
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  local master = yes
  os level = 64
  domain master = yes
  preferred master = yes
  domain logons = yes
  logon drive = G:
  logon script = %U.bat
  time server = yes
  wins support = yes
  dns proxy = no
  disable spoolss = yes
  keepalive = 0
  ;;;client schannel = No
  ;;;winbind enum users = No
  ;;;winbind enum groups = No

  #============================ Share Definitions ==============================
  ; special [homes] section (per-user home directories)
  [homes]
     comment = Home Directories
     browseable = no
     writable = yes

  ; share name not in the archived post; [netlogon] is the usual name for the
  ; domain logon share and matches path = /home/netlogon
  [netlogon]
     comment = On-the-fly creation of login script
     root preexec = /home/netlogon/loginscript.pl %U %M %m
     root postexec = /home/netlogon/logoutscript.pl %U %M %m
     path = /home/netlogon
     guest ok = no
     read only = no
     locking = no

  ; special [printers] section (spool directory for all printers)
  [printers]
     comment = All Printers
     path = /var/spool/samba
     browseable = yes
     valid users = @office root supremo
     printable = yes
     create mask = 0700
     print command = lp -c -T raw -o nobanner -d%p %s; rm %s
     printer admin = @office

  ; share name not in the archived post; [logs] is a placeholder name
  [logs]
     comment = Daily Log Reader share for members of Unix 'adm-logs' group
     path = /logs
     valid users = @adm-logs root supremo
     writeable = no
     public = no
  and so on
  Apart from removing ‘domain admin group’ and adding the ‘keep alive = 0’ line, the smb.conf is the same that I was running in Samba 2.  Also, I’m still using the smbpasswd program (not using LDAP etc).
  I’ve run the net groupmap command with various parameters, and I’ve finally got the output of ‘net groupmap list’ to be:
  System Operators (S-1-5-32-549) -> -1
  Account Operators (S-1-5-21-3090875634-363489748-967283420-548) -> d-ops
  Administrators (S-1-5-21-3090875634-363489748-967283420-544) -> d-admin
  Replicators (S-1-5-32-552) -> -1
  Guests (S-1-5-32-546) -> -1
  Replicators (S-1-5-21-3090875634-363489748-967283420-552) -> d-ops
  Domain Controllers (S-1-5-21-3090875634-363489748-967283420-515) -> xp-name
  System Operators (S-1-5-21-3090875634-363489748-967283420-549) -> d-ops
  Users (S-1-5-21-3090875634-363489748-967283420-545) -> d-user
  Domain Policy Admins (S-1-5-21-3090875634-363489748-967283420-520) -> nobody
  Domain Computers (S-1-5-21-3090875634-363489748-967283420-516) -> xp-name
  Domain Admins (S-1-5-21-3090875634-363489748-967283420-512) -> d-admin
  Power Users (S-1-5-32-547) -> -1
  Domain Certificate Admins (S-1-5-21-3090875634-363489748-967283420-517) -> nobody
  Print Operators (S-1-5-32-550) -> -1
  Administrators (S-1-5-32-544) -> -1
  Guests (S-1-5-21-3090875634-363489748-967283420-546) -> nobody
  Print Operators (S-1-5-21-3090875634-363489748-967283420-550) -> d-ops
  Account Operators (S-1-5-32-548) -> -1
  Domain Users (S-1-5-21-3090875634-363489748-967283420-513) -> d-user
  Domain Schema Admins (S-1-5-21-3090875634-363489748-967283420-518) -> nobody
  Power Users (S-1-5-21-3090875634-363489748-967283420-547) -> d-user
  Backup Operators (S-1-5-32-551) -> -1
  Users (S-1-5-32-545) -> -1
  Backup Operators (S-1-5-21-3090875634-363489748-967283420-551) -> d-ops
  Domain Guests (S-1-5-21-3090875634-363489748-967283420-514) -> nobody
  Domain Enterprise Admins (S-1-5-21-3090875634-363489748-967283420-519) -> nobody
  You’ll see that some groups have SIDs related to the domain, and also to what I presume is a default ‘internal’ config.  I’m not sure how to get rid of the latter (e.g. Users (S-1-5-32-545) -> -1).
  I’ve added users corra, mae, and margaret to the Unix groups d-ops, d-admin, and d-user, and have also changed their Unix logon group to be d-user.  This has stopped an error message about their primary group not being a Windows NT group.  I’m not getting any error messages in their Samba log files now, and log.smbd is clean at the minute too.
  I’ve tried running ‘net usersidlist’ and that returns ‘Could not get the user/sid list’.  
  I see a list of users when I type ‘net user’.
  I can see users logged in by typing ‘net status sessions’.
  The main problem I’m experiencing is that, although users can access shares on the server (all that seems to be working fine), they are unable to access shares on another Windows XP PC.  The only way they can do this is to use the Windows “net use” command and give it the username and password of the user who owns the share.  For example, Margaret cannot print to or view the printer properties of the printer that is shared by Mae (on PC XPPC038) unless she types:
  “net use \\xppc038\hplj4plus /user:scodomain\mae <Mae’s password> /persistent:yes”
  Obviously, sending plain text passwords isn’t a solution!
  I’ve added some access rights to Mae’s printer (including granting SCODOMAIN/Margaret full rights, and also adding groups like Domain Admins etc.).
  I’m a bit out of my depth now, and would really appreciate some help with this!
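An added example, not part of Andrew's post and not Samba's own code: it parses `net groupmap list` output in the format quoted above and sorts each entry by SID authority. S-1-5-32-RID is the BUILTIN authority, whose aliases (Administrators, Users, ...) exist separately on every Windows machine, while S-1-5-21-X-Y-Z-RID is the domain SID followed by a relative identifier. A mapping to `-1` means no Unix group is attached. The audit also compares each RID with the Windows well-known name for that RID (accepting Samba's spelling where it differs) and reports Unix groups that are the target of more than one SID. The sample input is a constructed subset of the listing in the post; the function names and finding codes are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the 'net groupmap list' lines quoted
# in the post above (the domain SID is the one from the post).
SAMPLE_OUTPUT = """\
System Operators (S-1-5-32-549) -> -1
Administrators (S-1-5-21-3090875634-363489748-967283420-544) -> d-admin
Guests (S-1-5-32-546) -> -1
Domain Controllers (S-1-5-21-3090875634-363489748-967283420-515) -> xp-name
Users (S-1-5-21-3090875634-363489748-967283420-545) -> d-user
Domain Admins (S-1-5-21-3090875634-363489748-967283420-512) -> d-admin
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-3090875634-363489748-967283420-513) -> d-user
Users (S-1-5-32-545) -> -1
"""

# One line of 'net groupmap list': "<NT name> (<SID>) -> <unix group or -1>"
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[0-9-]+)\) -> (?P<unix>\S+)$")

BUILTIN_SID = "S-1-5-32"  # fixed authority for per-machine aliases

# Well-known RIDs (Windows names; Samba's spelling accepted where it differs).
DOMAIN_GROUP_RIDS = {
    512: {"Domain Admins"}, 513: {"Domain Users"}, 514: {"Domain Guests"},
    515: {"Domain Computers"}, 516: {"Domain Controllers"},
}
BUILTIN_ALIAS_RIDS = {
    544: {"Administrators"}, 545: {"Users"}, 546: {"Guests"},
    547: {"Power Users"}, 548: {"Account Operators"},
    549: {"Server Operators", "System Operators"}, 550: {"Print Operators"},
    551: {"Backup Operators"}, 552: {"Replicator", "Replicators"},
}


def parse_groupmap(text):
    """Turn 'net groupmap list' output into a list of dicts, one per entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised groupmap line: {line!r}")
        sid = m.group("sid")
        parts = sid.split("-")
        if sid.startswith(BUILTIN_SID + "-"):
            authority = "BUILTIN"
        elif sid.startswith("S-1-5-21-"):
            authority = "DOMAIN"
        else:
            authority = "OTHER"
        entries.append({
            "name": m.group("name"),
            "sid": sid,
            "authority": authority,
            "domain_sid": "-".join(parts[:-1]),   # everything before the RID
            "rid": int(parts[-1]),
            "unix_group": None if m.group("unix") == "-1" else m.group("unix"),
        })
    return entries


def audit(entries):
    """Return (code, message) findings about the parsed mapping table."""
    findings = []
    domain_sids = sorted({e["domain_sid"] for e in entries if e["authority"] == "DOMAIN"})
    if len(domain_sids) > 1:
        findings.append(("multiple-domain-sids", f"entries refer to several domain SIDs: {domain_sids}"))
    by_unix = defaultdict(list)
    for e in entries:
        rid, name, sid = e["rid"], e["name"], e["sid"]
        expected = None
        if e["authority"] == "BUILTIN":
            if e["unix_group"] is None:
                findings.append(("builtin-unmapped", f"{sid} ({name}) has no Unix group (-1)"))
            expected = BUILTIN_ALIAS_RIDS.get(rid)
        elif e["authority"] == "DOMAIN":
            expected = DOMAIN_GROUP_RIDS.get(rid)
            if rid in BUILTIN_ALIAS_RIDS:
                findings.append(("alias-rid-under-domain",
                                 f"{sid} ({name}): RID {rid} is well known only under {BUILTIN_SID}"))
        if expected and name not in expected:
            findings.append(("name-mismatch",
                             f"{sid} is listed as {name!r} but RID {rid} is well known as {sorted(expected)}"))
        if e["unix_group"] is not None:
            by_unix[e["unix_group"]].append(sid)
    for group, sids in by_unix.items():
        if len(sids) > 1:
            findings.append(("shared-unix-group",
                             f"Unix group {group} is the target of {len(sids)} SIDs: {', '.join(sids)}"))
    return findings


if __name__ == "__main__":
    parsed = parse_groupmap(SAMPLE_OUTPUT)
    for entry in parsed:
        print(f"{entry['authority']:8} RID {entry['rid']:<4} {entry['name']:<20} -> {entry['unix_group']}")
    for code, message in audit(parsed):
        print(f"[{code}] {message}")
```

Run against the full listing from the post (`net groupmap list > groupmap.txt`, then feed the file to `parse_groupmap`), the two authorities separate cleanly: every `-1` line in the post is a BUILTIN alias, and every domain-SID line already has a Unix group.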
