[Samba] Account Unknown for users with Samba 3.0.11/14
James.Cort at u4eatech.com
Fri Jan 6 13:21:17 GMT 2006
Quoting William Jojo <jojowil at hvcc.edu>:
>
> ----- Original Message -----
> From: <James.Cort at u4eatech.com>
> To: <samba at lists.samba.org>
> Sent: Friday, January 06, 2006 4:48 AM
> Subject: Re: [Samba] Account Unknown for users with Samba 3.0.11/14
>
>
>> Quoting James.Cort at u4eatech.com:
>>
>> > The issue is that when I click "Properties... Security" in Windows on
>> > something shared on the samba server, all the groups come up OK but
>> > users are displayed as (for example) "Account Unknown
>> > {S-1-5-21-4012146134-3166284455-2856603714-3038)".
>> >
>> > I've checked, and that account SID is correct. However, I'd expect it
>> > to eventually resolve to a username - it doesn't.
>>
>
> Well, I'll bet you don't have a group mapping on the groups in question. Any
> group that has no group mapping will show up as a local group in the
> security tab. If there were a group mapping it should show up as a group in a
> trusted domain, unless there are no trusts, then it shows a SID value.
Not sure I follow you. Perhaps I didn't explain things clearly enough.
The server is a fileserver - there is no domain involved. Full ACL
support is compiled in and actively used.
The groups show up OK in the security tab - they resolve to local
groups on the fileserver itself, and are displayed in Windows as:
backups (CRONUS\backups)
u4ea-us (CRONUS\u4ea-us)
There's no Windows <-> Unix group mapping, insofar as the samba server
is left to work out the groups itself from the SID without the aid of
entries in the LDAP database, which it seems to do OK. I imagine it's
working out the group algorithmically from the SID it's presented.
>> Further investigation has shown that the LDAP server is queried for
>> Group SIDs, but not for User SIDs.
> Yep, that's correct for the Group SID, it's gathering information on the
> group value of the filesystem object is my guess.
> The user SID should have already been retrieved and stored in the security
> context if that is the owner of the fs object. I'm assuming here that
> extended ACL's are not involved.
> If the SID for the user is not the SID for the DC, you will get unknown user
> since LDAP holds the sambaSID and sambaPrimaryGroupSID for each user. In the
I could understand this if Windows was logging on to a domain - AIUI
essentially the scenario you describe would have the same username on
domain controller and fileserver, but SIDs wouldn't be synchronised.
However, the Windows box isn't logging onto a domain.
> smbpasswd world, a user's SID value is the server's since that info is not
> stored in smbpasswd and the RID is algorithmically calculated (uid * 2 +
> 1000, by default).
The SID Windows displays is:
S-1-5-21-4012146134-3166284455-2856603714-3038
$ ldapsearch -D"cn=manager,dc=u4eatech,dc=com" -b "dc=u4eatech,dc=com" -h localhost -W -v -x
# jamesc, People, u4eatech.com
dn: uid=jamesc,ou=People,dc=u4eatech,dc=com
uid: jamesc
sambaSID: S-1-5-21-4012146134-3166284455-2856603714-3038
sambaPrimaryGroupSID: S-1-5-21-4012146134-3166284455-2856603714-3001
displayName: James Cort,,,
sambaPwdMustChange: 2147483647
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaAcctFlags: [U ]
uidNumber: 1019
loginShell: /bin/bash
gidNumber: 1000
homeDirectory: /home/jamesc
gecos: James Cort
cn: James Cort
objectClass: account
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: top
objectClass: u4eaPerson
mail: james.cort at u4eatech.com
sambaPwdCanChange: 1134664550
sambaLMPassword: XXXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: XXXXXXXXXXXXXXXXXXXXXXX
sambaPwdLastSet: 1134664550
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXX
> The problem may not be the SID. It could be the RID. Is it possible the
> owner of the file is a *number*? This would indicate a uid for a
> non-existent user. This would fall to algorithmic calculation and possible
> no entry in the LDAP database yielding your situation.
No, the owner of the file is jamesc, with unix uid 1019.
> Another area that may not be so obvious - is the user in /etc/passwd and
> LDAP? This would be horrible especially if the user has two different uid
> values.
Yes, though with the same UID values in each. How is that a problem, though?
> And the obvious...do you have config and system information? How are uid
> values gathered by the system? Same LDAP database? That's important to find
> out..
Gentoo Linux, the config is:
- Users authenticate via LDAP on both Linux and Samba.
- LDAP server runs locally, slaved from a master elsewhere.
- There's only 1 LDAP database, everything lives in there.
There's similar breakage on another Samba server, which is getting its
authentication from the master LDAP server mentioned above. I'm
pretty sure it *used* to work; the only possible thing I can think of
which may have broken things is that there was an upgrade to OpenLDAP
some time ago from 2.1.x to 2.2.28.
I've got everything to hand, I'm just not quite sure what is needed.
smb.conf:
[global]
workgroup = u4eatech
netbios name = cronus
server string = Cronus Samba Server %v
log file = /var/log/samba3/log.%m
max log size = 0
log level = 10
map to guest = bad user
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
passdb backend = ldapsam:ldap://ldap-usa.u4eatech.com
domain logons = no
os level = 33
preferred master = no
local master = no
domain master = no
ldap suffix = dc=u4eatech,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap admin dn = cn=smbadmin,dc=u4eatech,dc=com
ldap ssl = no
ldap passwd sync = Yes
Dos charset = 850
Unix charset = ISO8859-1
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
# You can enable VFS recycle bin on a per share basis:
# Uncomment the next 2 lines (make sure you create a
# .recycle folder in the base of the share and ensure
# all users will have write access to it. See
# examples/VFS/recycle/README in the samba docs for details
; vfs object = /usr/lib/samba/vfs/recycle.so
##### other directories
# Copied from thor
[public]
path = /home/sambash
public = yes
only guest = yes
writable = yes
browsable = yes
printable = no
[www]
path = /home/www/localhost
public = yes
only guest = yes
writable = yes
browsable = yes
printable = no
[backups]
path = /home
public = no
writable = no
browsable = no
printable = no
valid users = @backups
[fremont]
path = /home/fremont
browseable = yes
writable = yes
slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/authldap.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/u4eatech.schema
password-hash {md5}
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 768
access to dn="dc=u4eatech,dc=com"
attrs=userPassword,gecos,description,loginShell,sambaLMPassword,sambaNTPassword,shadowLastChange,
by dn="cn=manager,dc=u4eatech,dc=com" write
by dn="cn=smbadmin,dc=u4eatech,dc=com" write
by self write
by * auth
access to dn="ou=AddressBook,dc=u4eatech,dc=com"
by anonymous read
by anonymous search
access to dn.regex="cn=([^,]+),ou=AddressBook,(dc=[^,]+(,dc=[^,]+)*)$"
by dn.exact,expand="cn=$1,ou=People,dc=u4eatech,dc=com" write
by dn.exact,expand="uid=ann,ou=People,dc=u4eatech,dc=com" write
by dn.exact,expand="uid=jamesc,ou=People,dc=u4eatech,dc=com" write
by self write
by anonymous read
by anonymous search
by users read
by users search
by * none
access to dn="ou=Hosts,dc=u4eatech,dc=com"
attrs=userPassword,gecos,description,loginShell,sambaLMPassword,sambaNTPassword,shadowLastChange,
by dn="cn=manager,dc=u4eatech,dc=com" write
by dn="cn=smbadmin,dc=u4eatech,dc=com" write
by self write
by * auth
access to dn="ou=Group,dc=u4eatech,dc=com"
attrs=userPassword,gecos,description,loginShell,sambaLMPassword,sambaNTPassword,shadowLastChange,
by dn="cn=manager,dc=u4eatech,dc=com" write
by dn="cn=smbadmin,dc=u4eatech,dc=com" write
by self write
by * auth
access to dn="ou=People,dc=u4eatech,dc=com"
attrs=userPassword,gecos,description,loginShell,sambaLMPassword,sambaNTPassword,shadowLastChange,
by dn="cn=manager,dc=u4eatech,dc=com" write
by dn="cn=smbadmin,dc=u4eatech,dc=com" write
by self write
by * auth
access to attrs=userPassword
by dn="cn=manager,dc=u4eatech,dc=com" write
by dn="cn=smbadmin,dc=u4eatech,dc=com" write
by dn="cn=ldapauth,dc=u4eatech,dc=com" auth
by anonymous auth
by self write
by * none
access to attrs=shadowLastChange
by dn="cn=manager,dc=u4eatech,dc=com" write
by dn="cn=ldapauth,dc=u4eatech,dc=com" auth
by anonymous auth
by self write
by * none
access to *
by dn="cn=manager,dc=u4eatech,dc=com" write
by dn="cn=smbadmin,dc=u4eatech,dc=com" write
by users read
by anonymous auth
by * none
allow bind_v2
database bdb
checkpoint 128 15
suffix "dc=u4eatech,dc=com"
rootdn "cn=manager,dc=u4eatech,dc=com"
rootpw "{MD5}I7xzA0VQ2M9VShh51IqgKg=="
directory /home/openldap
index objectClass eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid,mail,givenname eq,subinitial
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default eq
index cn,sn pres,eq,sub
updatedn "cn=manager,dc=u4eatech,dc=com"
updateref ldaps://cygnus_new.u4eatech.com
Output from slapcat (User account details removed to save space):
dn: dc=u4eatech,dc=com
structuralObjectClass: organization
entryUUID: a55ad09e-d8c0-1029-9940-e4463843c907
creatorsName: cn=manager,dc=u4eatech,dc=com
createTimestamp: 20051024095943Z
objectClass: top
objectClass: organization
objectClass: dcObject
dc: u4eatech
o: u4eatech
entryCSN: 20051130101617Z#000001#00#000000
modifiersName: cn=manager,dc=u4eatech,dc=com
modifyTimestamp: 20051130101617Z
dn: ou=Hosts,dc=u4eatech,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 5d070554-d804-1029-8aae-fe352ed0f43a
creatorsName: cn=manager,dc=u4eatech,dc=com
modifiersName: cn=manager,dc=u4eatech,dc=com
createTimestamp: 20051023113157Z
modifyTimestamp: 20051023113157Z
entryCSN: 20051023113157Z#000001#00#000000
dn: ou=Rpc,dc=u4eatech,dc=com
ou: Rpc
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 5d15488a-d804-1029-8aaf-fe352ed0f43a
creatorsName: cn=manager,dc=u4eatech,dc=com
modifiersName: cn=manager,dc=u4eatech,dc=com
createTimestamp: 20051023113157Z
modifyTimestamp: 20051023113157Z
entryCSN: 20051023113157Z#000002#00#000000
dn: ou=Services,dc=u4eatech,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 5d185fca-d804-1029-8ab0-fe352ed0f43a
creatorsName: cn=manager,dc=u4eatech,dc=com
modifiersName: cn=manager,dc=u4eatech,dc=com
createTimestamp: 20051023113157Z
modifyTimestamp: 20051023113157Z
entryCSN: 20051023113157Z#000003#00#000000
dn: ou=Mounts,dc=u4eatech,dc=com
ou: Mounts
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 5d1b70d4-d804-1029-8ab1-fe352ed0f43a
creatorsName: cn=manager,dc=u4eatech,dc=com
modifiersName: cn=manager,dc=u4eatech,dc=com
createTimestamp: 20051023113157Z
modifyTimestamp: 20051023113157Z
entryCSN: 20051023113157Z#000004#00#000000
dn: ou=Networks,dc=u4eatech,dc=com
ou: Networks
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 5d1e830a-d804-1029-8ab2-fe352ed0f43a
creatorsName: cn=manager,dc=u4eatech,dc=com
modifiersName: cn=manager,dc=u4eatech,dc=com
createTimestamp: 20051023113157Z
modifyTimestamp: 20051023113157Z
entryCSN: 20051023113157Z#000005#00#000000
dn: ou=People,dc=u4eatech,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 5d219b1c-d804-1029-8ab3-fe352ed0f43a
creatorsName: cn=manager,dc=u4eatech,dc=com
modifiersName: cn=manager,dc=u4eatech,dc=com
createTimestamp: 20051023113157Z
modifyTimestamp: 20051023113157Z
entryCSN: 20051023113157Z#000006#00#000000
dn: ou=Group,dc=u4eatech,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 5d24ad20-d804-1029-8ab4-fe352ed0f43a
creatorsName: cn=manager,dc=u4eatech,dc=com
modifiersName: cn=manager,dc=u4eatech,dc=com
createTimestamp: 20051023113157Z
modifyTimestamp: 20051023113157Z
entryCSN: 20051023113157Z#000007#00#000000
dn: ou=Netgroup,dc=u4eatech,dc=com
ou: Netgroup
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 5d27bf60-d804-1029-8ab5-fe352ed0f43a
creatorsName: cn=manager,dc=u4eatech,dc=com
modifiersName: cn=manager,dc=u4eatech,dc=com
createTimestamp: 20051023113157Z
modifyTimestamp: 20051023113157Z
entryCSN: 20051023113157Z#000008#00#000000
dn: ou=Protocols,dc=u4eatech,dc=com
ou: Protocols
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 5d2ad696-d804-1029-8ab6-fe352ed0f43a
creatorsName: cn=manager,dc=u4eatech,dc=com
modifiersName: cn=manager,dc=u4eatech,dc=com
createTimestamp: 20051023113157Z
modifyTimestamp: 20051023113157Z
entryCSN: 20051023113157Z#000009#00#000000
dn: ou=Aliases,dc=u4eatech,dc=com
ou: Aliases
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 5d2de8d6-d804-1029-8ab7-fe352ed0f43a
creatorsName: cn=manager,dc=u4eatech,dc=com
modifiersName: cn=manager,dc=u4eatech,dc=com
createTimestamp: 20051023113157Z
modifyTimestamp: 20051023113157Z
entryCSN: 20051023113157Z#00000a#00#000000
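The first thing to verify when a SID shows up as "Account Unknown" is whether the SID stored in LDAP is even the one the server would hand out: the domain part must match the server's own SID and, for an ldapsam account, the RID in sambaSID should line up with the algorithmic mapping William describes (uid * 2 + 1000). The script below is an added example, not code from the thread or from the Samba project. It parses the user's LDIF entry quoted above (password attributes dropped) and reports those two checks. The SERVER_DOMAIN_SID value is assumed here from the SID shown in the thread; on a real host it would come from `net getlocalsid`. The group RID formula (gid * 2 + 1001) is Samba's default as I understand it and is not stated on the page, so it is labelled as an assumption in the code.

```python
"""Consistency checks for a Samba ldapsam user entry: does the stored SID
belong to this server's domain, and is the RID the algorithmic one?"""
import re

# Constructed sample input: the entry quoted in the thread, secrets removed.
# The sambaPasswordHistory value is folded the way LDIF folds long lines
# (continuation line starts with a single space).
SAMPLE_LDIF = """\
dn: uid=jamesc,ou=People,dc=u4eatech,dc=com
uid: jamesc
sambaSID: S-1-5-21-4012146134-3166284455-2856603714-3038
sambaPrimaryGroupSID: S-1-5-21-4012146134-3166284455-2856603714-3001
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
uidNumber: 1019
gidNumber: 1000
objectClass: sambaSamAccount
objectClass: posixAccount
"""

# Assumption: the server's local domain SID (what `net getlocalsid` prints).
# Constructed from the SID shown in the thread; on a real host it lives in
# secrets.tdb and must prefix every sambaSID the server issues.
SERVER_DOMAIN_SID = "S-1-5-21-4012146134-3166284455-2856603714"

RID_BASE = 1000        # Samba default for `algorithmic rid base`
RID_MULTIPLIER = 2


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, unfolding
    continuation lines (those beginning with a space)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into (domain_sid, rid as int)."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    return m.group(1), int(m.group(2))


def algorithmic_user_rid(uid):
    """Default mapping quoted in the thread: uid * 2 + 1000."""
    return uid * RID_MULTIPLIER + RID_BASE


def algorithmic_group_rid(gid):
    """Assumption (not on the page): Samba's default group mapping uses the
    odd RIDs, gid * 2 + 1001."""
    return gid * RID_MULTIPLIER + RID_BASE + 1


def check_user_entry(ldif_text, server_domain_sid):
    """Return the consistency findings for one sambaSamAccount entry."""
    e = parse_ldif_entry(ldif_text)
    user_domain, user_rid = split_sid(e["sambaSID"][0])
    group_domain, group_rid = split_sid(e["sambaPrimaryGroupSID"][0])
    uid = int(e["uidNumber"][0])
    gid = int(e["gidNumber"][0])
    return {
        "uid": e["uid"][0],
        "sid_in_server_domain": user_domain == server_domain_sid,
        "group_sid_in_server_domain": group_domain == server_domain_sid,
        "user_rid": user_rid,
        "user_rid_algorithmic": user_rid == algorithmic_user_rid(uid),
        "group_rid": group_rid,
        "group_rid_algorithmic": group_rid == algorithmic_group_rid(gid),
    }


if __name__ == "__main__":
    for key, value in check_user_entry(SAMPLE_LDIF, SERVER_DOMAIN_SID).items():
        print("%-28s %s" % (key, value))
```

For the entry in the thread both checks pass: RID 3038 is exactly 1019 * 2 + 1000 and the primary group RID 3001 is 1000 * 2 + 1001, and both SIDs sit in the server's domain. That rules out a stale or foreign SID in LDAP, which narrows the search to how smbd performs the SID-to-name lookup rather than to what is stored.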