[Samba] Sleuthing

Moondance Foxmarnick calabash at earthlink.net
Tue Nov 21 04:48:44 GMT 2006

My Samba Server had a wild time this weekend thanks to alleged power
fluctuations. I'm using Samba 3.x on Fedora 4. My server sits on an APC UPS
that remains in good health. When I arrived this Monday I found that my
MikroTik Router was still up. My Win XP pro AV server was off and my
Fedora/SAMBA box was also off. (all boxes have their own 15min UPS)
The Win XP pro was brought up w/out difficulty.
The Fedora/SAMBA box after thinking a long time would only bring up Grub.
The rescue CD could not mount /dev/sda1. 3 sips of Whisky later (not really,
but it communicates how I felt.. I'm still wet behind the ears..) something
I did in the shell (trying to remount perhaps), or blind happy luck caused
the system to boot as normal. No file corruption or anomalies that I can
Here comes the sleuthing.
Some people in our school's community experienced power outages (not
exceeding 8 min) on Saturday, the 18th. Nobody called us from campus to
report any outages. Nobody called Maintenance either. My router in my office
across the street from the campus and on the same grid as my servers was
locked up. This led me to believe that my server room also experienced some
form of outage or surge. So I began to troll through the log files.
I discovered a faculty member had logged on successfully in the morning on
Saturday. By 2:00 pm, when he came back, he could not log in. My SAMBA
server was "up" enough to log this attempt, but "down" enough that it could
not resolve the login attempt to a username.. 
  se_access_check: user sid is S-1-5-21-1656605845-1192728522-1085763284-501
  se_access_check: also S-1-5-21-1656605845-1192728522-1085763284-1199
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-32-546
  free_pipe_context: destroying talloc pool of size 820
The above happened repeatedly (I'm on loglevel 3) for a min. And then
claimed Successful Logout.. but never resolved the SID.
Then we come to Saturday.
Syslog stops recording activity @ 3:41am in the morning
Syslog restarts @ 4:04 am in the morning 
SAMBA still cannot resolve sid(s) into usernames at this point.
Oddly, the computer just next to the server room had attempted logins just
before my server received a shutdown signal.
I have a SID. How do I translate that into the user who was in the room 3
min before shutdown?
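
An added example, not part of the original post: a small offline decoder for the se_access_check lines quoted above. It labels well-known SIDs and RIDs and, for other domain RIDs, reverses Samba 3's algorithmic mapping, assuming the default "algorithmic rid base" of 1000 and no explicitly stored RIDs; the function names are hypothetical.

```python
import re

# Constructed sample: the se_access_check lines quoted in the post above.
SAMPLE_LOG = """\
  se_access_check: user sid is S-1-5-21-1656605845-1192728522-1085763284-501
  se_access_check: also S-1-5-21-1656605845-1192728522-1085763284-1199
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
se_access_check: also S-1-5-32-546
free_pipe_context: destroying talloc pool of size 820
"""

SID_RE = re.compile(r"se_access_check: (user sid is|also) (S-1(?:-\d+)+)")

WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-2": "NETWORK",
              "S-1-5-32-544": "BUILTIN\\Administrators",
              "S-1-5-32-545": "BUILTIN\\Users",
              "S-1-5-32-546": "BUILTIN\\Guests"}
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
               513: "Domain Users", 514: "Domain Guests"}
RID_BASE = 1000  # assumption: Samba 3 default "algorithmic rid base"

def describe_sid(sid):
    """Return a human-readable meaning for one SID string."""
    if sid in WELL_KNOWN:
        return "well-known: " + WELL_KNOWN[sid]
    parts = sid.split("-")
    # Domain/local-machine SIDs look like S-1-5-21-a-b-c-RID.
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        return "unrecognised SID layout"
    rid = int(parts[-1])
    if rid in DOMAIN_RIDS:
        return "well-known RID %d: %s" % (rid, DOMAIN_RIDS[rid])
    if rid < RID_BASE:
        return "RID %d below the algorithmic base" % rid
    # Algorithmic mapping: user RID = 2*uid + base, group RID = 2*gid + base + 1.
    kind = "gid" if (rid - RID_BASE) % 2 else "uid"
    return "algorithmic %s %d" % (kind, (rid - RID_BASE) // 2)

def decode_log(text):
    """Extract (role, sid, meaning) for every se_access_check token entry."""
    out = []
    for line in text.splitlines():
        m = SID_RE.search(line)
        if m:
            role = "user" if m.group(1) == "user sid is" else "group"
            out.append((role, m.group(2), describe_sid(m.group(2))))
    return out

if __name__ == "__main__":
    for role, sid, meaning in decode_log(SAMPLE_LOG):
        print("%-5s %-50s %s" % (role, sid, meaning))
```

On a live server where winbindd is running, `wbinfo -s <SID>` does the same lookup against the real account database instead of relying on the mapping assumption.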
