[Samba] Could not peek rid out of sid

Steve Thompson smt at vgersoft.com
Tue Mar 27 16:46:34 GMT 2007

New samba deployment; samba 3.0.24 w/ldapsam, em64t (Dell 2900), CentOS 
4.4, using nss_ldap with LDAP master and two slaves (OpenLDAP 2.3.32), one 
Samba PDC (on LDAP master) and two Samba BDC's (on each of the LDAP 
slaves); no Windows servers; one Linux domain member server (first of 
several). All four Samba servers use the same LDAP parameters. testparm 
checks out. All accounts are in LDAP; no other source except for the stock 
/etc/passwd entries. LDAP is fully functional; nss_ldap is properly 
configured (I believe). Everything seems to work properly in the Unix 
space, and in the Windows space with the exception of roaming profiles; I 
can join Windows machines to the domain, log in, map shares, etc., with no 
issues. In the DIT I have, for each user, the following:

   sambaHomePath: \\<server.domain.org>\<username>
   sambaProfilePath: \\<server.domain.org>\profiles\<username>

where "server.domain.org" is the fully-qualified hostname of the DMS box 
(which resolves to two IP's from DNS, forwards and backwards, as do the 
PDC and BDC's). When logging in to a Windows XP box, I get the complaint 
that the roaming profile cannot be downloaded because it is not owned by 
the user that is logging in (it is, and all permissions are correct), and 
in the samba log file there is a successful connection to the profiles 
share followed by:

   Could not peek rid out of sid <correct-SID-value> (twice)
   User <username> with invalid SID <same-SID-value> in passdb (3 times)

followed by a successful connection to the home directory share, which is 
fully useable from the Windows client at this point.

If I replace the "server.domain.org" in LDAP's sambaProfilePath with the 
FQDN of the PDC (not changing sambaHomePath), the roaming profile can be 
successfully downloaded (which is how it was initially created).

Rather than including all my configuration files, I'd just appreciate it 
if someone can give me a clue as to where to look next. It's evidently a 
problem with the DMS setup, although the DMS works well for everything 
else Samba-related (only roaming profiles do not work).

