[Samba] complete newbie sid problems

Graham Seaman G.Seaman at lse.ac.uk
Fri Dec 19 17:23:47 GMT 2008


I'm trying to set up samba with ldap authorization on a windows network. 
I have samba running on one linux host, and openldap on another. I have 
used smbldap-tools to populate my directory and used smbldap-useradd to 
create an initial testuser on the samba host. I can ssh in to the samba 
host as the testuser ok, and get in to the testuser directory (i.e. there 
are no permission problems). But if I try to do `smbclient 
//DOMAIN/testuser -U testuser` I get 'tree connect failed: 
NT_STATUS_ACCESS_DENIED'. Looking at the samba log, I see:

[2008/12/19 17:08:30, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545) 
init_sam_from_ldap: Entry found for user: testuser
[2008/12/19 17:08:30, 2] passdb/pdb_ldap.c:init_group_from_ldap(2162) 
init_group_from_ldap: Entry found for group: 513
[2008/12/19 17:08:30, 0] passdb/passdb.c:lookup_global_sam_name(596)  
User testuser with invalid SID 
S-1-5-21-1306896613-1613859276-828620297-3000 in passdb
[2008/12/19 17:08:30, 2] smbd/service.c:make_connection_snum(616)  user 
'testuser' (from session setup) not permitted to access this share 

net getlocalsid on the samba host gives:
SID for domain DOMAIN is: S-1-5-21-1306896613-1613859276-828620297

which matches the 'invalid SID' above. Looking in the ldap directory, I 
see the uidNumber for testuser is 1000. The smbldap-tools documentation 
says the algorithm to go from uid to sid is sid = 2 * uid + 1000, which 
also matches the 'invalid SID'.

Any suggestions for what to do from here?
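
Added example, not part of the original post: a small Python script that automates the two checks described above, taking the SID from the "invalid SID" log entry, comparing its domain part with the `net getlocalsid` output, and comparing its RID with 2 * uidNumber + 1000. The function names are hypothetical; the log text, SID and uidNumber are copied from the post.

```python
import re

# Sample input copied from the post above (log wrapping as mailed).
SAMPLE_LOG = """\
[2008/12/19 17:08:30, 0] passdb/passdb.c:lookup_global_sam_name(596)  
User testuser with invalid SID 
S-1-5-21-1306896613-1613859276-828620297-3000 in passdb
"""
LOCAL_SID_OUTPUT = "SID for domain DOMAIN is: S-1-5-21-1306896613-1613859276-828620297"

# \s+ lets the match span the line break the mail client put before the SID.
INVALID_SID_RE = re.compile(r"User (\S+) with invalid SID\s+(S-1(?:-\d+)+) in passdb")
LOCAL_SID_RE = re.compile(r"SID for domain (\S+) is: (S-1(?:-\d+)+)")

def split_sid(sid):
    """Split a user SID into (domain SID, RID); the RID is the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def algorithmic_rid(uid_number):
    """Formula the post quotes from the smbldap-tools documentation."""
    return 2 * uid_number + 1000

def check_rejected_sids(log_text, getlocalsid_output, uid_numbers):
    """Report, per 'invalid SID' log entry, whether the domain part equals the
    local SID and whether the RID equals the algorithmic RID for the user's
    uidNumber (uid_numbers maps user name -> uidNumber from the directory)."""
    match = LOCAL_SID_RE.search(getlocalsid_output)
    if match is None:
        raise ValueError("no SID found in net getlocalsid output")
    local_sid = match.group(2)
    results = []
    for user, sid in INVALID_SID_RE.findall(log_text):
        domain, rid = split_sid(sid)
        uid = uid_numbers.get(user)
        results.append({
            "user": user,
            "rid": rid,
            "domain_matches": domain == local_sid,
            # None when the uidNumber for this user was not supplied
            "rid_matches_uid": None if uid is None else rid == algorithmic_rid(uid),
        })
    return results

if __name__ == "__main__":
    for row in check_rejected_sids(SAMPLE_LOG, LOCAL_SID_OUTPUT, {"testuser": 1000}):
        print(row)
```

For the values in the post both checks come back true, which is the same result the poster reached by hand.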

