[Samba] complete newbie sid problems

Graham Seaman G.Seaman at lse.ac.uk
Tue Dec 23 09:53:36 GMT 2008


Rob Shinn wrote:
> Do you have a complete sambaDomain record in your LDAP and is it at
> the root level of the LDAP structure?
>
>   
I have a sambaDomain record; whether it is complete, I don't know:

version: 1
dn: sambaDomainName=DHCP02,dc=theirorg,dc=ac,dc=uk
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
gidNumber: 1000
sambaDomainName: DHCP02
sambaSID: S-1-5-21-1306896613-1613859276-828620297
uidNumber: 1001

Graham

> On 12/19/08, Graham Seaman <G.Seaman at lse.ac.uk> wrote:
>   
>> Hi,
>>
>> I'm trying to set up samba with ldap authorization on a Windows network.
>> I have samba running on one linux host, and openldap on another. I have
>> used smbldap-tools to populate my directory and used smbldap-useradd to
>> create an initial testuser on the samba host. I can ssh in to the samba
>> host as the testuser ok, and get in to the testuser directory (i.e. there
>> are no permission problems). But if I try to do `smbclient
>> //DOMAIN/testuser -U testuser` I get 'tree connect failed:
>> NT_STATUS_ACCESS_DENIED'. Looking at the samba log, I see:
>>
>>
>> [2008/12/19 17:08:30, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
>> init_sam_from_ldap: Entry found for user: testuser
>> [2008/12/19 17:08:30, 2] passdb/pdb_ldap.c:init_group_from_ldap(2162)
>> init_group_from_ldap: Entry found for group: 513
>> [2008/12/19 17:08:30, 0] passdb/passdb.c:lookup_global_sam_name(596)
>> User testuser with invalid SID
>> S-1-5-21-1306896613-1613859276-828620297-3000 in passdb
>> [2008/12/19 17:08:30, 2] smbd/service.c:make_connection_snum(616)  user
>> 'testuser' (from session setup) not permitted to access this share
>> (testuser)
>>
>> net getlocalsid on the samba host gives:
>> SID for domain DOMAIN is: S-1-5-21-1306896613-1613859276-828620297
>>
>> which matches the 'invalid SID' above. Looking in the ldap directory, I
>> see the uidNumber for testuser is 1000. The smbldap-tools documentation
>> says the algorithm to go from uid to sid is sid = 2 * uid + 1000, which
>> also matches the 'invalid SID'.
>>
>> Any suggestions for what to do from here?
>>
>> Thanks
>> Graham
>>
>
>   
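
Added example, not part of the original posts: a Python script that repeats the checks described in the thread (split the SID from the log into domain SID and RID, compare the domain part with the sambaDomain record and the net getlocalsid output, and recompute the RID from the uid with the quoted 2 * uid + 1000 rule). The function names are this example's own; the input strings are copied from the messages above.

```python
import re

# Inputs copied from the thread: smbd log excerpt, sambaDomain LDIF, net getlocalsid output.
LOG = """[2008/12/19 17:08:30, 0] passdb/passdb.c:lookup_global_sam_name(596)
User testuser with invalid SID
S-1-5-21-1306896613-1613859276-828620297-3000 in passdb"""
LDIF = """dn: sambaDomainName=DHCP02,dc=theirorg,dc=ac,dc=uk
objectClass: sambaDomain
sambaDomainName: DHCP02
sambaSID: S-1-5-21-1306896613-1613859276-828620297"""
LOCALSID = "SID for domain DOMAIN is: S-1-5-21-1306896613-1613859276-828620297"

SID_PATTERN = r"S-1-\d+(?:-\d+)+"

def split_user_sid(sid):
    """Split a user SID into (domain SID, RID); the RID is the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def algorithmic_rid(uid, base=1000):
    """uid -> RID rule as quoted in the post from the smbldap-tools documentation."""
    return 2 * uid + base

def ldif_attr(ldif, name):
    """First value of attribute `name` in a simple (unfolded, non-base64) LDIF entry."""
    for line in ldif.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None

def check(log, ldif, localsid_line, uid):
    """Compare the SID smbd rejected with the LDAP record, the local SID and the uid."""
    m = re.search(r"User (\S+) with invalid SID\s+(" + SID_PATTERN + ")", log)
    local = re.search(SID_PATTERN, localsid_line)
    if not m or not local:
        raise ValueError("no SID found in log excerpt or net getlocalsid output")
    domain_sid, rid = split_user_sid(m.group(2))
    return {
        "user": m.group(1),
        "rid": rid,
        "matches_ldap_domain_sid": domain_sid == ldif_attr(ldif, "sambaSID"),
        "matches_local_sid": domain_sid == local.group(0),
        "rid_matches_uid": rid == algorithmic_rid(uid),
    }

if __name__ == "__main__":
    # uidNumber 1000 is the value the post reports for testuser.
    for key, value in check(LOG, LDIF, LOCALSID, uid=1000).items():
        print(f"{key}: {value}")
```
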


