[Samba] Re: SID problem with working samba

toni tonign at xtec.net
Wed Jan 23 19:17:46 GMT 2008


hi,

On Wed, 23 Jan 2008 07:54:57 -0500
Jamrock <news_jamrock at yahoo.com> wrote:

> "toni" <tonign at xtec.net> wrote in message
> news:20080122212228.5b9c62cb at gamma...
> > hello,
> >
> > i have 1 PDC and 1 BDC using smbldap, and now i'm adding a server
> > (as a domain member, not BDC) that will have shares to be mounted
> > by the clients.
> >
> > this server also uses smbldap and, at this moment, the service is
> > working almost normally.
> >
> > the problem seems to be the typical SID problem, but my new samba
> > reports to have the same SID that the PDC and BDC have, and users
> > can log into the domain and map shares. however, when mapping
> > shares log file prints these lines:
> 
>  I would not expect you to need smbldap on a member server.
> Typically, member servers authenticate against a pdc or bdc.  They do
> not authenticate locally.

i'm getting a correct behaviour with a passdb backend ldapsam, but also
a 40-60 seconds timeout when connecting to shares and the following
lines in the log file:

[2008/01/23 18:43:27, 0, effective(0, 0), real(0, 0)] passdb/passdb.c:lookup_global_sam_name(596)
  User USER with invalid SID S-1-5-21-3094878921-2476751602-3662942323-12534 in passdb


i've read the documentation, chapter 7 as you suggested, and i've
removed the ldap* configuration options and added the option
"winbind trusted domains only = yes"

with this new configuration, the 'invalid SID' lines are not shown but
i'm getting the annoying timeout when connecting to shares. also, now,
"pdbedit -L USER" can't find users and "smbclient -L -U USER%passwd" does
a timeout after 20 seconds (this is the same as before)

now, my smb.conf contains:

[global]
    netbios name = SERVERNAME
    workgroup = DOMAIN
    security = domain
    local master = no
    password server = *
    winbind trusted domains only = yes
    mangling method = hash2
    encrypt passwords = yes
    ; wins is the PDC
    wins server = 10.0.2.1


> One option is to load ldap on the server.  Load Samba so it can
> configure against ldap.
>
> You can then configure the machine to use the ldap on the pdc for
> authentication.

this server also has an ldap server to resolve system users (via
nsswitch), and the contents are replicated from a master ldap in the
PDC (i think this is what you are proposing, isn't it?)

> 
> Chapter 7 of Samba by Example shows a few options re: setting up a
> member server to authenticate against a pdc.
> 

thanks for your help
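
An added example, not part of the original message or of Samba: a small Python script that pulls the "invalid SID" entries out of an smbd log, tolerating the line wrapping seen in the message above, and compares the domain part of each SID with a SID you supply, for instance the values printed by `net getlocalsid` and `net getdomainsid`. The second log entry and LOCAL_SAM_SID are constructed sample values.

```python
import re
from collections import defaultdict

# First entry is the one quoted in the message (wrapped as mailed);
# the second entry is constructed for illustration.
SAMPLE_LOG = """\
[2008/01/23 18:43:27, 0, effective(0, 0), real(0, 0)]
passdb/passdb.c:lookup_global_sam_name(596)
  User USER with invalid SID
S-1-5-21-3094878921-2476751602-3662942323-12534 in passdb
[2008/01/23 18:43:29, 0, effective(0, 0), real(0, 0)] passdb/passdb.c:lookup_global_sam_name(596)
  User USER2 with invalid SID S-1-5-21-3094878921-2476751602-3662942323-12536 in passdb
"""

# Constructed placeholder: paste the SID your member server reports here.
LOCAL_SAM_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# \s+ between tokens lets the match span wrapped lines.
PATTERN = re.compile(
    r"User\s+(\S+)\s+with\s+invalid\s+SID\s+(S-1-[\d-]+)\s+in\s+passdb"
)


def split_sid(sid):
    """Split a user SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def invalid_sid_users(log_text):
    """Map each domain SID seen in 'invalid SID' entries to its (user, RID) pairs."""
    found = defaultdict(set)
    for user, sid in PATTERN.findall(log_text):
        domain, rid = split_sid(sid)
        found[domain].add((user, rid))
    return {domain: sorted(users) for domain, users in found.items()}


def compare(log_text, reference_sid):
    """Say whether each logged domain SID equals the reference SID."""
    return {
        domain: "matches" if domain == reference_sid else "differs"
        for domain in invalid_sid_users(log_text)
    }


if __name__ == "__main__":
    for domain, verdict in compare(SAMPLE_LOG, LOCAL_SAM_SID).items():
        print(domain, verdict, invalid_sid_users(SAMPLE_LOG)[domain])
```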

