[Samba] complete newbie sid problems
Graham Seaman
G.Seaman at lse.ac.uk
Mon Jan 5 12:26:33 GMT 2009
This seems to be fixed now.
I had two sambaDomain records. One had the correct base SID, the other
had an incorrect one. Although the user SID was correct, the group SID
was not, as it was being generated from the incorrect sambaDomain
record. It was unfortunate that the error message said it was the user
sid that was incorrect, when it was actually the group sid. To further
confuse things the user ldap entry has a value sambaPrimaryGroupSID
which was correct, but appears not to be used. I only found the invalid
group SID being generated by using pdbedit -Lv user, following a hint on
another list.
Graham
Rob Shinn wrote:
> Do you have a complete sambaDomain record in your LDAP and is it at
> the root level of the LDAP structure?
>
> On 12/19/08, Graham Seaman <G.Seaman at lse.ac.uk> wrote:
>
>> Hi,
>>
>> I'm trying to set up samba with ldap authorization on a windows network.
>> I have samba running on one linux host, and openldap on another. I have
>> used smbldap-tools to populate my directory and used smbldap-useradd to
>> create an initial testuser on the samba host. I can ssh in to the samba
>> host as the testuser ok, and get in to the testuser directory (i.e. there
>> are no permission problems). But if I try to do `smbclient
>> //DOMAIN/testuser -U testuser` I get 'tree connect failed:
>> NT_STATUS_ACCESS_DENIED'. Looking at the samba log, I see:
>>
>>
>> [2008/12/19 17:08:30, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
>> init_sam_from_ldap: Entry found for user: testuser
>> [2008/12/19 17:08:30, 2] passdb/pdb_ldap.c:init_group_from_ldap(2162)
>> init_group_from_ldap: Entry found for group: 513
>> [2008/12/19 17:08:30, 0] passdb/passdb.c:lookup_global_sam_name(596)
>> User testuser with invalid SID
>> S-1-5-21-1306896613-1613859276-828620297-3000 in passdb
>> [2008/12/19 17:08:30, 2] smbd/service.c:make_connection_snum(616) user
>> 'testuser' (from session setup) not permitted to access this share
>> (testuser)
>>
>> net getlocalsid on the samba host gives:
>> SID for domain DOMAIN is: S-1-5-21-1306896613-1613859276-828620297
>>
>> which matches the 'invalid SID' above. Looking in the ldap directory, I
>> see the uidNumber for testuser is 1000. The smbldap-tools documentation
>> says the algorithm to go from uid to sid is sid = 2 * uid + 1000, which
>> also matches the 'invalid SID'.
>>
>> Any suggestions for what to do from here?
>>
>> Thanks
>> Graham
>>
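As an added diagnostic (not code from the thread, Samba or smbldap-tools), this Python check models the failure described above: constructed LDAP-like records with two sambaDomain entries, and a group mapping whose SID was derived from the stale one. LOCAL_SID is the `net getlocalsid` value quoted in the thread; all record contents and the `audit` helper are constructed for illustration.

```python
"""Cross-check Samba SIDs stored in LDAP against the local domain SID."""
import re

# Value reported by `net getlocalsid` in the thread.
LOCAL_SID = "S-1-5-21-1306896613-1613859276-828620297"

# Constructed stand-ins for LDIF entries (dicts, one attribute value each).
ENTRIES = [
    {"objectClass": "sambaDomain", "sambaDomainName": "DOMAIN",
     "sambaSID": LOCAL_SID},
    {"objectClass": "sambaDomain", "sambaDomainName": "DOMAIN",        # stale duplicate
     "sambaSID": "S-1-5-21-111111111-222222222-333333333"},
    {"objectClass": "sambaSamAccount", "uid": "testuser", "uidNumber": "1000",
     "gidNumber": "513", "sambaSID": LOCAL_SID + "-3000",
     "sambaPrimaryGroupSID": LOCAL_SID + "-513"},
    {"objectClass": "sambaGroupMapping", "gidNumber": "513",           # built from stale domain
     "sambaSID": "S-1-5-21-111111111-222222222-333333333-513"},
]

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split an account SID into (domain SID, RID); raise on malformed input."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an account SID: {sid}")
    return m.group(1), int(m.group(2))


def expected_user_rid(uid_number):
    """smbldap-tools mapping quoted in the thread: rid = 2 * uid + 1000."""
    return 2 * int(uid_number) + 1000


def audit(entries, local_sid):
    """Return human-readable findings; an empty list means the SIDs are consistent."""
    findings = []
    domains = [e for e in entries if e["objectClass"] == "sambaDomain"]
    domain_sids = {d["sambaSID"] for d in domains}
    if len(domains) > 1:
        findings.append(f"{len(domains)} sambaDomain records found: {sorted(domain_sids)}")
    for bad in sorted(domain_sids - {local_sid}):
        findings.append(f"sambaDomain SID {bad} does not match net getlocalsid {local_sid}")
    for e in entries:
        if e["objectClass"] == "sambaDomain" or "sambaSID" not in e:
            continue
        dom, rid = split_sid(e["sambaSID"])
        name = e.get("uid") or e.get("gidNumber")
        if dom != local_sid:
            findings.append(f"{e['objectClass']} {name}: {e['sambaSID']} is outside the local domain")
        if e["objectClass"] == "sambaSamAccount" and rid != expected_user_rid(e["uidNumber"]):
            findings.append(f"user {name}: RID {rid} != 2*uid+1000")
    return findings


if __name__ == "__main__":
    for finding in audit(ENTRIES, LOCAL_SID):
        print(finding)
```

Run against a real directory by replacing ENTRIES with the attributes of the sambaDomain, sambaSamAccount and sambaGroupMapping objects; the group finding is the one pdbedit -Lv exposed in the thread while the log blamed the user SID.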