[Samba] complete newbie sid problems

Graham Seaman G.Seaman at lse.ac.uk
Mon Jan 5 12:26:33 GMT 2009

This seems to be fixed now.

I had two sambaDomain records. One had the correct base SID, the other 
had an incorrect one. Although the user SID was correct, the group SID 
was not, as it was being generated from the incorrect sambaDomain 
record. It was unfortunate that the error message said it was the user 
sid that was incorrect, when it was actually the group sid. To further 
confuse things the user ldap entry has a value sambaPrimaryGroupSID 
which was correct, but appears not to be used. I only found the invalid 
group SID being generated by using pdbedit -Lv user, following a hint on 
another list.


Rob Shinn wrote:
> Do you have a complete sambaDomain record in your LDAP and is it at
> the root level of the LDAP structure?
> On 12/19/08, Graham Seaman <G.Seaman at lse.ac.uk> wrote:
>> Hi,
>> I'm trying to set up samba with ldap authorization on a windows network.
>> I have samba running on one linux host, and openldap on another. I have
>> used smbldap-tools to populate my directory and used smbldap-useradd to
>> create an initial testuser on the samba host. I can ssh in to the samba
>> host as the testuser ok, and get in to the testuser directory (ie. there
>> are no permission problems). But if I try to do `smbclient
>> //DOMAIN/testuser -U testuser` I get 'tree connect failed:
>> NT_STATUS_ACCESS_DENIED'. Looking at the samba log, I see:
>> [2008/12/19 17:08:30, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
>> init_sam_from_ldap: Entry found for user: testuser
>> [2008/12/19 17:08:30, 2] passdb/pdb_ldap.c:init_group_from_ldap(2162)
>> init_group_from_ldap: Entry found for group: 513
>> [2008/12/19 17:08:30, 0] passdb/passdb.c:lookup_global_sam_name(596)
>> User testuser with invalid SID
>> S-1-5-21-1306896613-1613859276-828620297-3000 in passdb
>> [2008/12/19 17:08:30, 2] smbd/service.c:make_connection_snum(616)  user
>> 'testuser' (from session setup) not permitted to access this share
>> (testuser)
>> net getlocalsid on the samba host gives:
>> SID for domain DOMAIN is: S-1-5-21-1306896613-1613859276-828620297
>> which matches the 'invalid SID' above. Looking in the ldap directory, I
>> see the uidNumber for testuser is 1000. The smbldap-tools documentation
>> say the algorithm to go from uid to sid is sid = 2 * uid + 1000, which
>> also matches the 'invalid SID'.
>> Any suggestions for what to do from here?
>> Thanks
>> Graham
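
Added example, not part of the original thread: one way to check an LDIF export of the directory for the situation described in the fix above, a second sambaDomain record carrying a different base SID, and stored user or group SIDs that are not built on the SID reported by `net getlocalsid`. The LDIF, DNs and SID values are constructed for illustration; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): two sambaDomain records with
# different base SIDs, one user, and one group built on the wrong base SID.
LOCAL_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # as from `net getlocalsid`
SAMPLE_LDIF = """\
dn: sambaDomainName=DOMAIN,dc=example,dc=org
objectClass: sambaDomain
sambaDomainName: DOMAIN
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: sambaDomainName=DOMAIN,ou=old,dc=example,dc=org
objectClass: sambaDomain
sambaDomainName: DOMAIN
sambaSID: S-1-5-21-4444444444-5555555555-6666666666

dn: uid=testuser,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3000
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: cn=Domain Users,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-513
"""

def parse_ldif(text):
    """Parse simple, unfolded LDIF into a list of {attr: [values]} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr].append(value)
        entries.append(entry)
    return entries

def audit_sids(entries, local_sid):
    """Flag sambaDomain SIDs and account/group SIDs not built on local_sid."""
    findings = []
    for e in entries:
        is_domain = "sambaDomain" in e["objectClass"]
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            for sid in e.get(attr, []):
                # A domain record holds the base SID; other entries append a RID.
                base = sid if is_domain else sid.rpartition("-")[0]
                if base != local_sid:
                    findings.append((attr, e["dn"][0], sid))
    return findings
```

Calling `audit_sids(parse_ldif(SAMPLE_LDIF), LOCAL_SID)` on the constructed sample reports the stray sambaDomain record and the group entry, while the user entry passes, which is the same pattern the fix describes.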