[Samba] permissions problems

Jonathon Doran jon at doransw.com
Mon Jul 6 22:33:36 GMT 2009


I am obviously confused about something, and feel like I am chasing  
ghosts.  Any help or clarification would be appreciated.

When a user logs in we get messages about corrupt recycle bins.   
Setting the logging to level 2 for that client, we have errors like:

open_directory:  unable to create user/Desktop.  Error was NT_STATUS_OBJECT_NAME_COLLISION.

OK, the folder already exists in the profile.  Why try to create it?

I can use smbclient and connect to the profile share as the user, and  
I have no trouble reading or writing files.  The root account can  
access the raw folders without any problem.  I expected that the  
existing profile would be read and used.  And it sort of is, since a  
folder on the desktop is preserved across sessions.

When I up the logging to 4, I see messages like

get_privileges: No privileges assigned to SID [S-1-5-21-1786355187-4025355074-2784741737-501]

Hmm.  That RID doesn't look correct.  This user is in two groups,  
Domain Users (513) and a local lab group (3011).  Slapcat does not  
show that SID, nor does "net groupmap list".  I looked this up, and it  
appears to be a guest account.  OK, maybe not a problem.  As you might  
be able to tell, the slightest thing sets me off.

The login continues with accesses using user nobody (uid=99,gid=99), and the
user is authenticated.

I saw this in the log:
[2009/07/06 16:33:33,  4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1613)
   ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-1786355187-4025355074-2784741737-513] count=0
[2009/07/06 16:33:34,  2] passdb/pdb_ldap.c:init_group_from_ldap(2348)
   init_group_from_ldap: Entry found for group: 513

RID 513 is in the group map.  "getent group Domain\ Users" returns a  
bunch of names.  So maybe _this_ isn't an error either.

Then I see:
[2009/07/06 16:33:34,  3] lib/privileges.c:get_privileges(63)
   get_privileges: No privileges assigned to SID [S-1-5-21-1786355187-4025355074-2784741737-3110]
[2009/07/06 16:33:34,  3] lib/privileges.c:get_privileges(63)
   get_privileges: No privileges assigned to SID [S-1-5-21-1786355187-4025355074-2784741737-513]

(the two groups of which this user should be a member).

A bit further down:
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))

That SID does not show up in the group map, and I have no idea where  
it comes from.  All of my SIDs seem to start with S-1-5-21.  So that  
looks bad.  But...

   init_group_from_ldap: Entry found for group: 1005

Well, that is good.  Group 1005 is the group with RID 3011, in case that was
confusing.  A VUID is registered later.  And a connection is
made to the profdata service (uid=1055, gid = 513).

The user's main group is 1005, but the user is not showing up in group  
513.  By that I mean that "getent group Domain\ Users" shows a list of  
users, but does not include this user.  Nor does "groups user".   
Sounds like a big problem.  But slapcat shows the user in the group,  
and LdapAdmin shows the user in the group.  /etc/nsswitch.conf has  
"group:  compat ldap". I have rebooted the system, and this problem  
persists.  Removing the user from "Domain Users" in LdapAdmin, and  
then re-adding them did nothing.  Although slapcat did reflect the  
removal.

I'm guessing that this is at the root of most of my problems.  Where  
in the world is getent getting its information, if not from LDAP?
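
Added example, not part of the original post: a small Python triage helper that pulls the SIDs out of a Samba log excerpt like the one quoted above and labels each as a Windows well-known SID, a well-known RID under the local domain SID, or a site-assigned RID that should appear in "net groupmap list". The function names and the label strings are this example's own; the sample log is assembled from the lines quoted in the post.

```python
import re

# Well-known SIDs and RIDs fixed by Windows; they are the same in every domain.
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-2": "Network",
                   "S-1-5-7": "Anonymous Logon", "S-1-5-11": "Authenticated Users"}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests"}
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")
FUNC_RE = re.compile(r"\s*(\w+):\s")   # "   get_privileges: ..." message lines

# Log excerpt assembled from the lines quoted in the post (wrapped as posted).
SAMPLE_LOG = """\
[2009/07/06 16:33:34,  3] lib/privileges.c:get_privileges(63)
   get_privileges: No privileges assigned to SID
[S-1-5-21-1786355187-4025355074-2784741737-501]
   ldapsam_getsampwsid: Unable to locate SID
[S-1-5-21-1786355187-4025355074-2784741737-513] count=0
   get_privileges: No privileges assigned to SID
[S-1-5-21-1786355187-4025355074-2784741737-3110]
  ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))
"""
DOMAIN_SID = "S-1-5-21-1786355187-4025355074-2784741737"

def classify_sid(sid, domain_sid):
    """Label a SID as well-known, a well-known domain RID, or site-assigned."""
    if sid in WELL_KNOWN_SIDS:
        return "well-known: " + WELL_KNOWN_SIDS[sid]
    if sid.startswith(domain_sid + "-"):
        rid = sid[len(domain_sid) + 1:]
        if rid.isdigit():
            name = WELL_KNOWN_RIDS.get(int(rid))
            return f"domain RID {rid}: " + (name or "site-assigned, check the group map")
    return "foreign or unrecognised SID"

def summarise(log_text, domain_sid):
    """Return {sid: (label, [functions that reported it])} for a log excerpt."""
    seen, func = {}, None
    for line in log_text.splitlines():
        m = FUNC_RE.match(line)
        if m:
            func = m.group(1)          # remember which function is logging
        for sid in SID_RE.findall(line):
            _, funcs = seen.setdefault(sid, (classify_sid(sid, domain_sid), []))
            if func and func not in funcs:
                funcs.append(func)
    return seen

if __name__ == "__main__":
    for sid, (label, funcs) in summarise(SAMPLE_LOG, DOMAIN_SID).items():
        print(f"{sid:50} {label}  [{', '.join(funcs)}]")
```
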

