[Samba] permissions problems

Dale Schroeder dale at BriannasSaladDressing.com
Tue Jul 7 13:38:40 GMT 2009


Any chance there could be a duplicate user?
getent passwd|grep /user/ would narrow the list down.


Jonathon Doran wrote:
> I am obviously confused about something, and feel like I am chasing 
> ghosts.  Any help or clarification would be appreciated.
> When a user logs in we get messages about corrupt recycle bins.  
> Setting the logging to level 2 for that client, we have errors like:
> open_directory:  unable to create user/Desktop.  Error was 
> OK, the folder already exists in the profile.  Why try to create it?
> I can use smbclient and connect to the profile share as the user, and 
> I have no trouble reading or writing files.  The root account can 
> access the raw folders without any problem.  I expected that the 
> existing profile would be read and used.  And it sort of is, since a 
> folder on the desktop is preserved across sessions.
> When I up the logging to 4, I see messages like
> get_privileges: No privileges assigned to SID 
> [S-1-5-21-1786355187-4025355074-2784741737-501]
> Hmm.  That RID doesn't look correct.  This user is in two groups, 
> Domain Users (513) and a local lab group (3011).  Slapcat does not 
> show that SID, nor does "net groupmap list".  I looked this up, and it 
> appears to be a guest account.  OK, maybe not a problem.  As you might 
> be able to tell, the slightest thing sets me off.
> The login continues with accesses using user nobody (uid=99,gid=99), 
> and the
> user is authenticated.
> I saw this in the log:
> [2009/07/06 16:33:33,  4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1613)
>   ldapsam_getsampwsid: Unable to locate SID 
> [S-1-5-21-1786355187-4025355074-2784741737-513] count=0
> [2009/07/06 16:33:34,  2] passdb/pdb_ldap.c:init_group_from_ldap(2348)
>   init_group_from_ldap: Entry found for group: 513
> RID 513 is in the group map.  "getent group Domain\ Users" returns a 
> bunch of names.  So maybe _this_ isn't an error either.
> Then I see:
> [2009/07/06 16:33:34,  3] lib/privileges.c:get_privileges(63)
>   get_privileges: No privileges assigned to SID 
> [S-1-5-21-1786355187-4025355074-2784741737-3110]
> [2009/07/06 16:33:34,  3] lib/privileges.c:get_privileges(63)
>   get_privileges: No privileges assigned to SID 
> [S-1-5-21-1786355187-4025355074-2784741737-513]
> (the two groups which this user should be a member).
> A bit further down:
>  ldapsam_getgroup: Did not find group, filter was 
> (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))
> That SID does not show up in the group map, and I have no idea where 
> it comes from.  All of my SIDS seem to start with S-1-5-21.  So that 
> looks bad.  But...
>   init_group_from_ldap: Entry found for group: 1005
> Well, that is good.  Group 1005 is the group with RID 3011, in case 
> that was
> confusing.  A VUID is registered later.  And a connection is
> made to the profdata service (uid=1055, gid = 513).
> The user's main group is 1005, but the user is not showing up in group 
> 513.  By that I mean that "getent group Domain\ Users" shows a list of 
> users, but does not include this user.  Nor does "groups user".  
> Sounds like a big problem.  But slapcat shows the user in the group, 
> and LdapAdmin shows the user in the group.  /etc/nsswitch.conf has 
> "group:  compat ldap". I have rebooted the system, and this problem 
> persists.  Removing the user from "Domain Users" in LdapAdmin, and 
> then readding them did nothing.  Although slapcat did reflect the 
> removal.
> I'm guessing that this is at the root of most of my problems.  Where 
> in the world is getent getting its information, if not from LDAP?

More information about the samba mailing list