[Samba] Samba/LDAP share issue -- user with invalid SID
Alex McKenzie
alex at chem.umass.edu
Mon May 17 12:39:44 MDT 2010
So no one has any guesses on this? I've found nothing new, so any help
at all would be appreciated...
-Alex
Alex McKenzie wrote:
> Greetings,
>
> While I've seen this referred to a lot of places, I haven't yet found
> a posted solution that works for me. Testing has been done from a Mac
> running OSX 10.5.8. Here's what I have so far: if anyone can give me a
> next step to test, I'd appreciate it. If anyone can give me a complete
> solution, I'd appreciate it even more. 8-)
>
> 1) An LDAP server "mv", running Ubuntu 8.04 LTS. Samba is not installed.
>
> 2) A group file server "sl1", running Ubuntu 8.04 LTS. LDAP is not
> installed.
>
> 3) Users can successfully authenticate to sl1 against LDAP when
> connecting via SSH. If their user directory exists (they have logged in
> via ssh) they can connect to their home directory through samba by
> connecting to smb://sl1.biochem.lgrt.nsm (a non-routable internal
> network), so I know samba is successfully connecting to the LDAP server.
> Traffic between the file server and the LDAP server is encrypted, as
> confirmed with tcpdump.
>
> 4) When attempting to access a group share, the connection is refused,
> and the following shows up in the samba logs: the share has users
> amckenzie and suzanne.
>
> [2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
> User spalmer with invalid SID
> S-1-5-21-4167008922-1292391803-4044586981-21004 in passdb
> [2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
> User amckenzie with invalid SID
> S-1-5-21-4167008922-1292391803-4044586981-21006 in passdb
>
> 5) All connections, successful or not, cause the following messages in
> the samba logs on sl1:
>
> [2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_administrators(792)
> create_builtin_administrators: Failed to create Administrators
> [2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_users(758)
> create_builtin_users: Failed to create Users
> [2010/05/06 16:31:33, 0] param/loadparm.c:widelinks_warning(5718)
> Share 'IPC$' has wide links and unix extensions enabled. These
> parameters are incompatible. Wide links will be disabled for this share.
>
> 6) On sl1, net getdomainsid returns the following:
>
> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>
> 7) Users have both user and group SIDs in the form
> "S-1-5-21-4167008922-1292391803-4044586981-[unique number]", which is
> generated according to the rules the smbldap tools use.
>
> 8) testparm on sl1 returns the following:
>
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[itadmins]"
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> Press enter to see a dump of your service definitions
>
> [global]
> workgroup = CHEMBMB
> server string = %h server (Samba, Ubuntu)
> map to guest = Bad User
> obey pam restrictions = Yes
> passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
> pam password change = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> unix password sync = Yes
> syslog = 255
> log file = /var/log/samba/log.%m
> max log size = 1000
> dns proxy = No
> ldap admin dn = cn=admin,dc=cns
> ldap group suffix = ou=Chemistry groups
> ldap suffix = ou=Chemistry,dc=cns
> ldap ssl = no
> ldap user suffix = ou=Chemistry users
> usershare allow guests = Yes
> panic action = /usr/share/samba/panic-action %d
> invalid users = root
>
> [homes]
> comment = Home Directories
> read only = No
> browseable = No
>
> [itadmins]
> comment = Shared directory for the IT group
> path = /home/itadmins
> valid users = spalmer, amckenzie
> read only = No
> create mask = 0665
> directory mask = 0775
>
>
>
> Any advice would be appreciated -- I'm well beyond my understanding of
> samba at the moment, and my understanding of samba is well beyond what
> it was 48 hours ago. At the moment neither server is mission critical,
> so tests that take them temporarily off-line are possible. By early
> next week things will be authenticating against the LDAP server (we've
> got no choice -- the old LDAP server is failing fast), so I won't be
> able to take it down for testing.
>
> Thanks in advance,
> Alex McKenzie
> alex at chem.umass.edu
>
>
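The discrepancy between steps 4 and 6 of the post (user SIDs under the CHEMBMB domain SID, server reporting its own SL1 domain SID) can be checked mechanically. The script below is an added example, not code from the post or from Samba: it parses `net getdomainsid` output and the "invalid SID" log lines, splits each user SID into domain prefix and RID, and reports which known domain the prefix belongs to and whether that is the server's own domain. The sample strings are constructed from the values quoted above, and the reading that a standalone server only accepts SIDs under its local domain SID is an assumption, not something the post states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the post: `net getdomainsid` output on sl1 and the two
# "invalid SID" log lines (line-wrapped as they were in the message).
GETDOMAINSID_OUTPUT = """\
SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
"""
SAMPLE_LOG = """\
[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User spalmer with invalid SID
  S-1-5-21-4167008922-1292391803-4044586981-21004 in passdb
[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User amckenzie with invalid SID
  S-1-5-21-4167008922-1292391803-4044586981-21006 in passdb
"""

DOMSID_RE = re.compile(r"SID for domain (\S+) is: (S-[\d-]+)")
LOG_RE = re.compile(r"User (\S+) with invalid SID\s+(S-[\d-]+) in passdb")
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")  # account SID: domain prefix + RID

def parse_domain_sids(text: str) -> Dict[str, str]:
    """Map domain name -> domain SID from `net getdomainsid` output."""
    return dict(DOMSID_RE.findall(text))

def split_sid(sid: str) -> Tuple[str, int]:
    """Split an account SID into (domain prefix, RID); reject non-account SIDs."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an S-1-5-21 account SID: {sid}")
    rid = m.group(1)
    return sid[: -len(rid) - 1], int(rid)

def audit_invalid_sids(log: str, server_domain: str, domains: Dict[str, str]) -> List[dict]:
    """For each 'invalid SID' line, record which known domain the SID prefix belongs
    to and whether it is the server's own domain (assumed to be what passdb checks)."""
    by_sid = {v: k for k, v in domains.items()}
    findings = []
    for user, sid in LOG_RE.findall(log):
        prefix, rid = split_sid(sid)
        owner: Optional[str] = by_sid.get(prefix)
        findings.append({"user": user, "rid": rid, "sid_domain": owner,
                         "matches_server": owner == server_domain})
    return findings

if __name__ == "__main__":
    for f in audit_invalid_sids(SAMPLE_LOG, "SL1", parse_domain_sids(GETDOMAINSID_OUTPUT)):
        print(f)
```

Run against real logs, a finding with `matches_server` false for every listed user points at the SID prefix rather than at the individual accounts.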