[Samba] Samba/LDAP share issue -- user with invalid SID

Alex McKenzie alex at chem.umass.edu
Mon May 17 12:39:44 MDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So no one has any guesses on this?  I've found nothing new, so any help
at all would be appreciated...

-Alex

Alex McKenzie wrote:
> Greetings,
> 
>   While I've seen this referred to in a lot of places, I haven't yet found
> a posted solution that works for me.  Testing has been done from a Mac
> running OSX 10.5.8.  Here's what I have so far:  if anyone can give me a
> next step to test, I'd appreciate it.  If anyone can give me a complete
> solution, I'd appreciate it even more. 8-)
> 
> 1) An LDAP server "mv", running Ubuntu 8.04 LTS.  Samba is not installed.
> 
> 2) A group file server "sl1", running Ubuntu 8.04 LTS.  LDAP is not
> installed.
> 
> 3) Users can successfully authenticate to sl1 against LDAP when
> connecting via SSH.  If their user directory exists (they have logged in
> via ssh) they can connect to their home directory through samba by
> connecting to smb://sl1.biochem.lgrt.nsm (a non-routable internal
> network), so I know samba is successfully connecting to the LDAP server.
> Traffic between the file server and the LDAP server is encrypted, as
> confirmed with tcpdump.
> 
> 4) When attempting to access a group share, the connection is refused,
> and the following shows up in the samba logs:  the share has users
> amckenzie and suzanne.
> 
> [2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
>   User spalmer with invalid SID
> S-1-5-21-4167008922-1292391803-4044586981-21004 in passdb
> [2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
>   User amckenzie with invalid SID
> S-1-5-21-4167008922-1292391803-4044586981-21006 in passdb
> 
> 5) All connections, successful or not, cause the following messages in
> the samba logs on sl1:
> 
> [2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_administrators(792)
>   create_builtin_administrators: Failed to create Administrators
> [2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_users(758)
>   create_builtin_users: Failed to create Users
> [2010/05/06 16:31:33, 0] param/loadparm.c:widelinks_warning(5718)
>   Share 'IPC$' has wide links and unix extensions enabled. These
> parameters are incompatible. Wide links will be disabled for this share.
> 
> 6) On sl1, net getdomainsid returns the following:
> 
> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
> 
> 7) Users have both user and group SIDs in the form
> "S-1-5-21-4167008922-1292391803-4044586981-[unique number]", which is
> generated according to the rules the smbldap tools use.
> 
> 8) testparm on sl1 returns the following:
> 
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[itadmins]"
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> Press enter to see a dump of your service definitions
> 
> [global]
> 	workgroup = CHEMBMB
> 	server string = %h server (Samba, Ubuntu)
> 	map to guest = Bad User
> 	obey pam restrictions = Yes
> 	passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
> 	pam password change = Yes
> 	passwd program = /usr/bin/passwd %u
> 	passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> 	unix password sync = Yes
> 	syslog = 255
> 	log file = /var/log/samba/log.%m
> 	max log size = 1000
> 	dns proxy = No
> 	ldap admin dn = cn=admin,dc=cns
> 	ldap group suffix = ou=Chemistry groups
> 	ldap suffix = ou=Chemistry,dc=cns
> 	ldap ssl = no
> 	ldap user suffix = ou=Chemistry users
> 	usershare allow guests = Yes
> 	panic action = /usr/share/samba/panic-action %d
> 	invalid users = root
> 
> [homes]
> 	comment = Home Directories
> 	read only = No
> 	browseable = No
> 
> [itadmins]
> 	comment = Shared directory for the IT group
> 	path = /home/itadmins
> 	valid users = spalmer, amckenzie
> 	read only = No
> 	create mask = 0665
> 	directory mask = 0775
> 
> 
> 
> Any advice would be appreciated -- I'm well beyond my understanding of
> samba at the moment, and my understanding of samba is well beyond what
> it was 48 hours ago.  At the moment neither server is mission critical,
> so tests that take them temporarily off-line are possible.  By early
> next week things will be authenticating against the LDAP server (we've
> got no choice -- the old LDAP server is failing fast), so I won't be
> able to take it down for testing.
> 
> Thanks in advance,
>   Alex McKenzie
>   alex at chem.umass.edu
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEUEARECAAYFAkvxjXAACgkQWFYfIucpZ2OA2QCY5Ah0KkHwr2QGuCF/jCGf/dDr
zwCfbXwvHr50j7vZZTuSJxLels7Izv8=
=58HV
-----END PGP SIGNATURE-----
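Added example, not part of the thread: the "User X with invalid SID Y in passdb" line quoted in item 4 is emitted by lookup_global_sam_name() in Samba 3's passdb/passdb.c when a passdb entry's SID does not sit under the SID Samba considers its own domain (the sid_check_is_in_our_domain() test). The Python script below reimplements that prefix comparison offline over the two `net getdomainsid` lines and the two user SIDs quoted above, so you can see which of the two domain SIDs the LDAP entries actually belong to before touching either server. It assumes that a ROLE_STANDALONE server uses its local machine SID (the SL1 one here) as "our domain"; the function names and the sample data are constructed for this example.

```python
import re

# Constructed sample data, copied from the post: the two lines printed by
# `net getdomainsid` on sl1 and the two user/SID pairs from the samba log.
GETDOMAINSID_OUTPUT = """\
SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
"""

PASSDB_ENTRIES = [
    ("spalmer", "S-1-5-21-4167008922-1292391803-4044586981-21004"),
    ("amckenzie", "S-1-5-21-4167008922-1292391803-4044586981-21006"),
]


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>...' into (revision, authority, [subs]).

    Raises ValueError for anything that is not a well-formed textual SID,
    which is also what a stray or truncated sambaSID attribute looks like.
    """
    parts = sid.strip().split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("malformed SID: %r" % sid)
    revision = int(parts[1])
    if revision != 1:
        raise ValueError("unsupported SID revision in %r" % sid)
    return revision, int(parts[2]), [int(p) for p in parts[3:]]


def split_domain_rid(sid):
    """Return (domain_sid, rid) for an account SID.

    Samba peels off the last sub-authority (the RID) and compares what is
    left with the server's own domain SID; this does the same split.
    """
    revision, authority, subs = parse_sid(sid)
    if len(subs) < 2:
        raise ValueError("SID carries no RID: %r" % sid)
    domain = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs[:-1]))
    return domain, subs[-1]


def parse_getdomainsid(output):
    """Parse `net getdomainsid` output into {DOMAIN_NAME: domain_sid}."""
    sids = {}
    for line in output.splitlines():
        m = re.match(r"SID for domain (\S+) is: (S-[\d-]+)\s*$", line)
        if m:
            sids[m.group(1)] = m.group(2)
    return sids


def check_passdb_sids(own_domain_sid, entries):
    """Re-run the prefix test behind 'User X with invalid SID Y in passdb'.

    Returns {user: 'ok' | 'invalid' | 'malformed'}. 'invalid' means the SID
    is well-formed but belongs to a different domain than own_domain_sid,
    which is the case the samba log on sl1 reports.
    """
    results = {}
    for user, sid in entries:
        try:
            domain, _rid = split_domain_rid(sid)
        except ValueError:
            results[user] = "malformed"
            continue
        results[user] = "ok" if domain == own_domain_sid else "invalid"
    return results


def explain(getdomainsid_output, entries):
    """Name which listed domain (if any) each entry's SID prefix matches,
    so a prefix mismatch is visible at a glance."""
    by_sid = {sid: name for name, sid in parse_getdomainsid(getdomainsid_output).items()}
    report = {}
    for user, sid in entries:
        try:
            domain, rid = split_domain_rid(sid)
        except ValueError:
            report[user] = "malformed"
            continue
        report[user] = "%s (rid %d)" % (by_sid.get(domain, "unknown domain"), rid)
    return report


if __name__ == "__main__":
    domains = parse_getdomainsid(GETDOMAINSID_OUTPUT)
    # Assumption: a ROLE_STANDALONE server treats its local machine SID (SL1)
    # as "our domain", so that is the prefix every passdb SID is checked against.
    for user, verdict in check_passdb_sids(domains["SL1"], PASSDB_ENTRIES).items():
        print("%-10s %s" % (user, verdict))
    for user, where in explain(GETDOMAINSID_OUTPUT, PASSDB_ENTRIES).items():
        print("%-10s belongs to %s" % (user, where))
```

Run against the quoted data, both users come back "invalid" when checked against the SL1 SID and "ok" when checked against the CHEMBMB SID, which is the same verdict Samba's log shows: the entries are well-formed smbldap-style SIDs, they just carry a domain prefix the standalone server does not recognise as its own. Swapping in your own `net getdomainsid` output and a dump of sambaSID values from LDAP lets you check every account the same way.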

