[Samba] invalid SID in passdb on stand-alone file server with ldapsam

Frank Van Damme frank.vandamme at gmail.com
Wed Jul 13 05:38:44 MDT 2011


2011/7/12 Frank Van Damme <frank.vandamme at gmail.com>:
> 2011/7/12 Frank Van Damme <frank.vandamme at gmail.com>:
>> hello!
>>
>> I got some log message I can't explain. When I log in to a server it says:
>>
>> [2011/07/12 14:20:41.784580,  0] passdb/passdb.c:627(lookup_global_sam_name)
>>   User frvdamme with invalid SID S-1-5-21-2863620551-4077714424-203869783-5020 in passdb
>>
>> It's a standalone file server, no domain, and the password backend is
>> (open)ldap. Samba is version 3.5.6 on Debian 6.0. Using the server
>> actually works well, I can allow/deny access to shares based on groups
>> etc. But I can't see user names in the security tab in Windows
>> explorer (I only see the sid). As a consequence, I also can't set
>> permissions from Windows.
>>
>> In fact, to be more precise, users and groups that exist locally on
>> the system *do* show up in the security tab. Those in ldap do not.
>
> OK, replying to myself: the problem turned out to be the fact that my
> "samba-admin" ldap user wasn't allowed to read the sambaSID attribute.
> Now onto setting permissions :-)


There's another problem. I can't change a group or user via Windows
(changing permissions works). Windows complains the object name for a
certain group, which exists in ldap, can not be found.
When I click "advanced" to get to the "select users or groups" dialog,
I'm asked for a username and password. I give my credentials again,
click "find now", and the resulting list contains none of my ldap
users or groups. I only have dialup, everyone, interactive, local
service, network, network service, remote interactive logon, service,
system, and terminal server user.

Also, nothing at all is logged when I click "find now". I have the log
level for auth, sam and passdb up to 10 in smb.conf.
When I click on the "security" tab of a file's properties dialog, this
is written to the log:



[2011/07/13 11:25:48.092217, 10] passdb/pdb_get_set.c:608(pdb_set_username)
  pdb_set_username: setting username frvdamme, was
[2011/07/13 11:25:48.092341, 10] passdb/pdb_get_set.c:631(pdb_set_domain)
  pdb_set_domain: setting domain AMUNDSEN, was
[2011/07/13 11:25:48.092408, 10] passdb/pdb_get_set.c:654(pdb_set_nt_username)
  pdb_set_nt_username: setting nt username frvdamme, was
[2011/07/13 11:25:48.092473, 10] passdb/pdb_get_set.c:677(pdb_set_fullname)
  pdb_set_full_name: setting full name frvdamme, was
[2011/07/13 11:25:48.092548, 10] passdb/pdb_get_set.c:770(pdb_set_homedir)
  pdb_set_homedir: setting home dir \\amundsen\frvdamme, was
[2011/07/13 11:25:48.092615, 10] passdb/pdb_get_set.c:746(pdb_set_dir_drive)
  pdb_set_dir_drive: setting dir drive , was NULL
[2011/07/13 11:25:48.092682, 10] passdb/pdb_get_set.c:700(pdb_set_logon_script)
  pdb_set_logon_script: setting logon script , was
[2011/07/13 11:25:48.092785, 10] passdb/pdb_get_set.c:723(pdb_set_profile_path)
  pdb_set_profile_path: setting profile path \\amundsen\frvdamme\profile, was
[2011/07/13 11:25:48.092978, 10] passdb/pdb_get_set.c:813(pdb_set_workstations)
  pdb_set_workstations: setting workstations , was
[2011/07/13 11:25:48.093102, 10] passdb/pdb_get_set.c:537(pdb_set_user_sid)
  pdb_set_user_sid: setting user sid S-1-5-21-2863620551-4077714424-203869783-5020
[2011/07/13 11:25:48.093174, 10] passdb/pdb_compat.c:72(pdb_set_user_sid_from_rid)
  pdb_set_user_sid_from_rid:
  	setting user sid S-1-5-21-2863620551-4077714424-203869783-5020 from rid 5020
[2011/07/13 11:25:48.093277, 10] passdb/pdb_get_set.c:595(pdb_set_group_sid)
  pdb_set_group_sid: setting group sid S-1-5-21-2863620551-4077714424-203869783-5021
[2011/07/13 11:25:48.168645, 10] passdb/pdb_get_set.c:608(pdb_set_username)
  pdb_set_username: setting username frvdamme, was
[2011/07/13 11:25:48.168743, 10] passdb/pdb_get_set.c:631(pdb_set_domain)
  pdb_set_domain: setting domain AMUNDSEN, was
[2011/07/13 11:25:48.168809, 10] passdb/pdb_get_set.c:654(pdb_set_nt_username)
  pdb_set_nt_username: setting nt username frvdamme, was
[2011/07/13 11:25:48.168961, 10] passdb/pdb_get_set.c:677(pdb_set_fullname)
  pdb_set_full_name: setting full name frvdamme, was
[2011/07/13 11:25:48.169045, 10] passdb/pdb_get_set.c:770(pdb_set_homedir)
  pdb_set_homedir: setting home dir \\amundsen\frvdamme, was
[2011/07/13 11:25:48.169111, 10] passdb/pdb_get_set.c:746(pdb_set_dir_drive)
  pdb_set_dir_drive: setting dir drive , was NULL
[2011/07/13 11:25:48.169178, 10] passdb/pdb_get_set.c:700(pdb_set_logon_script)
  pdb_set_logon_script: setting logon script , was
[2011/07/13 11:25:48.169249, 10] passdb/pdb_get_set.c:723(pdb_set_profile_path)
  pdb_set_profile_path: setting profile path \\amundsen\frvdamme\profile, was
[2011/07/13 11:25:48.169315, 10] passdb/pdb_get_set.c:813(pdb_set_workstations)
  pdb_set_workstations: setting workstations , was
[2011/07/13 11:25:48.169441, 10] passdb/pdb_get_set.c:537(pdb_set_user_sid)
  pdb_set_user_sid: setting user sid S-1-5-21-2863620551-4077714424-203869783-5020
[2011/07/13 11:25:48.169514, 10] passdb/pdb_compat.c:72(pdb_set_user_sid_from_rid)
  pdb_set_user_sid_from_rid:
  	setting user sid S-1-5-21-2863620551-4077714424-203869783-5020 from rid 5020
[2011/07/13 11:25:48.169615, 10] passdb/pdb_get_set.c:595(pdb_set_group_sid)
  pdb_set_group_sid: setting group sid S-1-5-21-2863620551-4077714424-203869783-5021
[2011/07/13 11:25:48.176588, 10] passdb/pdb_get_set.c:608(pdb_set_username)
  pdb_set_username: setting username frvdamme, was
[2011/07/13 11:25:48.176671, 10] passdb/pdb_get_set.c:631(pdb_set_domain)
  pdb_set_domain: setting domain AMUNDSEN, was
[2011/07/13 11:25:48.176737, 10] passdb/pdb_get_set.c:654(pdb_set_nt_username)
  pdb_set_nt_username: setting nt username frvdamme, was
[2011/07/13 11:25:48.176803, 10] passdb/pdb_get_set.c:677(pdb_set_fullname)
  pdb_set_full_name: setting full name frvdamme, was
[2011/07/13 11:25:48.176949, 10] passdb/pdb_get_set.c:770(pdb_set_homedir)
  pdb_set_homedir: setting home dir \\amundsen\frvdamme, was
[2011/07/13 11:25:48.177026, 10] passdb/pdb_get_set.c:746(pdb_set_dir_drive)
  pdb_set_dir_drive: setting dir drive , was NULL
[2011/07/13 11:25:48.177094, 10] passdb/pdb_get_set.c:700(pdb_set_logon_script)
  pdb_set_logon_script: setting logon script , was
[2011/07/13 11:25:48.177165, 10] passdb/pdb_get_set.c:723(pdb_set_profile_path)
  pdb_set_profile_path: setting profile path \\amundsen\frvdamme\profile, was
[2011/07/13 11:25:48.177231, 10] passdb/pdb_get_set.c:813(pdb_set_workstations)
  pdb_set_workstations: setting workstations , was
[2011/07/13 11:25:48.177337, 10] passdb/pdb_get_set.c:537(pdb_set_user_sid)
  pdb_set_user_sid: setting user sid S-1-5-21-2863620551-4077714424-203869783-5020
[2011/07/13 11:25:48.177425, 10] passdb/pdb_compat.c:72(pdb_set_user_sid_from_rid)
  pdb_set_user_sid_from_rid:
  	setting user sid S-1-5-21-2863620551-4077714424-203869783-5020 from rid 5020
[2011/07/13 11:25:48.177549, 10] passdb/pdb_get_set.c:595(pdb_set_group_sid)
  pdb_set_group_sid: setting group sid S-1-5-21-2863620551-4077714424-203869783-5021

I'm just wondering if I overlooked something - permissions on ldap are
fine now, I'm not using ACLs yet - or if I'm hit by
https://bugzilla.samba.org/show_bug.cgi?id=7623 .


-- 
Frank Van Damme
No part of this copyright message may be reproduced, read or seen,
dead or alive or by any means, including but not limited to telepathy
without the benevolence of the author
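
An added example, not part of the original post or of Samba: one way to confirm the fix described in the quoted reply is to search the directory while bound as the Samba LDAP user and flag every sambaSamAccount entry that comes back without a visible sambaSID. The DNs, the second user and the function names below are constructed for illustration.

```python
import base64

# Constructed sample: LDIF as printed by a search bound as the Samba LDAP user,
#   ldapsearch -x -LLL -D <bind DN> -W -b <base> '(objectClass=sambaSamAccount)' uid sambaSID
# The DNs and user "jdoe" are invented; the SID is the one from the log above,
# folded onto a continuation line the way LDIF may wrap long values.
SAMPLE_LDIF = """\
dn: uid=frvdamme,ou=people,dc=example,dc=org
uid: frvdamme
sambaSID: S-1-5-21-2863620551-4077714424-2038
 69783-5020

dn: uid=jdoe,ou=people,dc=example,dc=org
uid: jdoe
"""


def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute name -> list of values."""
    lines = []
    for raw in text.splitlines():
        # A line starting with a single space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if not line.strip():              # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):          # LDIF comment
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.lower(), []).append(value.strip())
    return entries


def accounts_without_sid(ldif_text):
    """DNs of returned entries in which the bind user saw no sambaSID value."""
    return [e["dn"][0] for e in parse_ldif(ldif_text)
            if "dn" in e and not e.get("sambasid")]


if __name__ == "__main__":
    for dn in accounts_without_sid(SAMPLE_LDIF):
        print("sambaSID not readable for", dn)
```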

