[Samba] Samba 3.6.6 - Debian 7

[Denis Cardon]

Hi Marco,

> I use Samba + Ldapas a domain controller but after the update the
> version of Debian6 to Debain 7I can't authenticate my users in the Samba
> server.
>
> logs:
>
>
> [2013/05/23 08:29:55.811240,  1] auth/server_info.c:386(samu_to_SamInfo3)
>    The primary group domain
> sid(S-1-5-21-3651478259-4121578499-3132057975-513) does not match the
> domain sid(S-1-5-21-3182595135-1874831366-4239877494) for
> user(S-1-5-21-3182595135-1874831366-4239877494-60012)
> [2013/05/23 08:29:55.811383,  0]
> auth/check_samsec.c:491(check_sam_security)
>    check_sam_security: make_server_info_sam() failed with
> 'NT_STATUS_UNSUCCESSFUL'
>
>
> # net getlocalsid
> SID for domain ROCKY is: S-1-5-21-2260219023-4180104146-1160048873
>
> # net getdomainsid
> SID for local machine ROCKY is: S-1-5-21-2260219023-4180104146-1160048873
> SID for domain PRINTERRESERVA is: S-1-5-21-3651478259-4121578499-3132057975
>
> #pdbedit -v user
> User SID: S-1-5-21-3182595135-1874831366-4239877494-60012
> Primary Group SID: S-1-5-21-3651478259-4121578499-3132057975-513

You user SID is composed of the domain SID (ie 
S-1-5-21-3182595135-1874831366-4239877494-60012), which is the same for 
all users and groups of a domain, and the end part which is the user RID 
(relative ID) -60012.

Same thing for your group SID.

So you can see here that the domain SID part of the user SID is not the 
same as the domain SID S-1-5-21-3651478259-4121578499-3132057975. That 
is what your debug log message basically says. I don't think that it is 
just a squeeze to wheezy upgrade that would have messed'up that much 
with you ldap entries. You should double check your ldap.

And take a look at samba4, it is much easier to setup and manage.

Cheers,

Denis





>
> Thanks,
>
>
> Marcos.
>


-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr