samba-users May 2010 archive
Main Archive Page > Month Archives  > samba-users archives
samba-users: [Samba] Samba/LDAP share issue -- user with invalid

[Samba] Samba/LDAP share issue -- user with invalid SID

From: Alex McKenzie <alex_at_nospam>
Date: Thu May 06 2010 - 20:36:02 GMT

Hash: SHA1


  While I've seen this referred to a lot of places, I haven't yet found
a posted solution that works for me. Testing has been done from a Mac
running OSX 10.5.8 Here's what I have so far: if anyone can give me a
next step to test, I'd appreciate it. If anyone can give me a complete
solution, I'd appreciate it even more. 8-)

1) An LDAP server "mv", running Ubuntu 8.04 LTS. Samba is not installed.

2) A group file server "sl1", running Ubuntu 8.04 LTS. LDAP is not

3) Users can successfully authenticate to sl1 against LDAP when
connecting via SSH. If their user directory exists (they have logged in
via ssh) they can connect to their home directory through samba by
connecting to smb://sl1.biochem.lgrt.nsm (a non-routable internal
network), so I know samba is successfully connecting to the LDAP server.
 Traffic between the file server and the LDAP server is encrypted, as
confirmed with tcpdump.

4) When attempting to access a group share, the connection is refused,
and the following shows up in the samba logs: the share has users
amckenzie and suzanne.

[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User spalmer with invalid SID
S-1-5-21-4167008922-1292391803-4044586981-21004 in passdb
[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User amckenzie with invalid SID
S-1-5-21-4167008922-1292391803-4044586981-21006 in passdb

5) All connections, successful or not, cause the following messages in
the samba logs on sl1:

[2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_administrators(792)
  create_builtin_administrators: Failed to create Administrators
[2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2010/05/06 16:31:33, 0] param/loadparm.c:widelinks_warning(5718)
  Share 'IPC$' has wide links and unix extensions enabled. These
parameters are incompatible. Wide links will be disabled for this share.

6) On sl1, net getdomainsid returns the following:

SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981

7) Users have both user and group SIDs in the form
"S-1-5-21-4167008922-1292391803-4044586981-[unique number]", which is
generated according to the rules the smbldap tools use.

8) testparm on sl1 returns the following:

Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[itadmins]"
Loaded services file OK.
Press enter to see a dump of your service definitions

        workgroup = CHEMBMB
        server string = %h server (Samba, Ubuntu)
        map to guest = Bad User
        obey pam restrictions = Yes
        passdb backend = ldapsam:ldaps://
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 255
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        ldap admin dn = cn=admin,dc=cns
        ldap group suffix = ou=Chemistry groups
        ldap suffix = ou=Chemistry,dc=cns
        ldap ssl = no
        ldap user suffix = ou=Chemistry users
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        invalid users = root

        comment = Home Directories
        read only = No
        browseable = No

        comment = Shared directory for the IT group
        path = /home/itadmins
        valid users = spalmer, amckenzie
        read only = No
        create mask = 0665
        directory mask = 0775

Any advice would be appreciated -- I'm well beyond my understanding of
samba at the moment, and my understanding of samba is well beyond what
it was 48 hours ago. At the moment neither server is mission critical,
so tests that take them temporarily off-line are possible. By early
next week things will be authenticating against the LDAP server (we've
got no choice -- the old LDAP server is failing fast), so I won't be
able to take it down for testing.

Thanks in advance,
  Alex McKenzie

Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla -

-- To unsubscribe from this list go to the following URL and read the instructions: