samba-users May 2010 archive

Re: [Samba] Samba/LDAP share issue -- user with invalid SID

From: Alex McKenzie <alex_at_nospam>
Date: Tue May 18 2010 - 13:59:05 GMT
To: samba@lists.samba.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I do have smbldap tools installed and, as far as I can tell, set up.

net join CHEMBMB -U Administrator returns "cannot join as standalone
machine".

The LDAP structure may be the issue... I don't think computer accounts
were ever set up on the current server (the last server was done by the
guy who used to do my job, who left basically no documentation), because
I wasn't aware they were necessary for this. We're not planning to use
Samba/LDAP for Windows authentication (only Mac, which doesn't require
any sort of machine account, and Linux, which also doesn't require a
machine account), and if we do decide to do Windows auth with Samba, it
won't be using SL1.

SL1 is only a file server -- it's for a small research group, and there
will eventually be a bunch of them, possibly as many as 30-40. The
system that LDAP runs on will eventually become a PDC, if necessary, but
for now Samba isn't even installed. If that's the issue, I'll feel
stupid, but grateful that someone pointed me in the right direction.
Let me know what to try next... as I said initially, I'm quite out of my
depth.

I haven't been testing with a Windows machine, and I did something to
completely break SL1 yesterday, so I can't test it right now. (I
changed something in smb.conf, and now Samba won't start -- I need to
figure out what that is before I go any further.)

- -Alex

tms3@tms3.com wrote:
>
>> How do I get the server to join CHEMBMB?
>
> I may have been hasty, but I don't have a proper domain to check at the
> moment. However:
>
> Do you have smbldap-tools installed and set up on sl1?
>
> Did you ever issue
>
> net join CHEMBMB -U Administrator
>
> from sl1?
>
> Check your ldap structure. You should have a computer with an LDIF that
> looks like this:
>
> dn: uid=zaphod$, ou=computers, dc=mydomain,dc=com
> sambaPrimaryGroupSID: S-1-5-21-1498823292-3530380933-788562438-515
> sambaDomainName: MYDOMAIN
> displayName: zaphod$
> objectClass: posixAccount
> objectClass: account
> objectClass: sambaSamAccount
> sambaLogonTime: 0
> uid: zaphod$
> uidNumber: 41328
> cn: zaphod$
> sambaLogoffTime: 2147483647
> sambaPwdLastSet: 1267756286
> sambaAcctFlags: [S ]
> loginShell: /bin/false
> gidNumber: 553
> sambaPwdMustChange: 2147483647
> sambaNTPassword: 3509E1ED1B7398134D9D429474E47386
> sambaPwdCanChange: 0
> sambaSID: S-1-5-21-1498823292-3530380933-788562438-83656
> gecos: Computer
> description: Computer
> homeDirectory: /dev/null
> sambaKickoffTime: 2147483647
>
> ALSO, I assume you are using some kind of Windows work station for the
> users, so what error does Windows display when the users log in?
>
> Cheers,
>
> TMS III
>> I spent about two hours trying
>> to get the two SIDs to be the same, with no success. I assumed that was
>> part of the issue, but I finally gave up on making it work. I assume
>> I'd use "net setlocalsid", which shows the following:
>>
>> root@sl1:~# net getdomainsid
>> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
>> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>> root@sl1:~# net setlocalsid S-1-5-21-4167008922-1292391803-4044586981
>> root@schnelllab1:~# net getdomainsid
>> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
>> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>>
>> If there's something else I should be doing, I'd love to know what it is!
>>
>> - -Alex
>>
>>>>>
>>>>> 8) testparm on sl1 returns the following:
>>>>>
>>>>> Load smb config files from /etc/samba/smb.conf
>>>>> Processing section "[homes]"
>>>>> Processing section "[itadmins]"
>>>>> Loaded services file OK.
>>>>> Server role: ROLE_STANDALONE
>>>>> Press enter to see a dump of your service definitions
>>>>>
>>>>> [global]
>>>>> workgroup = CHEMBMB
>>>>> server string = %h server (Samba, Ubuntu)
>>>>> map to guest = Bad User
>>>>> obey pam restrictions = Yes
>>>>> passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
>>>>> pam password change = Yes
>>>>> passwd program = /usr/bin/passwd %u
>>>>> passwd chat = *Enter\snew\s*\spassword:* %n\n
>>>>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>>> unix password sync = Yes
>>>>> syslog = 255
>>>>> log file = /var/log/samba/log.%m
>>>>> max log size = 1000
>>>>> dns proxy = No
>>>>> ldap admin dn = cn=admin,dc=cns
>>>>> ldap group suffix = ou=Chemistry groups
>>>>> ldap suffix = ou=Chemistry,dc=cns
>>>>> ldap ssl = no
>>>>> ldap user suffix = ou=Chemistry users
>>>>> usershare allow guests = Yes
>>>>> panic action = /usr/share/samba/panic-action %d
>>>>> invalid users = root
>>>>>
>>>>> [homes]
>>>>> comment = Home Directories
>>>>> read only = No
>>>>> browseable = No
>>>>>
>>>>> [itadmins]
>>>>> comment = Shared directory for the IT group
>>>>> path = /home/itadmins
>>>>> valid users = spalmer, amckenzie
>>>>> read only = No
>>>>> create mask = 0665
>>>>> directory mask = 0775
>>>>>
>>>>> Any advice would be appreciated -- I'm well beyond my understanding of
>>>>> samba at the moment, and my understanding of samba is well beyond what
>>>>> it was 48 hours ago. At the moment neither server is mission critical,
>>>>> so tests that take them temporarily off-line are possible. By early
>>>>> next week things will be authenticating against the LDAP server (we've
>>>>> got no choice -- the old LDAP server is failing fast), so I won't be
>>>>> able to take it down for testing.
>>>>>
>>>>> Thanks in advance,
>>>>> Alex McKenzie
>>>>> alex@chem.umass.edu
>>>>>
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.4.8 (Darwin)
>>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>>>
>>>> iEUEARECAAYFAkvxjXAACgkQWFYfIucpZ2OA2QCY5Ah0KkHwr2QGuCF/jCGf/dDr
>>>> zwCfbXwvHr50j7vZZTuSJxLels7Izv8=
>>>> =58HV
>>>> -----END PGP SIGNATURE-----
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.8 (Darwin)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iEYEARECAAYFAkvyk6wACgkQWFYfIucpZ2NCiQCfWaicXsuhA6P01Pbw9xeanUql
>> dqEAn2Z31M+dqjlIKG5uciscBsTB9Rl0
>> =LAsj
>> -----END PGP SIGNATURE-----
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvynSgACgkQWFYfIucpZ2OuBACfQSFJevBKOozQW10vET9q08yK
DKQAnRXbDj34yLU6ctBzWPIEEIiLiOgX
=Z8VF
-----END PGP SIGNATURE-----
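The thread turns on whether the SIDs Samba has handed out match the domain SID: `net getdomainsid` shows two different SIDs on sl1, and TMS III asks Alex to check the LDAP entries. The script below is an added example (not code from the thread or from the Samba project) that automates that check: it parses the `net getdomainsid` output, parses an LDIF dump of the sambaSamAccount entries, and reports every `sambaSID` or `sambaPrimaryGroupSID` whose domain part is not the SID you expect. The LDIF entries are constructed for the example; only the two SIDs in `NET_OUTPUT` come from the thread.

```python
"""Check which LDAP accounts carry SIDs from a given Samba domain.

Added example, not code from the thread.  NET_OUTPUT is the `net getdomainsid`
output quoted in the thread; SAMPLE_LDIF is constructed for the example and
models a user whose SID was minted under the server's own SID instead of the
domain's (the "user with invalid SID" case).
"""
import re

# A domain SID looks like S-1-5-21-a-b-c; an account SID appends a RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-\d+)?$")

# `net getdomainsid` output as quoted in the thread (sample input).
NET_OUTPUT = """\
SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
"""

# Constructed LDIF: alice belongs to CHEMBMB, bob's sambaSID was issued under
# SL1's own SID, and a computer account shaped like the one TMS III quoted.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Chemistry users,ou=Chemistry,dc=cns
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-4167008922-1292391803-4044586981-1000
sambaPrimaryGroupSID: S-1-5-21-4167008922-1292391803-4044586981-513

dn: uid=bob,ou=Chemistry users,ou=Chemistry,dc=cns
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-1557386430-3227286864-500253393-1002
sambaPrimaryGroupSID: S-1-5-21-4167008922-1292391803-4044586981-513

dn: uid=sl1$,ou=computers,ou=Chemistry,dc=cns
objectClass: sambaSamAccount
uid: sl1$
sambaSID: S-1-5-21-4167008922-1292391803-4044586981-1100
"""


def parse_getdomainsid(output):
    """Map each name printed by `net getdomainsid` to its SID.

    Older Samba prints "SID for domain X is:", newer prints
    "SID for local machine X is:" for the server's own SID; accept both.
    """
    sids = {}
    for line in output.splitlines():
        m = re.match(r"SID for (?:domain|local machine) (\S+) is: (S-[\d-]+)", line.strip())
        if m:
            sids[m.group(1)] = m.group(2)
    return sids


def sid_prefix(sid):
    """Return the domain part of a SID (drop the trailing RID, if any)."""
    if not SID_RE.match(sid):
        raise ValueError("not a domain-style SID: %r" % sid)
    parts = sid.split("-")          # ['S','1','5','21',a,b,c(,rid)]
    return "-".join(parts[:7])


def parse_ldif(text):
    """Minimal LDIF reader: entries are blank-line separated, attributes
    multi-valued.  Enough for ldapsearch -LLL style dumps."""
    entries, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        cur.setdefault(key.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def check_entries(entries, domain_sid):
    """Return (dn, attribute, sid) for every SID not issued under domain_sid."""
    problems = []
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            for sid in entry.get(attr, []):
                if sid_prefix(sid) != domain_sid:
                    problems.append((dn, attr, sid))
    return problems


if __name__ == "__main__":
    sids = parse_getdomainsid(NET_OUTPUT)
    for name, sid in sids.items():
        print("%-8s %s" % (name, sid))
    for dn, attr, sid in check_entries(parse_ldif(SAMPLE_LDIF), sids["CHEMBMB"]):
        print("MISMATCH %s: %s = %s" % (dn, attr, sid))
```

On a real server, feed `parse_getdomainsid` the output of `net getdomainsid` and `parse_ldif` the output of an `ldapsearch` over the `ldap suffix` from smb.conf; every entry the check lists will be rejected by Samba as belonging to a foreign domain, which is the symptom the thread describes.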