Hi John:
Thanks a lot for your detailed explanations!
On 19.08.2008 18:35:48 John H Terpstra wrote:
> Inside the NTUSER.DAT file, that you will find in the user's profile
> directory on the Samba server, is stored the SID of the user who owns
> the profile. If for any reason the user's SID is changed the user
> will no longer be able to access that profile.
> You can list the SIDs inside the NTUSER.DAT file using the Samba
> "profiles" tool.
O.k., I did that, and /basically/ the differences between the "working"
and the "non-working" accounts are in the "Owner SID" and "Trustee SID"
fields, plus many diffs in stuff like "ACL for
$$$PROTO.HIV\Software\Microsoft\Protected Storage System Provider\<user
sid>".
Maybe I should add that I didn't create the accounts using Samba, but
through a hack to the Kolab groupware server which also uses LDAP as
backend. The hack assigns User and Group SID as
User SID == S-1-5-21-<number a>-<number b>-<number c>-<posix uid>;
posix uid = 2000, 2001, ..., 2999
Group SID == S-1-5-21-<number a>-<number b>-<number c>-3001
where <number a>-<number b>-<number c> is taken from the "net
getlocalsid" output.
Maybe this approach is plain wrong, i.e. do I have to assign the SIDs
in a different way? When I look at extra Samba group mappings created
with LAM, the spacing is always /2/, i.e. group numbers are 3001, 3003,
3005, etc. Is that a requirement which explains the effects if I don't
follow them?
> Disabling of the profile ownership is usually a red-flag that there
> is a problem with the consistency between the user SIDs stored in
> NTUSER.DAT and the current SID reported through Samba. This is what
> should be fixed, rather than using a sledge-hammer to get around the
> problem. Work-arounds often have side-effects.
O.k., got the message ;-)
> Have you recently changed the domain (workgroup) name or the machine
> name? Either will change the Domain and/or machine SID.
Nope. Initialised LDAP using 'smbldap-populate -b guest -l 65534 -a
myadmin'. Joined a workstation to the domain, and never touched any
setting afterwards.
> Check out the use of the "net" utility to set/record your domain and
> machine SIDs:
> net getdomainsid
SID for domain MY-PDC is: S-1-5-21-<number a>-<number b>-<number c>
SID for domain MY-DOMIAN is: S-1-5-21-<number a>-<number b>-<number c>
> net getmachinesid
Hmm, says "No command: getmachinesid"? In LDAP, the machine sid of the
workstation is "S-1-5-21-<number a>-<number b>-<number c>-1001".
> net getlocalsid
SID for domain MY-PDC is: S-1-5-21-<number a>-<number b>-<number c>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
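As an added example (not part of the thread, nor Samba's own code), a small Python check for the consistency problem John describes: it splits domain SIDs into prefix and RID, compares a profile's Owner SID (as listed by the `profiles` tool) against the account's current SID and the `net getlocalsid` value, and computes the RIDs Samba's classic algorithmic mapping (rid = 2*uid + `algorithmic rid base`, default 1000, for users; 2*gid + base + 1 for groups) would assign, which is where LAM's odd, spacing-of-2 group RIDs come from. The domain SID and account values below are constructed placeholders.

```python
import re

# Constructed placeholder standing in for the <number a>-<number b>-<number c>
# prefix printed by "net getlocalsid"; not a real domain SID.
LOCAL_SID = "S-1-5-21-111111111-222222222-333333333"

_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split a domain SID into (domain prefix, RID); reject anything else."""
    m = _SID_RE.match(sid)
    if m is None:
        raise ValueError("not a domain SID: %r" % sid)
    return m.group(1), int(m.group(2))


def algorithmic_user_rid(uid, base=1000):
    """User RID under Samba's classic algorithmic mapping: 2*uid + base."""
    return 2 * uid + base


def algorithmic_group_rid(gid, base=1000):
    """Group RID under the same mapping: 2*gid + base + 1 (always odd)."""
    return 2 * gid + base + 1


def diagnose_profile(owner_sid, account_sid, local_sid=LOCAL_SID):
    """Explain why the Owner SID stored in NTUSER.DAT no longer matches the
    account's current SID. Returns a list of findings; empty means they agree."""
    findings = []
    owner_dom, owner_rid = split_sid(owner_sid)
    acct_dom, acct_rid = split_sid(account_sid)
    if owner_dom != local_sid:
        findings.append("profile owner SID carries a foreign domain/machine SID")
    if acct_dom != local_sid:
        findings.append("account SID does not carry the local domain SID")
    if owner_dom == acct_dom and owner_rid != acct_rid:
        findings.append("same domain but RID changed: %d -> %d" % (owner_rid, acct_rid))
    return findings


if __name__ == "__main__":
    # The hack from the thread gives posix uid 2000 the RID 2000; the algorithmic
    # mapping would instead give 5000, so a profile created under one scheme is
    # unreadable once the account is re-mapped under the other.
    print(diagnose_profile(LOCAL_SID + "-2000", LOCAL_SID + "-5000"))
    print([algorithmic_group_rid(g) for g in (1000, 1001, 1002)])  # LAM-style 3001, 3003, 3005
```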