This seems to be fixed now.

I had two sambaDomain records. One had the correct base SID, the other had an incorrect one. Although the user SID was correct, the group SID was not, as it was being generated from the incorrect sambaDomain record. It was unfortunate that the error message said it was the user SID that was incorrect, when it was actually the group SID. To further confuse things the user LDAP entry has a value sambaPrimaryGroupSID which was correct, but appears not to be used. I only found the invalid group SID being generated by using pdbedit -Lv user, following a hint on another list.

Graham


Rob Shinn wrote:
Do you have a complete sambaDomain record in your LDAP and is it at
the root level of the LDAP structure?

On 12/19/08, Graham Seaman <[email protected]> wrote:
Hi,

I'm trying to set up samba with ldap authorization on a windows network.
I have samba running on one linux host, and openldap on another. I have
used smbldap-tools to populate my directory and used smbldap-useradd to
create an initial testuser on the samba host. I can ssh in to the samba
host as the testuser ok, and get in to the testuser directory (i.e. there
are no permission problems). But if I try to do `smbclient
//DOMAIN/testuser -U testuser` I get 'tree connect failed:
NT_STATUS_ACCESS_DENIED'. Looking at the samba log, I see:


[2008/12/19 17:08:30, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
init_sam_from_ldap: Entry found for user: testuser
[2008/12/19 17:08:30, 2] passdb/pdb_ldap.c:init_group_from_ldap(2162)
init_group_from_ldap: Entry found for group: 513
[2008/12/19 17:08:30, 0] passdb/passdb.c:lookup_global_sam_name(596)
User testuser with invalid SID
S-1-5-21-1306896613-1613859276-828620297-3000 in passdb
[2008/12/19 17:08:30, 2] smbd/service.c:make_connection_snum(616)  user
'testuser' (from session setup) not permitted to access this share
(testuser)

net getlocalsid on the samba host gives:
SID for domain DOMAIN is: S-1-5-21-1306896613-1613859276-828620297

which matches the 'invalid SID' above. Looking in the ldap directory, I
see the uidNumber for testuser is 1000. The smbldap-tools documentation
say the algorithm to go from uid to sid is sid = 2 * uid + 1000, which
also matches the 'invalid SID'.

Any suggestions for what to do from here?

Thanks
Graham

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
