[Samba] Samba 3.5 to 3.6

2013-02-05 Thread Jacky Carimalo

Reading :
http://wiki.samba.org/index.php/Samba_3.6_Features_added/changed
it seems there are options not to check for consistent SIDs.

Otherwise, I used the solution with :
net setlocalsid
and it worked for me.

Jacky

---
Here are the details of what I did:

BEFORE :

j-carimalo@j-carimalo-desktop:~$ smbclient //172.18.220.10/test -U j-carimalo

Enter j-carimalo's password:
session setup failed: NT_STATUS_UNSUCCESSFUL


root@doctoriale:/var/log/samba# vi log.j-carimalo-desktop

[2013/02/04 18:39:53.255226,  3] passdb/lookup_sid.c:1754(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for j-carimalo
[2013/02/04 18:39:53.255402,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-2904347395-2486898077-706273725-513) does not match the domain sid(S-1-5-21-1927198471-1056857077-4159082931) for j-carimalo(S-1-5-21-1927198471-1056857077-4159082931-14228)
[2013/02/04 18:39:53.255479,  0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
[2013/02/04 18:39:53.255684,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [j-carimalo] -> [j-carimalo] FAILED with error NT_STATUS_UNSUCCESSFUL
[2013/02/04 18:39:53.255731,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_UNSUCCESSFUL
[2013/02/04 18:39:53.256517,  3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)



root@doctoriale:/etc/samba# net getlocalsid
smbldap_search_domain_info: Adding domain info for DOCTO failed with NT_STATUS_UNSUCCESSFUL
SID for domain DOCTO is: S-1-5-21-2904347395-2486898077-706273725

root@doctoriale:/etc/samba# net getdomainsid
smbldap_search_domain_info: Adding domain info for DOCTO failed with NT_STATUS_UNSUCCESSFUL
SID for local machine DOCTO is: S-1-5-21-2904347395-2486898077-706273725
SID for domain DOCTO is: S-1-5-21-2904347395-2486898077-706273725

root@doctoriale:/etc/samba# pdbedit -v j-carimalo
WARNING: The "enable privileges" option is deprecated
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MSH))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_domain_info: Got no domain info entries for domain
add_new_domain_info: Adding new domain
add_new_domain_info: failed to add domain dn= sambaDomainName=MSH,dc=univ-nantes,dc=fr with: Referral
unknown
smbldap_search_domain_info: Adding domain info for MSH failed with NT_STATUS_UNSUCCESSFUL
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
init_sam_from_ldap: Entry found for user: j-carimalo
Unix username:j-carimalo
NT username:  j-carimalo
Account Flags:[UX ]
User SID: S-1-5-21-1927198471-1056857077-4159082931-14228
Primary Group SID:S-1-5-21-2942490213-4119275230-1086943613-513
Full Name:Jacky CARIMALO
Home Directory:   \\HOMESRV\j-carimalo
HomeDir Drive:Z:
Logon Script:
Profile Path: \\docto\j-carimalo\profile
Domain:   DOCTO
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  never
Kickoff time: never
Password last set:sam., 30 juin 2012 11:19:31 CEST
Password can change:  sam., 30 juin 2012 11:19:31 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours : FF



ACTION :

root@doctoriale:/etc/samba# net setlocalsid S-1-5-21-1927198471-1056857077-4159082931



AFTER :

root@doctoriale:/etc/samba# net getlocalsid
smbldap_search_domain_info: Adding domain info for DOCTO failed with NT_STATUS_UNSUCCESSFUL
SID for domain DOCTO is: S-1-5-21-1927198471-1056857077-4159082931

root@doctoriale:/etc/samba# net getdomainsid
smbldap_search_domain_info: Adding domain info for DOCTO failed with NT_STATUS_UNSUCCESSFUL
SID for local machine DOCTO is: S-1-5-21-1927198471-1056857077-4159082931
SID for domain DOCTO is: S-1-5-21-1927198471-1056857077-4159082931

root@doctoriale:

Re: [Samba] Samba 3.5 to 3.6

2012-05-24 Thread manfred
same problem here with a PC not in the same workgroup/domain

we had no problems accessing the server with user/password from another workgroup
since the update to 3.6.3 - now the user can't access and samba logs the error:

[2012/05/24 15:54:12.124757,  1] auth/server_info.c:391(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-133745353-162177866-37141012-513) does not match the domain sid(S-1-5-21-71619937-141952100-153857936) for bgsystem(S-1-5-21-71619937-141951100-153857936-4306)

with the correct user/password access to the share should always be granted!
with two Windows PCs this would work too.

is there a way to turn the consistency off or switch to the old behavior?

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba 3.5 to 3.6

2012-02-23 Thread Christian Ambach

On 02/23/2012 11:38 AM, marco.schaer...@proteomics.com wrote:

[2012/02/23 09:32:21.669389, 1] auth/server_info.c:391(samu_to_SamInfo3)
The primary group domain sid(S-1-5-21-463168302-511420122-2937072671-513) does not match the domain sid(S-1-5-21-706331994-863180292-319919955) for mos(S-1-5-21-706331994-863180292-319919955-5019)
[2012/02/23 09:32:21.669528, 0] auth/check_samsec.c:491(check_sam_security)
check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'


The entries for the domain and the users/groups are inconsistent.
Newer Samba versions added some more consistency checks.

So the primary group has domain SID
S-1-5-21-463168302-511420122-2937072671
while user "mos" has domain SID of
S-1-5-21-706331994-863180292-319919955

The domain SIDs need to be in sync to pass the semantical checks in Samba.

Cheers,
Christian
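
An added example (not part of the original thread and not Samba code): a small Python audit that applies the explanation above to `pdbedit -v` output, listing every stored User SID or Primary Group SID whose domain part differs from the server's local SID. The function names and the `alice` record are constructed for illustration; the `j-carimalo` values are the ones posted elsewhere in this thread.

```python
import re

# Domain-relative SID: S-1-5-21-<a>-<b>-<c>, optionally followed by a RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(-\d+)?$")
FIELDS = ("Unix username", "User SID", "Primary Group SID")

# Constructed sample in `pdbedit -L -v` layout; the alice record is made up.
SAMPLE = r"""
Unix username:j-carimalo
User SID: S-1-5-21-1927198471-1056857077-4159082931-14228
Primary Group SID:S-1-5-21-2942490213-4119275230-1086943613-513
Home Directory:   \\HOMESRV\j-carimalo
---------------
Unix username:        alice
User SID:             S-1-5-21-1927198471-1056857077-4159082931-3001
Primary Group SID:    S-1-5-21-1927198471-1056857077-4159082931-513
"""

def domain_sid(sid):
    """Drop the RID from a SID; None if it is not an S-1-5-21 domain SID."""
    return "-".join(sid.split("-")[:7]) if SID_RE.match(sid) else None

def parse_pdbedit(text):
    """Yield one dict of FIELDS per account; all other lines are ignored."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = (p.strip() for p in line.partition(":"))
        if not sep or key not in FIELDS:
            continue
        if key == "Unix username" and rec:  # a new record starts here
            yield rec
            rec = {}
        rec[key] = value
    if rec:
        yield rec

def audit(text, local_sid):
    """Return (user, field, sid) for each SID outside the local_sid domain."""
    findings = []
    for rec in parse_pdbedit(text):
        for field in FIELDS[1:]:
            sid = rec.get(field)
            if sid and domain_sid(sid) != local_sid:
                findings.append((rec.get("Unix username", "?"), field, sid))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "S-1-5-21-1927198471-1056857077-4159082931"):
        print("MISMATCH", *finding)
```

Feed it the text of `pdbedit -L -v` together with the SID printed by `net getlocalsid` to list mismatched accounts before upgrading.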


[Samba] Samba 3.5 to 3.6

2012-02-23 Thread marco . schaerfke

Dear reader,
I tried to switch my server from samba 3.5 to 3.6. Unfortunately I was 
not successful.


The smb.conf below works without any problems under 3.5


With 3.6.3 I get the following error:

[2012/02/23 09:32:21.669389,  1] auth/server_info.c:391(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-463168302-511420122-2937072671-513) does not match the domain sid(S-1-5-21-706331994-863180292-319919955) for mos(S-1-5-21-706331994-863180292-319919955-5019)
[2012/02/23 09:32:21.669528,  0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'




Any ideas ?

Cheers

Marco





[global]
workgroup = PSF
netbios name = rhea
server string = Test

local master = no
domain master = no
preferred master = no
os level = 100

load printers = no
security = user
passdb backend = ldapsam:"ldap://XXX ldap://YYY";
guest account = Gast
map acl inherit = yes
ldap suffix = dc=XXX
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=People
ldap admin dn = "XXX"
ldap ssl = start tls
ldap passwd sync = yes
ldap delete dn = no
socket options = TCP_NODELAY

interfaces = br0
bind interfaces only = Yes

wins support = no
wins server = 10.199.0.248
dns proxy = yes

keep alive = 60
deadtime = 15
log level = 1
read raw = yes
write raw = yes
oplocks = yes
kernel oplocks = yes
max xmit = 65535
getwd cache = yes

create mode = 0666
directory mask = 0777
short preserve case = no
preserve case = yes

name resolve order = host bcast
name cache timeout = 600
enable privileges = yes

Follow symlinks = yes
write cache size = 262144
strict allocate = yes
use sendfile = yes
encrypt passwords = true

unix charset = UTF-8
display charset = ISO8859-1
dos charset = 850

vfs objects = fileid
fileid:algorithm = fsid

[MyShare]
comment = Test
path = /data/local/samba
public = yes
guest ok = yes
writeable = yes
create mask = 0777
directory mask = 0777
force group = +Mitarbeiter
oplocks = yes
level2 oplocks = yes
inherit acls = yes





