Re: [Samba] User invalid SID with home directory - Bueller?
- Date: Thu, 15 May 2008 12:12:14 -0700
- From: Wes Modes <wmodes@xxxxxxxx>
- Subject: Re: [Samba] User invalid SID with home directory - Bueller?
The [homes] share is configured similarly to the [home] share, though one would mount it different:
\\fileserver.ucsc.edu\home for the [home] share \\fileserver.ucsc.edu\wmodes for the [homes] shareand for users who have the problem, they have the SID problem in mounting both shares.
On my server, even for those accounts that work fine, there is little similarity in the SID for the domain and the user's SambaSID, and the SambaPrimaryGroupSID.
I am beginning to suspect, I reset the machine SID after I created many of my accounts. And so the old SID somewhere somehow encoded within the user's old SambaSID turns up as invalid.
If anybody knows how to specify that I can trust these accounts so I don't have the SID problem, that'd be swell.
W. Charlie wrote:
The first part of any SID is the domain portion. It should be pretty constant throughout your domain as I understand things. When dealing with users and groups, the bit after the last dash is the RID or relative ID and it must be unique within the domain. Really really unique! If samba created your user & group sids the groups will be odd-numbered and users will be even-numbered. So, for example, the domain SID for my domain looks somewhat like this: SID for domain DARKAGES is: S-1-5-21-267844371-1268535915-2638854549 And the SID for my PDC and BDCs are exactly the same, although other servers (that are not either PDCs or BDCs) have their own unique SIDs. My personal SID looks like this: S-1-5-21-267844371-1268535915-2638854549-1802 Notice my RID of 1802 on the end there? I have a uidNumber of 401 on the POSIX side. The beginning bit seems to define my domain membership, though. If I change the domain SID on my PDC with "net setlocalsid" I can no longer log in using my own account, apparently because I do not have the right SID. There are ways to get around that involving winbind and/or domain trust accounts - but I can't explain those things because I don't understand them either. My knowledge of CIFS and samba is pretty shallow. We may be off in the weeds here, though - you should check out samba's automagical [homes] share and see if you can make it do what you want without having to do the %U thing. --Charlie On Wed, May 14, 2008 at 6:23 PM, Wes Modes <wmodes@xxxxxxxx> wrote:It does not. But then the SID of each user doesn't match those of each other either. I've seen that asked before, but are you sure the machine's SID and every user SID should be the same? W. Charlie wrote: If you do a "net getlocalsid" at your shell prompt on the samba server that hosts the share, does the preamble of the SID returned match that of the SID you see in your error messages? I'm betting not... --Charlie On Tue, May 13, 2008 at 2:39 PM, Wes Modes <wmodes@xxxxxxxx> wrote: So even though I see this popping up in tons of posts, no one has encountered it and successfully solved the problem or can illuminate the issue? Here's what I did not knowing what else to do: 1. Deleted the account. (smbldap-userdel) 2. Recreated the account (smbldap-useradd) 3. Searched for any files owned by the old user, and chown'd them to the new user It is not an elegant solution, but it is the only one I have now. So far I haven't gotten any accounts that have had the problem reoccur. But I'm waiting to see. Wes Wes Modes wrote: I'm having the problem in which users can access their group shares, but not their home shares. These two shares are defined thusly in smb.conf: [seref] comment = Science & Engineering Reference Section path = /data/group/seref valid users = @seref, @seref-read, @admin read list = @seref-read write list = @seref, @admin force group = seref create mask = 0664 directory mask = 0770 [home] comment = %u's Personal Share Directory path = /data/home/%U valid users = %U, @admin write list = %U, @admin create mask = 0600 directory mask = 0700 browseable = No It seems that the %U variable, causes Samba to do a lookup_global_sam_name which fails. [root@fileserver]# smbclient -Ujoeblow '\\edgar.library.ucsc.edu\home' xxxxxxxx tree connect failed: NT_STATUS_ACCESS_DENIED Here's the relevant section of the log: passdb/pdb_ldap.c:init_sam_from_ldap(545) init_sam_from_ldap: Entry found for user: joeblow passdb/pdb_ldap.c:init_group_from_ldap(2158) init_group_from_ldap: Entry found for group: 30023 passdb/passdb.c:lookup_global_sam_name(596) User joeblow with invalid SID S-1-5-21-2642364908-3785178431-1037763545-61756 in passdb passdb/pdb_ldap.c:init_group_from_ldap(2158) init_group_from_ldap: Entry found for group: 1001 smbd/service.c:make_connection_snum(616) user 'joeblow' (from session setup) not permitted to access this share (home) Please note that I am not using the ADS security model, nor do I care to at the moment. Here's the significant part of my smb.conf: ### Basic information for server workgroup = MCHSTAFF netbios name = EDGAR server string = Library Samba Server hosts allow = 169.233. hosts allow = 128.114. enable privileges = yes security = user encrypt passwords = yes preferred master = yes domain master = yes domain logons = yes local master = yes username map = /etc/samba/smbusers logon path = wins support = yes dns proxy = no So why I am I getting the failure "User joeblow with invalid SID"? Wes -- Wes Modes Server Administrator & Programmer Analyst McHenry Library Computing & Network Services Information and Technology Services 459-5208 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- Wes Modes Server Administrator & Programmer Analyst McHenry Library Computing & Network Services Information and Technology Services 459-5208
-- Wes Modes Server Administrator & Programmer Analyst McHenry Library Computing & Network Services Information and Technology Services 459-5208 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
- References:
- [Samba] User SID problem with home directory
- From: Wes Modes
- Re: [Samba] User invalid SID with home directory - Bueller?
- From: Wes Modes
- Re: [Samba] User invalid SID with home directory - Bueller?
- From: Charlie
- Re: [Samba] User invalid SID with home directory - Bueller?
- From: Wes Modes
- Re: [Samba] User invalid SID with home directory - Bueller?
- From: Charlie
- [Samba] User SID problem with home directory
- Prev by Date: Re: [Samba] User invalid SID with home directory - Bueller?
- Next by Date: [Samba] Re: PDC replacement
- Previous by thread: Re: [Samba] User invalid SID with home directory - Bueller?
- Next by thread: [Samba] PDC replacement
- Index(es):