Jonathan,

Any chance there could be a duplicate user?
getent passwd|grep /user/ would narrow the list down.

Dale



Jonathon Doran wrote:
I am obviously confused about something, and feel like I am chasing ghosts. Any help or clarification would be appreciated.

When a user logs in we get messages about corrupt recycle bins. Setting the logging to level 2 for that client, we have errors like:

open_directory: unable to create user/Desktop. Error was NT_STATUS_OBJECT_NAME_COLLISION.

OK, the folder already exists in the profile.  Why try to create it?

I can use smbclient and connect to the profile share as the user, and I have no trouble reading or writing files. The root account can access the raw folders without any problem. I expected that the existing profile would be read and used. And it sort of is, since a folder on the desktop is preserved across sessions.

When I up the logging to 4, I see messages like

get_privileges: No privileges assigned to SID [S-1-5-21-1786355187-4025355074-2784741737-501]

Hmm. That RID doesn't look correct. This user is in two groups, Domain Users (513) and a local lab group (3011). Slapcat does not show that SID, nor does "net groupmap list". I looked this up, and it appears to be a guest account. OK, maybe not a problem. As you might be able to tell, the slightest thing sets me off.

The login continues with accesses using user nobody (uid=99,gid=99), and the user is authenticated.

I saw this in the log:
[2009/07/06 16:33:33,  4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1613)
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-1786355187-4025355074-2784741737-513] count=0
[2009/07/06 16:33:34,  2] passdb/pdb_ldap.c:init_group_from_ldap(2348)
  init_group_from_ldap: Entry found for group: 513

RID 513 is in the group map. "getent group Domain\ Users" returns a bunch of names. So maybe _this_ isn't an error either.

Then I see:
[2009/07/06 16:33:34,  3] lib/privileges.c:get_privileges(63)
get_privileges: No privileges assigned to SID [S-1-5-21-1786355187-4025355074-2784741737-3110]
[2009/07/06 16:33:34,  3] lib/privileges.c:get_privileges(63)
get_privileges: No privileges assigned to SID [S-1-5-21-1786355187-4025355074-2784741737-513]

(the two groups of which this user should be a member).

A bit further down:
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))

That SID does not show up in the group map, and I have no idea where it comes from. All of my SIDs seem to start with S-1-5-21. So that looks bad. But...

  init_group_from_ldap: Entry found for group: 1005

Well, that is good. Group 1005 is the group with RID 3011, in case that was confusing. A VUID is registered later. And a connection is made to the profdata service (uid=1055, gid = 513).

The user's main group is 1005, but the user is not showing up in group 513. By that I mean that "getent group Domain\ Users" shows a list of users, but does not include this user. Nor does "groups user". Sounds like a big problem. But slapcat shows the user in the group, and LdapAdmin shows the user in the group. /etc/nsswitch.conf has "group: compat ldap". I have rebooted the system, and this problem persists. Removing the user from "Domain Users" in LdapAdmin, and then re-adding them did nothing. Although slapcat did reflect the removal.

I'm guessing that this is at the root of most of my problems. Where in the world is getent getting its information, if not from LDAP?
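
An added example, not part of either message above: a small Python triage script that pulls every SID out of Samba log text and sorts it into well-known SIDs, standard domain RIDs, RIDs present in the site's group map, and RIDs that are not. The category labels, function names and the `MAPPED` table are this example's own assumptions; the log lines are the ones quoted in the post, and the well-known values come from Microsoft's published SID list.

```python
import re

# Well-known SIDs and domain-relative RIDs (Microsoft's published list).
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-2": "Network",
                   "S-1-5-11": "Authenticated Users"}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests"}
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

def classify(sid, domain_sid, mapped_rids):
    """Return (kind, detail) for one SID; kind labels are this example's own."""
    if sid in WELL_KNOWN_SIDS:
        return ("well-known", WELL_KNOWN_SIDS[sid])
    if sid.startswith(domain_sid + "-"):
        tail = sid[len(domain_sid) + 1:]
        if tail.isdigit():
            rid = int(tail)
            if rid in WELL_KNOWN_RIDS:
                return ("builtin-rid", WELL_KNOWN_RIDS[rid])
            if rid in mapped_rids:
                return ("mapped", mapped_rids[rid])
            # Domain SID matches but nothing in the map explains this RID.
            return ("unmapped-rid", str(rid))
    return ("foreign", sid)

def scan(log_text, domain_sid, mapped_rids):
    """Classify each distinct SID found in the log, in first-seen order."""
    found = {}
    for sid in SID_RE.findall(log_text):
        found.setdefault(sid, classify(sid, domain_sid, mapped_rids))
    return found

DOMAIN_SID = "S-1-5-21-1786355187-4025355074-2784741737"
# Assumption: site-specific map built from the post's prose (lab group = RID 3011);
# in practice this would be filled from "net groupmap list".
MAPPED = {3011: "local lab group"}
# Log lines as quoted in the post.
SAMPLE_LOG = """\
get_privileges: No privileges assigned to SID [S-1-5-21-1786355187-4025355074-2784741737-501]
get_privileges: No privileges assigned to SID [S-1-5-21-1786355187-4025355074-2784741737-3110]
get_privileges: No privileges assigned to SID [S-1-5-21-1786355187-4025355074-2784741737-513]
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))
"""

if __name__ == "__main__":
    for sid, (kind, detail) in scan(SAMPLE_LOG, DOMAIN_SID, MAPPED).items():
        print(f"{kind:13} {detail:20} {sid}")
```

Entries reported as `unmapped-rid` are the ones to compare by hand against the LDAP group map and the account's `sambaSID` attributes.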