Do you have a complete sambaDomain record in your LDAP and is it at the root level of the LDAP structure?
On 12/19/08, Graham Seaman <g.sea...@lse.ac.uk> wrote:
> Hi,
>
> I'm trying to set up samba with ldap authorization on a windows network.
> I have samba running on one linux host, and openldap on another. I have
> used smbldap-tools to populate my directory and used smbldap-useradd to
> create an initial testuser on the samba host. I can ssh in to the samba
> host as the testuser ok, and get in to the testuser directory (i.e. there
> are no permission problems). But if I try to do
> `smbclient //DOMAIN/testuser -U testuser` I get 'tree connect failed:
> NT_STATUS_ACCESS_DENIED'. Looking at the samba log, I see:
>
> [2008/12/19 17:08:30, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
>   init_sam_from_ldap: Entry found for user: testuser
> [2008/12/19 17:08:30, 2] passdb/pdb_ldap.c:init_group_from_ldap(2162)
>   init_group_from_ldap: Entry found for group: 513
> [2008/12/19 17:08:30, 0] passdb/passdb.c:lookup_global_sam_name(596)
>   User testuser with invalid SID S-1-5-21-1306896613-1613859276-828620297-3000 in passdb
> [2008/12/19 17:08:30, 2] smbd/service.c:make_connection_snum(616)
>   user 'testuser' (from session setup) not permitted to access this share (testuser)
>
> net getlocalsid on the samba host gives:
> SID for domain DOMAIN is: S-1-5-21-1306896613-1613859276-828620297
>
> which matches the 'invalid SID' above. Looking in the ldap directory, I
> see the uidNumber for testuser is 1000. The smbldap-tools documentation
> says the algorithm to go from uid to sid is sid = 2 * uid + 1000, which
> also matches the 'invalid SID'.
>
> Any suggestions for what to do from here?
>
> Thanks
> Graham
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
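The checks discussed in this thread can be scripted. The following is an added example, not part of either message: it splits the SID from the log into domain SID and RID, compares them with the `net getlocalsid` output and the quoted `2 * uid + 1000` formula, and then looks for a `sambaDomain` entry carrying that domain SID directly under the suffix. The LDIF entries and the suffix `dc=example,dc=com` are constructed assumptions.

```python
import re

# Constructed inputs: the log line and `net getlocalsid` output are copied from
# the post; the LDIF entries and the suffix dc=example,dc=com are made up.
LOG = ("User testuser with invalid SID "
       "S-1-5-21-1306896613-1613859276-828620297-3000 in passdb")
LOCALSID = "SID for domain DOMAIN is: S-1-5-21-1306896613-1613859276-828620297"
LDIF = """\
dn: sambaDomainName=DOMAIN,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: DOMAIN
sambaSID: S-1-5-21-1306896613-1613859276-828620297

dn: uid=testuser,ou=Users,dc=example,dc=com
objectClass: sambaSamAccount
uidNumber: 1000
sambaSID: S-1-5-21-1306896613-1613859276-828620297-3000
"""

def parse_ldif(text):
    """Parse simple, unwrapped LDIF into a list of {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def check(log, localsid, ldif, base_dn, uid_number):
    """Return named pass/fail checks for the SID that smbd rejected."""
    user_sid = re.search(r"invalid SID (S-[\d-]+)", log).group(1)
    domain_sid, _, rid = user_sid.rpartition("-")   # last component is the RID
    local = localsid.rsplit(": ", 1)[1].strip()
    domains = [e for e in parse_ldif(ldif)
               if "sambaDomain" in e.get("objectClass", [])]
    match = [e for e in domains if domain_sid in e.get("sambaSID", [])]
    # "Root level": the entry's parent DN is the suffix (naive split, no escapes).
    at_root = [e for e in match
               if e["dn"][0].split(",", 1)[1].lower() == base_dn.lower()]
    return {
        "prefix_matches_localsid": domain_sid == local,
        "rid_matches_algorithm": int(rid) == 2 * uid_number + 1000,
        "sambaDomain_with_sid": bool(match),
        "sambaDomain_at_root": bool(at_root),
    }

if __name__ == "__main__":
    for name, ok in check(LOG, LOCALSID, LDIF, "dc=example,dc=com", 1000).items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

To run it against a real directory, replace `LDIF` with an export of the `sambaDomain` and user entries and pass the actual suffix as `base_dn`.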