Re: [Samba] Samba/LDAP share issue -- user with invalid SID

2010-05-19 Thread Alex McKenzie

You are missing something, which I just realized reading this:  a couple
of emails that went back and forth off-list.  Oops.

I think the following is essentially accurate:  someone will surely
correct me if it's not.

At the moment, this is the only samba server there is, and it's acting
as a PDC.  At some point, I'll (probably) be building an actual PDC, at
which point domain master will be set to "no".  That will change the
role from PDC to BDC, which is (as far as I can tell) what I want.  The
problem right now is that, if I set this to act as a BDC, I can't
actually join the domain, because there isn't a controller.  Because of
that, this system (SL1) has to act as a PDC.  When I said it's not
acting as a PDC, I should have said "...but not being used as a domain
login controller", rather than "...not acting as...".

What I really probably OUGHT to do is set up mv (our LDAP server) to act
as a PDC now, and simply let this act as a client.  Unfortunately, I
don't have time to do it now -- I'll probably get to that sometime over
the summer, when things are a little less crazy.

-Alex

zoolook wrote:
> 2010/5/18 Alex McKenzie :
>> r...@sl1:/etc/samba# testparm
> 
>> Server role: ROLE_DOMAIN_PDC
> 
>> [global]
>>workgroup = CHEMBMB
> 
>>domain logons = Yes
>>preferred master = Yes
>>domain master = Yes
> 
>> This is a standalone server providing file sharing, but not acting as a
>> domain login controller:  if I ever want that, I'll be building a
>> different server for it.
> 
> Hm!?
> 
> 
>> Thanks to tms3 for the instructions:  I'd been spinning my wheels for
>> two weeks before his (her?) advice!
> 
> 
> Can you (or someone else) please explain this because either, I'm too
> dumb or too sleepy. From what I can see, your samba server IS a PDC.
> 
> If you want SL1 to be a member of CHEMBMB, you need to:
> 
> domain logons = No
> security = DOMAIN
> 
> Then:
> 
> # net rpc join ((or net ads join))
> 
> 
> 
> Am I missing something here?
> 
> 
> Thanks,
> Norberto
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Restricting file server access by group

2010-05-18 Thread Alex McKenzie

Thanks -- the first two were useful, but only blocked samba.  Which, to
be fair, is all I asked about.

Here's a third option, which will also block PAM:

In ldap.conf (on my system, running Ubuntu 8.04 LTS Server), modify the
following two lines:

1) pam_groupdn (group)

  In my case, this becomes:
pam_groupdn cn=schnell,ou=Biochemistry groups,ou=Biochemistry,dc=cns

2)  pam_member_attribute (attribute)

In my case, it becomes:
pam_member_attribute memberUid

At that point attempts to log in with an LDAP user who isn't part of the
group returns:

You must be a memberUid of cn=schnell,ou=Biochemistry
groups,ou=Biochemistry,dc=cns to login.
Connection closed by 172.30.35.146


Samba returns that it cannot mount the share, or that the uid/password
combination is wrong.

In any case, I'm putting this up in case anyone else has seen the same
problem... I'd still like a way to restrict to multiple groups, but this
works for what I need now.

Thanks for all the help!

-Alex

t...@tms3.com wrote:
> 
> 
> 
> On Tuesday 18/05/2010 at 8:46 am, Alex McKenzie wrote:
> This is for the same file server I wrote about earlier.
> 
> I would like to restrict access by group, as defined in LDAP. 
>> Two ways.
> 
>> 1) First is at the share level, which is controlled by smb.conf and is
>> fairly similar to permissions on a share in Window$.
> 
>> man smb.conf
> 
>> "To restrict a service to a particular set of users you can use the
>>valid users parameter.
> 
>>If any of the usernames begin with a '@' then the name will be
>>looked up first in the NIS netgroups list (if Samba is compiled
>>with netgroup support), followed by a lookup in the UNIX groups
>>database and will expand to a list of all users in the group of
>>that name."
> 
>> Works with groups in ldap, if your posix box is setup correctly.
> 
>> 2a)  The second is to enable acls on your posix file system.  If so, you
>> can use a Window$ workstation and the Administrator account to write M$
>> file permissions to the directories in the share. 
> 
>> 2b)  Or if it is a very simple set up, merely use standard posix file
>> and directory permissions.  For instance, say the samba share is
>> \\servername\chemlab  and the posix path is /usr/home/samba/chemlab, 
>> you could then simply do
> 
>> chgrp -R CHEMLABGROUP /usr/home/samba/chemlab  and chmod it to your
>> liking.  (Where CHEMLABGROUP is a samba ldap group).
> The
> obvious solution is to add a filter to the login LDAP search that
> restricts to gidNumber=10038 or 10001, since those are the groups I
> need. From what I'm seeing, I need to add that to /etc/ldap.conf in the
> nss_base_ section, but how to do it isn't clear.
> 
> Do I just enter it as a standard LDAP filter? In this case, I think I'd
> want (|(gidNumber=10038)(gidNumber=10001)), but the syntax really isn't
> clear from the file. Would it just be
> 
> nss_base_passwd (|(gidNumber=10038)(gidNumber=10001))?one
> 
> 
> That's what it looks like, anyway... if anyone can give me an answer,
> or at least point me towards a good source of documentation on this, I'd
> appreciate it.
> 
> Thanks,
> Alex McKenzie
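Added example (Python; not code from the thread, Samba or pam_ldap) of the two access gates this message discusses: the pam_groupdn/pam_member_attribute check from ldap.conf, and the smb.conf `valid users`/`invalid users` expansion as the quoted man page paragraph describes it. The group memberships, UNIX group table and empty netgroup table are constructed, and it assumes Samba was built without NIS netgroup support, so `@name` falls through to the UNIX group.

```python
# Constructed sample data.  The group DN is the one named in ldap.conf above;
# its members, the UNIX group table and the (empty) netgroup table are made up.
SCHNELL_GROUP = {
    "dn": "cn=schnell,ou=Biochemistry groups,ou=Biochemistry,dc=cns",
    "memberUid": ["amckenzie", "spalmer"],
}
UNIX_GROUPS = {"schnell": ["amckenzie", "spalmer"],
               "itadmins": ["amckenzie", "jmaher"]}
NETGROUPS = {}   # assumption: Samba built without NIS netgroup support

# Share definitions as testparm printed them elsewhere in the thread.
GLOBAL_CONF = {"invalid users": "root"}
ITADMINS_SHARE = {"valid users": "amckenzie, jmaher, spalmer, bmbchem"}
HOMES_SHARE = {"valid users": "%S"}


def pam_ldap_group_allows(user, group_entry, member_attr="memberUid"):
    """Mirror the pam_groupdn / pam_member_attribute gate: login succeeds only
    if the user's name is a value of member_attr on the group entry.  Returns
    (allowed, message); the denial text is what the message above shows
    pam_ldap printing at the ssh prompt."""
    if user in group_entry.get(member_attr, []):
        return True, ""
    return False, "You must be a %s of %s to login." % (member_attr, group_entry["dn"])


def parse_name_list(value):
    """Split an smb.conf name list ('a, b @c') on commas and whitespace."""
    return value.replace(",", " ").split()


def expand_names(names, unix_groups, netgroups):
    """Expand a user list as man smb.conf describes: '@name' tries the NIS
    netgroup first and then the UNIX group, '+name' is UNIX group only,
    '&name' is netgroup only, anything else is a plain user name."""
    users = set()
    for name in names:
        if name.startswith("@"):
            users.update(netgroups.get(name[1:]) or unix_groups.get(name[1:], []))
        elif name.startswith("+"):
            users.update(unix_groups.get(name[1:], []))
        elif name.startswith("&"):
            users.update(netgroups.get(name[1:], []))
        else:
            users.add(name)
    return users


def share_allows(user, share_name, share_conf, global_conf, unix_groups, netgroups):
    """Decide whether `user` may connect to a share.  A share-level setting
    overrides the global one; `invalid users` wins over `valid users`; an
    empty `valid users` admits everyone.  %S becomes the share name so the
    [homes] idiom `valid users = %S` works."""
    def names(key):
        raw = share_conf.get(key, global_conf.get(key, ""))
        return parse_name_list(raw.replace("%S", share_name))
    if user in expand_names(names("invalid users"), unix_groups, netgroups):
        return False
    valid = expand_names(names("valid users"), unix_groups, netgroups)
    return not valid or user in valid


if __name__ == "__main__":
    for who in ("amckenzie", "jmaher", "suzanne"):
        print(who, "ssh:", pam_ldap_group_allows(who, SCHNELL_GROUP)[0],
              "itadmins:", share_allows(who, "itadmins", ITADMINS_SHARE,
                                        GLOBAL_CONF, UNIX_GROUPS, NETGROUPS))
```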


[Samba] Restricting file server access by group

2010-05-18 Thread Alex McKenzie

This is for the same file server I wrote about earlier.

I would like to restrict access by group, as defined in LDAP.  The
obvious solution is to add a filter to the login LDAP search that
restricts to gidNumber=10038 or 10001, since those are the groups I
need.  From what I'm seeing, I need to add that to /etc/ldap.conf in the
 nss_base_ section, but how to do it isn't clear.

Do I just enter it as a standard LDAP filter?  In this case, I think I'd
want (|(gidNumber=10038)(gidNumber=10001)), but the syntax really isn't
clear from the file.  Would it just be

nss_base_passwd (|(gidNumber=10038)(gidNumber=10001))?one


That's what it looks like, anyway...  if anyone can give me an answer,
or at least point me towards a good source of documentation on this, I'd
appreciate it.

Thanks,
  Alex McKenzie


Re: [Samba] Samba/LDAP share issue -- user with invalid SID

2010-05-18 Thread Alex McKenzie

This fixed it!

For the record, since I suspect this all gets archived and is
searchable:  here's the output of testparm.


r...@sl1:/etc/samba# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[itadmins]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
workgroup = CHEMBMB
server string = %h server (Samba, Ubuntu)
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = ldapsam:ldaps://mv.chem.umass.edu
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
domain logons = Yes
preferred master = Yes
domain master = Yes
dns proxy = No
ldap admin dn = cn=admin,dc=cns
ldap group suffix = ou=Chemistry groups
ldap suffix = ou=Chemistry,dc=cns
ldap ssl = no
ldap user suffix = ou=Chemistry users
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
invalid users = root

[homes]
comment = Home Directories
read only = No
browseable = No
valid users = %S

[itadmins]
comment = Shared directory for the IT group
path = /home/itadmins
valid users = amckenzie, jmaher, spalmer, bmbchem
read only = No
create mask = 0665
directory mask = 0775
browseable = No


net getdomainsid returns:
SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981



This is a standalone server providing file sharing, but not acting as a
domain login controller:  if I ever want that, I'll be building a
different server for it.

Thanks to tms3 for the instructions:  I'd been spinning my wheels for
two weeks before his (her?) advice!

-Alex McKenzie

t...@tms3.com wrote:
> 
> 
> SNIP
>> I do have smbldap tools installed and, as far as I can tell, set up.
>>
>> net join CHEMBMB -U Administrator returns "cannot join as standalone
>> machine".
> 
> DUHHH! I'm sorry I'm a moron.  OK, change that to
> 
> preferred master = Yes
> domain logons = Yes
> domain master = Yes   <---if this is the only DC in CHEMBMB.  If
> you have another samba server as PDC in CHEMBMB then set that to "no"
>>
>>
>> The LDAP structure may be the issue... I don't think computer accounts
>> were ever set up on the current server (the last server was done by the
>> guy who used to do my job, who left basically no documentation), because
>> I wasn't aware they were necessary for this. We're not planning to use
>> Samba/LDAP for windows authentication (only Mac, which doesn't require
>> any sort of machine account, and linux, which also doesn't require a
>> machine account), and if we do decide to do windows auth with Samba, it
>> won't be using SL1.
>>
>> SL1 is only a file server -- it's for a small research group, and there
>> will eventually be a bunch of them, possibly as many as 30-40. The
>> system that LDAP runs on will eventually become a PDC, if necessary, but
>> for now samba isn't even installed. If that's the issue, I'll feel
>> stupid, but grateful that someone pointed me in the right direction.
>> Let me know what to try next... as I said initially, I'm quite out of my
>> depth.
>>
>> I haven't been testing with a Windows machine, and I did something to
>> completely break SL1 yesterday, so I can't test it right now. (I
>> changed something in smb.conf, and now samba won't start -- I need to
>> figure out what that is before I go any further.)
>>
>> -Alex
>>
>> t...@tms3.com wrote:
>>>
>>>
>>>
>>>
>>>> How do I get the server to join CHEMBMB?
>>>
>>> I may have been hasty, but I don't have a proper domain to check at the
>>> moment. However:
>>>
>>>
>>> Do you have smbldap-tools installed and set up on sl1?
>>>
>>> Did you ever issue
>>>
>>> net join CHEMBMB -U Administrator
>>>
>>> from sl1?
>>>
>>> Check your ldap structure. You should have a computer with an LDIF that
>>> looks like this:
>>>
>>> dn: uid=zaphod$, ou=compu

Re: [Samba] Samba/LDAP share issue -- user with invalid SID

2010-05-18 Thread Alex McKenzie
 password sync = Yes
>>>>> syslog = 255
>>>>> log file = /var/log/samba/log.%m
>>>>> max log size = 1000
>>>>> dns proxy = No
>>>>> ldap admin dn = cn=admin,dc=cns
>>>>> ldap group suffix = ou=Chemistry groups
>>>>> ldap suffix = ou=Chemistry,dc=cns
>>>>> ldap ssl = no
>>>>> ldap user suffix = ou=Chemistry users
>>>>> usershare allow guests = Yes
>>>>> panic action = /usr/share/samba/panic-action %d
>>>>> invalid users = root
>>>>>
>>>>> [homes]
>>>>> comment = Home Directories
>>>>> read only = No
>>>>> browseable = No
>>>>>
>>>>> [itadmins]
>>>>> comment = Shared directory for the IT group
>>>>> path = /home/itadmins
>>>>> valid users = spalmer, amckenzie
>>>>> read only = No
>>>>> create mask = 0665
>>>>> directory mask = 0775
>>>>>
>>>>>
>>>>>
>>>>> Any advice would be appreciated -- I'm well beyond my understanding of
>>>>> samba at the moment, and my understanding of samba is well beyond what
>>>>> it was 48 hours ago. At the moment neither server is mission critical,
>>>>> so tests that take them temporarily off-line are possible. By early
>>>>> next week things will be authenticating against the LDAP server (we've
>>>>> got no choice -- the old LDAP server is failing fast), so I won't be
>>>>> able to take it down for testing.
>>>>>
>>>>> Thanks in advance,
>>>>> Alex McKenzie
>>>>> a...@chem.umass.edu
>>>>>
>>>>>
>>>
> 


Re: [Samba] Samba/LDAP share issue -- user with invalid SID

2010-05-18 Thread Alex McKenzie



t...@tms3.com wrote:
> SNIP
>>> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
>>> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>>>
>>> 7) Users have both user and group SIDs in the form
>>> "S-1-5-21-4167008922-1292391803-4044586981-[unique number]", which is
>>> generated according to the rules the smbldap tools use.
> 
> You have two different domains. And the users are in CHEMBMB and the
> server is a member of SL1.  Why not join SL1 to CHEMBMB?

How do I get the server to join CHEMBMB?  I spent about two hours trying
to get the two SIDs to be the same, with no success.  I assumed that was
part of the issue, but I finally gave up on making it work.  I assume
I'd use "net setlocalsid", which shows the following:

r...@sl1:~# net getdomainsid
SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
r...@sl1:~# net setlocalsid S-1-5-21-4167008922-1292391803-4044586981
r...@schnelllab1:~# net getdomainsid
SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981

If there's something else I should be doing, I'd love to know what it is!

-Alex




>>>
>>>
>>> 8) testparm on sl1 returns the following:
>>>
>>> Load smb config files from /etc/samba/smb.conf
>>> Processing section "[homes]"
>>> Processing section "[itadmins]"
>>> Loaded services file OK.
>>> Server role: ROLE_STANDALONE
>>> Press enter to see a dump of your service definitions
>>>
>>> [global]
>>> workgroup = CHEMBMB
>>> server string = %h server (Samba, Ubuntu)
>>> map to guest = Bad User
>>> obey pam restrictions = Yes
>>> passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
>>> pam password change = Yes
>>> passwd program = /usr/bin/passwd %u
>>> passwd chat = *Enter\snew\s*\spassword:* %n\n
>>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>> unix password sync = Yes
>>> syslog = 255
>>> log file = /var/log/samba/log.%m
>>> max log size = 1000
>>> dns proxy = No
>>> ldap admin dn = cn=admin,dc=cns
>>> ldap group suffix = ou=Chemistry groups
>>> ldap suffix = ou=Chemistry,dc=cns
>>> ldap ssl = no
>>> ldap user suffix = ou=Chemistry users
>>> usershare allow guests = Yes
>>> panic action = /usr/share/samba/panic-action %d
>>> invalid users = root
>>>
>>> [homes]
>>> comment = Home Directories
>>> read only = No
>>> browseable = No
>>>
>>> [itadmins]
>>> comment = Shared directory for the IT group
>>> path = /home/itadmins
>>> valid users = spalmer, amckenzie
>>> read only = No
>>> create mask = 0665
>>> directory mask = 0775
>>>
>>>
>>>
>>> Any advice would be appreciated -- I'm well beyond my understanding of
>>> samba at the moment, and my understanding of samba is well beyond what
>>> it was 48 hours ago. At the moment neither server is mission critical,
>>> so tests that take them temporarily off-line are possible. By early
>>> next week things will be authenticating against the LDAP server (we've
>>> got no choice -- the old LDAP server is failing fast), so I won't be
>>> able to take it down for testing.
>>>
>>> Thanks in advance,
>>> Alex McKenzie
>>> a...@chem.umass.edu
>>>
>>>
> 


Re: [Samba] Samba/LDAP share issue -- user with invalid SID

2010-05-17 Thread Alex McKenzie

So no one has any guesses on this?  I've found nothing new, so any help
at all would be appreciated...

-Alex

Alex McKenzie wrote:
> Greetings,
> 
>   While I've seen this referred to a lot of places, I haven't yet found
> a posted solution that works for me.  Testing has been done from a Mac
> running OSX 10.5.8.  Here's what I have so far:  if anyone can give me a
> next step to test, I'd appreciate it.  If anyone can give me a complete
> solution, I'd appreciate it even more. 8-)
> 
> 1) An LDAP server "mv", running Ubuntu 8.04 LTS.  Samba is not installed.
> 
> 2) A group file server "sl1", running Ubuntu 8.04 LTS.  LDAP is not
> installed.
> 
> 3) Users can successfully authenticate to sl1 against LDAP when
> connecting via SSH.  If their user directory exists (they have logged in
> via ssh) they can connect to their home directory through samba by
> connecting to smb://sl1.biochem.lgrt.nsm (a non-routable internal
> network), so I know samba is successfully connecting to the LDAP server.
>  Traffic between the file server and the LDAP server is encrypted, as
> confirmed with tcpdump.
> 
> 4) When attempting to access a group share, the connection is refused,
> and the following shows up in the samba logs:  the share has users
> amckenzie and suzanne.
> 
> [2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
>   User spalmer with invalid SID
> S-1-5-21-4167008922-1292391803-4044586981-21004 in passdb
> [2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
>   User amckenzie with invalid SID
> S-1-5-21-4167008922-1292391803-4044586981-21006 in passdb
> 
> 5) All connections, successful or not, cause the following messages in
> the samba logs on sl1:
> 
> [2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_administrators(792)
>   create_builtin_administrators: Failed to create Administrators
> [2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_users(758)
>   create_builtin_users: Failed to create Users
> [2010/05/06 16:31:33, 0] param/loadparm.c:widelinks_warning(5718)
>   Share 'IPC$' has wide links and unix extensions enabled. These
> parameters are incompatible. Wide links will be disabled for this share.
> 
> 6) On sl1, net getdomainsid returns the following:
> 
> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
> 
> 7) Users have both user and group SIDs in the form
> "S-1-5-21-4167008922-1292391803-4044586981-[unique number]", which is
> generated according to the rules the smbldap tools use.
> 
> 8) testparm on sl1 returns the following:
> 
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[itadmins]"
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> Press enter to see a dump of your service definitions
> 
> [global]
>   workgroup = CHEMBMB
>   server string = %h server (Samba, Ubuntu)
>   map to guest = Bad User
>   obey pam restrictions = Yes
>   passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
>   pam password change = Yes
>   passwd program = /usr/bin/passwd %u
>   passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>   unix password sync = Yes
>   syslog = 255
>   log file = /var/log/samba/log.%m
>   max log size = 1000
>   dns proxy = No
>   ldap admin dn = cn=admin,dc=cns
>   ldap group suffix = ou=Chemistry groups
>   ldap suffix = ou=Chemistry,dc=cns
>   ldap ssl = no
>   ldap user suffix = ou=Chemistry users
>   usershare allow guests = Yes
>   panic action = /usr/share/samba/panic-action %d
>   invalid users = root
> 
> [homes]
>   comment = Home Directories
>   read only = No
>   browseable = No
> 
> [itadmins]
>   comment = Shared directory for the IT group
>   path = /home/itadmins
>   valid users = spalmer, amckenzie
>   read only = No
>   create mask = 0665
>   directory mask = 0775
> 
> 
> 
> Any advice would be appreciated -- I'm well beyond my understanding of
> samba at the moment, and my understanding of samba is well beyond what
> it was 48 hours ago.  At the moment neither server is mission critical,
> so tests that take them temporarily off-line are possible.  By early
> next week things will be authenticating against the LDAP server (we've
> got no choice -- the old LDAP server is failing fast), so I won't be
> able to 

[Samba] Samba/LDAP share issue -- user with invalid SID

2010-05-06 Thread Alex McKenzie

Greetings,

  While I've seen this referred to a lot of places, I haven't yet found
a posted solution that works for me.  Testing has been done from a Mac
running OSX 10.5.8.  Here's what I have so far:  if anyone can give me a
next step to test, I'd appreciate it.  If anyone can give me a complete
solution, I'd appreciate it even more. 8-)

1) An LDAP server "mv", running Ubuntu 8.04 LTS.  Samba is not installed.

2) A group file server "sl1", running Ubuntu 8.04 LTS.  LDAP is not
installed.

3) Users can successfully authenticate to sl1 against LDAP when
connecting via SSH.  If their user directory exists (they have logged in
via ssh) they can connect to their home directory through samba by
connecting to smb://sl1.biochem.lgrt.nsm (a non-routable internal
network), so I know samba is successfully connecting to the LDAP server.
 Traffic between the file server and the LDAP server is encrypted, as
confirmed with tcpdump.

4) When attempting to access a group share, the connection is refused,
and the following shows up in the samba logs:  the share has users
amckenzie and suzanne.

[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User spalmer with invalid SID
S-1-5-21-4167008922-1292391803-4044586981-21004 in passdb
[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User amckenzie with invalid SID
S-1-5-21-4167008922-1292391803-4044586981-21006 in passdb

5) All connections, successful or not, cause the following messages in
the samba logs on sl1:

[2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_administrators(792)
  create_builtin_administrators: Failed to create Administrators
[2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2010/05/06 16:31:33, 0] param/loadparm.c:widelinks_warning(5718)
  Share 'IPC$' has wide links and unix extensions enabled. These
parameters are incompatible. Wide links will be disabled for this share.

6) On sl1, net getdomainsid returns the following:

SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981

7) Users have both user and group SIDs in the form
"S-1-5-21-4167008922-1292391803-4044586981-[unique number]", which is
generated according to the rules the smbldap tools use.

8) testparm on sl1 returns the following:

Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[itadmins]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
workgroup = CHEMBMB
server string = %h server (Samba, Ubuntu)
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 255
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
ldap admin dn = cn=admin,dc=cns
ldap group suffix = ou=Chemistry groups
ldap suffix = ou=Chemistry,dc=cns
ldap ssl = no
ldap user suffix = ou=Chemistry users
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
invalid users = root

[homes]
comment = Home Directories
read only = No
browseable = No

[itadmins]
comment = Shared directory for the IT group
path = /home/itadmins
valid users = spalmer, amckenzie
read only = No
create mask = 0665
directory mask = 0775



Any advice would be appreciated -- I'm well beyond my understanding of
samba at the moment, and my understanding of samba is well beyond what
it was 48 hours ago.  At the moment neither server is mission critical,
so tests that take them temporarily off-line are possible.  By early
next week things will be authenticating against the LDAP server (we've
got no choice -- the old LDAP server is failing fast), so I won't be
able to take it down for testing.

Thanks in advance,
  Alex McKenzie
  a...@chem.umass.edu


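Added example (Python; not code from the thread or from Samba) that reads the `net getdomainsid` output and the passdb log lines from the post above and shows why each account is rejected: the user SIDs carry the CHEMBMB domain prefix while the server's own SID is SL1's, and a standalone server only resolves accounts under its own SID (the later switch to the PDC role is what made the two coincide). The sample input is constructed to match the post; the hostname and workgroup names are passed in as parameters.

```python
import re

# Constructed sample input, shaped like the post: `net getdomainsid` output
# on sl1, and the passdb log lines (the archive wrapped the SID onto its own
# line, which the parser below tolerates).
GETDOMAINSID_OUTPUT = """\
SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
"""

SAMBA_LOG = """\
[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User spalmer with invalid SID
S-1-5-21-4167008922-1292391803-4044586981-21004 in passdb
[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User amckenzie with invalid SID
S-1-5-21-4167008922-1292391803-4044586981-21006 in passdb
"""

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def split_sid(sid):
    """Split an NT SID into (domain SID, RID).

    Samba/Windows domain SIDs look like S-1-5-21-a-b-c; an account SID is the
    domain SID plus one more subauthority, the RID.  A bare domain SID comes
    back with RID None.
    """
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    authority = int(m.group(1))
    subs = [int(s) for s in m.group(2).split("-")[1:]]
    if authority != 5 or subs[0] != 21:
        raise ValueError("not an NT domain-style SID: %r" % sid)
    if len(subs) == 4:                       # S-1-5-21-a-b-c
        return sid, None
    if len(subs) == 5:                       # S-1-5-21-a-b-c-rid
        return "S-1-5-21-%d-%d-%d" % tuple(subs[1:4]), subs[4]
    raise ValueError("unexpected subauthority count in %r" % sid)


def parse_getdomainsid(text):
    """Map domain name -> SID from `net getdomainsid` output."""
    return dict(re.findall(r"SID for domain (\S+) is: (S-1-5-21-\S+)", text))


def parse_invalid_sid_log(text):
    """Return [(user, sid), ...] for each passdb 'invalid SID' message."""
    return re.findall(
        r"User (\S+) with invalid SID\s+(S-1-5-21-[\d-]+) in passdb", text)


def diagnose(getdomainsid_text, log_text, local_name, workgroup):
    """Explain the rejections by comparing each account's domain SID with the
    server's own SID (local_name) and the workgroup's SID.  The returned dict
    is easy to assert on; `findings` holds the human-readable verdicts."""
    domains = parse_getdomainsid(getdomainsid_text)
    local_sid, workgroup_sid = domains[local_name], domains[workgroup]
    owner_of = {sid: name for name, sid in domains.items()}
    report = {"local_sid": local_sid, "workgroup_sid": workgroup_sid,
              "split_brain": local_sid != workgroup_sid,
              "users": {}, "findings": []}
    if report["split_brain"]:
        report["findings"].append(
            "local SID (%s) and workgroup SID (%s) differ: a standalone server "
            "only resolves accounts under its own SID" % (local_name, workgroup))
    for user, sid in parse_invalid_sid_log(log_text):
        domain, rid = split_sid(sid)
        owner = owner_of.get(domain, "an unknown domain")
        report["users"][user] = {"rid": rid, "domain": owner,
                                 "in_local": domain == local_sid}
        if domain != local_sid:
            report["findings"].append(
                "%s (RID %s) belongs to %s, not to %s; passdb rejects it"
                % (user, rid, owner, local_name))
    return report


if __name__ == "__main__":
    for line in diagnose(GETDOMAINSID_OUTPUT, SAMBA_LOG, "SL1", "CHEMBMB")["findings"]:
        print(line)
```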