RE: FW: [Samba] RID to SID Bug? Share ACL Access Denied

2004-03-31 Thread Aden, Steve
Thank you for the response.

I tried the suggestions and have found no change. I still see the sid
being set to the domain SAMBASERVER instead of the W2K ADS domain and
the rid logged does not match the actual rid of the user account.

-snip-from machine log
[2004/03/31 15:45:48, 5] libads/authdata.c:pac_io_pac_info_hdr_ctr(510)
  PAC_TYPE_UNKNOWN_10
[2004/03/31 15:45:48, 7] rpc_parse/parse_prs.c:prs_debug(82)
  000200 pac_io_unknown_type_10 pac data
[2004/03/31 15:45:48, 8] rpc_parse/parse_prs.c:prs_debug(82)
  000200 smb_io_time unknown_time
[2004/03/31 15:45:48, 5] rpc_parse/parse_prs.c:prs_uint32(635)
  0200 low : 719e7000
[2004/03/31 15:45:48, 5] rpc_parse/parse_prs.c:prs_uint32(635)
  0204 high: 01c41739
[2004/03/31 15:45:48, 5] rpc_parse/parse_prs.c:prs_uint16(606)
  0208 len: 0010
[2004/03/31 15:45:48, 5] rpc_parse/parse_prs.c:prs_uint16s(765)
  020a name: t.e.s.t.g.i.r.l.
[2004/03/31 15:45:48, 6] rpc_parse/parse_prs.c:prs_debug(82)
  00021a pac_io_pac_info_hdr_ctr pac data
[2004/03/31 15:45:48, 5] libads/authdata.c:pac_io_pac_info_hdr_ctr(452)
  offset in header(x220) and data(x21c) do not match
[2004/03/31 15:45:48, 5] libads/authdata.c:pac_io_pac_info_hdr_ctr(481)
  PAC_TYPE_SERVER_CHECKSUM
[2004/03/31 15:45:48, 7] rpc_parse/parse_prs.c:prs_debug(82)
  000220 pac_io_pac_signature_data pac data
[2004/03/31 15:45:48, 5] rpc_parse/parse_prs.c:prs_uint32(635)
  0220 type: ff76
[2004/03/31 15:45:48, 5] rpc_parse/parse_prs.c:prs_uint8s(722)
  0224 signature: f0 26 d7 63 5d e6 8b 4e 52 40 72 cb 6a f1 ac 16
[2004/03/31 15:45:48, 6] rpc_parse/parse_prs.c:prs_debug(82)
  000234 pac_io_pac_info_hdr_ctr pac data
[2004/03/31 15:45:48, 5] libads/authdata.c:pac_io_pac_info_hdr_ctr(452)
  offset in header(x238) and data(x234) do not match
[2004/03/31 15:45:48, 5] libads/authdata.c:pac_io_pac_info_hdr_ctr(495)
  PAC_TYPE_PRIVSVR_CHECKSUM
[2004/03/31 15:45:48, 7] rpc_parse/parse_prs.c:prs_debug(82)
  000238 pac_io_pac_signature_data pac data
[2004/03/31 15:45:48, 5] rpc_parse/parse_prs.c:prs_uint32(635)
  0238 type: ff76
[2004/03/31 15:45:48, 5] rpc_parse/parse_prs.c:prs_uint8s(722)
  023c signature: 68 49 32 71 0c 65 b0 f2 05 53 7e 1b 7e 06 52 e2
[2004/03/31 15:45:48, 3] smbd/sesssetup.c:reply_spnego_kerberos(179)
  Ticket name is [EMAIL PROTECTED]
[2004/03/31 15:45:48, 10] smbd/sesssetup.c:reply_spnego_kerberos(220)
  Mapping [DOMAIN.COM] to short name
[2004/03/31 15:45:48, 10] smbd/sesssetup.c:reply_spnego_kerberos(233)
  Mapped to [DOMAIN]
[2004/03/31 15:45:48, 5] lib/username.c:Get_Pwnam(288)
  Finding user DOMAIN_testgirl
[2004/03/31 15:45:48, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is domain_testgirl
[2004/03/31 15:45:48, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals did find user [DOMAIN_testgirl]!
[2004/03/31 15:45:48, 6] param/loadparm.c:lp_file_list_changed(2653)
  lp_file_list_changed()
  file /etc/samba/smb.conf - /etc/samba/smb.conf  last mod_time: Wed Mar 31 15:43:28 2004
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_username(593)
  pdb_set_username: setting username DOMAIN_testgirl, was
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_init_flags(493)
  element 11 - now SET
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_fullname(674)
  pdb_set_full_name: setting full name testgirl, was
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_init_flags(493)
  element 12 - now SET
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_unix_homedir(809)
  pdb_set_unix_homedir: setting home dir /home/DOMAIN/testgirl, was NULL
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_init_flags(493)
  element 21 - now SET
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_domain(620)
  pdb_set_domain: setting domain SAMBASERVER, was
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_user_sid(520)
  pdb_set_user_sid: setting user sid S-1-5-21-74637098-2648309090-13861X-21002
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_init_flags(493)
  element 17 - now SET
[2004/03/31 15:45:48, 10] passdb/pdb_compat.c:pdb_set_user_sid_from_rid(73)
  pdb_set_user_sid_from_rid:
  setting user sid S-1-5-21-74637098-2648309090-13861X-21002 from rid 21002
-snip-

does wbinfo -[tug] all work?
What about 'getent passwd' ?
Yes all of these work correctly.

Do the PAC errors have something to do with this? As seen above, there
are a few in the log: PAC_TYPE_UNKNOWN_10, pac_io_unknown_type_10 pac
data, offset in header(x238) and data(x234) do not match.

What else can I send that will help nail down the problem here?

Thanks again.
Steve

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 31, 2004 3:37 PM
To: Aden, Steve
Subject: Re: FW: [Samba] RID to SID Bug? Share ACL Access Denied



FW: [Samba] RID to SID Bug? Share ACL Access Denied

2004-03-30 Thread Aden, Steve
Hi,
Is this problem related to this bug?
Bugzilla Bug 1165  
   Samba ADS Kerberos login doesnt resolve correct groups when smbd is
su'ing to the uid 
https://bugzilla.samba.org/show_bug.cgi?id=1165

Anyone? Please respond. I am desperate to get this working.

Thank you,
Steve

-Original Message-
From: Aden, Steve 
Sent: Friday, March 26, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: [Samba] RID to SID Bug? Share ACL Access Denied


Hello,
I have been trying to work through an Access Denied problem and
have found that the user rid is not getting mapped properly. I have yet
to figure out where the assigned rid is coming from, but I know that it
is incorrect. In the log (level 10) for the connecting computer, I see:

pdb_set_user_sid_from_rid:
 setting user sid S-1-5-21-74637098-2648309090-13861X-21006 from rid 21006

There are two problems here. One, the rid should be 1586 as verified with
rpcclient. Also the remainder of the sid does not match the W2K ADS
domain the samba server has been joined to. Instead it is the SID of the
domain for the samba server as verified with net getlocalsid:
SID for domain SAMBASERVER is: S-1-5-21-74637098-2648309090-13861X

net ads status shows the SID for the SAMBASERVER:
distinguishedName: CN=sambaserver,CN=Computers,DC=domain,DC=com
objectSid: S-1-5-21-1202660629-1292428093-18016X-1588

The Winbind log shows the correct lookup of the user and sid from the
W2K ADS domain. Since the sid doesn't actually represent the user, the
share acl's do not match and cause denial to the share. Tdbdump of the
winbindd_idmap.tdb shows the user's UID and actual SID. The UID matches
what is listed using getent passwd.

The commands wbinfo, getent, smbclient -k all work. I can kinit a user
and access Windows shares from the Samba server, but users cannot
connect to the Samba server by name from a Windows client. They can
access by ip address, but as I understand it, that method does not use
kerberos.

This is 3.0.2a-1 on Redhat 9.0 with security = ADS.

I have searched the Samba list archives and read man pages and the
HOWTO, but haven't been able to find an answer to why this is happening.
Any help would be greatly appreciated.


Thank you,
Steve Aden

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
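
The comparison described in the original post (split the logged user SID into its domain part and rid, then check it against the `net getlocalsid` output, the `net ads status` objectSid and the rid from rpcclient), as an added example that is not part of the thread and not Samba's own code. The sample log is the thread's level-10 lines with mail wrapping undone; deriving the AD domain SID from the machine account's objectSid is an assumption, and the function names are hypothetical.

```python
import re

# Values quoted in the thread. "X" is the poster's own masking, so
# sub-authorities are compared as opaque strings, not integers.
LOCAL_SID = "S-1-5-21-74637098-2648309090-13861X"  # net getlocalsid
MACHINE_OBJECT_SID = "S-1-5-21-1202660629-1292428093-18016X-1588"  # net ads status
EXPECTED_RID = "1586"  # rid of the user as reported by rpcclient

# Constructed sample: the thread's log lines with wrapping undone.
SAMPLE_LOG = """\
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_domain(620)
  pdb_set_domain: setting domain SAMBASERVER, was
[2004/03/31 15:45:48, 10] passdb/pdb_get_set.c:pdb_set_user_sid(520)
  pdb_set_user_sid: setting user sid S-1-5-21-74637098-2648309090-13861X-21002
[2004/03/31 15:45:48, 10] passdb/pdb_compat.c:pdb_set_user_sid_from_rid(73)
  pdb_set_user_sid_from_rid:
  setting user sid S-1-5-21-74637098-2648309090-13861X-21002 from rid 21002
"""

SID_RE = re.compile(r"setting user sid\s+(S-1-\d+(?:-\w+)+)")

def split_sid(sid):
    """Split a SID into (domain SID, rid): the rid is the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, rid

def session_sids(log_text):
    """Return the distinct user SIDs smbd assigned, in order of appearance."""
    return list(dict.fromkeys(SID_RE.findall(log_text)))

def check_sid(sid, ad_domain_sid, local_sid, expected_rid):
    """Compare one logged SID with what the AD account should map to."""
    domain, rid = split_sid(sid)
    findings = []
    if domain == local_sid:
        findings.append("domain part is the Samba server's local SID")
    elif domain != ad_domain_sid:
        findings.append("domain part matches neither local nor AD domain")
    if rid != expected_rid:
        findings.append(f"rid {rid} != expected {expected_rid}")
    return findings

def audit(log_text):
    # Assumption: AD domain SID = machine account objectSid minus its rid.
    ad_domain_sid, _ = split_sid(MACHINE_OBJECT_SID)
    return {sid: check_sid(sid, ad_domain_sid, LOCAL_SID, EXPECTED_RID)
            for sid in session_sids(log_text)}

print(audit(SAMPLE_LOG))
```

An empty findings list for a SID means its domain part and rid agree with the AD account, which is what the share ACL entries are written against.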
