Re: [Samba] Samba LDAP troubleshooting
Brad C wrote:
> Hi There,
>
> Yep, Ok now I understand the SID needs to be the same as the server the
> client formed the initial security relationship with, Is this correct?
>
> Kind Regards
> Brad

yes.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba LDAP troubleshooting
Hi There,

Yep, Ok now I understand the SID needs to be the same as the server the
client formed the initial security relationship with, Is this correct?

Kind Regards
Brad

On Tue, Mar 17, 2009 at 7:47 PM, Adam Williams wrote:
> well the user's sid is invalid. does it match the domain's sid with net
> getdomainsid?
>
> Brad C wrote:
>
>> Hello
>>
>> I'm hoping someone can provide some insight, sample snippet from smb.conf
>> and the samba log.
>> Password authentication is working & succeeding, complains about an invalid
>> SID which I know is the trust relationship that is formed between server and
>> client, this is a duplicate ldap database from a samba domain controller.
>>
>> On the topic, anyone have a good book to recommend on Samba, I feel I am
>> only using 10% of its capability and not really well at that... something is
>> staring me in the face and I'm missing it.
>>
>> [global]
>> workgroup = companyx
>> printing = cups
>> hosts allow = 192.168.1.
>> printcap name = cups
>> printcap cache time = 750
>> cups options = raw
>> map to guest = Bad User
>> include = /etc/samba/dhcp.conf
>> security = user
>> encrypt passwords = Yes
>> obey pam restrictions = No
>> log level = 2
>> passdb backend = ldapsam:ldap://127.0.0.1/
>> ldap admin dn = cn=manager,dc=companyx,dc=co,dc=za
>> ldap suffix = dc=companyx,dc=co,dc=za
>> ldap group suffix = ou=Groups
>> ldap user suffix = ou=Users
>> ldap machine suffix = ou=Computers
>> ldap idmap suffix = ou=Users
>> ldap ssl = off
>> ldap delete dn = Yes
>>
>> [testdir]
>> comment = test1
>> path = "/data/test"
>> browseable = yes
>> writable = yes
>> read only = no
>> available = yes
>> valid users = bradleyc
>> admin users = bradleyc
>>
>> [2009/03/13 08:36:39, 2] lib/access.c:check_access(406)
>>   Allowed connection from ___192.168.2.154 (:::192.168.2.154)
>> [2009/03/13 08:36:39, 2] lib/smbldap.c:smbldap_open_connection(796)
>>   smbldap_open_connection: connection opened
>> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
>>   init_sam_from_ldap: Entry found for user: bradleyc
>> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>   init_group_from_ldap: Entry found for group: 513
>> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>   init_group_from_ldap: Entry found for group: 513
>> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>   init_group_from_ldap: Entry found for group: 1010
>> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>   init_group_from_ldap: Entry found for group: 512
>> [2009/03/13 08:36:39, 2] auth/auth.c:check_ntlm_password(308)
>>   check_ntlm_password: authentication for user [bradleyc] -> [bradleyc] -> [bradleyc] succeeded
>> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>   init_group_from_ldap: Entry found for group: 544
>> [2009/03/13 08:36:39, 2] lib/access.c:check_access(406)
>>   Allowed connection from :::192.168.2.154 (:::192.168.2.154)
>> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
>>   init_sam_from_ldap: Entry found for user: bradleyc
>> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>   init_group_from_ldap: Entry found for group: 513
>> [2009/03/13 08:36:39, 0] passdb/passdb.c:lookup_global_sam_name(595)
>>   User bradleyc with invalid SID S-1-5-21-1571991244-1820204139-1100571284-3420 in passdb
>> [2009/03/13 08:36:39, 2] smbd/service.c:make_connection_snum(736)
>>   user 'bradleyc' (from session setup) not permitted to access this share (testdir)
Re: [Samba] Samba LDAP troubleshooting
well the user's sid is invalid. does it match the domain's sid with net
getdomainsid?

Brad C wrote:
> Hello
>
> I'm hoping someone can provide some insight, sample snippet from smb.conf
> and the samba log.
> Password authentication is working & succeeding, complains about an invalid
> SID which I know is the trust relationship that is formed between server and
> client, this is a duplicate ldap database from a samba domain controller.
>
> On the topic, anyone have a good book to recommend on Samba, I feel I am
> only using 10% of its capability and not really well at that... something is
> staring me in the face and I'm missing it.
>
> [global]
> workgroup = companyx
> printing = cups
> hosts allow = 192.168.1.
> printcap name = cups
> printcap cache time = 750
> cups options = raw
> map to guest = Bad User
> include = /etc/samba/dhcp.conf
> security = user
> encrypt passwords = Yes
> obey pam restrictions = No
> log level = 2
> passdb backend = ldapsam:ldap://127.0.0.1/
> ldap admin dn = cn=manager,dc=companyx,dc=co,dc=za
> ldap suffix = dc=companyx,dc=co,dc=za
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Users
> ldap ssl = off
> ldap delete dn = Yes
>
> [testdir]
> comment = test1
> path = "/data/test"
> browseable = yes
> writable = yes
> read only = no
> available = yes
> valid users = bradleyc
> admin users = bradleyc
>
> [2009/03/13 08:36:39, 2] lib/access.c:check_access(406)
>   Allowed connection from ___192.168.2.154 (:::192.168.2.154)
> [2009/03/13 08:36:39, 2] lib/smbldap.c:smbldap_open_connection(796)
>   smbldap_open_connection: connection opened
> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
>   init_sam_from_ldap: Entry found for user: bradleyc
> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>   init_group_from_ldap: Entry found for group: 513
> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>   init_group_from_ldap: Entry found for group: 513
> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>   init_group_from_ldap: Entry found for group: 1010
> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>   init_group_from_ldap: Entry found for group: 512
> [2009/03/13 08:36:39, 2] auth/auth.c:check_ntlm_password(308)
>   check_ntlm_password: authentication for user [bradleyc] -> [bradleyc] -> [bradleyc] succeeded
> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>   init_group_from_ldap: Entry found for group: 544
> [2009/03/13 08:36:39, 2] lib/access.c:check_access(406)
>   Allowed connection from :::192.168.2.154 (:::192.168.2.154)
> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
>   init_sam_from_ldap: Entry found for user: bradleyc
> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>   init_group_from_ldap: Entry found for group: 513
> [2009/03/13 08:36:39, 0] passdb/passdb.c:lookup_global_sam_name(595)
>   User bradleyc with invalid SID S-1-5-21-1571991244-1820204139-1100571284-3420 in passdb
> [2009/03/13 08:36:39, 2] smbd/service.c:make_connection_snum(736)
>   user 'bradleyc' (from session setup) not permitted to access this share (testdir)
Re: [Samba] Samba LDAP troubleshooting
Hi Julian,

It is not acting as a domain controller, I would like to use the ldap
backend of the pdc to authenticate instead of having to setup separate
passwords.
I have not reset passwords, it's a duplicate database of the pdc.

net getlocalsid
SID for domain ITSHARE is: S-1-5-21-1243312448-3956249592-3341015638

Kind Regards
Brad

On Fri, Mar 13, 2009 at 12:39 PM, wrote:
> Hiya,
>
> A few questions.
>
> Is the machine a PDC
>
> what's the output of the command "net getlocalsid" in a terminal
>
> What scripts are you using to change passwords? smbldaptools?
>
> Cheers,
>
> Julian
>
> > Hello
> >
> > I'm hoping someone can provide some insight, sample snippet from smb.conf
> > and the samba log.
> > Password authentication is working & succeeding, complains about an invalid
> > SID which I know is the trust relationship that is formed between server and
> > client, this is a duplicate ldap database from a samba domain controller.
> >
> > On the topic, anyone have a good book to recommend on Samba, I feel I am
> > only using 10% of its capability and not really well at that... something is
> > staring me in the face and I'm missing it.
> >
> > [global]
> > workgroup = companyx
> > printing = cups
> > hosts allow = 192.168.1.
> > printcap name = cups
> > printcap cache time = 750
> > cups options = raw
> > map to guest = Bad User
> > include = /etc/samba/dhcp.conf
> > security = user
> > encrypt passwords = Yes
> > obey pam restrictions = No
> > log level = 2
> > passdb backend = ldapsam:ldap://127.0.0.1/
> > ldap admin dn = cn=manager,dc=companyx,dc=co,dc=za
> > ldap suffix = dc=companyx,dc=co,dc=za
> > ldap group suffix = ou=Groups
> > ldap user suffix = ou=Users
> > ldap machine suffix = ou=Computers
> > ldap idmap suffix = ou=Users
> > ldap ssl = off
> > ldap delete dn = Yes
> >
> > [testdir]
> > comment = test1
> > path = "/data/test"
> > browseable = yes
> > writable = yes
> > read only = no
> > available = yes
> > valid users = bradleyc
> > admin users = bradleyc
> >
> > [2009/03/13 08:36:39, 2] lib/access.c:check_access(406)
> >   Allowed connection from ___192.168.2.154 (:::192.168.2.154)
> > [2009/03/13 08:36:39, 2] lib/smbldap.c:smbldap_open_connection(796)
> >   smbldap_open_connection: connection opened
> > [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
> >   init_sam_from_ldap: Entry found for user: bradleyc
> > [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >   init_group_from_ldap: Entry found for group: 513
> > [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >   init_group_from_ldap: Entry found for group: 513
> > [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >   init_group_from_ldap: Entry found for group: 1010
> > [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >   init_group_from_ldap: Entry found for group: 512
> > [2009/03/13 08:36:39, 2] auth/auth.c:check_ntlm_password(308)
> >   check_ntlm_password: authentication for user [bradleyc] -> [bradleyc] -> [bradleyc] succeeded
> > [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >   init_group_from_ldap: Entry found for group: 544
> > [2009/03/13 08:36:39, 2] lib/access.c:check_access(406)
> >   Allowed connection from :::192.168.2.154 (:::192.168.2.154)
> > [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
> >   init_sam_from_ldap: Entry found for user: bradleyc
> > [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >   init_group_from_ldap: Entry found for group: 513
> > [2009/03/13 08:36:39, 0] passdb/passdb.c:lookup_global_sam_name(595)
> >   User bradleyc with invalid SID S-1-5-21-1571991244-1820204139-1100571284-3420 in passdb
> > [2009/03/13 08:36:39, 2] smbd/service.c:make_connection_snum(736)
> >   user 'bradleyc' (from session setup) not permitted to access this share (testdir)
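Added example, not part of any post in this thread: a shell check of the comparison the replies ask for, taking the SID that smbd rejects in the log and comparing its domain part with the SID the server reports. The sample text is constructed from values quoted in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Sample text is constructed from values quoted in the thread;
# on a live host it would come from `net getlocalsid` and the smbd log.
LOCALSID_OUTPUT='SID for domain ITSHARE is: S-1-5-21-1243312448-3956249592-3341015638'
SAMPLE_LOG='[2009/03/13 08:36:39, 0] passdb/passdb.c:lookup_global_sam_name(595)
  User bradleyc with invalid SID S-1-5-21-1571991244-1820204139-1100571284-3420 in passdb'

# Print the first domain-style SID (S-1-5-21-...) found on stdin.
extract_sid() {
    grep -Eo 'S-1-5-21(-[0-9]+){3,4}' | head -n 1
}

# Domain part of an account SID: everything before the trailing RID.
sid_domain() {
    printf '%s\n' "${1%-*}"
}

# Read an smbd log on stdin; for each "invalid SID" entry print
# "<user> <sid> match|mismatch", comparing the SID's domain part with $1.
check_invalid_sids() {
    want_sid=$1
    sed -n 's/.*User \([^ ]*\) with invalid SID \(S-[0-9-]*\).*/\1 \2/p' |
    while read -r user sid; do
        if [ "$(sid_domain "$sid")" = "$want_sid" ]; then
            echo "$user $sid match"
        else
            echo "$user $sid mismatch"
        fi
    done
}

server_sid=$(printf '%s\n' "$LOCALSID_OUTPUT" | extract_sid)
echo "server SID: $server_sid"
printf '%s\n' "$SAMPLE_LOG" | check_invalid_sids "$server_sid"
```

With the thread's values the user's SID is reported as a mismatch: its domain part is S-1-5-21-1571991244-1820204139-1100571284, while the server reports S-1-5-21-1243312448-3956249592-3341015638.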
Re: [Samba] Samba LDAP troubleshooting
Hiya,

A few questions.

Is the machine a PDC

what's the output of the command "net getlocalsid" in a terminal

What scripts are you using to change passwords? smbldaptools?

Cheers,

Julian

> Hello
>
> I'm hoping someone can provide some insight, sample snippet from smb.conf
> and the samba log.
> Password authentication is working & succeeding, complains about an invalid
> SID which I know is the trust relationship that is formed between server and
> client, this is a duplicate ldap database from a samba domain controller.
>
> On the topic, anyone have a good book to recommend on Samba, I feel I am
> only using 10% of its capability and not really well at that... something is
> staring me in the face and I'm missing it.
>
> [global]
> workgroup = companyx
> printing = cups
> hosts allow = 192.168.1.
> printcap name = cups
> printcap cache time = 750
> cups options = raw
> map to guest = Bad User
> include = /etc/samba/dhcp.conf
> security = user
> encrypt passwords = Yes
> obey pam restrictions = No
> log level = 2
> passdb backend = ldapsam:ldap://127.0.0.1/
> ldap admin dn = cn=manager,dc=companyx,dc=co,dc=za
> ldap suffix = dc=companyx,dc=co,dc=za
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Users
> ldap ssl = off
> ldap delete dn = Yes
>
> [testdir]
> comment = test1
> path = "/data/test"
> browseable = yes
> writable = yes
> read only = no
> available = yes
> valid users = bradleyc
> admin users = bradleyc
>
> [2009/03/13 08:36:39, 2] lib/access.c:check_access(406)
>   Allowed connection from ___192.168.2.154 (:::192.168.2.154)
> [2009/03/13 08:36:39, 2] lib/smbldap.c:smbldap_open_connection(796)
>   smbldap_open_connection: connection opened
> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
>   init_sam_from_ldap: Entry found for user: bradleyc
> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>   init_group_from_ldap: Entry found for group: 513
> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>   init_group_from_ldap: Entry found for group: 513
> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>   init_group_from_ldap: Entry found for group: 1010
> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>   init_group_from_ldap: Entry found for group: 512
> [2009/03/13 08:36:39, 2] auth/auth.c:check_ntlm_password(308)
>   check_ntlm_password: authentication for user [bradleyc] -> [bradleyc] -> [bradleyc] succeeded
> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>   init_group_from_ldap: Entry found for group: 544
> [2009/03/13 08:36:39, 2] lib/access.c:check_access(406)
>   Allowed connection from :::192.168.2.154 (:::192.168.2.154)
> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
>   init_sam_from_ldap: Entry found for user: bradleyc
> [2009/03/13 08:36:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>   init_group_from_ldap: Entry found for group: 513
> [2009/03/13 08:36:39, 0] passdb/passdb.c:lookup_global_sam_name(595)
>   User bradleyc with invalid SID S-1-5-21-1571991244-1820204139-1100571284-3420 in passdb
> [2009/03/13 08:36:39, 2] smbd/service.c:make_connection_snum(736)
>   user 'bradleyc' (from session setup) not permitted to access this share (testdir)