Hello,

I am working on a configuration of Samba309 PDC OpenLDAP.

I am getting errors in my smbd log file complaining about SID lookup
failures. For example, when opening a printer property page on Win XP:

[2004/11/29 23:45:08, 5] rpc_server/srv_lsa_nt.c:init_lsa_trans_names(259)
init_lsa_trans_names: looking up sid S-1-5-32-548

then there is a really long delay before the next line

[2004/11/29 23:45:24, 10] passdb/lookup_sid.c:lookup_sid(98)
lookup_sid: winbind lookup for SID S-1-5-32-548 failed - trying local.
[2004/11/29 23:45:24, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(167)
map_domain_sid_to_name: S-1-5-32
[2004/11/29 23:45:24, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(174)
map_domain_sid_to_name: compare: S-1-5-21-2447010516-1360269415-922591102
[2004/11/29 23:45:24, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(174)
map_domain_sid_to_name: compare: S-1-5-21-2447010516-1360269415-922591102
[2004/11/29 23:45:24, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(174)
map_domain_sid_to_name: compare: S-1-5-32
[2004/11/29 23:45:24, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(177)
map_domain_sid_to_name: found 'BUILTIN'
[2004/11/29 23:45:24, 5] passdb/util_sam_sid.c:lookup_known_rid(207)
lookup_builtin_rid: rid = 548, domain = 'BUILTIN', user = 'Account
Operators'
[2004/11/29 23:45:24, 5] rpc_server/srv_lsa_nt.c:init_lsa_trans_names(266)
init_lsa_trans_names: found
[2004/11/29 23:45:24, 10] rpc_server/srv_lsa_nt.c:init_lsa_trans_names(285)
init_lsa_trans_names: added user 'BUILTIN\Account Operators' to referenced
list.
[2004/11/29 23:45:24, 5] rpc_server/srv_lsa_nt.c:init_lsa_trans_names(259)
init_lsa_trans_names: looking up sid S-1-5-32-549

then another really long delay before

[2004/11/29 23:45:40, 10] passdb/lookup_sid.c:lookup_sid(98)
lookup_sid: winbind lookup for SID S-1-5-32-549 failed - trying local.
[2004/11/29 23:45:40, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(167)
map_domain_sid_to_name: S-1-5-32
[2004/11/29 23:45:40, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(174)
map_domain_sid_to_name: compare: S-1-5-21-2447010516-1360269415-922591102
[2004/11/29 23:45:40, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(174)
map_domain_sid_to_name: compare: S-1-5-21-2447010516-1360269415-922591102
[2004/11/29 23:45:40, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(174)
map_domain_sid_to_name: compare: S-1-5-32
[2004/11/29 23:45:40, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(177)
map_domain_sid_to_name: found 'BUILTIN'
[2004/11/29 23:45:40, 5] passdb/util_sam_sid.c:lookup_known_rid(207)
lookup_builtin_rid: rid = 549, domain = 'BUILTIN', user = 'Server
Operators'
[2004/11/29 23:45:40, 5] rpc_server/srv_lsa_nt.c:init_lsa_trans_names(266)
init_lsa_trans_names: found
[2004/11/29 23:45:40, 10] rpc_server/srv_lsa_nt.c:init_lsa_trans_names(285)
init_lsa_trans_names: added user 'BUILTIN\Server Operators' to referenced
list.
[2004/11/29 23:45:40, 5] rpc_server/srv_lsa_nt.c:init_lsa_trans_names(259)
init_lsa_trans_names: looking up sid S-1-5-32-550

another delay, then

[2004/11/29 23:45:56, 10] passdb/lookup_sid.c:lookup_sid(98)
lookup_sid: winbind lookup for SID S-1-5-32-550 failed - trying local.
[2004/11/29 23:45:56, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(167)
map_domain_sid_to_name: S-1-5-32
[2004/11/29 23:45:56, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(174)
map_domain_sid_to_name: compare: S-1-5-21-2447010516-1360269415-922591102
[2004/11/29 23:45:56, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(174)
map_domain_sid_to_name: compare: S-1-5-21-2447010516-1360269415-922591102
[2004/11/29 23:45:56, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(174)
map_domain_sid_to_name: compare: S-1-5-32
[2004/11/29 23:45:56, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(177)
map_domain_sid_to_name: found 'BUILTIN'
[2004/11/29 23:45:56, 5] passdb/util_sam_sid.c:lookup_known_rid(207)
lookup_builtin_rid: rid = 550, domain = 'BUILTIN', user = 'Print
Operators'
[2004/11/29 23:45:56, 5] rpc_server/srv_lsa_nt.c:init_lsa_trans_names(266)
init_lsa_trans_names: found
[2004/11/29 23:45:56, 10] rpc_server/srv_lsa_nt.c:init_lsa_trans_names(285)
init_lsa_trans_names: added user 'BUILTIN\Print Operators' to referenced
list.
[2004/11/29 23:45:56, 5] rpc_server/srv_lsa_nt.c:init_lsa_trans_names(259)
init_lsa_trans_names: looking up sid S-1-5-32-553

and one more delay...

[2004/11/29 23:46:12, 10] passdb/lookup_sid.c:lookup_sid(98)
lookup_sid: winbind lookup for SID S-1-5-32-553 failed - trying local.
[2004/11/29 23:46:12, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(167)
map_domain_sid_to_name: S-1-5-32
[2004/11/29 23:46:12, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(174)
map_domain_sid_to_name: compare: S-1-5-21-2447010516-1360269415-922591102
[2004/11/29 23:46:12, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(174)
map_domain_sid_to_name: compare: S-1-5-21-2447010516-1360269415-922591102
[2004/11/29 23:46:12, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(174)
map_domain_sid_to_name: compare: S-1-5-32
[2004/11/29 23:46:12, 5] passdb/util_sam_sid.c:map_domain_sid_to_name(177)
map_domain_sid_to_name: found 'BUILTIN'
[2004/11/29 23:46:12, 5] passdb/util_sam_sid.c:lookup_known_rid(207)
lookup_builtin_rid: rid = 553, domain = 'BUILTIN', user = 'RAS Servers'
[2004/11/29 23:46:12, 5] rpc_server/srv_lsa_nt.c:init_lsa_trans_names(266)
init_lsa_trans_names: found
[2004/11/29 23:46:12, 10] rpc_server/srv_lsa_nt.c:init_lsa_trans_names(285)
init_lsa_trans_names: added user 'BUILTIN\RAS Servers' to referenced list.
[2004/11/29 23:46:12, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (1561, 513) - sec_ctx_stack_ndx = 0
[2004/11/29 23:46:12, 5] rpc_parse/parse_prs.c:prs_debug(82)
000000 lsa_io_r_lookup_sids
[2004/11/29 23:46:12, 5] rpc_parse/parse_prs.c:prs_uint32(635)
0000 ptr_dom_ref: 00000001
[2004/11/29 23:46:12, 6] rpc_parse/parse_prs.c:prs_debug(82)
000004 lsa_io_dom_r_ref dom_ref
(... more stuff cut...)

Then the printer properties page appears as one would expect. It is also
possible to print; similar delays are experienced, but the page ultimately
prints.

I obviously have a problem looking up SIDs. I'm not sure what these are
exactly - I think they're a Windows equivalent of a Unix uid? I'm not sure
how or why they're used.

I'm not sure what I'm doing wrong, please help!!

Much appreciated, John.
Please reply to the group or e-mail (usenet at jelmail dot com)


My smb.conf is shown below:
# Global settings: this host is configured as a domain controller
# (domain logons, domain master) with accounts held in LDAP via ldapsam.
[global]
workgroup = MYSERVER
netbios name = PDC-SRV
server string = SAMBA-LDAP PDC Server

# NOTE(review): 'preferred master' is set twice below with the same value;
# one of the two lines is redundant.
preferred master = Yes
domain master = Yes
preferred master = Yes
local master = Yes

security = user
encrypt passwords = yes
domain logons = Yes
logon script = STARTUP.BAT

os level = 65
time server = yes

#a separate log file for each machine that connects
# NOTE(review): the smbd excerpts quoted in this post contain level 5 and
# level 10 messages, so they were presumably captured with a higher log
# level than the 1 configured here.
log level = 1
log file = /var/log/samba/%m.log

# NOTE(review): the commented-out 'passwd chat' value below wraps onto a
# following line that does not start with '#'. This looks like a mail
# line-wrap artifact; confirm the real file does not contain the stray line.
#unix password sync = Yes
#passwd program = /usr/local/sbin/smbldap-passwd -u %u
#passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new
password*" %n\n"
ldap passwd sync = Yes

; SAMBA-LDAP declarations
passdb backend = ldapsam:ldap://blfs.myserver.com/
# ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
#ldap admin dn = cn=samba,dc=myserver,dc=com
# The password for the admin DN is not stored in smb.conf; Samba keeps it
# in its secrets database (set with 'smbpasswd -w').
ldap admin dn = cn=samba,ou=DSA,dc=myserver,dc=com
ldap suffix = dc=myserver,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
# start_tls upgrades the plain ldap:// connection above to TLS.
# NOTE(review): whether the server certificate is verified depends on the
# LDAP client library configuration on this host - confirm.
ldap ssl = start_tls

# Account-management hooks handed to the smbldap-* tools; %u and %g are
# passed inside double quotes.
# NOTE(review): 'add machine script' is defined twice below with the same
# value; one of the two lines is redundant.
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
#delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

Dos charset = 850
Unix charset = ISO8859-1

load printers = yes
printing = cups
printcap name = cups

# Logon-script share: read-only and hidden from browsing, with one
# exception granted through 'write list'.
[netlogon]
path = /home/samba/netlogon/
browseable = No
read only = yes
# NOTE(review): 'ntadmin' has no '@' prefix, so it names a single user,
# while [printers] refers to a group '@ntadmins' - confirm which is intended.
# Whoever can write here controls the scripts clients run at logon.
write list = ntadmin

# Per-user home directory shares, writable and hidden from browsing.
[homes]
comment = Home Directories
# NOTE(review): %U expands to the session user name, so this check appears
# to be satisfied by any authenticated user; %S (the share name) is the
# usual choice for limiting a home share to its owner - confirm.
valid users = %U
read only = No
# These masks permit group-write and world-read bits on new files and
# directories in home directories.
create mask = 0664
directory mask = 0775
browseable = No

# Roaming-profile share: writable, hidden from browsing, new files limited
# to owner-only permission bits.
[profiles]
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No
# NOTE(review): guest access is enabled on a share that holds user
# profiles and also carries a 'valid users' list below - confirm that
# guest access is really wanted here.
guest ok = Yes
profile acls = Yes
csc policy = disable
# next line is a great way to secure the profiles
# NOTE(review): %U is the connecting user's own name, so it is unclear what
# forcing it adds for an already authenticated session - confirm.
force user = %U
# next line allows administrator to access all profiles
valid users = %U @"Domain Admins"


# Documentation share exported from /usr/share/doc with guest access.
[doc]
path=/usr/share/doc
public=yes
# NOTE(review): 'writable=no' and 'read only=no' contradict each other
# (writable is the inverse of read only). The later line presumably wins,
# which would leave this guest-accessible share writable as far as
# filesystem permissions allow - confirm and keep only the intended one.
writable=no
read only=no
create mask = 0750
guest ok = Yes

# Printer share: spool directory /var/spool/samba, printable, not writable
# as a file share.
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# NOTE(review): guest access is enabled here while 'valid users' is also
# set below - confirm whether unauthenticated printing is intended.
public = yes
guest ok = yes
writable = no
printable = yes
# NOTE(review): this names the group '@ntadmins', whereas [print$] grants
# printer admin to @"Domain Admins" and [netlogon] names 'ntadmin' - confirm
# that these refer to the intended accounts.
printer admin = root, @ntadmins
valid users = %U

# Printer-driver share that clients download drivers from.
[print$]
#dir for print drivers
path = /usr/share/cups/drivers
guest ok = yes
browseable = yes
# NOTE(review): with 'read only = no' the share is writable by everyone who
# can connect (guests included, subject to filesystem permissions), so the
# 'write list' below adds no restriction. Driver files are loaded by client
# machines, so the commented-out 'read only = yes' plus the write list is
# the tighter setup - confirm which is intended.
#read only = yes
read only = no
#members of sys group wheel can install drivers
# NOTE(review): the comment above mentions group wheel, but the list below
# names root, "Domain Admins", john and administrator.
write list = root, @"Domain Admins", john, administrator
printer admin = root, @"Domain Admins", john, administrator