[Samba] SID problem with working samba - Samba


  1. [Samba] SID problem with working samba

    Hello,

    I have 1 PDC and 1 BDC using smbldap, and now I'm adding a server (as a
    domain member, not a BDC) that will have shares to be mounted by the
    clients.

    This server also uses smbldap and, at this moment, the service is
    working almost normally.

    The problem seems to be the typical SID problem, but my new samba
    reports the same SID as the PDC and BDC, and users can log into the
    domain and map shares. However, when mapping shares the log file
    prints these lines:

    [2008/01/22 21:06:13, 0, effective(0, 0), real(0, 0)]
    passdb/passdb.c:lookup_global_sam_name(596) User nobody with invalid
    SID S-1-5-21-3094878921-2476751602-3662942323-501 in passdb
    [2008/01/22 21:06:56, 0, effective(0, 0), real(0, 0)]
    passdb/passdb.c:lookup_global_sam_name(596) User USER with invalid
    SID S-1-5-21-3094878921-2476751602-3662942323-12534 in passdb

    smbclient -L also gives the same error.

    I'm guessing that these errors introduce latency, so shares are not
    mounted as fast as I would like.

    System LDAP is working and samba checks user credentials correctly
    against LDAP, with a valid SID too...

    Where can the problem be? Any ideas?

    thanks in advance,

    toni garcia
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] SID problem with working samba

    Hi,

    I will respond myself: I've discovered that my samba server responds
    incorrectly when I issue 'pdbedit -L -v user'.

    The domain and Primary Group SID are not the same as those the PDC
    or BDC report.

    If samba is getting account data from LDAP, and the LDAP server is the
    same for both servers, what am I missing?

    thanks,

    toni


    On Tue, 22 Jan 2008 21:22:28 +0100, toni wrote:

    > hello,
    >
    > i have 1 PDC and 1 BDC using smbldap, and now i'm adding a server (as
    > a domain member, not BDC) that will have shares to be mounted by the
    > clients.
    >
    > this server also uses smbldap and, at this moment, the service is
    > working almost normally.
    >
    > the problem seems to be the typical SID problem, but my new samba
    > reports to have the same SID that the PDC and BDC have, and users can
    > log into the domain and map shares. however, when mapping shares log
    > file prints these lines:
    >
    > [2008/01/22 21:06:13, 0, effective(0, 0), real(0, 0)]
    > passdb/passdb.c:lookup_global_sam_name(596) User nobody with invalid
    > SID S-1-5-21-3094878921-2476751602-3662942323-501 in passdb
    > [2008/01/22 21:06:56, 0, effective(0, 0), real(0, 0)]
    > passdb/passdb.c:lookup_global_sam_name(596) User USER with invalid
    > SID S-1-5-21-3094878921-2476751602-3662942323-12534 in passdb
    >
    > also, smbclient -L also gives the same error.
    >
    > i'm guessing that these error introduces latency, so shares are not
    > mounted as fast as i would like.
    >
    > system ldap is working and samba check user credentials correctly
    > against ldap, with a valid SID also...
    >
    > where can be the problem? any ideas?
    >
    > thanks in advance,
    >
    > toni garcia


  3. [Samba] Re: SID problem with working samba

    "toni" wrote in message
    news:20080122212228.5b9c62cb@gamma...
    > hello,
    >
    > i have 1 PDC and 1 BDC using smbldap, and now i'm adding a server (as a
    > domain member, not BDC) that will have shares to be mounted by the
    > clients.
    >
    > this server also uses smbldap and, at this moment, the service is
    > working almost normally.
    >
    > the problem seems to be the typical SID problem, but my new samba
    > reports to have the same SID that the PDC and BDC have, and users can
    > log into the domain and map shares. however, when mapping shares log
    > file prints these lines:


    I would not expect you to need smbldap on a member server. Typically,
    member servers authenticate against a pdc or bdc. They do not authenticate
    locally.

    One option is to load ldap on the server. Load Samba so it can configure
    against ldap.

    You can then configure the machine to use the ldap on the pdc for
    authentication.

    Chapter 7 of Samba by Example shows a few options regarding setting up
    a member server to authenticate against a pdc.




  4. Re: [Samba] Re: SID problem with working samba

    Hi,

    On Wed, 23 Jan 2008 07:54:57 -0500, Jamrock wrote:

    > "toni" wrote in message
    > news:20080122212228.5b9c62cb@gamma...
    > > hello,
    > >
    > > i have 1 PDC and 1 BDC using smbldap, and now i'm adding a server
    > > (as a domain member, not BDC) that will have shares to be mounted
    > > by the clients.
    > >
    > > this server also uses smbldap and, at this moment, the service is
    > > working almost normally.
    > >
    > > the problem seems to be the typical SID problem, but my new samba
    > > reports to have the same SID that the PDC and BDC have, and users
    > > can log into the domain and map shares. however, when mapping
    > > shares log file prints these lines:

    >
    > I would not expect you to need smbldap on a member server.
    > Typically, member servers authenticate against a pdc or bdc. They do
    > not authenticate locally.


    I'm getting correct behaviour with a passdb backend of ldapsam, but also
    a 40-60 second timeout when connecting to shares and the following
    lines in the log file:

    [2008/01/23 18:43:27, 0, effective(0, 0), real(0, 0)]
    passdb/passdb.c:lookup_global_sam_name(596)
    User USER with invalid SID
    S-1-5-21-3094878921-2476751602-3662942323-12534 in passdb


    I've read the documentation, chapter 7 as you suggested, and I've
    removed the ldap* configuration options and added the option
    "winbind trusted domains only = yes".

    With this new configuration, the 'invalid SID' lines are not shown, but
    I'm getting the annoying timeout when connecting to shares. Also, now,
    "pdbedit -L USER" can't find users and "smbclient -L -U USER%passwd"
    times out after 20 seconds (this is the same as before).

    Now, my smb.conf contains:

    [global]
    netbios name = SERVERNAME
    workgroup = DOMAIN
    security = domain
    local master = no
    password server = *
    winbind trusted domains only = yes
    mangling method = hash2
    encrypt passwords = yes
    ; wins is the PDC
    wins server = 10.0.2.1


    > One option is to load ldap on the server. Load Samba so it can
    > configure against ldap.
    >
    > You can then configure the machine to use the ldap on the pdc for
    > authentication.


    This server also has an LDAP server to resolve system users (via
    nsswitch), and its contents are replicated from a master LDAP on the
    PDC (I think this is what you are proposing, isn't it?)

    >
    > Chapter 7 of Samba by Example shows a few options re: setting up a
    > member server to authenticate against a pdc.
    >


    Thanks for your help

  5. [Samba] Re: Re: SID problem with working samba


    "toni" wrote in message
    news:20080123201746.45b21417@gamma...

    > this server has also a ldap server to resolve system users (via
    > nsswitch), and the contents are replicated from a master ldap in the
    > PDC (i think this is what you are proposing, isn't it?)


    Not really. On a Windows 2003 domain, there are a few domain controllers
    that contain Active Directory. Active Directory is not loaded on member
    servers. No replication takes place there.

    The member server is configured to redirect all authentication requests to a
    domain controller.

    Chapter 7 discusses the various ways that Samba member servers can be
    configured to redirect authentication requests to a single database of
    usernames and passwords.

    You can use NSS/LDAP. You can use NSS and Winbind. You can use an adduser
    script if you don't want to use NSS.

    The common factor in all three approaches is the fact that the pdc contains
    the authoritative list of usernames and passwords. Member servers query
    that list.

    The member server will cache the data it sees on the pdc but the pdc is the
    definitive source.

    Look at the smb.conf file in example 7.1. It simply tells the member
    server to look to the ldap installation on the pdc when it needs to
    authenticate users. The /etc/nsswitch.conf is configured to use ldap for
    authentication. The only difference here is that the ldap is stored on
    another machine.

    I am not looking at my member server now, but I think your /etc/ldap.conf
    file should also point to the pdc.





  6. Re: [Samba] Re: Re: SID problem with working samba

    Hi again,

    On Thu, 24 Jan 2008 05:49:20 -0500, Jamrock wrote:

    >
    > "toni" wrote in message
    > news:20080123201746.45b21417@gamma...
    >
    > > this server has also a ldap server to resolve system users (via
    > > nsswitch), and the contents are replicated from a master ldap in the
    > > PDC (i think this is what you are proposing, isn't it?)

    >
    > Not really. On a Windows 2003 domain, there are a few domain
    > controllers that contain Active Directory. Active Directory is not
    > loaded on member servers. No replication takes place there.
    >
    > The member server is configured to redirect all authentication
    > requests to a domain controller.
    >
    > Chapter 7 discusses the various ways that Samba member servers can be
    > configured to redirect authentication requests to a single database of
    > usernames and passwords.
    >
    > You can use NSS/LDAP. You can use NSS and Winbind. You can use an
    > adduser script if you don't want to use NSS.


    I would like to use nss/ldap, because the BDC and PDC use it, for
    simplicity. This is what I'm trying.

    >
    > The common factor in all three approaches is the fact that the pdc
    > contains the authoritative list of usernames and passwords. Member
    > servers query that list.
    >
    > The member server will cache the data it sees on the pdc but the pdc
    > is the definitive source.
    >

    Yes, this is what I'm doing: the LDAP server on the BDC and on the
    member server is replicated from the PDC and synchronized using slurpd.
    However, I've changed my ldap.conf and smb.conf to check directly
    against the LDAP on the PDC.

    > Look at the smb.conf file in example 7.1.. It simply tells the member
    > server to look to the ldap installation on the pdc when it needs to
    > authenticate users. The /etc/nsswitch.conf is configured to use ldap
    > for authentication. The only difference here is that the ldap is
    > stored on another machine.


    I have the same configuration (as far as I can understand) that example
    7.1 shows, but with winbindd started I can't mount shares from clients
    and the log file shows:

    [2008/01/24 17:13:32, 0, effective(0, 0), real(0, 0)] rpc_client/cli_pipe.c:cli_rpc_pipe_open_ntlmssp_internal(2362)
    cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED

    If I stop winbindd, I can mount shares but I must wait for the 60
    second timeout.


    I'm trying to figure out where the problem is regarding the nss/ldap
    configuration, and I think the problem is the Primary Group SID: when
    winbindd runs, pdbedit shows the correct value, but when it's stopped,
    it shows an incorrect value (I think this causes the timeout).

    Thanks for your help!


    My smb.conf now (complete):

    [global]
    netbios name = SERVER
    workgroup = DOMAIN
    local master = no
    security = domain
    password server = *
    mangling method = hash2
    encrypt passwords = yes
    passdb backend = ldapsam:"ldaps://pdc ldap://localhost"
    idmap backend = ldap:"ldaps://pdc ldap://localhost"
    ldap suffix = dc=domain,dc=intranet
    ldap admin dn = cn=Manager,dc=domain,dc=intranet
    ldap ssl = yes
    ldap machine suffix = ou=Machines
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap passwd sync = Yes
    ldap delete dn = Yes
    add user script = /opt/smbldap_tools-0.9.1/smbldap-useradd -a '%u'
    delete user script = /opt/smbldap_tools-0.9.1/smbldap-userdel '%u'
    add group script = /opt/smbldap_tools-0.9.1/smbldap-groupadd -p '%g'
    delete group script = /opt/smbldap_tools-0.9.1/smbldap-groupdel '%g'
    add user to group script = /opt/smbldap_tools-0.9.1/smbldap-groupmod -m '%u' '%g'
    delete user from group script = /opt/smbldap_tools-0.9.1/smbldap-groupmod -x '%u' '%g'
    set primary group script = /opt/smbldap_tools-0.9.1/smbldap-usermod -g '%g' '%u'
    add machine script = /opt/smbldap_tools-0.9.1/smbldap-useradd -w '%u'
    passwd program = /opt/smbldap_tools-0.9.1/smbldap-passwd '%u'
    passwd chat = *ew*password* %n\n *new*password* %n\n
    passwd chat debug = Yes
    socket options = SO_KEEPALIVE TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    interfaces = eth0
    name resolve order = hosts wins lmhosts bcast
    dos charset = CP850
    unix charset = ISO8859-1
    wins server = 10.0.2.11
    time server = yes
    log file = /var/log/samba/samba.%m.log
    log level = 0
    max log size = 100000
    debug uid = yes
    load printers = yes
    printing = cups
    printcap name = cups
    cups server = 10.0.2.22
    enable privileges = yes
    nt acl support = yes
    inherit acls = Yes
    unix password sync = no
    unix extensions = no
