of my accounts. And so the old SID somewhere somehow encoded within the
> The first part of any SID is the domain portion. It should be pretty
> constant throughout your domain as I understand things. When dealing
> with users and groups, the bit after the last dash is the RID or
> relative ID and it must be unique within the domain. Really really
> unique! If samba created your user & group sids the groups will be
> odd-numbered and users will be even-numbered.
>
> So, for example, the domain SID for my domain looks somewhat like this:
>
> SID for domain DARKAGES is: S-1-5-21-267844371-1268535915-2638854549
>
> And the SID for my PDC and BDCs are exactly the same, although other
> servers (that are not either PDCs or BDCs) have their own unique SIDs.
>
> My personal SID looks like this: S-1-5-21-267844371-1268535915-2638854549-1802
>
> Notice my RID of 1802 on the end there? I have a uidNumber of 401 on
> the POSIX side. The beginning bit seems to define my domain
> membership, though.
>
> If I change the domain SID on my PDC with "net setlocalsid" I can no
> longer log in using my own account, apparently because I do not have
> the right SID. There are ways to get around that involving winbind
> and/or domain trust accounts - but I can't explain those things
> because I don't understand them either. My knowledge of CIFS and
> samba is pretty shallow.
>
> We may be off in the weeds here, though - you should check out samba's
> automagical [homes] share and see if you can make it do what you want
> without having to do the %U thing.
>
> --Charlie
>
> On Wed, May 14, 2008 at 6:23 PM, Wes Modes <wmodes@...> wrote:
>
>> It does not. But then the SID of each user doesn't match those of each other
>> either. I've seen that asked before, but are you sure the machine's SID and
>> every user SID should be the same?
>>
>> W.
>>
>> Charlie wrote:
>>
>> If you do a "net getlocalsid" at your shell prompt on the samba server
>> that hosts the share, does the preamble of the SID returned match that
>> of the SID you see in your error messages?
>>
>> I'm betting not...
>>
>> --Charlie
>>
>> On Tue, May 13, 2008 at 2:39 PM, Wes Modes <wmodes@...> wrote:
>>
>>
>> So even though I see this popping up in tons of posts, no one has
>> encountered it and successfully solved the problem or can illuminate the
>> issue?
>>
>> Here's what I did not knowing what else to do:
>>
>> 1. Deleted the account. (smbldap-userdel)
>> 2. Recreated the account (smbldap-useradd)
>> 3. Searched for any files owned by the old user, and chown'd them to
>> the new user
>>
>> It is not an elegant solution, but it is the only one I have now. So far I
>> haven't gotten any accounts that have had the problem reoccur. But I'm
>> waiting to see.
>>
>> Wes
>>
>>
>> Wes Modes wrote:
>>
>> I'm having the problem in which users can access their group shares, but
>> not their home shares. These two shares are defined thusly in smb.conf:
>>
>> [seref]
>> comment = Science & Engineering Reference Section
>> path = /data/group/seref
>> valid users = @seref, @seref-read, @admin
>> read list = @seref-read
>> write list = @seref, @admin
>> force group = seref
>> create mask = 0664
>> directory mask = 0770
>>
>> [home]
>> comment = %u's Personal Share Directory
>> path = /data/home/%U
>> valid users = %U, @admin
>> write list = %U, @admin
>> create mask = 0600
>> directory mask = 0700
>> browseable = No
>>
>>
>> It seems that the %U variable causes Samba to do a lookup_global_sam_name
>> which fails.
>>
>> [root@fileserver]# smbclient -Ujoeblow
>> '\\edgar.library.ucsc.edu\home' xxxxxxxx
>> tree connect failed: NT_STATUS_ACCESS_DENIED
>>
>>
>> Here's the relevant section of the log:
>>
>> passdb/pdb_ldap.c:init_sam_from_ldap(545)
>> init_sam_from_ldap: Entry found for user: joeblow
>> passdb/pdb_ldap.c:init_group_from_ldap(2158)
>> init_group_from_ldap: Entry found for group: 30023
>> passdb/passdb.c:lookup_global_sam_name(596)
>> User joeblow with invalid SID
>> S-1-5-21-2642364908-3785178431-1037763545-61756 in passdb
>> passdb/pdb_ldap.c:init_group_from_ldap(2158)
>> init_group_from_ldap: Entry found for group: 1001
>> smbd/service.c:make_connection_snum(616)
>> user 'joeblow' (from session setup) not permitted to access this
>> share (home)
>>
>>
>> Please note that I am not using the ADS security model, nor do I care to
>> at the moment. Here's the significant part of my smb.conf:
>>
>> ### Basic information for server
>> workgroup = MCHSTAFF
>> netbios name = EDGAR
>> server string = Library Samba Server
>> # a repeated parameter overrides the earlier one, so both networks go on one line
>> hosts allow = 169.233. 128.114.
>> enable privileges = yes
>> security = user
>> encrypt passwords = yes
>> preferred master = yes
>> domain master = yes
>> domain logons = yes
>> local master = yes
>> username map = /etc/samba/smbusers
>> logon path =
>> wins support = yes
>> dns proxy = no
>>
>> So why am I getting the failure "User joeblow with invalid SID"?
>>
>> Wes
>>
>> --
>>
>> Wes Modes
>> Server Administrator & Programmer Analyst
>> McHenry Library
>> Computing & Network Services
>> Information and Technology Services
>> 459-5208
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/listinfo/samba
>>
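The check Charlie suggests in the thread (compare the domain portion of the SID in the "invalid SID" log line with what `net getlocalsid` prints on the server hosting the share) and his remark about even user RIDs and odd group RIDs, written out as an added example. This is not code from the thread or from Samba; it assumes Samba's classic algorithmic RID mapping (user RID = uid*2 + 1000, group RID = gid*2 + 1001, with the default `algorithmic rid base` of 1000), which is why Charlie's uidNumber 401 comes out as RID 1802. The log lines are constructed from Wes's own log excerpt, reflowed so the SID sits on the same line as the message.

```python
"""Check whether SIDs reported in Samba "invalid SID" log lines belong to the
local domain SID, and decode their RIDs (added example, not from the thread)."""
import re

# Constructed sample: the log excerpt from the thread, reflowed onto one line per message.
LOG_LINES = """\
passdb/pdb_ldap.c:init_sam_from_ldap(545)
init_sam_from_ldap: Entry found for user: joeblow
passdb/pdb_ldap.c:init_group_from_ldap(2158)
init_group_from_ldap: Entry found for group: 30023
passdb/passdb.c:lookup_global_sam_name(596)
User joeblow with invalid SID S-1-5-21-2642364908-3785178431-1037763545-61756 in passdb
smbd/service.c:make_connection_snum(616)
user 'joeblow' (from session setup) not permitted to access this share (home)
"""

# S-1-5-21-<a>-<b>-<c> is a domain SID; a trailing -<rid> makes it a user or group SID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)(?:-(\d+))?$")
INVALID_SID_RE = re.compile(r"User (\S+) with invalid SID (S-1-5-21-[\d-]+) in passdb")

ALGORITHMIC_RID_BASE = 1000  # Samba's default "algorithmic rid base" (assumption: default unchanged)


def split_sid(sid):
    """Split an NT SID into (domain SID, rid). rid is None for a bare domain SID."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-style NT SID: {sid}")
    domain = "S-1-5-21-" + "-".join(m.group(1, 2, 3))
    rid = int(m.group(4)) if m.group(4) is not None else None
    return domain, rid


def user_rid_from_uid(uid, base=ALGORITHMIC_RID_BASE):
    """Classic Samba algorithmic mapping for users: even RIDs."""
    return uid * 2 + base


def group_rid_from_gid(gid, base=ALGORITHMIC_RID_BASE):
    """Classic Samba algorithmic mapping for groups: odd RIDs."""
    return gid * 2 + base + 1


def rid_kind(rid):
    """Parity hint only: RIDs stored explicitly in LDAP need not follow the algorithm."""
    return "user" if rid % 2 == 0 else "group"


def check_log(log_text, local_domain_sid):
    """Return one finding per 'invalid SID' line: user, SID, RID, RID kind, and whether
    the SID's domain portion matches local_domain_sid (the 'net getlocalsid' output)."""
    local_domain, _ = split_sid(local_domain_sid)
    findings = []
    for line in log_text.splitlines():
        m = INVALID_SID_RE.search(line)
        if not m:
            continue
        user, sid = m.groups()
        domain, rid = split_sid(sid)
        findings.append({
            "user": user,
            "sid": sid,
            "rid": rid,
            "rid_kind": rid_kind(rid) if rid is not None else None,
            "domain_matches_local": domain == local_domain,
        })
    return findings


if __name__ == "__main__":
    # Charlie's DARKAGES domain SID from the thread stands in for 'net getlocalsid' output.
    for f in check_log(LOG_LINES, "S-1-5-21-267844371-1268535915-2638854549"):
        status = "matches local domain" if f["domain_matches_local"] else "FOREIGN domain SID"
        print(f"{f['user']}: RID {f['rid']} ({f['rid_kind']}) -> {status}")
```

A foreign domain portion points at the cause Charlie describes: the entry's sambaSID was minted under a different (old or different server's) domain SID, so passdb rejects it and the `%U` lookup in `valid users` fails before the share is ever evaluated. A matching domain portion means the SID prefix is fine and the problem lies elsewhere (a RID collision, or a group entry shadowing the user's).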