Alex McKenzie
2010-May-06 20:36 UTC
[Samba] Samba/LDAP share issue -- user with invalid SID
Greetings,

While I've seen this referred to a lot of places, I haven't yet found a posted solution that works for me. Testing has been done from a Mac running OSX 10.5.8. Here's what I have so far: if anyone can give me a next step to test, I'd appreciate it. If anyone can give me a complete solution, I'd appreciate it even more. 8-)

1) An LDAP server "mv", running Ubuntu 8.04 LTS. Samba is not installed.

2) A group file server "sl1", running Ubuntu 8.04 LTS. LDAP is not installed.

3) Users can successfully authenticate to sl1 against LDAP when connecting via SSH. If their user directory exists (they have logged in via ssh) they can connect to their home directory through samba by connecting to smb://sl1.biochem.lgrt.nsm (a non-routable internal network), so I know samba is successfully connecting to the LDAP server. Traffic between the file server and the LDAP server is encrypted, as confirmed with tcpdump.

4) When attempting to access a group share, the connection is refused, and the following shows up in the samba logs (the share has users amckenzie and suzanne):

[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User spalmer with invalid SID S-1-5-21-4167008922-1292391803-4044586981-21004 in passdb
[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User amckenzie with invalid SID S-1-5-21-4167008922-1292391803-4044586981-21006 in passdb

5) All connections, successful or not, cause the following messages in the samba logs on sl1:

[2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_administrators(792)
  create_builtin_administrators: Failed to create Administrators
[2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2010/05/06 16:31:33, 0] param/loadparm.c:widelinks_warning(5718)
  Share 'IPC$' has wide links and unix extensions enabled. These parameters are incompatible. Wide links will be disabled for this share.

6) On sl1, net getdomainsid returns the following:

SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981

7) Users have both user and group SIDs in the form "S-1-5-21-4167008922-1292391803-4044586981-[unique number]", which is generated according to the rules the smbldap tools use.

8) testparm on sl1 returns the following:

Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[itadmins]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
	workgroup = CHEMBMB
	server string = %h server (Samba, Ubuntu)
	map to guest = Bad User
	obey pam restrictions = Yes
	passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	unix password sync = Yes
	syslog = 255
	log file = /var/log/samba/log.%m
	max log size = 1000
	dns proxy = No
	ldap admin dn = cn=admin,dc=cns
	ldap group suffix = ou=Chemistry groups
	ldap suffix = ou=Chemistry,dc=cns
	ldap ssl = no
	ldap user suffix = ou=Chemistry users
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	invalid users = root

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[itadmins]
	comment = Shared directory for the IT group
	path = /home/itadmins
	valid users = spalmer, amckenzie
	read only = No
	create mask = 0665
	directory mask = 0775

Any advice would be appreciated -- I'm well beyond my understanding of samba at the moment, and my understanding of samba is well beyond what it was 48 hours ago. At the moment neither server is mission critical, so tests that take them temporarily off-line are possible. By early next week things will be authenticating against the LDAP server (we've got no choice -- the old LDAP server is failing fast), so I won't be able to take it down for testing.

Thanks in advance,
Alex McKenzie
alex at chem.umass.edu
Alex McKenzie
2010-May-17 18:39 UTC
[Samba] Samba/LDAP share issue -- user with invalid SID
So no one has any guesses on this? I've found nothing new, so any help at all would be appreciated...

-Alex
tms3 at tms3.com
2010-May-17 23:15 UTC
[Samba] Samba/LDAP share issue -- user with invalid SID
SNIP

>> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
>> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>>
>> 7) Users have both user and group SIDs in the form
>> "S-1-5-21-4167008922-1292391803-4044586981-[unique number]", which is
>> generated according to the rules the smbldap tools use.

You have two different domains. And the users are in CHEMBMB and the server is a member of SL1. Why not join SL1 to CHEMBMB?
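A diagnostic for the SID mismatch tms3 points at above, added here as an example and not part of any message in the thread: it parses the "invalid SID" log lines and the net getdomainsid output quoted in the first message, splits each rejected SID into its domain prefix and RID, and reports whether a server in a given role would accept it. The sample inputs are copied from the thread; the function names and the role-to-SID mapping are mine.

```python
"""Diagnose Samba's "User X with invalid SID ... in passdb" message.

Samba's lookup_global_sam_name() rejects a passdb account whose SID does
not sit under the SID it treats as its own: the machine SID on a
standalone server, the workgroup's SID on a domain controller. The
thread's users carry CHEMBMB's prefix while sl1 is standalone (SL1), and
switching the role to PDC is what resolved it.
"""
import re

# Constructed from the log excerpt and command output quoted in the thread.
SAMPLE_LOG = """\
[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User spalmer with invalid SID S-1-5-21-4167008922-1292391803-4044586981-21004 in passdb
[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User amckenzie with invalid SID S-1-5-21-4167008922-1292391803-4044586981-21006 in passdb
"""
SAMPLE_GETDOMAINSID = """\
SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
"""

SID = r"S-1-5-21(?:-\d+)+"
LOG_RE = re.compile(rf"User (\S+) with invalid SID ({SID}) in passdb")
DOMSID_RE = re.compile(rf"SID for domain (\S+) is: ({SID})")


def split_sid(sid):
    """Split an account SID into (domain prefix, RID).

    A domain SID is S-1-5-21 plus three sub-authorities (7 dash-separated
    fields); an account SID appends one more field, the RID.
    """
    parts = sid.split("-")
    if len(parts) != 8:
        raise ValueError(f"not an account SID: {sid}")
    return "-".join(parts[:7]), int(parts[7])


def parse_domain_sids(text):
    """Map domain name -> SID from net getdomainsid output."""
    return {name: sid for name, sid in DOMSID_RE.findall(text)}


def parse_invalid_sids(log_text):
    """Extract (user, SID) pairs from 'invalid SID' log lines."""
    return LOG_RE.findall(log_text)


def sam_sid_for_role(domains, machine, workgroup, role):
    """SID that a server in `role` treats as 'our domain' (my mapping)."""
    if role == "ROLE_STANDALONE":
        return domains[machine]
    if role in ("ROLE_DOMAIN_PDC", "ROLE_DOMAIN_BDC"):
        return domains[workgroup]
    raise ValueError(f"unsupported role: {role}")


def diagnose(log_text, getdomainsid_text, machine, workgroup, role):
    """One finding per rejected user: which domain issued the SID and
    whether a server in `role` would accept it."""
    domains = parse_domain_sids(getdomainsid_text)
    issuer_of = {sid: name for name, sid in domains.items()}
    sam_sid = sam_sid_for_role(domains, machine, workgroup, role)
    findings = []
    for user, sid in parse_invalid_sids(log_text):
        prefix, rid = split_sid(sid)
        findings.append({
            "user": user,
            "rid": rid,
            "issuer": issuer_of.get(prefix, "unknown"),
            "accepted": prefix == sam_sid,
        })
    return findings


if __name__ == "__main__":
    for role in ("ROLE_STANDALONE", "ROLE_DOMAIN_PDC"):
        print(role)
        for f in diagnose(SAMPLE_LOG, SAMPLE_GETDOMAINSID, "SL1", "CHEMBMB", role):
            verdict = "accepted" if f["accepted"] else "rejected"
            print(f"  {f['user']}: SID issued by {f['issuer']}, RID {f['rid']} -> {verdict}")
```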
Alex McKenzie
2010-May-18 13:59 UTC
[Samba] Samba/LDAP share issue -- user with invalid SID
I do have smbldap tools installed and, as far as I can tell, set up.

net join CHEMBMB -U Administrator returns "cannot join as standalone machine".

The LDAP structure may be the issue... I don't think computer accounts were ever set up on the current server (the last server was done by the guy who used to do my job, who left basically no documentation), because I wasn't aware they were necessary for this. We're not planning to use Samba/LDAP for windows authentication (only Mac, which doesn't require any sort of machine account, and linux, which also doesn't require a machine account), and if we do decide to do windows auth with Samba, it won't be using SL1.

SL1 is only a file server -- it's for a small research group, and there will eventually be a bunch of them, possibly as many as 30-40. The system that LDAP runs on will eventually become a PDC, if necessary, but for now samba isn't even installed. If that's the issue, I'll feel stupid, but grateful that someone pointed me in the right direction. Let me know what to try next... as I said initially, I'm quite out of my depth.

I haven't been testing with a Windows machine, and I did something to completely break SL1 yesterday, so I can't test it right now. (I changed something in smb.conf, and now samba won't start -- I need to figure out what that is before I go any further.)

-Alex

tms3 at tms3.com wrote:
>
>> How do I get the server to join CHEMBMB?
>
> I may have been hasty, but I don't have a proper domain to check at the
> moment. However:
>
> Do you have smbldap-tools installed and set up on sl1?
>
> Did you ever issue
>
> net join CHEMBMB -U Administrator
>
> from sl1?
>
> Check your ldap structure. You should have a computer with an LDIF that
> looks like this:
>
> dn: uid=zaphod$, ou=computers, dc=mydomain,dc=com
> sambaPrimaryGroupSID: S-1-5-21-1498823292-3530380933-788562438-515
> sambaDomainName: MYDOMAIN
> displayName: zaphod$
> objectClass: posixAccount
> objectClass: account
> objectClass: sambaSamAccount
> sambaLogonTime: 0
> uid: zaphod$
> uidNumber: 41328
> cn: zaphod$
> sambaLogoffTime: 2147483647
> sambaPwdLastSet: 1267756286
> sambaAcctFlags: [S ]
> loginShell: /bin/false
> gidNumber: 553
> sambaPwdMustChange: 2147483647
> sambaNTPassword: 3509E1ED1B7398134D9D429474E47386
> sambaPwdCanChange: 0
> sambaSID: S-1-5-21-1498823292-3530380933-788562438-83656
> gecos: Computer
> description: Computer
> homeDirectory: /dev/null
> sambaKickoffTime: 2147483647
>
> ALSO, I assume you are using some kind of Windows work station for the
> users, so what error does Windows display when the users log in?
>
> Cheers,
>
> TMS III
>
>> I spent about two hours trying to get the two SIDs to be the same, with
>> no success. I assumed that was part of the issue, but I finally gave up
>> on making it work. I assume I'd use "net setlocalsid", which shows the
>> following:
>>
>> root at sl1:~# net getdomainsid
>> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
>> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>> root at sl1:~# net setlocalsid S-1-5-21-4167008922-1292391803-4044586981
>> root at schnelllab1:~# net getdomainsid
>> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
>> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>>
>> If there's something else I should be doing, I'd love to know what it is!
>>
>> -Alex
Alex McKenzie
2010-May-18 15:14 UTC
[Samba] Samba/LDAP share issue -- user with invalid SID
This fixed it! For the record, since I suspect this all gets archived and is searchable, here's the output of testparm.

root at sl1:/etc/samba# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[itadmins]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
	workgroup = CHEMBMB
	server string = %h server (Samba, Ubuntu)
	map to guest = Bad User
	obey pam restrictions = Yes
	passdb backend = ldapsam:ldaps://mv.chem.umass.edu
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	unix password sync = Yes
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	domain logons = Yes
	preferred master = Yes
	domain master = Yes
	dns proxy = No
	ldap admin dn = cn=admin,dc=cns
	ldap group suffix = ou=Chemistry groups
	ldap suffix = ou=Chemistry,dc=cns
	ldap ssl = no
	ldap user suffix = ou=Chemistry users
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	invalid users = root

[homes]
	comment = Home Directories
	read only = No
	browseable = No
	valid users = %S

[itadmins]
	comment = Shared directory for the IT group
	path = /home/itadmins
	valid users = amckenzie, jmaher, spalmer, bmbchem
	read only = No
	create mask = 0665
	directory mask = 0775
	browseable = No

net getdomainsid returns:

SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981

This is a standalone server providing file sharing, but not acting as a domain login controller: if I ever want that, I'll be building a different server for it. Thanks to tms3 for the instructions: I'd been spinning my wheels for two weeks before his (her?) advice!

-Alex McKenzie

tms3 at tms3.com wrote:
>
> SNIP
>
>> I do have smbldap tools installed and, as far as I can tell, set up.
>>
>> net join CHEMBMB -U Administrator returns "cannot join as standalone
>> machine".
>
> DUHHH!!!!! I'm sorry I'm a moron. OK, change that to
>
> preferred master = Yes
> domain logons = Yes
> domain master = Yes <---if this is the only DC in CHEMBMB. If
> you have another samba server as PDC in CHEMBMB then set that to "no"