Christian HAESSIG
2004-Mar-16 17:44 UTC
[Samba] Samba 3.0.2a - kerberos problem : not the same SIDs !
Hello list,

I ran into a very strange problem with Samba 3.0.2a and Kerberos on a Debian stable OS that is a member of a Windows 2000 AD domain. First of all, sorry for the length of this mail, but the explanation is not simple and the configuration files are huge.

The problem is the following: I have configured the Samba server to share printers. The printers are all well shared and can be accessed by people. But some people cannot connect to these printers. So I checked the Samba log. Here is the bit of the log which interests us:

  [2004/03/16 17:23:35, 3] rpc_server/srv_spoolss_nt.c:set_printer_hnd_printertype(447)
    Setting printer type=\\printsrv2\HP_2100_Extension
  [2004/03/16 17:23:35, 3] lib/util_seaccess.c:se_access_check(251)
  [2004/03/16 17:23:35, 3] lib/util_seaccess.c:se_access_check(252)
    se_access_check: user sid is S-1-5-21-1971762055-1354219083-452636680-21098
    se_access_check: also S-1-5-21-1971762055-1354219083-452636680-21001
    se_access_check: also S-1-1-0
    se_access_check: also S-1-5-2
    se_access_check: also S-1-5-11
    se_access_check: also S-1-5-21-861567501-1844237615-1417001333-513
    se_access_check: also S-1-5-21-861567501-1844237615-1417001333-1436
  [2004/03/16 17:23:35, 3] rpc_server/srv_spoolss_nt.c:_spoolss_open_printer_ex(1764)
    access DENIED for printer open

HP_2100_Extension is a shared printer, and printsrv2 is the Samba server.

I ran the command

  rpcclient -U <user> printsrv2

and then

  lookupsids S-1-5-21-1971762055-1354219083-452636680-21098

The result is:

  lsa_io_sec_qos: length c does not match size 8
  S-1-5-21-1971762055-1354219083-452636680-21098 PRINTSRV2\D_IRCAD+<AD user> (1)

D_IRCAD is the NetBIOS name of our Win2000 domain, and <AD user> is an AD user who should have access to the printer.

Here comes my first question: why is the name prefixed with the Samba server's NetBIOS name?

I connected to the AD domain controller (through rpcclient) to get the SID of <AD user>, and I got:

  <AD user> S-1-5-21-861567501-1844237615-1417001333-1548 (User: 1)

which is NOT the same SID as the one found on the print server!

So here comes the second question: why do some SIDs differ between the Samba server and the AD controller?

Thanks in advance!

Here is my configuration:

- samba 3.0.2a
- libkrb53 (1.2.4-5woody4)
- libkrb5-dev (1.2.4-5woody4)

- /etc/krb5.conf:

  [logging]
   default = FILE:/var/log/krb5/libs.log
   kdc = FILE:/var/log/krb5/kdc.log
   admin_server = FILE:/var/log/krb5/admin.log

  [libdefaults]
   ticket_lifetime = 24000
   default_realm = IRCAD.FR
   default_tgs_enctypes = des-cbc-crc des-cbc-md5
   default_tkt_enctypes = des-cbc-crc des-cbc-md5
   forwardable = true
   proxiable = true
   dns_lookup_realm = true
   dns_lookup_kdc = true

  [realms]
   IRCAD.FR = {
    kdc = ircadsrv.ircad.fr:88
    default_domain = ircad.fr
   }

  [domain_realm]
   .ircad.fr = IRCAD.FR
   ircad.fr = IRCAD.FR

  [kdc]
   profile = /var/kerberos/krb5kdc/kdc.conf

  [pam]
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false

- /etc/samba/smb.conf:

  [global]
   workgroup = D_IRCAD
   netbios name = PRINTSRV2
   client use spnego = yes
   server string = %h server (Samba %v)
   wins support = no
   wins server = 192.168.0.1
   dns proxy = no
   log file = /var/log/samba/log.%m
   log level = 3
   max log size = 1000
   syslog = 0
   winbind separator = +
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
   security = ads
   password server = IRCADSRV
   realm = IRCAD.FR
   encrypt passwords = yes
   passdb backend = tdbsam guest
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   load printers = yes
   printing = cups
   printcap name = cups
   printer admin = @ntadmin,root,d_ircad+chaessig
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192

  [homes]
   comment = Home Directories
   # browseable = no

  [smblog]
   comment = samba page log result
   browsable = no
   writable = no
   path = /var/log/smblog
   public = no
   guest ok = no

  [printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   public = yes
   writable = no
   guest ok = yes
   printer admin = root, d_ircad+chaessig, @ntadmin
   create mode = 0700

  [print$]
   comment = Printer Drivers
   path = /var/lib/samba/drivers
   browseable = yes
   read only = no
   guest ok = yes
   write list = root, d_ircad+chaessig, @ntadmin

Christian Haessig
IRCAD/EITS
Tel : +33. (0)3.88.11.90.76
Fax : +33. (0)3.88.11.90.99
mailto:christian.haessig@ircad.u-strasbg.fr
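The se_access_check lines in the post above hold a useful clue that is easy to miss by eye: the token carries SIDs from two different S-1-5-21 domains. The user SID and the first group SID belong to one domain (the one PRINTSRV2 reports as its own when asked with lookupsids), while RID 513 (Domain Users) and RID 1436 belong to the domain the AD controller reports for the same user. The script below, added here as an editor's worked example and not part of the original post, parses those log lines, groups the SIDs by domain, and inverts Samba's documented algorithmic uid/gid-to-RID mapping (rid = 2*uid + base for users, 2*gid + base + 1 for groups, with the default `algorithmic rid base` of 1000). Whether Samba actually took that code path for this user is an assumption this example does not prove; it only shows that RIDs 21098 and 21001 decode to uid 10049 and gid 10000, both inside the `idmap uid`/`idmap gid` range of 10000-20000 from the posted smb.conf, which is the pattern one would expect if the Unix identity that winbind handed out was re-mapped under the server's local domain SID instead of being resolved back to its AD SID. The sample log is constructed from the post; the function names are the example's own.

```python
import re

# Constructed sample: the se_access_check lines quoted in the post,
# with the surrounding timestamp/source-location lines removed.
SAMPLE_LOG = """\
se_access_check: user sid is S-1-5-21-1971762055-1354219083-452636680-21098
se_access_check: also S-1-5-21-1971762055-1354219083-452636680-21001
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-861567501-1844237615-1417001333-513
se_access_check: also S-1-5-21-861567501-1844237615-1417001333-1436
"""

# Well-known SIDs present in a network logon token.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-11": "Authenticated Users",
}

# Samba's algorithmic mapping when no SID is stored for a Unix account:
# users: rid = 2*uid + base, groups: rid = 2*gid + base + 1,
# base = 'algorithmic rid base' (default 1000).
ALGORITHMIC_RID_BASE = 1000

SID_RE = re.compile(r"\bS-1(?:-\d+)+\b")


def parse_token_sids(log):
    """Return the SIDs listed by se_access_check, user SID first, in log order."""
    sids = []
    for line in log.splitlines():
        if "se_access_check:" not in line:
            continue
        m = SID_RE.search(line)
        if m:
            sids.append(m.group(0))
    return sids


def split_sid(sid):
    """Split a SID into (issuing domain/authority SID, RID)."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def domain_sids(sids):
    """Distinct S-1-5-21 domain SIDs in token order (first one is the user's own)."""
    seen = []
    for sid in sids:
        domain, _ = split_sid(sid)
        if domain.startswith("S-1-5-21-") and domain not in seen:
            seen.append(domain)
    return seen


def algorithmic_rid_to_unix(rid, base=ALGORITHMIC_RID_BASE):
    """Invert the algorithmic mapping; None if the RID cannot come from it."""
    if rid < base:
        return None
    offset = rid - base
    if offset % 2 == 0:
        return ("uid", offset // 2)
    return ("gid", (offset - 1) // 2)


def in_idmap_range(ident, lo=10000, hi=20000):
    """Check a uid/gid against the idmap range configured in smb.conf."""
    return lo <= ident <= hi


def explain_token(log):
    """Classify every token SID as well-known, user's-domain or other-domain.

    For user's-domain RIDs, also report the uid/gid the algorithmic mapping
    would give and whether that value falls inside the idmap range.
    """
    sids = parse_token_sids(log)
    user_domain, _ = split_sid(sids[0])
    entries = []
    for sid in sids:
        if sid in WELL_KNOWN:
            entries.append({"sid": sid, "kind": "well-known", "name": WELL_KNOWN[sid]})
            continue
        domain, rid = split_sid(sid)
        if domain == user_domain:
            unix = algorithmic_rid_to_unix(rid)
            entries.append({
                "sid": sid, "kind": "user's domain", "rid": rid, "unix": unix,
                "in_idmap": unix is not None and in_idmap_range(unix[1]),
            })
        else:
            entries.append({"sid": sid, "kind": "other domain", "rid": rid})
    return entries


if __name__ == "__main__":
    for e in explain_token(SAMPLE_LOG):
        print(e)
```

Run stand-alone, the script prints one classification per token SID; the two RIDs under the user's own domain decode to uid 10049 and gid 10000, and the two SIDs under the other domain carry the DC's domain SID from the post. A quick confirmation of the hypothesis on a live system would be to compare `getent passwd D_IRCAD+<user>` (the uid winbind assigned) with the decoded uid; the example does not attempt that, since it runs offline on the quoted log only.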