Robinson, Eric
2008-Nov-14 00:42 UTC
[Samba] string_to_sid: Sid MYDOMAIN\mygroup does not start with 'S-'.
I've been struggling for almost 2 weeks to get Samba working on two new servers.

When I try to open a Samba share from a Windows 2003 computer, I always get a logon challenge. I always get the following log message

[2008/11/13 16:05:06, 3] lib/util_sid.c:string_to_sid(228)
  string_to_sid: Sid MYDOMAIN\mygroup does not start with 'S-'.
[2008/11/13 16:05:06, 2] smbd/service.c:make_connection_snum(732)
  user 'MYDOMAIN\user' (from session setup) not permitted to access this share (ftp_site001)
[2008/11/13 16:05:06, 3] smbd/error.c:error_packet_set(61)
  error packet at smbd/reply.c(662) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

The following code snippet shows where this error is coming from:

<snip_start>

bool string_to_sid(DOM_SID *sidout, const char *sidstr)
{
        const char *p;
        char *q;
        /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
        uint32 conv;

        if ((sidstr[0] != 'S' && sidstr[0] != 's') || sidstr[1] != '-') {
                DEBUG(3,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr));
                return False;
        }

<snip_end>

QUESTION: It looks to me as though this function is designed to convert a string such as MYDOMAIN\user into a SID starting with S-. Obviously the string it is supposed to convert FROM would not start with "S-" because that's what the string is supposed to be converted TO. So why would it complain that the string does not start with an "S-" even before it attempts to convert it?

--
Eric Robinson
Gerald (Jerry) Carter
2008-Nov-18 14:19 UTC
[Samba] string_to_sid: Sid MYDOMAIN\mygroup does not start with 'S-'.
Robinson, Eric wrote:
> I've been struggling for almost 2 weeks to get Samba working on two new
> servers.
>
> When I try to open a Samba share from a Windows 2003 computer, I always
> get a logon challenge. I always get the following log message
>
> [2008/11/13 16:05:06, 3] lib/util_sid.c:string_to_sid(228)
>   string_to_sid: Sid MYDOMAIN\mygroup does not start with 'S-'.
> [2008/11/13 16:05:06, 2] smbd/service.c:make_connection_snum(732)
>   user 'MYDOMAIN\user' (from session setup) not permitted to access this
>   share (ftp_site001)
> [2008/11/13 16:05:06, 3] smbd/error.c:error_packet_set(61)
>   error packet at smbd/reply.c(662) cmd=117 (SMBtconX)
>   NT_STATUS_ACCESS_DENIED
>
> The following code snippet shows where this error is coming from:
>
> <snip_start>
>
> bool string_to_sid(DOM_SID *sidout, const char *sidstr)
> {....
>
> QUESTION: It looks to me as though this function is designed to convert
> a string such as MYDOMAIN\user into a SID starting with S-.

No. it is to convert a SID char * string (S-1-....) to a binary SID representation. What does your smb.conf look like?

cheers, jerry
--
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
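What the reply above describes, as an added C example that is not Samba's code and not part of the original thread: a minimal parser from the string form S-1-... to a binary SID. The names `sid_bin`, `field` and `parse_sid` and the struct layout are assumptions for illustration; the first check mirrors the snippet quoted in the thread, which is why a name such as MYDOMAIN\mygroup is rejected before any conversion starts.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_SUBAUTHS 15   /* SIDs carry at most 15 sub-authorities */

/* Hypothetical binary SID layout for this example (not Samba's DOM_SID). */
struct sid_bin {
    uint8_t  revision, num_auths, id_auth[6];  /* authority: 48-bit big-endian */
    uint32_t sub_auths[MAX_SUBAUTHS];
};

/* Parse one decimal field that must end at '-' or NUL; returns 0 on success. */
static int field(const char **p, unsigned long long max, unsigned long long *out) {
    char *end;
    if (**p < '0' || **p > '9') return -1;   /* no sign, space or empty field */
    errno = 0;
    *out = strtoull(*p, &end, 10);
    if (errno || *out > max || (*end != '-' && *end != '\0')) return -1;
    *p = end;
    return 0;
}

/* Returns 0 and fills *sid for "S-R-A-S1-...-Sn"; -1 for anything else. */
int parse_sid(struct sid_bin *sid, const char *p) {
    unsigned long long v;
    /* Same first test as the snippet in the thread: account names stop here. */
    if ((p[0] != 'S' && p[0] != 's') || p[1] != '-') return -1;
    p += 2;
    *sid = (struct sid_bin){0};
    if (field(&p, 0xFF, &v) || *p++ != '-') return -1;
    sid->revision = (uint8_t)v;
    if (field(&p, 0xFFFFFFFFFFFFULL, &v)) return -1;
    for (int i = 0; i < 6; i++)
        sid->id_auth[i] = (uint8_t)(v >> (8 * (5 - i)));
    while (*p++ == '-') {                    /* every '-' needs a sub-authority */
        if (sid->num_auths == MAX_SUBAUTHS || field(&p, 0xFFFFFFFFULL, &v))
            return -1;
        sid->sub_auths[sid->num_auths++] = (uint32_t)v;
    }
    return 0;
}

int main(void) {
    struct sid_bin s;
    printf("%d\n", parse_sid(&s, "MYDOMAIN\\mygroup"));  /* constructed name */
    printf("%d\n", parse_sid(&s, "S-1-5-32-544"));       /* constructed SID */
    return 0;
}
```

Turning an account or group name into a SID is a separate lookup step; a parser like this only accepts input that is already in S-R-A-... form.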
Robinson, Eric
2008-Nov-18 14:33 UTC
[Samba] string_to_sid: Sid MYDOMAIN\mygroup does not start with 'S-'.
>> QUESTION: It looks to me as though this function is designed to
>> convert a string such as MYDOMAIN\user into a SID starting with S-.

> No. it is to convert a SID char * string (S-1-....) to a binary
> SID representation. What does your smb.conf look like?

I figured that out after posting. :-) The error condition remains, though, and I still can't access shares.

smb.conf

#======================= Global Settings ====================================
[global]
   unix charset = LOCALE
   workgroup = MYDOMAIN
   netbios name = HA03
   realm = MYDOMAIN.MD
   server string = Linux Server
   security = ADS
   username map = /etc/samba/smbusers
   log level = 3
   syslog = 0
   log file = /var/log/samba/%m.log
   max log size = 50
   printcap name = /etc/printcap
   ldap ssl = no
   allow trusted domains = no
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   winbind nested groups = yes
;  template primary group = "Domain Users"
;  template shell = /bin/bash
   template shell = /bin/false
   template homedir = /home/%U
   winbind use default domain = no
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no
   hosts allow = 192.168.5. 192.168.10. 192.168.15. 172.16. 127. 10.
;  load printers = yes
   cups options = raw
   hide dot files = yes
   short preserve case = no
;  printing = cups
;  encrypt passwords = yes
;  smb passwd file = /etc/samba/smbpasswd
;  unix password sync = Yes
;  passwd program = /usr/bin/passwd %u
;  include = /etc/samba/smb.conf.%m
;  interfaces = 192.168.12.2/24 192.168.13.2/24
;  remote browse sync = 192.168.3.25 192.168.5.255
;  remote announce = 192.168.1.255 192.168.2.44
;  local master = no
;  os level = 33
;  domain master = yes
;  preferred master = yes
;  domain logons = yes
;  logon script = %m.bat
;  logon script = %U.bat
;  logon path = \\%L\Profiles\%U
;  name resolve order = wins lmhosts bcast
;  wins support = yes
;  wins server = w.x.y.z
;  wins proxy = yes
;  preserve case = no
;  default case = lower
;  case sensitive = no
;  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

#============================ Share Definitions =============================
[admin]
   path = /
   valid users = "MYDOMAIN\Domain Admins"
   public = no
   writeable = yes
   printable = no

[site001]
   path = /ha_ftp/site001
   valid users = "MYDOMAIN\site001_group"
   public = no
   writeable = yes
   printable = no