Jonathan,
Any chance there could be a duplicate user?
getent passwd|grep /user/ would narrow the list down.
Dale
Jonathon Doran wrote:
> I am obviously confused about something, and feel like I am chasing
> ghosts. Any help or clarification would be appreciated.
>
> When a user logs in we get messages about corrupt recycle bins.
> Setting the logging to level 2 for that client, we have errors like:
>
> open_directory: unable to create user/Desktop. Error was
> NT_STATUS_OBJECT_NAME_COLLISION.
>
> OK, the folder already exists in the profile. Why try to create it?
>
> I can use smbclient and connect to the profile share as the user, and
> I have no trouble reading or writing files. The root account can
> access the raw folders without any problem. I expected that the
> existing profile would be read and used. And it sort of is, since a
> folder on the desktop is preserved across sessions.
>
> When I up the logging to 4, I see messages like
>
> get_privileges: No privileges assigned to SID
> [S-1-5-21-1786355187-4025355074-2784741737-501]
>
> Hmm. That RID doesn't look correct. This user is in two groups,
> Domain Users (513) and a local lab group (3011). Slapcat does not
> show that SID, nor does "net groupmap list". I looked this up, and it
> appears to be a guest account. OK, maybe not a problem. As you might
> be able to tell, the slightest thing sets me off.
>
> The login continues with accesses using user nobody (uid=99,gid=99),
> and the user is authenticated.
>
> I saw this in the log:
> [2009/07/06 16:33:33, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1613)
> ldapsam_getsampwsid: Unable to locate SID
> [S-1-5-21-1786355187-4025355074-2784741737-513] count=0
> [2009/07/06 16:33:34, 2] passdb/pdb_ldap.c:init_group_from_ldap(2348)
> init_group_from_ldap: Entry found for group: 513
>
> RID 513 is in the group map. "getent group Domain\ Users" returns a
> bunch of names. So maybe _this_ isn't an error either.
>
> Then I see:
> [2009/07/06 16:33:34, 3] lib/privileges.c:get_privileges(63)
> get_privileges: No privileges assigned to SID
> [S-1-5-21-1786355187-4025355074-2784741737-3110]
> [2009/07/06 16:33:34, 3] lib/privileges.c:get_privileges(63)
> get_privileges: No privileges assigned to SID
> [S-1-5-21-1786355187-4025355074-2784741737-513]
>
> (the two groups which this user should be a member).
>
> A bit further down:
> ldapsam_getgroup: Did not find group, filter was
> (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))
>
> That SID does not show up in the group map, and I have no idea where
> it comes from. All of my SIDS seem to start with S-1-5-21. So that
> looks bad. But...
>
> init_group_from_ldap: Entry found for group: 1005
>
> Well, that is good. Group 1005 is the group with RID 3011, in case
> that was confusing. A VUID is registered later. And a connection is
> made to the profdata service (uid=1055, gid = 513).
>
> The user's main group is 1005, but the user is not showing up in group
> 513. By that I mean that "getent group Domain\ Users" shows a list of
> users, but does not include this user. Nor does "groups user".
> Sounds like a big problem. But slapcat shows the user in the group,
> and LdapAdmin shows the user in the group. /etc/nsswitch.conf has
> "group: compat ldap". I have rebooted the system, and this problem
> persists. Removing the user from "Domain Users" in LdapAdmin, and
> then readding them did nothing. Although slapcat did reflect the
> removal.
>
> I'm guessing that this is at the root of most of my problems. Where
> in the world is getent getting its information, if not from LDAP?
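
Added example, not part of the original thread: a small Python helper that pulls the SIDs out of the Samba log excerpts quoted above and sorts them into well-known SIDs, well-known RIDs under the local domain SID, and ordinary domain RIDs. The lookup tables are taken from Microsoft's published well-known SID list, not from the thread; the function names are hypothetical.

```python
import re

# Well-known values from Microsoft's published SID list (assumption: not from the thread).
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-2": "Network",
                   "S-1-5-11": "Authenticated Users"}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests"}

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# Log excerpts copied from the quoted message above.
SAMPLE_LOG = """\
get_privileges: No privileges assigned to SID
[S-1-5-21-1786355187-4025355074-2784741737-501]
ldapsam_getsampwsid: Unable to locate SID
[S-1-5-21-1786355187-4025355074-2784741737-513] count=0
get_privileges: No privileges assigned to SID
[S-1-5-21-1786355187-4025355074-2784741737-3110]
ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))
"""

def classify_sid(sid, domain_sid):
    """Return (kind, label) for a SID relative to the local domain SID."""
    if sid in WELL_KNOWN_SIDS:
        return ("well-known", WELL_KNOWN_SIDS[sid])
    prefix, _, rid = sid.rpartition("-")
    if prefix == domain_sid:
        rid = int(rid)
        if rid in WELL_KNOWN_RIDS:
            return ("domain-builtin", WELL_KNOWN_RIDS[rid])
        return ("domain", "RID %d" % rid)
    # Anything else belongs to another authority (e.g. S-1-5-32 BUILTIN).
    return ("foreign", "not in this domain")

def sids_in_log(text, domain_sid):
    """Map each distinct SID found in the log text to its classification."""
    return {sid: classify_sid(sid, domain_sid) for sid in SID_RE.findall(text)}

if __name__ == "__main__":
    DOMAIN = "S-1-5-21-1786355187-4025355074-2784741737"
    for sid, (kind, label) in sids_in_log(SAMPLE_LOG, DOMAIN).items():
        print(f"{sid:50} {kind:15} {label}")
```

SIDs reported as "domain" are the ones to compare against "net groupmap list" and the sambaSID attributes in the directory.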