Understanding and Solving NT_STATUS_INVALID_SID issue for SMB access with Spectrum Scale

If you have configured IBM Spectrum Scale with LDAP file authentication and then hit the NT_STATUS_INVALID_SID error while accessing IBM Spectrum Scale Samba shares, check that the sambaSID of the cluster's netbios domain entry in LDAP is the prefix of the LDAP user's sambaSID (a user SID is the domain SID followed by one trailing RID). The example below illustrates the failure and the fix.

1. Cluster configured with LDAP File Authentication.

$ mmuserauth service create --data-access-method file --type ldap --servers ldapkdc --base-dn dc=example,dc=com --user-name cn=manager,dc=example,dc=com --pwd-file ldap.pwdfile --netbios-name testcluster
File authentication configuration completed successfully.


2. The sambaSID of the netbios domain entry is not the prefix of the LDAP user's sambaSID.
Cluster netbios sambaSID: S-1-5-21-2824773955-2879828300-3619840358
LDAP user ldapuser3 sambaSID: S-1-5-21-2648479386-31017536-2378919642-3004

$ ldapsearch -x -D "cn=Manager,dc=example,dc=com" -w Passw0rd -b "dc=example,dc=com" sambaDomainName=TESTCLUSTER sambaSID
...
# TESTCLUSTER, example.com
dn: sambaDomainName=TESTCLUSTER,dc=example,dc=com
sambaSID: S-1-5-21-2824773955-2879828300-3619840358

$ ldapsearch -x -D "cn=Manager,dc=example,dc=com" -w Passw0rd -b "dc=example,dc=com" cn=ldapuser3 sambaSID
...
# ldapuser3, People, example.com
dn: uid=ldapuser3,ou=People,dc=example,dc=com
sambaSID: S-1-5-21-2648479386-31017536-2378919642-3004


3. When I tried to access the Samba shares as LDAP user ldapuser3, the NT_STATUS_INVALID_SID error was thrown.

$ smbclient -L testcluster -U ldapuser3%Passw0rd -m SMB3
session setup failed: NT_STATUS_INVALID_SID


4. Corrected the sambaSID of the netbios domain entry so that it matches the domain part of the user's SID.

$ cat changesid.ldif
dn: sambaDomainName=TESTCLUSTER,dc=example,dc=com
changetype: modify
replace: sambaSID
sambaSID: S-1-5-21-2648479386-31017536-2378919642

$ ldapmodify -x -D cn=manager,dc=example,dc=com -w Passw0rd -f changesid.ldif
modifying entry "sambaDomainName=TESTCLUSTER,dc=example,dc=com"


5. Verify that the netbios domain sambaSID (S-1-5-21-2648479386-31017536-2378919642) is now the prefix of LDAP user ldapuser3's sambaSID (S-1-5-21-2648479386-31017536-2378919642-3004).

$ ldapsearch -x -D "cn=Manager,dc=example,dc=com" -w Passw0rd -b "dc=example,dc=com" sambaDomainName=TESTCLUSTER sambaSID
# TESTCLUSTER, example.com
dn: sambaDomainName=TESTCLUSTER,dc=example,dc=com
sambaSID: S-1-5-21-2648479386-31017536-2378919642

$ ldapsearch -x -D "cn=Manager,dc=example,dc=com" -w Passw0rd -b "dc=example,dc=com" cn=ldapuser3 sambaSID
# ldapuser3, People, example.com
dn: uid=ldapuser3,ou=People,dc=example,dc=com
sambaSID: S-1-5-21-2648479386-31017536-2378919642-3004
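The check in steps 2 and 5 can be automated. The following is an added example, not part of the original post or of Spectrum Scale: it parses the LDIF-style output that ldapsearch prints for the domain entry and the user entry (the sample text here is constructed to mirror the entries shown above), tests whether the user's sambaSID is the domain sambaSID plus exactly one RID, and, when it is not, generates the corrective LDIF of the same shape as changesid.ldif. Running ldapsearch and feeding its output in is left to the caller.

```python
import re

# Constructed sample ldapsearch output, mirroring the entries shown in the post
# before the fix (domain SID and user SID belong to different domains).
DOMAIN_LDIF = """\
# TESTCLUSTER, example.com
dn: sambaDomainName=TESTCLUSTER,dc=example,dc=com
sambaSID: S-1-5-21-2824773955-2879828300-3619840358
"""

USER_LDIF = """\
# ldapuser3, People, example.com
dn: uid=ldapuser3,ou=People,dc=example,dc=com
sambaSID: S-1-5-21-2648479386-31017536-2378919642-3004
"""

# An NT domain SID is S-1-5-21 followed by three sub-authorities; a user SID
# is a domain SID followed by one relative identifier (RID).
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
USER_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def _attr(ldif: str, name: str) -> str:
    """Return the first value of attribute `name` from an LDIF dump."""
    for line in ldif.splitlines():
        if line.startswith(name + ":"):
            return line.split(":", 1)[1].strip()
    raise ValueError(f"attribute {name} not found")


def domain_sid(ldif: str) -> str:
    sid = _attr(ldif, "sambaSID")
    if not DOMAIN_SID_RE.match(sid):
        raise ValueError(f"not a well-formed domain SID: {sid}")
    return sid


def user_sid(ldif: str) -> str:
    sid = _attr(ldif, "sambaSID")
    if not USER_SID_RE.match(sid):
        raise ValueError(f"not a well-formed user SID: {sid}")
    return sid


def domain_part(usid: str) -> str:
    """Strip the trailing RID: S-1-5-21-A-B-C-RID -> S-1-5-21-A-B-C."""
    return usid.rsplit("-", 1)[0]


def sid_matches_domain(dsid: str, usid: str) -> bool:
    """True when the user SID is dsid plus exactly one RID."""
    return domain_part(usid) == dsid


def fix_ldif(domain_ldif: str, usid: str) -> str:
    """Build a modify LDIF that sets the domain entry's sambaSID to the
    domain part of the user's SID (same shape as changesid.ldif above)."""
    dn = _attr(domain_ldif, "dn")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: sambaSID\n"
        f"sambaSID: {domain_part(usid)}\n"
    )


def check(domain_ldif: str, user_ldif: str) -> str:
    """Return '' when the SIDs agree, otherwise the LDIF needed to fix them."""
    dsid = domain_sid(domain_ldif)
    usid = user_sid(user_ldif)
    if sid_matches_domain(dsid, usid):
        return ""
    return fix_ldif(domain_ldif, usid)


if __name__ == "__main__":
    ldif = check(DOMAIN_LDIF, USER_LDIF)
    if ldif:
        print("sambaSID mismatch; apply with: ldapmodify -x -D <bind dn> -W -f changesid.ldif")
        print(ldif, end="")
    else:
        print("domain sambaSID is the prefix of the user sambaSID; nothing to do")
```

Note that this only fixes the single-domain case described in the post: if users from several different domain SIDs exist in the directory, only those whose SID prefix matches the corrected domain entry will authenticate.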


6. Access the Samba share again as the same LDAP user (ldapuser3 here). This time it succeeds.

$ smbclient -L testcluster -U ldapuser3%Passw0rd -m SMB2
Domain=[TESTCLUSTER] OS=[] Server=[]

Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (IBM NAS)
smbexp1 Disk
smbexp3 Disk
smbexp_fset1 Disk
Domain=[TESTCLUSTER] OS=[] Server=[]

Server Comment
--------- ---- -------

Workgroup Master
--------- ---- -------
