[Samba] Messed up SIDs: How to change machine SID?
Marcus Mundt
marcus.mundt at forsa.de
Mon Jul 15 07:24:46 MDT 2013
I could fix the SID issues. However, the other errors and warnings remain. Struggling hard to find the cause for not being able to join a domain, getting "Access Denied".
SMB log:
[2013/07/12 15:48:03.439574, 2] auth/auth.c:309(check_ntlm_password)
check_ntlm_password: authentication for user [admin] -> [admin] -> [admin] succeeded
[2013/07/12 15:48:03.442335, 3] groupdb/mapping.c:772(pdb_create_builtin_alias)
pdb_create_builtin_alias: Could not get a gid out of winbind
[2013/07/12 15:48:03.442450, 2] auth/token_util.c:455(finalize_local_nt_token)
WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
[2013/07/12 15:48:03.444454, 3] groupdb/mapping.c:772(pdb_create_builtin_alias)
pdb_create_builtin_alias: Could not get a gid out of winbind
[2013/07/12 15:48:03.444555, 2] auth/token_util.c:479(finalize_local_nt_token)
WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
...
[2013/07/12 15:48:03.191990, 0] rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate: no challenge sent to client N666
...
[2013/07/12 15:48:03.587205, 3] smbd/connection.c:35(yield_connection)
Yielding connection to IPC$
[2013/07/12 15:48:03.589351, 3] smbd/server_exit.c:181(exit_server_common)
Server exit (failed to receive smb request)
Questions:
Is it mandatory that
Domain Admins
Domain Users
Domain Guests
Domain Computers
are spelled exactly like that? In GOsa I'm only allowed to use lower case letters and no spaces. Hence I got
domainadmins... and so forth. I don't know how to change the windows group name only.
Is a root user mandatory or may I use "admin"? Since I got no root in LDAP, but tried it last week, didn't help.
Which of the domain and builtin groups are mandatory? As far as I know only
Domain Admins 512
Domain Users 513
Domain Guests 514
and
From the builtin domain (didn't know that there is a built in domain until now)
Administrators 544
Users 545
Guests 546
Thanks for any help in advance! Setting up a PDC seems not too hard, but I have to use our existing LDAP directory and operate on a production system :(
Cheers,
Marcus
> I have an LDAP backend.
>
> In LDAP, the machine accounts for my windows and linux clients do show
> the same base SID as the domain SID (ie.. all but the last digits.)
>
> However I also have the mismatch with "net getdomainsid" - which
> definitely explains why they don't behave as I would expect. You may
> want to try fixing this with "net setlocalsid." I guess when you join a
> unix or linux member server to the domain the localsid is not updated.
>
> Re the BUILTIN groups you may want to explicitly map these to unix
> groups rather than relying on winbind to do it
>
>
> e.g. I created unix groups
>
> #getent group ....
> Builtin Admins::544:
> Builtin Users::545:
> Builtin Guests::546:
>
> Then mapped the well-known built-in Windows groups to the unix groups
>
>
> #net groupmap add ntgroup="Administrators" unixgroup=544
> sid=S-1-5-32-544 type=builtin
> #net groupmap add ntgroup="Users" unixgroup=545 sid=S-1-5-32-545
> type=builtin
> #net groupmap add ntgroup="Guests" unixgroup=546 sid=S-1-5-32-546
> type=builtin
>
> # net groupmap list | grep -i builtin
>
> Administrators (S-1-5-32-544) -> Builtin Admins
> Users (S-1-5-32-545) -> Builtin Users
> Guests (S-1-5-32-546) -> Builtin Guests
>
>
>
> The linux samba member servers I use mostly for IT use anyway so I never
> shook out all the bugs.
>
>
>
>
> On 07/03/13 11:49, Marcus Mundt wrote:
> > Dear Samba Gurus,
> >
> > I got the following errors:
> > tail -f /var/log/samba/log.wb-DOM1
> > [2013/07/02 15:49:19.990168, 2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
> > name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
> >
> > log.smbd
> > [2013/07/02 15:40:51.809516, 2] auth/token_util.c:455(finalize_local_nt_token)
> > WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
> > [2013/07/02 15:40:51.811330, 2] auth/token_util.c:479(finalize_local_nt_token)
> > WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
> >
> >
> > I guess the reason might be this:
> > net getdomainsid
> > SID for local machine M1 is: S-1-5-21-3981825222-1828954701-2606613544
> > SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449
> >
> > net getdomainsid
> > SID for local machine M2 is: S-1-5-21-2913448378-2543514743-1508345481
> > SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449
> >
> >
> > Shouldn't the SIDs be the same except the last digits???
> >
> > Cheers,
> > Marcus
>
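A check for the two symptoms this thread turns on, the local machine SID not matching the domain SID on a PDC and the well-known BUILTIN groups having no groupmap entry. This is an added example, not code from the thread or from Samba; it runs on constructed copies of the command output (the SIDs are the ones quoted above), and on a real server you would feed it the output of `net getdomainsid` and `net groupmap list` instead.

```shell
#!/bin/sh
# Added example, not from the thread. Checks two things the thread discusses:
#  1. on a PDC the local machine SID must equal the domain SID
#     (otherwise: net setlocalsid <domain SID>)
#  2. BUILTIN Administrators/Users/Guests (RIDs 544/545/546) need a groupmap
#     entry (otherwise: net groupmap add ... sid=S-1-5-32-<rid> type=builtin)

# Constructed sample of "net getdomainsid" output, copied from M1 in the thread.
SAMPLE_GETDOMAINSID='SID for local machine M1 is: S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449'

# Constructed sample of "net groupmap list" output with the Users mapping missing.
SAMPLE_GROUPMAP='Administrators (S-1-5-32-544) -> Builtin Admins
Guests (S-1-5-32-546) -> Builtin Guests'

# Arg 1: "net getdomainsid" output. Prints "ok" (return 0) when the local
# machine SID equals the domain SID, else "mismatch <local> <domain>" (return 1).
check_local_sid() {
    local_sid=$(printf '%s\n' "$1" | sed -n 's/^SID for local machine .* is: //p')
    domain_sid=$(printf '%s\n' "$1" | sed -n 's/^SID for domain .* is: //p')
    if [ -n "$local_sid" ] && [ "$local_sid" = "$domain_sid" ]; then
        echo ok
        return 0
    fi
    echo "mismatch $local_sid $domain_sid"
    return 1
}

# Arg 1: "net groupmap list" output. Prints the BUILTIN RIDs (544 545 546)
# that have no mapping, space separated; returns 1 if any are missing.
missing_builtin_maps() {
    missing=""
    for rid in 544 545 546; do
        if ! printf '%s\n' "$1" | grep -q "(S-1-5-32-$rid)"; then
            missing="$missing $rid"
        fi
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Run against the constructed samples; swap in real command output on a server.
check_local_sid "$SAMPLE_GETDOMAINSID" || echo 'fix with: net setlocalsid <domain SID>'
missing_builtin_maps "$SAMPLE_GROUPMAP" || echo 'add the missing entries with: net groupmap add ... type=builtin'
```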