PDC Functions

Mike Miller temp6453 at hotmail.com
Fri Aug 8 14:41:25 GMT 2003


What I'm attempting to do is get services for unix working on a win2k box, 
running off of a samba PDC.   I am having great difficulty doing so.  I have 
added a trust relationship and added the 2k server into the domain.  I then 
try and change ownership to anyone in the domain without luck.  It always 
gives me that the Sid Lookup Failed.  Microsoft said the following and 
basically told me to use an NT/2k PDC.  I completely trust the machine in 
every way, so I'm not too worried about security of the machine, however I 
want it to work on these RPC calls to get the SIDs.  For some reason, it 
doesn't seem to be giving me any SIDs.  Any ideas?

--- START M$ ANSWER ---
No. The NFS server running on your file server will need the mapped domain
user's SID in order to impersonate him while accessing files. The DC will
not give out that SID unless the NFS subauthentication DLL (aka Server for
NFS Authentication) is installed on it.

In other words, you will have to migrate the DC first, and install Server
for NFS Auth on it if you need to use mapped domain users...Further, the DC
should be running pre-Win2k compat mode if the mapping server (running as
local service on a member server) is to be able to get the list of users.
--- END M$ ANSWER ---

-Mike

>From: "Gerald (Jerry) Carter" <jerry at samba.org>
>To: Mike Miller <temp6453 at hotmail.com>
>CC: samba-technical at lists.samba.org
>Subject: Re: PDC Functions
>Date: Thu, 7 Aug 2003 23:32:02 -0500 (CDT)
>
>On Fri, 8 Aug 2003, Mike Miller wrote:
>
> > Hi,
> >   I am trying to set up Samba as a PDC on our network and having some
> > difficulty.  I established a trusted machine account and added it to the
> > domain.  Samba will however not release the SIDs needed by our servers
> > working off of it.  I get the following message when trying to do a gpresult
> > [microsoft resource kit]
> >
> > LookupAccountSid failed with 1789
>
>from winerror.h:
>
>#define ERROR_TRUSTED_RELATIONSHIP_FAILURE 1789L
>
>Something's messed up on the client's account it appears.
>
> > I did a grep through samba 2.2.8b and samba 3.0.0b3 sources and couldn't
> > even pull up that 'AccountSid' command.  Is this not supported at all?  Will
> > I be forced to enter the depths of Windows as a PDC?
>
>It is supported in 2.2 and 3.0
>
> > It doesn't seem too complicated to release the SIDs to trusted machines
> > [such as the one which does our user map services]... isn't that what I'm
> > trying to do here?
>
>
>
>cheers, jerry
>
>  ----------------------------------------------------------------------
>  Hewlett-Packard            ------------------------- http://www.hp.com
>  SAMBA Team                 ---------------------- http://www.samba.org
>  GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
>  "You can never go home again, Oatman, but I guess you can shop there."
>                             --John Cusack - "Grosse Point Blank" (1997)
>
