PDC Functions

Anderson, Brandie brandie.anderson at ttu.edu
Fri Aug 8 15:12:35 GMT 2003


Mike,
I can tell you from extensive testing of SFU (and this is difficult to
say - I bleed blue) that the only product MS ever released that was as
bad as this was Windows ME. Religion aside, SFU doesn't want Samba to be
the PDC, their whole premise of SFU is migration not coexistence. This
is why they cannot help you if you do not meet their flowchart product
implementation. As for the NFS subauthorization piece - nfssa.dll must
be installed on every MS domain controller PDC or BDC regardless of the
full SFU presence or user authentication/access WILL fail on the MS
side. What exactly are you trying to do with the SIDs? I may have
missed that part. Authentication - NFS access control???
Just as a side note, the SFU beta 3.5 is out to test - I am currently
beating it up at the same time as Samba 3 beta 3.

Brandie Anderson, MCSE, CNA
Security Manager
Texas Tech University
brandie.anderson at ttu.edu


-----Original Message-----
From: Mike Miller [mailto:temp6453 at hotmail.com] 
Sent: Friday, August 08, 2003 9:41 AM
To: jerry at samba.org
Cc: samba-technical at lists.samba.org
Subject: Re: PDC Functions

What I'm attempting to do is get services for unix working on a win2k
box, running off of a samba PDC. I am having great difficulty doing so.
I have added a trust relationship and added the 2k server into the
domain. I then try and change ownership to anyone in the domain without
luck. It always gives me that the Sid Lookup Failed. Microsoft said the
following and basically told me to use an NT/2k PDC. I completely trust
the machine in every way, so I'm not too worried about security of the
machine, however I want it to work on these RPC calls to get the SIDs.
For some reason, it doesn't seem to be giving me any SIDs. Any ideas?

--- START M$ ANSWER ---
No. The NFS server running on your file server will need the mapped
domain user's SID in order to impersonate him while accessing files.
The DC will not give out that SID unless the NFS subauthentication DLL
(aka Server for NFS Authentication) is installed on it.

In other words, you will have to migrate the DC first, and install
Server for NFS Auth on it if you need to use mapped domain users...
Further, the DC should be running pre-Win2k compat mode if the mapping
server (running as local service on a member server) is to be able to
get the list of users.
--- END M$ ANSWER ---

-Mike

>From: "Gerald (Jerry) Carter" <jerry at samba.org>
>To: Mike Miller <temp6453 at hotmail.com>
>CC: samba-technical at lists.samba.org
>Subject: Re: PDC Functions
>Date: Thu, 7 Aug 2003 23:32:02 -0500 (CDT)
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Fri, 8 Aug 2003, Mike Miller wrote:
>
> > Hi,
> >   I am trying to set up Samba as a PDC on our network and having
> > some difficulty.  I established a trusted machine account and added
> > it to the domain.  Samba will however not release the SIDs needed by
> > our servers working off of it.  I get the following message when
> > trying to do a gpresult [microsoft resource kit]
> >
> > LookupAccountSid failed with 1789
>
>from winerror.h:
>
>#define ERROR_TRUSTED_RELATIONSHIP_FAILURE 1789L
>
>Something's messed up on the client's account it appears.
>
> > I did a grep through samba 2.2.8b and samba 3.0.0b3 sources and
> > couldn't even pull up that 'AccountSid' command.  Is this not
> > supported at all?  Will I be forced to enter the depths of Windows
> > as a PDC?
>
>It is supported in 2.2 and 3.0
>
> > It doesn't seem too complicated to release the SIDs to trusted
> > machines [such as the one which does our user map services]... isn't
> > that what I'm trying to do here?
>
>
>
>cheers, jerry
>
>
>----------------------------------------------------------------------
>  Hewlett-Packard            ------------------------- http://www.hp.com
>  SAMBA Team                 ---------------------- http://www.samba.org
>  GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
>  "You can never go home again, Oatman, but I guess you can shop there."
>                             --John Cusack - "Grosse Point Blank" (1997)
>
