[Samba] primary gid of user [desires] is not a Domain group !

Gémes Géza geza at kzsdabas.sulinet.hu
Mon Feb 16 19:33:38 GMT 2004



C.Lee Taylor wrote:
| Wendell Wilson wrote:
|
|> Precisely the same thing is happening to me! There have been a couple
|> other threads with others having more or less the same problem... but
|> I haven't seen any fixes that work for me, yet.
|>
|> I have 3.0.1, at the moment. Did you upgrade from 2.2.x? or from an
|> earlier version of 3.x? Or did this just start out of the blue? I am
|> not using LDAP, at this point, or even winbind to handle user/group
|> mappings. What sort of setup do you have?
|
|
|    Currently using 3.0.2, at least the ones FC1 just shipped over the
| weekend ...
|
|    I did a clean installation and converted my LDAP ldif file from
| Samba2 to Samba3 ... I have made all sorts of changes and can't get this
| to go away, so I don't know what the problem is ...
|
|    At first I thought that my posix accounts' primary gid had to be
| mapped to an NT one, then I modified the Primary SID for each user and
| still got it ... so I really don't know ...
|
|
| Mailed
| Lee
|
|>
|> Wendell
|>
|> C.Lee Taylor wrote:
|>
|>> Greetings ...
|>>
|>>    I hope somebody can explain this to me, or give me a help to fix
|>> this problem ...
|>>
|>>    On my Samba server ( 3.0.2rc2 ) I am getting ...
|>>
|>> Feb  9 17:31:21 eastrand smbd[2113]: [2004/02/09 17:31:21, 0]
|>> rpc_server/srv_pipe.c:api_pipe_netsec_process(1371)
|>> Feb  9 17:31:21 eastrand smbd[2113]:   failed to decode PDU
|>> Feb  9 17:31:21 eastrand smbd[2113]: [2004/02/09 17:31:21, 0]
|>> rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
|>> Feb  9 17:31:21 eastrand smbd[2113]:   process_request_pdu: failed to
|>> do schannel processing.
|>> Feb  9 17:31:26 eastrand smbd[2113]: [2004/02/09 17:31:26, 0]
|>> rpc_server/srv_util.c:get_domain_user_groups(372)
|>> Feb  9 17:31:26 eastrand smbd[2113]:   get_domain_user_groups:
|>> primary gid of user [desires] is not a Domain group !
|>> Feb  9 17:31:26 eastrand smbd[2113]:   get_domain_user_groups: You
|>> should fix it, NT doesn't like that
|>>
|>>    But if I do ...
|>>
|>> [root@eastrand root]# pdbedit -L -v -u desires
|>> Unix username:        desires
|>> NT username:          desires
|>> Account Flags:        [UX         ]
|>> User SID:             S-1-5-21-3795178988-3942151060-2329322268-44008
|>> Primary Group SID:    S-1-5-21-3795178988-3942151060-2329322268-513
|>> Full Name:            Desire Steyn
|>> Home Directory:       \\eastrand\desires
|>> HomeDir Drive:        l:
|>> Logon Script:         login.bat
|>> Profile Path:         \\eastrand\desires\profile
|>> Domain:               XXXXX-ZA-DM
|>> Account desc:
|>> Workstations:
|>> Munged dial:
|>> Logon time:           0
|>> Logoff time:          Fri, 13 Dec 1901 22:45:51 GMT
|>> Kickoff time:         Fri, 13 Dec 1901 22:45:51 GMT
|>> Password last set:    Thu, 13 Feb 2003 13:24:06 GMT
|>> Password can change:  0
|>> Password must change: Fri, 13 Dec 1901 22:45:51 GMT
|>> [root@eastrand root]#
|>>
|>>    Now I have an LDAP passdb, and I have done a
|>> [root@eastrand root]# net groupmap list
|>> Domain Users (S-1-5-21-3795178988-3942151060-2329322268-513) -> ntusers
|>> Domain Computers (S-1-5-21-3795178988-3942151060-2329322268-515) ->
|>> machines
|>> Domain Admins (S-1-5-21-3795178988-3942151060-2329322268-512) -> ntadmin
|>> Domain Guests (S-1-5-21-3795178988-3942151060-2329322268-514) -> nobody
|>>
|>>    And
|>>
|>> [root@eastrand root]# getent passwd |grep -i des
|>> desires:x:21504:10000:Desire:/home/users/desires:/sbin/nologin
|>>
|>>    Has anyone got an idea of what I am missing ...
|>>
|>> Mailed
|>> Lee
|>>
|>>
|>
|>
|>
|>
|
Just in time!

I've had a strange problem: Windows98 and 2000 clients refused to
implement the policy defined for groups, but implemented those defined
for users and computers. At the same time I've found similar entries in
the logs (my production systems are Samba3.0.1.pre1+some patches with
ldapsam backend).  I decided to set up a small test system: Samba3.0.2
with tdbsam backend. And found that the problem is related to one of the
user's attributes, called sambaPrimaryGroupSID in LDAP or Primary Group
SID if you look at it with pdbedit -L -v username_here. I fixed it half
an hour ago, and now everything is working well.
The solution is simple, but can be a lot of work if you have a lot
of users and groups: take care that sambaPrimaryGroupSID for any of
your users is a valid SID of an existing ntgroup. Best if it is the
ntgroup which corresponds to your user's primary unixgroup.


Hope it helps.

Cheers

Geza
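The check recommended in the reply above, as an added example that is not part of the original thread: it cross-references `pdbedit -L -v`, `net groupmap list` and the passwd/group databases to find users whose Primary Group SID is not a mapped ntgroup, or is mapped to a group other than their primary unix group. The sample inputs are constructed from the output quoted in the thread; the users `bob` and `alice` and the unix gids of the groups are assumptions.

```python
import re

# Constructed samples, modelled on the command output quoted in the thread.
# The users bob and alice and the unix gids of all groups are assumptions.
PDBEDIT = """\
Unix username:        desires
Primary Group SID:    S-1-5-21-3795178988-3942151060-2329322268-513
---------------
Unix username:        bob
Primary Group SID:    S-1-5-21-3795178988-3942151060-2329322268-513
---------------
Unix username:        alice
Primary Group SID:    S-1-5-21-3795178988-3942151060-2329322268-21001
"""
GROUPMAP = """\
Domain Users (S-1-5-21-3795178988-3942151060-2329322268-513) -> ntusers
Domain Admins (S-1-5-21-3795178988-3942151060-2329322268-512) ->
ntadmin
"""
PASSWD = """\
desires:x:21504:10000:Desire:/home/users/desires:/sbin/nologin
bob:x:21505:10001:Bob:/home/users/bob:/sbin/nologin
alice:x:21506:10001:Alice:/home/users/alice:/sbin/nologin
"""
GROUP = "staff:x:10000:\nntusers:x:10001:\nntadmin:x:10002:\n"

def parse_groupmap(text):
    """{sid: unix group} from `net groupmap list`; tolerates wrapped lines."""
    return dict(re.findall(r"\((S-[\d-]+)\)\s*->\s*(\S+)", text))

def parse_pdbedit(text):
    """{unix user: primary group SID}; assumes each record has both fields."""
    pat = r"^Unix username:[ \t]*(\S+)$.*?^Primary Group SID:[ \t]*(\S+)$"
    return dict(re.findall(pat, text, re.M | re.S))

def audit(pdbedit, groupmap, passwd, group):
    """Classify each user: ok, mismatch (SID maps to another group), unmapped."""
    sid_to_grp = parse_groupmap(groupmap)
    gid_to_grp = {f[2]: f[0] for f in (l.split(":") for l in group.splitlines() if l)}
    primary = {f[0]: gid_to_grp.get(f[3]) for f in (l.split(":") for l in passwd.splitlines() if l)}
    result = {}
    for user, sid in parse_pdbedit(pdbedit).items():
        mapped = sid_to_grp.get(sid)
        result[user] = ("unmapped" if mapped is None
                        else "ok" if mapped == primary.get(user) else "mismatch")
    return result

if __name__ == "__main__":
    print(audit(PDBEDIT, GROUPMAP, PASSWD, GROUP))
```

On a live server, pass in the captured output of `pdbedit -L -v`, `net groupmap list`, `getent passwd` and `getent group` in place of the constructed samples.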


