[Samba] primary gid of user [desires] is not a Domain group !

C.Lee Taylor leet at leenx.co.za
Mon Feb 16 20:43:07 GMT 2004 

Greetings ...

    I have left in the parts that matter ... I beleive all my SID's are 
mapped, that is why I am confused ... as you can see believe, plus I 
added the group resolution ...

> |>>    On my Samba server ( 3.0.2rc2 ) I am getting ...
> |>>
> |>> Feb  9 17:31:21 eastrand smbd[2113]: [2004/02/09 17:31:21, 0]
> |>> rpc_server/srv_pipe.c:api_pipe_netsec_process(1371)
> |>> Feb  9 17:31:21 eastrand smbd[2113]:   failed to decode PDU
> |>> Feb  9 17:31:21 eastrand smbd[2113]: [2004/02/09 17:31:21, 0]
> |>> rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
> |>> Feb  9 17:31:21 eastrand smbd[2113]:   process_request_pdu: failed to
> |>> do schannel processing.
> |>> Feb  9 17:31:26 eastrand smbd[2113]: [2004/02/09 17:31:26, 0]
> |>> rpc_server/srv_util.c:get_domain_user_groups(372)
> |>> Feb  9 17:31:26 eastrand smbd[2113]:   get_domain_user_groups:
> |>> primary gid of user [desires] is not a Domain group !
> |>> Feb  9 17:31:26 eastrand smbd[2113]:   get_domain_user_groups: You
> |>> should fix it, NT doesn't like that
> |>>
> |>>    But if I do ...
> |>>
> |>> [root at eastrand root]# pdbedit -L -v -u desires
> |>> Unix username:        desires
> |>> NT username:          desires
> |>> Account Flags:        [UX         ]
> |>> User SID:             S-1-5-21-3795178988-3942151060-2329322268-44008
> |>> Primary Group SID:    S-1-5-21-3795178988-3942151060-2329322268-513
> |>> Full Name:            Desire Steyn
> |>> Home Directory:       \\eastrand\desires
> |>> HomeDir Drive:        l:
> |>> Logon Script:         login.bat
> |>> Profile Path:         \\eastrand\desires\profile
> |>> Domain:               XXXXX-ZA-DM
> |>> Account desc:
> |>> Workstations:
> |>> Munged dial:
> |>> Logon time:           0
> |>> Logoff time:          Fri, 13 Dec 1901 22:45:51 GMT
> |>> Kickoff time:         Fri, 13 Dec 1901 22:45:51 GMT
> |>> Password last set:    Thu, 13 Feb 2003 13:24:06 GMT
> |>> Password can change:  0
> |>> Password must change: Fri, 13 Dec 1901 22:45:51 GMT
> |>> [root at eastrand root]#
> |>>
> |>>    Now I have an LDAP passdb, and I have done a
> |>> [root at eastrand root]# net groupmap list
> |>> Domain Users (S-1-5-21-3795178988-3942151060-2329322268-513) -> 
> ntusers
> |>> Domain Computers (S-1-5-21-3795178988-3942151060-2329322268-515) ->
> |>> machines
> |>> Domain Admins (S-1-5-21-3795178988-3942151060-2329322268-512) -> 
> ntadmin
> |>> Domain Guests (S-1-5-21-3795178988-3942151060-2329322268-514) -> 
> nobody
> |>>
> |>> [root at eastrand root]# getent passwd |grep -i des
> |>> desires:x:21504:10000:Desire:/home/users/desires:/sbin/nologin

    Forgot to add ...
[root at eastrand root]# getent group | grep -i users
users:x:100:
ntusers:x:10000:leet

>
> I've had a strange problem: Windows98 and 2000 clients refused to
> implement the policy defined for groups, but implemented those defined
> for users and computers. In the same time I've found similar entries in
> the logs (My production systems are Samba3.0.1.pre1+some patches with
> ldapsam backend).  I decided to set up a small test system: Samba3.0.2
> with tdbsam backend. And found that the problem is related to one of the
> ~ users attributes called sambaPrimaryGroupSID in LDAP or Primary Group
> SID if you look at it with pdbedit -L -v username_here. I've fixed, half
> an hour ago, and now everything is working well.
> The sollution is simple, but can be a big lot of work if you have a lot
> of users and groups; take care, that sambaPrimaryGroupSID for any of
> your users is a valid SID of an existing ntgroup. Best if it the
> ntgroup, which corespond to your users primary unixgroup.

    So all my stuff should work ... I don't understand why it does not ...

Thanks
Mailed
Lee

More information about the samba mailing list