[Samba] primary gid of user [desires] is not a Domain group !

Wendell Wilson wendell at qx.net
Wed Feb 18 19:06:03 GMT 2004

This should mean that, while you have the group mappings, there is some 
other problem with this making it 'onto the wire.' I'm no expert on 
this, at all, but it seems like the part of samba that is setting up the 
group mappings works OK, but the part that actually does the network 
communication isn't on the same page.

Perhaps use tdbs instead of ldap for a bit, just to test things? It 
seems like your problem might be on the ldap end, or the part where 
samba talks to ldap to get group info. I am using tdb files. So far, it's 
been working for about a day with over a dozen users, no errors. I found 
another thread about the PDU issues... it's nothing to worry about for 
the moment, it seems.

Doing a plain ` net rpc info ` had never worked for me. I am forced to 
specify the domain controller's name, even though it is a local domain. 
For me, ` net rpc info -S DC ` where DC is the domain's controller, for 
example, is what clued me in something was getting lost between 'net 
groupmap' and what was actually being advertised on the wire. Does that 
make sense? It seems weird that the user list can make it from ldap (or 
tdbs) for authentication, but even with fixed SIDs in ldap-- it doesn't 
make it from there, for some reason.

The short version for those paying attention to the thread is: Using 
something like the "pdbedit -r -u <user> -G <domain GID>" command to 
add domain users to domain groups works in at least one scenario that 
wasn't working otherwise, and use a "net rpc" command to verify you're 
actually associating the users with groups. net groupmap doesn't always 
automagically work.


C.Lee Taylor wrote:

> Greetings ...
>    Let's keep the list in on this, other people might be able to get 
> info from this too ...
> Wendell Wilson wrote:
>> Still more clues! Partially 'fixed.'
>    Okay ...
>> doing  ` net rpc user -S <domain name> info <user name> `
>    I can't get this to work ... it just does not return anything, so 
> I tried a few other things, which also did not give me anything, but ...
> [root at nasrec root]# net rpc info
> Domain Name: XXXXX-ZA-DM
> Domain SID: S-1-5-21-3795178988-3942151060-2329322268
> Sequence number: 1077004228
> Num users: 159
> Num domain groups: 0
> Num local groups: 0
>    Which is weird, showing that I have no groups ... but my net 
> groupmap list shows four maps, why would I not have any groups ...
>> I see that bob only belongs to only Domain Users. Yet, doing pdbedit 
>> -L -v -u bob ... shows the primary GID that matches the GID when I do 
>> `net groupmap list `  (same as you).
>> Then, I ran ` pdbedit -u bob --group SID=" < domain admins SID > " `  
>> ... and the net rpc command shows the user belongs to both groups.
>    Just to be correct, it would be `pdbedit -r -u bob --group SID=" < 
> domain admins SID > "`, you should not forget the '-r' when modifying ...
>> I am no longer getting the 'nt doesn't like it / fix it' message in 
>> my logs, but I still see the 'failed to decode PDU' message and 
>> 'failed to do schannel1 processing'  when the user logs in.
>    I went through my LDAP DB and manually fixed all the funny RIDs for 
> the Primary Group SID, but I am still seeing my "fix P G SID" error ...
>> Does this help you any?
>    A little, I am looking further into this ...
>> If so, do you still get the PDU messages when someone logs in?
>    Still, but not as much as before, will keep an eye open on this ...
>>>>> Feb  9 17:31:21 eastrand smbd[2113]: [2004/02/09 17:31:21, 0] 
>>>>> rpc_server/srv_pipe.c:api_pipe_netsec_process(1371)
>>>>> Feb  9 17:31:21 eastrand smbd[2113]:   failed to decode PDU
>>>>> Feb  9 17:31:21 eastrand smbd[2113]: [2004/02/09 17:31:21, 0] 
>>>>> rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
>>>>> Feb  9 17:31:21 eastrand smbd[2113]:   process_request_pdu: failed 
>>>>> to do schannel processing.
>>>>> Feb  9 17:31:26 eastrand smbd[2113]: [2004/02/09 17:31:26, 0] 
>>>>> rpc_server/srv_util.c:get_domain_user_groups(372)
>>>>> Feb  9 17:31:26 eastrand smbd[2113]:   get_domain_user_groups: 
>>>>> primary gid of user [desires] is not a Domain group !
>>>>> Feb  9 17:31:26 eastrand smbd[2113]:   get_domain_user_groups: You 
>>>>> should fix it, NT doesn't like that
>>>>>    But if I do ...
>>>>> [root at eastrand root]# pdbedit -L -v -u desires
>>>>> Unix username:        desires
>>>>> NT username:          desires
>>>>> Account Flags:        [UX         ]
>>>>> User SID:             S-1-5-21-3795178988-3942151060-2329322268-44008
>>>>> Primary Group SID:    S-1-5-21-3795178988-3942151060-2329322268-513
>>>>> Full Name:            Desire Steyn
>>>>> Home Directory:       \\eastrand\desires
>>>>> HomeDir Drive:        l:
>>>>> Logon Script:         login.bat
>>>>> Profile Path:         \\eastrand\desires\profile
>>>>> Domain:               XXXXX-ZA-DM
>>>>> Account desc:
>>>>> Workstations:
>>>>> Munged dial:
>>>>> Logon time:           0
>>>>> Logoff time:          Fri, 13 Dec 1901 22:45:51 GMT
>>>>> Kickoff time:         Fri, 13 Dec 1901 22:45:51 GMT
>>>>> Password last set:    Thu, 13 Feb 2003 13:24:06 GMT
>>>>> Password can change:  0
>>>>> Password must change: Fri, 13 Dec 1901 22:45:51 GMT
>>>>> [root at eastrand root]#
>>>>>    Now I have an LDAP passdb, and I have done a
>>>>> [root at eastrand root]# net groupmap list
>>>>> Domain Users (S-1-5-21-3795178988-3942151060-2329322268-513) -> 
>>>>> ntusers
>>>>> Domain Computers (S-1-5-21-3795178988-3942151060-2329322268-515) 
>>>>> -> machines
>>>>> Domain Admins (S-1-5-21-3795178988-3942151060-2329322268-512) -> 
>>>>> ntadmin
>>>>> Domain Guests (S-1-5-21-3795178988-3942151060-2329322268-514) -> 
>>>>> nobody
>>>>>    And
>>>>> [root at eastrand root]# getent passwd |grep -i des
>>>>> desires:x:21504:10000:Desire:/home/users/desires:/sbin/nologin
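As an added example (not from this thread and not Samba's own code): a small Python check modelled on the `net groupmap list` and `pdbedit -L -v` output quoted above, which flags every account whose Primary Group SID is outside the domain or has no groupmap entry, the condition behind the "primary gid of user [...] is not a Domain group" message. The sample output is constructed from the thread's example domain SID; the `bob` account with an unmapped primary group is hypothetical.

```python
import re
# Constructed sample data, modelled on the `net groupmap list` and
# `pdbedit -L -v` output quoted in the thread (same example domain SID).
DOMAIN_SID = "S-1-5-21-3795178988-3942151060-2329322268"
GROUPMAP_OUTPUT = f"""\
Domain Users ({DOMAIN_SID}-513) -> ntusers
Domain Computers ({DOMAIN_SID}-515) -> machines
Domain Admins ({DOMAIN_SID}-512) -> ntadmin
Domain Guests ({DOMAIN_SID}-514) -> nobody
"""
# 'desires' has a mapped primary group; 'bob' (constructed) does not.
PDBEDIT_OUTPUT = f"""\
Unix username:        desires
User SID:             {DOMAIN_SID}-44008
Primary Group SID:    {DOMAIN_SID}-513
Unix username:        bob
User SID:             {DOMAIN_SID}-1000
Primary Group SID:    {DOMAIN_SID}-21001
"""
GROUPMAP_RE = re.compile(r"^(.+?) \((S-1-5-[\d-]+)\) -> (\S+)$")

def parse_groupmap(text):
    # group SID -> (NT group name, unix group) from `net groupmap list`
    groups = {}
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if m:
            groups[m.group(2)] = (m.group(1), m.group(3))
    return groups

def parse_pdbedit(text):
    # one dict per account; a new account starts at each "Unix username:" line
    users, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key == "Unix username":
            current = {"username": value}
            users.append(current)
        elif sep and current is not None and key in ("User SID", "Primary Group SID"):
            current[key] = value
    return users

def unmapped_primary_groups(users, groups, domain_sid=DOMAIN_SID):
    # accounts whose primary group SID is outside the domain or has no
    # groupmap entry: the ones smbd reports as "not a Domain group"
    bad = []
    for u in users:
        pg = u.get("Primary Group SID", "")
        if not pg.startswith(domain_sid + "-") or pg not in groups:
            bad.append((u["username"], pg))
    return bad
```

On a live server the same functions can be fed the real output of `net groupmap list` and `pdbedit -L -v`; each flagged account is a candidate for the `pdbedit -r -u <user> --group SID="<domain group SID>"` fix discussed above.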
