[Samba] primary gid of user [desires] is not a Domain group !
Wendell Wilson
wendell at qx.net
Wed Feb 18 19:06:03 GMT 2004
This should mean that, while you have the group mappings, there is some
other problem with this making it 'onto the wire.' I'm no expert on
this, at all, but it seems like the part of samba that is setting up the
group mappings works OK, but the part that actually does the network
communication isn't on the same page.

Perhaps use tdbs instead of ldap for a bit, just to test things? It
seems like your problem might be on the ldap end, or the part where
samba talks to ldap to get group info. I am using tdb files. So far, it's
been working for about a day with over a dozen users, no errors. I found
another thread about the PDU issues... it's nothing to worry about for
the moment, it seems.

Doing a plain `net rpc info` had never worked for me. I am forced to
specify the domain controller's name, even though it is a local domain.
For me, `net rpc info -S DC`, where DC is the domain's controller, for
example, is what clued me in that something was getting lost between 'net
groupmap' and what was actually being advertised on the wire. Does that
make sense? It seems weird that the user list can make it from ldap (or
tdbs) for authentication, but even with fixed SIDs in ldap, it doesn't
make it from there, for some reason.

The short version for those paying attention to the thread is: Using
something like the "pdbedit -r -u <user> -G <domain GID>" command to
add domain users to domain groups works in at least one scenario that
wasn't working otherwise, and use a "net rpc" command to verify you're
actually associating the users with groups. net groupmap doesn't always
automagically work.

(agreed?)

Wendell

C.Lee Taylor wrote:
> Greetings ...
>
> Let's keep the list in on this, other people might be able to get
> info from this too ...
>
> Wendell Wilson wrote:
>
>> Still more clues! Partially 'fixed.'
>
>
> Okay ...
>
>> doing ` net rpc user -S <domain name> info <user name> `
>
>
> I can't get this to work ... it just does not return anything, so
> I tried a few other things, which also did not give me anything, but ...
>
> [root@nasrec root]# net rpc info
> Domain Name: XXXXX-ZA-DM
> Domain SID: S-1-5-21-3795178988-3942151060-2329322268
> Sequence number: 1077004228
> Num users: 159
> Num domain groups: 0
> Num local groups: 0
>
> Which is weird, showing that I have no groups ... but my net
> groupmap list shows four maps, why would I not have any groups ...
>
>> I see that bob belongs only to Domain Users. Yet, doing pdbedit
>> -L -v -u bob ... shows the primary GID that matches the GID when I do
>> `net groupmap list` (same as you).
>>
>> Then, I ran ` pdbedit -u bob --group SID=" < domain admins SID > " `
>> ... and the net rpc command shows the user belongs to both groups.
>
>
> Just to be correct, it would be `pdbedit -r -u bob --group SID=" <
> domain admins SID > "`, you should not forget the '-r' when modifying ...
>
>> I am no longer getting the 'nt doesn't like it / fix it' message in
>> my logs, but I still see the 'failed to decode PDU' message and
>> 'failed to do schannel1 processing' when the user logs in.
>
>
> I went through my LDAP DB and manually fixed all the funny RIDs for
> the Primary Group SID, but I am still seeing my "fix P G SID" error ...
>
>> Does this help you any?
>
>
> A little, I am looking further into this ...
>
>> If so, do you still get the PDU messages when someone logs in?
>
>
> Still, but not as much as before, will keep an eye open on this ...
>
>>>>> Feb 9 17:31:21 eastrand smbd[2113]: [2004/02/09 17:31:21, 0]
>>>>> rpc_server/srv_pipe.c:api_pipe_netsec_process(1371)
>>>>> Feb 9 17:31:21 eastrand smbd[2113]: failed to decode PDU
>>>>> Feb 9 17:31:21 eastrand smbd[2113]: [2004/02/09 17:31:21, 0]
>>>>> rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
>>>>> Feb 9 17:31:21 eastrand smbd[2113]: process_request_pdu: failed
>>>>> to do schannel processing.
>>>>> Feb 9 17:31:26 eastrand smbd[2113]: [2004/02/09 17:31:26, 0]
>>>>> rpc_server/srv_util.c:get_domain_user_groups(372)
>>>>> Feb 9 17:31:26 eastrand smbd[2113]: get_domain_user_groups:
>>>>> primary gid of user [desires] is not a Domain group !
>>>>> Feb 9 17:31:26 eastrand smbd[2113]: get_domain_user_groups: You
>>>>> should fix it, NT doesn't like that
>>>>>
>>>>> But if I do ...
>>>>>
>>>>> [root@eastrand root]# pdbedit -L -v -u desires
>>>>> Unix username: desires
>>>>> NT username: desires
>>>>> Account Flags: [UX ]
>>>>> User SID: S-1-5-21-3795178988-3942151060-2329322268-44008
>>>>> Primary Group SID: S-1-5-21-3795178988-3942151060-2329322268-513
>>>>> Full Name: Desire Steyn
>>>>> Home Directory: \\eastrand\desires
>>>>> HomeDir Drive: l:
>>>>> Logon Script: login.bat
>>>>> Profile Path: \\eastrand\desires\profile
>>>>> Domain: XXXXX-ZA-DM
>>>>> Account desc:
>>>>> Workstations:
>>>>> Munged dial:
>>>>> Logon time: 0
>>>>> Logoff time: Fri, 13 Dec 1901 22:45:51 GMT
>>>>> Kickoff time: Fri, 13 Dec 1901 22:45:51 GMT
>>>>> Password last set: Thu, 13 Feb 2003 13:24:06 GMT
>>>>> Password can change: 0
>>>>> Password must change: Fri, 13 Dec 1901 22:45:51 GMT
>>>>> [root@eastrand root]#
>>>>>
>>>>> Now I have an LDAP passdb, and I have done a
>>>>> [root@eastrand root]# net groupmap list
>>>>> Domain Users (S-1-5-21-3795178988-3942151060-2329322268-513) -> ntusers
>>>>> Domain Computers (S-1-5-21-3795178988-3942151060-2329322268-515) -> machines
>>>>> Domain Admins (S-1-5-21-3795178988-3942151060-2329322268-512) -> ntadmin
>>>>> Domain Guests (S-1-5-21-3795178988-3942151060-2329322268-514) -> nobody
>>>>>
>>>>> And
>>>>>
>>>>> [root@eastrand root]# getent passwd |grep -i des
>>>>> desires:x:21504:10000:Desire:/home/users/desires:/sbin/nologin
>>>>
>>>>
>
>
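
The cross-check the thread performs by eye on `pdbedit -L -v`, `net groupmap list` and `getent passwd`, as an added example that is not part of the original e-mails. The account name, SIDs and gids are constructed, and the rule that the user's Unix primary gid should equal the gid of the Unix group mapped to the Primary Group SID is an assumption about what the smbd warning is checking.

```shell
#!/bin/sh
# Constructed sample data in the output formats quoted in the thread.
# On a live server, capture the real text instead:
#   pdbedit -L -v -u USER; net groupmap list; getent passwd USER; getent group
PDB='Unix username:        alice
Primary Group SID:    S-1-5-21-1-2-3-513'
MAP='Domain Users (S-1-5-21-1-2-3-513) -> ntusers
Domain Admins (S-1-5-21-1-2-3-512) -> ntadmin'
PASSWD='alice:x:21504:10000:Alice:/home/users/alice:/sbin/nologin'
GROUP_DB='ntusers:x:10001:
ntadmin:x:10002:
staff:x:10000:'

# stdin: pdbedit -L -v text; prints the Primary Group SID
primary_group_sid() {
    sed -n 's/^Primary Group SID:[[:space:]]*//p' | head -n 1
}

# $1: SID, stdin: net groupmap list text; prints the mapped Unix group
mapped_unix_group() {
    awk -v sid="($1)" '{
        for (i = 1; i < NF - 1; i++)
            if ($i == sid && $(i + 1) == "->") { print $(i + 2); exit }
    }'
}

# $1 pdbedit text, $2 groupmap text, $3 passwd line, $4 getent group text
check_primary_group() {
    sid=$(printf '%s\n' "$1" | primary_group_sid)
    [ -n "$sid" ] || { echo "no-primary-group-sid"; return 0; }
    ugroup=$(printf '%s\n' "$2" | mapped_unix_group "$sid")
    [ -n "$ugroup" ] || { echo "unmapped: $sid"; return 0; }
    # gid of the mapped Unix group versus the gid field of the passwd entry
    want=$(printf '%s\n' "$4" | awk -F: -v g="$ugroup" '$1 == g { print $3 }')
    have=$(printf '%s\n' "$3" | cut -d: -f4)
    if [ "$want" = "$have" ]; then
        echo "ok"
    else
        echo "gid-mismatch: passwd gid $have, $ugroup is ${want:-missing}"
    fi
}

check_primary_group "$PDB" "$MAP" "$PASSWD" "$GROUP_DB"
```

A result other than `ok` points at the layer to look at: `unmapped` means the group mapping itself is missing, while `gid-mismatch` means the mapping exists but the Unix account's primary gid belongs to a different group.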