[Samba] SAMBA 3 as PDC - W2K/WXP Pro logon trouble

Scott Gross SGross at newsgroupwest.com
Fri Mar 5 17:45:26 GMT 2004


The machine accounts will show with the users; they will be suffixed with a
$.  In the LDAP backend I have an SID for the domain name and an SID for the
server itself which is not contained in LDAP.  Then each computer and each
user had two SIDs (sambaSID and sambaPrimaryGroupSID) and the groups only
have one SID (sambaSID).  My discrepancy was in the domain name SID which
was different than the server's SID. The groups and users matched the server's
SID but the computers matched both the server's SID (sambaPrimaryGroupSID)
and the wrong domain name SID from the LDAP entry (sambaSID). When I made
all match the server's SID everything started working.  I haven't worked with
smbpasswd as a PDC so I'm not sure where all the SIDs are stored.

> -----Original Message-----
> From: Stumpfl Markus [mailto:htl.traun.kustos at eduhi.at]
> Sent: Wednesday, March 03, 2004 11:30 PM
> To: 'Scott Gross'
> Cc: MailingList_Samba
> Subject: AW: [Samba] SAMBA 3 as PDC - W2K/WXP Pro logon trouble
> 
> Oh, so you are using ldap..., well I'm still working with smbpasswd as
> backend :-(
> 
> Anyway, I tried 'net getlocalsid' for the domain-sid -> ok
> Next 'net usersidlist' which should show me the user-sids -> didn't
> work: "[2004/03/04 06:40:05, 0, pid=31232, effective(0, 0), real(0, 0)]
> utils/net_rpc.c:net_usersidlist(2158)
>   Could not get the user/sid list"
> 
> So used 'net user' instead, which then gave me the user list!?
> 
> What am I missing here? And is there a way to see the machine sids too?
> Or are they included in the users?
> 
> Thanks in advance,
> 
> Markus
> 
> 
> 
> > -----Original Message-----
> > From: Scott Gross [mailto:SGross at newsgroupwest.com]
> > Sent: Wednesday, 03 March 2004 18:29
> > To: Stumpfl Markus
> > Subject: RE: [Samba] SAMBA 3 as PDC - W2K/WXP Pro logon trouble
> > Importance: High
> >
> > I use a little windows gui program called LDAP browser to look at my LDAP
> > entries and I was just looking through the entries at the SIDs since
> > someone suggested it might be an SID problem and noticed the discrepancy on
> > the domain name entry.  I changed it to match all the others just to see if
> > it would have any effect and voilà, it worked.
> >
> > > -----Original Message-----
> > > From: Stumpfl Markus [mailto:htl.traun.kustos at eduhi.at]
> > > Sent: Tuesday, March 02, 2004 10:52 PM
> > > To: 'Scott Gross'
> > > Subject: AW: [Samba] SAMBA 3 as PDC - W2K/WXP Pro logon trouble
> > >
> > > Thx, but how did you find out? With what commands? Sry for the stupid
> > > questions, but I'm kinda new to samba.
> > >
> > > Thanks in advance,
> > >
> > > Stumpfl Markus
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Scott Gross [mailto:SGross at newsgroupwest.com]
> > > > Sent: Tuesday, 02 March 2004 18:14
> > > > To: Stumpfl Markus; Scott Gross
> > > > Subject: RE: [Samba] SAMBA 3 as PDC - W2K/WXP Pro logon trouble
> > > >
> > > > I got mine working; it was a SID mismatch. The Domain name SID was different
> > > > from the server and the users.
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Stumpfl Markus [mailto:htl.traun.kustos at eduhi.at]
> > > > > Sent: Monday, March 01, 2004 11:22 PM
> > > > > To: 'Scott Gross'
> > > > > Subject: AW: [Samba] SAMBA 3 as PDC - W2K/WXP Pro logon trouble
> > > > >
> > > > > Do you get the problem (when trying domain logon): "invalid password or
> > > > > domain"?
> > > > > I've got the same prob...
> > > > >
> > > > > I'll tell you, when it's working and vice versa, hopefully ;-)
> > > > >
> > > > > Stumpfl Markus
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: samba-bounces+htl.traun.kustos=eduhi.at at lists.samba.org
> > > > > > [mailto:samba-bounces+htl.traun.kustos=eduhi.at at lists.samba.org] On Behalf Of Scott Gross
> > > > > > Sent: Friday, 27 February 2004 18:25
> > > > > > To: samba at lists.samba.org
> > > > > > Subject: [Samba] SAMBA 3 as PDC - W2K/WXP Pro logon trouble
> > > > > >
> > > > > > I have a Samba 3 PDC running with an LDAP backend on Red Hat 8.  All
> > > > > > authentication appears to be working correctly but I can't login to the
> > > > > > domain from a W2K or WXP Pro workstation after I have successfully joined
> > > > > > them to the domain.  If I login locally to the workstation I can browse the
> > > > > > Samba shares just fine.  I have checked the schannel and sign or seal
> > > > > > settings on both the workstations and the server and made sure they were set
> > > > > > to disable but still no luck.  Can anyone give me any ideas on how to solve
> > > > > > this problem?
> > > > > >
> > > > > >
> > > > > >
> > > > > > TIA
> > > > > >
> > > > > > Scott
> > > > > >
> > > > > >
> > > > > >
> > > > > > Smb.conf
> > > > > >
> > > > > > # Samba config file created using SWAT
> > > > > > # from 0.0.0.0 (0.0.0.0)
> > > > > > # Date: 2003/11/25 10:42:04
> > > > > >
> > > > > > # Global parameters
> > > > > > [global]
> > > > > >         workgroup = FIFEDEV
> > > > > >         netbios name = Dev
> > > > > >         null passwords = Yes
> > > > > >         passdb backend = ldapsam
> > > > > >         passwd program = /usr/local/bin/smbldap-passwd.pl -o %u
> > > > > >         passwd chat = *new*password* %n\n *new*password:* %n\n *successfully*
> > > > > >         passwd chat debug = Yes
> > > > > >         log file = /var/log/samba/%m.log
> > > > > >         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > > > > >         add user script = /usr/local/sbin/smbldap-useradd.pl -a "%u"
> > > > > >         delete user script = /usr/local/sbin/smbldap-useradd.pl -d "%u"
> > > > > >         add group script = /usr/local/sbin/smbldap-useradd.pl -a -g "%g"
> > > > > >         delete group script = /usr/local/sbin/smbldap-useradd.pl -d -g "%g"
> > > > > >         add user to group script = /usr/local/sbin/smbldap-useradd.pl -j -u "%u" -g "%g"
> > > > > >         delete user from group script = /usr/local/sbin/smbldap-useradd.pl -j -u "%u" -g "%g"
> > > > > >         set primary group script = /usr/local/sbin/smbldap-useradd.pl -m -u "%u" -gid "%g"
> > > > > >         add machine script = /usr/local/sbin/smbldap-useradd.pl -a -w "%m"
> > > > > >         logon script = logon.bat
> > > > > >         logon path =
> > > > > >         logon drive =
> > > > > >         domain logons = Yes
> > > > > >         os level = 22
> > > > > >         preferred master = Yes
> > > > > >         domain master = Yes
> > > > > >         wins support = Yes
> > > > > >         wins proxy = No
> > > > > >         ldap suffix = dc=test,dc=com
> > > > > >         ldap machine suffix = ou=_COMPUTERS_
> > > > > >         ldap user suffix = ou=_USERS_
> > > > > >         ldap group suffix = ou=_GROUPS_
> > > > > >         ldap admin dn = "cn=Manager,dc=test,dc=com"
> > > > > >         ldap ssl = No
> > > > > >         ldap passwd sync = yes
> > > > > >         comment = Samba-PDC Server
> > > > > >         public = No
> > > > > >         browseable = Yes
> > > > > >         writable = No
> > > > > >         client schannel = No
> > > > > >         server schannel = No
> > > > > >         client signing = No
> > > > > >         server signing = No
> > > > > >
> > > > > > [netlogon]
> > > > > >         path = /usr/local/samba/lib/netlogon
> > > > > >         read only = Yes
> > > > > >         write list = ntadmin
> > > > > >         locking = No
> > > > > >
> > > > > > [tmp]
> > > > > >         path = /tmp
> > > > > >         guest ok = Yes
> > > > > >         read only = Yes
> > > > > >
> > > > > > [profiles]
> > > > > >         path = /profiles
> > > > > >         read only = No
> > > > > >         writable = Yes
> > > > > >         create mask = 0600
> > > > > >         directory mask = 0700
> > > > > >
> > > > > > [homes]
> > > > > >         comment = Home Directories
> > > > > >         browsable = no
> > > > > >         writeable = yes
> > > > > >         valid users = %S
> > > > > >         create mask = 0700
> > > > > >         directory mask = 0700
> > > > > >         hide dot files = yes
> > > > > >
> > > > > > --
> > > > > > To unsubscribe from this list go to the following URL and read
> the
> > > > > > instructions:  http://lists.samba.org/mailman/listinfo/samba
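The check Scott describes at the top of this thread (every sambaSID and sambaPrimaryGroupSID in LDAP, machine accounts suffixed with $ included, must carry the same domain prefix as the server's own SID reported by `net getlocalsid`) as an added Python example. It is not code from the thread or from the Samba project. The LDIF export, the `net getlocalsid` output line and every SID value are constructed; the entry layout (ou=_USERS_, ou=_COMPUTERS_, ou=_GROUPS_ under dc=test,dc=com) follows the smb.conf quoted above, and the domain entry plus the machine account's sambaSID are given a wrong prefix on purpose, mirroring the mismatch Scott found.

```python
"""Cross-check the SIDs stored in LDAP against the Samba server's own SID.

Added example, not from the thread or from Samba: give it an LDIF export of
the sambaDomain / sambaSamAccount / sambaGroupMapping entries plus the output
of `net getlocalsid`, and it reports every SID whose domain prefix differs.
"""
import re
from typing import Dict, List, Tuple

# Constructed `net getlocalsid` output; the SID is made up.
SAMPLE_NET_OUTPUT = "SID for domain DEV is: S-1-5-21-444444444-555555555-666666666\n"

# Constructed LDIF export (what `slapcat` or `ldapsearch -LLL` would return).
# The sambaDomain entry and the machine account's sambaSID carry a different
# prefix on purpose, as in the thread; all other SIDs match the server.
SAMPLE_LDIF = """\
dn: sambaDomainName=FIFEDEV,dc=test,dc=com
objectClass: sambaDomain
sambaDomainName: FIFEDEV
sambaSID: S-1-5-21-111111111-222222222-333333333

dn: uid=alice,ou=_USERS_,dc=test,dc=com
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-444444444-555555555-666666666-1000
sambaPrimaryGroupSID: S-1-5-21-444444444-555555555-666666666-513

dn: uid=ws01$,ou=_COMPUTERS_,dc=test,dc=com
objectClass: sambaSamAccount
uid: ws01$
sambaSID: S-1-5-21-111111111-222222222-333333333-1002
sambaPrimaryGroupSID: S-1-5-21-444444444-555555555-666666666-515

dn: cn=Domain Users,ou=_GROUPS_,dc=test,dc=com
objectClass: sambaGroupMapping
cn: Domain Users
sambaSID: S-1-5-21-444444444-555555555-666666666-513
"""

Entry = Dict[str, List[str]]
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-\d+)?$")


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: a blank line ends an entry, a leading space folds
    a line onto the previous value, every attribute is kept as a list."""
    entries: List[Entry] = []
    current: Entry = {}
    last_key = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_local_sid(net_output: str) -> str:
    """Pull the SID out of `net getlocalsid` output ('SID for domain X is: S-...')."""
    match = re.search(r"is:\s*(S-1-5-21-\d+-\d+-\d+)", net_output)
    if match is None:
        raise ValueError("no domain SID found in net getlocalsid output")
    return match.group(1)


def domain_part(sid: str) -> str:
    """S-1-5-21-a-b-c prefix of a SID; a domain SID is its own prefix."""
    return "-".join(sid.split("-")[:7])


def account_kind(entry: Entry) -> str:
    """Classify an entry the way the thread does: machine accounts end in '$'."""
    classes = entry.get("objectClass", [])
    if "sambaDomain" in classes:
        return "domain"
    if "sambaGroupMapping" in classes:
        return "group"
    return "machine" if entry.get("uid", [""])[0].endswith("$") else "user"


def find_sid_mismatches(entries: List[Entry], reference_sid: str) -> List[Tuple[str, str, str, str]]:
    """Return (kind, dn, attribute, sid) for every SID that is malformed or
    whose domain prefix differs from the server's SID."""
    reference = domain_part(reference_sid)
    mismatches = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            for sid in entry.get(attr, []):
                if not SID_RE.match(sid) or domain_part(sid) != reference:
                    mismatches.append((account_kind(entry), dn, attr, sid))
    return mismatches


if __name__ == "__main__":
    local_sid = parse_local_sid(SAMPLE_NET_OUTPUT)
    for kind, dn, attr, sid in find_sid_mismatches(parse_ldif(SAMPLE_LDIF), local_sid):
        print(f"{kind:8} {attr:22} {sid}  ({dn})")
```

On a real PDC the two constants would be replaced by a `slapcat` dump of the Samba subtree and the line printed by `net getlocalsid`. A report that names the sambaDomain entry and the machine accounts' sambaSID while users and groups are clean is exactly the pattern in the thread; a report with every entry flagged points at the server's own SID in secrets.tdb rather than at LDAP.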