[Samba] The conflicting domain portions are not supported for NETLOGON calls
José M. Fandiño
samba at fadesa.es
Fri Apr 15 11:59:11 GMT 2005
Bruno Guerreiro wrote:
>
> Hi there,
> Your user's SID should be something like
> S-1-5-21-528226156-890416033-2029241632-xxxx.
My current understanding is that they are created
algorithmically by samba.
> I think your user ldap entry may have some problem.
possibly :)
> Another thing, do you have any trust account in place?
Yes, "add machine script" is working and the user info250$
was created on the fly by smbldap-tools.
http://195.55.55.164/tests/samba/info250.ldif.txt
Also I'm using "enable privileges" if this makes any difference.
> If not, then something is really wrong, because you're not supposed to have
> two completely different domain SIDs in net groupmap listing
>
> S-1-5-21-528226156-890416033-2029241632 and
> S-1-5-21-2403845858-3771094018-3344062789
well, S-1-5-21-2403845858-3771094018-3344062789 was an
old domain, but I think it isn't interfering with this.
Anyway I removed all ldap entries with that SID and
the problem persists.
# net groupmap list
Usuarios Basicos (S-1-5-21-528226156-890416033-2029241632-100) -> users
usuarios de samba (S-1-5-21-528226156-890416033-2029241632-717) -> usuarios
Domain Admins (S-1-5-21-528226156-890416033-2029241632-512) -> domadmin
Domain Users (S-1-5-21-528226156-890416033-2029241632-513) -> domusers
Domain Guests (S-1-5-21-528226156-890416033-2029241632-514) -> domguests
> What's the output of the net getlocalsid?
# net getlocalsid
SID for domain ORA9I is: S-1-5-21-528226156-890416033-2029241632
> It should match the SambaSID value in the SambaDomainName ldap entry.
[2005/04/15 13:40:36, 10] auth/auth_util.c:debug_nt_user_token(490)
NT user token of user S-1-5-21-528226156-890416033-2029241632
contains 8 SIDs
SID[ 0]: S-1-5-21-528226156-890416033-2029241632
SID[ 1]: S-1-5-21-528226156-890416033-2029241632-513
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-5-21-528226156-890416033-2029241632-3001
SID[ 6]: S-1-5-21-528226156-890416033-2029241632-512
SID[ 7]: S-1-5-21-528226156-890416033-2029241632-2431
SE_PRIV 0x10 0x0 0x0 0x0
[2005/04/15 13:40:36, 5] auth/auth_util.c:make_server_info_sam(862)
make_server_info_sam: made server info for user usuario1 -> usuario1
[2005/04/15 13:40:36, 3] auth/auth.c:check_ntlm_password(268)
check_ntlm_password: sam authentication for user [usuario1] succeeded
[2005/04/15 13:40:36, 5] auth/auth.c:check_ntlm_password(292)
check_ntlm_password: PAM Account for user [usuario1] succeeded
[2005/04/15 13:40:36, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [usuario1] -> [usuario1] -> [usuario1] succeeded
[2005/04/15 13:40:36, 5] auth/auth_util.c:free_user_info(1380)
attempting to free (and zero) a user_info structure
[2005/04/15 13:40:36, 10] auth/auth_util.c:free_user_info(1383)
structure was created for usuario1
[2005/04/15 13:40:36, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon(766)
_net_sam_logon: user BETA\usuario1 has user sid S-1-5-21-528226156-890416033-2029241632
but group sid S-1-5-21-528226156-890416033-2029241632-513.
The conflicting domain portions are not supported for NETLOGON calls
full log:
http://195.55.55.164/tests/samba/log.smb.txt
> -----Original Message-----
> From: José M. Fandiño [mailto:samba at fadesa.es]
> Sent: Friday, 15 April 2005 10:08
> To: samba at lists.samba.org
> Subject: [Samba] The conflicting domain portions are not supported for
> NETLOGON calls
>
> Hello list,
>
> When I try to log in a samba 3.0.13 server from a XP Pro
> machine, I get this error:
>
> [2005/04/15 10:57:00, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon(766)
> _net_sam_logon: user BETA\usuario1 has user sid
> S-1-5-21-528226156-890416033-2029241632
> but group sid S-1-5-21-528226156-890416033-2029241632-513.
> The conflicting domain portions are not supported for NETLOGON calls
>
> What can this mean?
>
> Thank you.
>
> http://195.55.55.164/tests/samba/smb.conf.txt
> http://195.55.55.164/tests/samba/log.smb.txt
>
> # net groupmap list
> Usuarios Basicos (S-1-5-21-2403845858-3771094018-3344062789-100) -> users
> usuarios de samba (S-1-5-21-2403845858-3771094018-3344062789-717) ->
> usuarios
> NT Admins (S-1-5-21-2403845858-3771094018-3344062789-719) -> ntadmin
> Domain Admins (S-1-5-21-528226156-890416033-2029241632-512) -> domadmin
> Domain Users (S-1-5-21-528226156-890416033-2029241632-513) -> domusers
> Domain Guests (S-1-5-21-528226156-890416033-2029241632-514) -> domguests
--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d- s+:+() a31 C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
G++ e- h+(++) !r !z
------END GEEK CODE BLOCK------
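
The mismatch reported in the log above, as an added example that is not part of the original messages and is not Samba's own code: it assumes the check splits the last sub-authority off each SID as the RID and compares what remains, so a user SID equal to the bare domain SID conflicts with a group SID ending in -513. The function names are hypothetical; the SIDs and the groupmap listing are copied from the messages above, with the wrapped line rejoined.

```python
import re

# Values copied from the log and command output quoted in the messages above.
DOMAIN_SID = "S-1-5-21-528226156-890416033-2029241632"   # net getlocalsid
USER_SID = "S-1-5-21-528226156-890416033-2029241632"     # user sid in _net_sam_logon
GROUP_SID = "S-1-5-21-528226156-890416033-2029241632-513"
GROUPMAP = """\
Usuarios Basicos (S-1-5-21-2403845858-3771094018-3344062789-100) -> users
usuarios de samba (S-1-5-21-2403845858-3771094018-3344062789-717) -> usuarios
NT Admins (S-1-5-21-2403845858-3771094018-3344062789-719) -> ntadmin
Domain Admins (S-1-5-21-528226156-890416033-2029241632-512) -> domadmin
Domain Users (S-1-5-21-528226156-890416033-2029241632-513) -> domusers
Domain Guests (S-1-5-21-528226156-890416033-2029241632-514) -> domguests
"""

def split_rid(sid):
    """Split off the last sub-authority as the RID: (domain portion, rid)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def check_logon_sids(user_sid, group_sid, domain_sid):
    """Return the problems found for a user/primary-group SID pair ([] if none)."""
    problems = []
    if user_sid == domain_sid:
        problems.append("user SID is the bare domain SID (no RID appended)")
    user_dom, group_dom = split_rid(user_sid)[0], split_rid(group_sid)[0]
    if user_dom != group_dom:
        problems.append(f"domain portions differ: {user_dom} vs {group_dom}")
    return problems

def foreign_groupmap_entries(groupmap_text, domain_sid):
    """Group names in `net groupmap list` output whose SID is outside domain_sid."""
    foreign = []
    for line in groupmap_text.splitlines():
        m = re.match(r"(.+?) \((S-[\d-]+)\) -> (\S+)$", line.strip())
        if m and split_rid(m.group(2))[0] != domain_sid:
            foreign.append(m.group(1))
    return foreign

if __name__ == "__main__":
    for problem in check_logon_sids(USER_SID, GROUP_SID, DOMAIN_SID):
        print("logon:", problem)
    print("foreign groupmap entries:",
          foreign_groupmap_entries(GROUPMAP, DOMAIN_SID))
```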