[Samba] Re: Samba Problem seen on 24help

Paul Gienger pgienger at ae-solutions.com
Thu Mar 3 13:44:29 GMT 2005 

>i've seen your posts on this forum
>
>http://www.24help.info/showthread.php?t=155267
>  
>
Bringing this on list so that someone else can drop in some wisdom if I 
miss...  Good logs btw.

Could we get some sysinfo here?  What passdb backend are you using?  OS 
and Samba version too if you don't mind, for posterity.

>seems that i've quite the same problem, but i can't get what you said,
>or in fact it's me that i don't have enough experience in SID and GID.
>
>Well, i did an net getlocalsid and it gave me the domain SID, but with
>with what should it match match?
>
>here are my logs from the server
>
>[2005/03/03 09:33:24, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon(766)
>  _net_sam_logon: user PUISSANCEL\pwyss has user sid
>S-1-5-21-820830119-3499761299-3856101563-3118
>but group sid S-1-5-21-762477992-2481379270-2668450037-513.
>The conflicting domain portions are not supported for NETLOGON calls
>
>my domain SID is
>
>SID for domain PUISSANCELSERVE is:
>S-1-5-21-820830119-3499761299-3856101563
>  
>
Ok, with that information we need to derive what SIDs you've got at work 
here...
1. Your domain wants to run with this:   
S-1-5-21-820830119-3499761299-3856101563
2. The user you're going for is using this SID: 
S-1-5-21-820830119-3499761299-3856101563
   and a RID portion of:  -3118
3. The Domain Users group is resolving to SID:  
S-1-5-21-762477992-2481379270-2668450037
   and RID portion: -513

So with that info we can tell that the group SID is the inconsistant 
one.  The server tells it one thing, and then your user SID matches it.  
Your groupmap confirms some oddity is at work.

>and finally the net groupmap list is: 
>
>System Operators (S-1-5-32-549) -> -1
>Replicators (S-1-5-32-552) -> -1
>Guests (S-1-5-32-546) -> -1
>Domain Users (S-1-5-21-762477992-2481379270-2668450037-513) ->
>participant
>Domain Admins (S-1-5-21-762477992-2481379270-2668450037-512) -> root
>Domain Guests (S-1-5-21-762477992-2481379270-2668450037-514) -> -1
>Power Users (S-1-5-32-547) -> adm
>Print Operators (S-1-5-32-550) -> -1
>Administrators (S-1-5-32-544) -> sys
>Account Operators (S-1-5-32-548) -> -1
>Domain Admins (S-1-5-21-820830119-3499761299-3856101563-512) -> -1
>Domain Guests (S-1-5-21-820830119-3499761299-3856101563-514) -> -1
>Domain Users (S-1-5-21-820830119-3499761299-3856101563-513) -> -1
>Backup Operators (S-1-5-32-551) -> bin
>Users (S-1-5-32-545) -> participant
>  
>
I'm curious how exactly you got to this point... You have all the 
requisite groups here but they aren't quite right.  You should delete 
the entries here that don't match the domain SID, in otherwords, the 
S-blah-blah37-XXX entries that are correctly mapped to unix groups.  IF 
you are running LDAP, which I can't tell, I would guess that you 
populated your passdb with smbldap-populate before configuring the 
parameters properly.  In that case, just delete the samba attributes 
from your posix group objects (participant, etc), the groupmap.tdb (name 
may not be accurate), re-run the populate script and do the groupmap again.


>if you could help me it would be really really nice.
>
>I'm working for days on that samba pdc, and i can't make it work,
>i'm getting mad
>
Post back how this strikes you.

-- 
Paul Gienger                    Office: 701-281-1884
Applied Engineering Inc.
Systems Architect               Fax:    701-281-1322
URL: www.ae-solutions.com       mailto: pgienger at ae-solutions.com

More information about the samba mailing list