[Samba] Root can't login to domain workstations

Paul Gienger pgienger at ae-solutions.com
Tue Mar 15 19:34:13 GMT 2005 

>>>>I'm pretty sure i added root to samba database, but i tried it again in
>>>>other machine , first thing i did was smbpasswd -a root , but still get
>>>>the same strange error:
>>>>"The system cannot log you on due to the following error :
>>>>A device attached to the system is not functioning."
>>>>
>>>This is the error log from the machine where i was trying to log in:
>>>      
>>>
>>I've chopped out all but this one line from your logs
>>
>>    
>>
>>>[2005/03/15 17:35:52, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon(766)
>>> _net_sam_logon: user REMAXPRAIA\root has user sid S-1-5-21-1916702674-2089629516-631066457-1000
>>>  but group sid S-1-5-21-378043444-2358454591-1624186084-512.
>>> The conflicting domain portions are not supported for NETLOGON calls
>>>      
>>>
>>If you notice, there's a SID conflict going on here.  It's specifically 
>>complaining about the user and group sids, which I don't know if that's 
>>enough to force a failed login, but it's a place to start looking.
>>
>>Run a net getlocalsid on the server to find out what the server thinks 
>>is it's SID should be, you need to make this number match out everyplace 
>>that it is incorrect.  Make sure your smbldap-tools set is configured 
>>with the right value for a start.  I think you can go in and replace the 
>>portion of the SID on any users/groups that don't have the right data, 
>>just by editing your LDAP data, but I'd entertain some confirmation of 
>>that idea.
>>
>>See if that doesn't help things.
>>    
>>
>
>
>Thanks for the reply Paul, i'm not using LDAP.
>  
>
Ok, my bad, thought I had read you did.

>net getlocalsid gives me:
>SID for DOMAIN PRAIASERVER S-1-5-21-1916702674-2089629516-631066457
>
>I don't no if this is correct but in my smb.conf i have:
>workgroup=REMAXPRAIA
>netbios name = PRAIASERVER
>
>shouldn't the net getlocalsid retrieve the SID for DOMAIN REMAXPRAIA ??
>  
>
Well, in my setup it says the server name, which seems to work fine.  
The value is the one that is listed in my domain object.  Check your 
groupmaps then (net groupmap) and see if the SIDs are right there.  
You'll have to delete and recreate any broken ones.  Again, not sure if 
this will fail a login, but it's something to check.

-- 
Paul Gienger                    Office: 701-281-1884
Applied Engineering Inc.
Systems Architect               Fax:    701-281-1322
URL: www.ae-solutions.com       mailto: pgienger at ae-solutions.com

More information about the samba mailing list