[Samba] Coule really use some help (Samba PDC)

Tony Earnshaw tonye at billy.demon.nl
Mon Mar 21 23:12:18 GMT 2005


John Zakhar:

> First email was rejected due to size so the log files are inline in the
> msg now..
>
> I have NEVER had so much trouble with a
> samba PDC before. I need to turn in my unix admin license, this is
> pathetic...

Hey wait a minute, we all get fits like that now and again. Have to admit
that mine mostly come with Windows, I can always get Unix/Linux to work ;)

This could take some time, I live in Europe, it's near my bedtime, I'm
licked for today and I need sleep. What's more, I'm a modem person at home
and am only connected a couple of times a day.

Anyway: I have a 75+ PDC running "at work", with Samba 3.0.11 and OpenLDAP
2.2.23. on RHAS3, so ...

> Anyway, I am here. When trying to join a domain with the administrator
> account I get "no mapping between account name and security ID's was done"
>  And the joining fails...
>
>
> All the needed files are attached, from the ldap log. to the samba.conf
> to the ldifs of the machine, root and admin account. Trying with the root
> account nets me the same error

There's too much shit there. You're getting hung up in the details. And I
didn't see any LDAP log, even if I had, it probably would have been
useless. You need to do a 'tail -f' on it (-d 256) while things are
happening to get any sense from it.

Your local SIDs are all messed up for a start. You have:

S-1-5-21-1391849139-953726148-1374988380
and
S-1-5-21-3107161993-1039155829-3332455197

all mixed up together.

And the following SIDs can surely not be right:

Administrators (S-1-5-32-544) -> Administrators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators

Get all that sorted out before you go on.

Your smb.conf looks more or less o.k. (didn't dwell on it)

You're using the Idealx crap without understanding LDAP or what you're
doing. Use GQ 1.0beta1 for managing your Your mappings are all wrong. Look
at the alternative Appendix A method of using LDAP in Samba in the Samba
HOWTO. Here are my mappings up to now at my production site (sorry about
the wrapping, I decided to use SquirrelMail for this mail and it always
breaks at 76 chars):

Domain Admins (S-1-5-21-2520587299-2798274336-2978297563-512) -> domadmin
Domain Guests (S-1-5-21-2520587299-2798274336-2978297563-514) -> domguest
Domain Users (S-1-5-21-2520587299-2798274336-2978297563-513) -> domuser
Leden van Personeel (S-1-5-21-2520587299-2798274336-2978297563-8001) ->
personeel
Leden van Docenten (S-1-5-21-2520587299-2798274336-2978297563-1001) ->
docenten
Leden van Leerlingen (S-1-5-21-2520587299-2798274336-2978297563-2001) ->
leerlingen
Leden van Directie (S-1-5-21-2520587299-2798274336-2978297563-10001) ->
directie
Administratie (S-1-5-21-2520587299-2798274336-2978297563-15007) ->
administratie

Never mind that you don't know what the Dutch words mean. See that I map
from NT IDs to Unix IDs where the Unix IDs are Posix IDs? See that the
domain SIDs are all the same?

The secrets are in Appendix A of the Samba HOWTO and in getting things
working with GQ.

Get those right, and I'll see if I can come back tomorrow ;)

Best,

--Tonni

--
mail: tonye at billy.demon.nl
http://www.billy.demon.nl



More information about the samba mailing list