[Samba] Could really use some help (Samba PDC)

Craig White craigwhite at azapple.com
Mon Mar 21 23:31:50 GMT 2005


On Tue, 2005-03-22 at 00:12 +0100, Tony Earnshaw wrote:
> John Zakhar:
> 
> > First email was rejected due to size so the log files are inline in the
> > msg now..
> >
> > I have NEVER had so much trouble with a
> > samba PDC before. I need to turn in my unix admin license, this is
> > pathetic...
> 
> Hey wait a minute, we all get fits like that now and again. Have to admit
> that mine mostly come with Windows, I can always get Unix/Linux to work ;)
> 
> This could take some time, I live in Europe, it's near my bedtime, I'm
> licked for today and I need sleep. What's more, I'm a modem person at home
> and am only connected a couple of times a day.
> 
> Anyway: I have a 75+ PDC running "at work", with Samba 3.0.11 and OpenLDAP
> 2.2.23. on RHAS3, so ...
> 
> > Anyway, I am here. When trying to join a domain with the administrator
> > account I get "no mapping between account name and security ID's was done"
> >  And the joining fails...
> >
> >
> > All the needed files are attached, from the ldap log. to the samba.conf
> > to the ldifs of the machine, root and admin account. Trying with the root
> > account nets me the same error
> 
> There's too much shit there. You're getting hung up in the details. And I
> didn't see any LDAP log, even if I had, it probably would have been
> useless. You need to do a 'tail -f' on it (-d 256) while things are
> happening to get any sense from it.
> 
> Your local SIDs are all messed up for a start. You have:
> 
> S-1-5-21-1391849139-953726148-1374988380
> and
> S-1-5-21-3107161993-1039155829-3332455197
> 
> all mixed up together.
----
yeah - this is a problem for sure
----
> 
> And the following SIDs can surely not be right:
> 
> Administrators (S-1-5-32-544) -> Administrators
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
----
actually - these are considered to be 'local groups' and not domain
groups so these would be correct
----
> 
> Get all that sorted out before you go on.
> 
> Your smb.conf looks more or less o.k. (didn't dwell on it)
> 
> You're using the Idealx crap without understanding LDAP or what you're
> doing. Use GQ 1.0beta1 for managing your Your mappings are all wrong. Look
> at the alternative Appendix A method of using LDAP in Samba in the Samba
> HOWTO. Here are my mappings up to now at my production site (sorry about
> the wrapping, I decided to use SquirrelMail for this mail and it always
> breaks at 76 chars):
> 
> Domain Admins (S-1-5-21-2520587299-2798274336-2978297563-512) -> domadmin
> Domain Guests (S-1-5-21-2520587299-2798274336-2978297563-514) -> domguest
> Domain Users (S-1-5-21-2520587299-2798274336-2978297563-513) -> domuser
> Leden van Personeel (S-1-5-21-2520587299-2798274336-2978297563-8001) ->
> personeel
> Leden van Docenten (S-1-5-21-2520587299-2798274336-2978297563-1001) ->
> docenten
> Leden van Leerlingen (S-1-5-21-2520587299-2798274336-2978297563-2001) ->
> leerlingen
> Leden van Directie (S-1-5-21-2520587299-2798274336-2978297563-10001) ->
> directie
> Administratie (S-1-5-21-2520587299-2798274336-2978297563-15007) ->
> administratie
> 
> Never mind that you don't know what the Dutch words mean. See that I map
> from NT IDs to Unix IDs where the Unix IDs are Posix IDs? See that the
> domain SIDs are all the same?
> 
> The secrets are in Appendix A of the Samba HOWTO and in getting things
> working with GQ.
> 
> Get those right, and I'll see if I can come back tomorrow ;)
----
there was too much to sift through in the first post

Craig
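
The check discussed in this message (every domain group mapping should sit under one domain SID, while the S-1-5-32 entries are local groups and are left out of the comparison), as an added example that is not part of the original thread. The function names `parse` and `stray_mappings` are hypothetical, and the sample listing is constructed from the two domain SIDs quoted above with RIDs appended; it also accepts lines a mailer wrapped after the arrow.

```python
import re
from collections import Counter

# Mapping lines as quoted in the thread: "NT group (SID) -> Unix group".
# \s* around "->" also accepts lines a mailer wrapped after the arrow.
MAPPING = re.compile(r"^(.+?) \((S-1-[\d-]+)\)\s*->\s*(\S.*)$", re.M)
BUILTIN = "S-1-5-32"  # well-known local groups, not part of the domain SID


def parse(text):
    """Return [(nt_name, domain_part, rid, unix_group), ...]."""
    rows = []
    for name, sid, unix in MAPPING.findall(text):
        domain, _, rid = sid.rpartition("-")
        rows.append((name, domain, int(rid), unix.strip()))
    return rows


def stray_mappings(text, domain_sid=None):
    """List (nt_name, domain_part) entries outside the reference domain SID.

    domain_sid is the SID the server reports for the domain; if omitted,
    the most common domain part in the listing is taken as the reference.
    """
    rows = [r for r in parse(text) if r[1] != BUILTIN]
    if not rows:
        return []
    if domain_sid is None:
        domain_sid = Counter(r[1] for r in rows).most_common(1)[0][0]
    return [(name, dom) for name, dom, _, _ in rows if dom != domain_sid]


# Constructed sample: the two domain SIDs from the thread with RIDs appended.
SAMPLE = """\
Domain Admins (S-1-5-21-1391849139-953726148-1374988380-512) -> domadmin
Domain Users (S-1-5-21-3107161993-1039155829-3332455197-513) -> domuser
Domain Guests (S-1-5-21-1391849139-953726148-1374988380-514) -> domguest
Administrators (S-1-5-32-544) -> Administrators
Leden van Personeel (S-1-5-21-1391849139-953726148-1374988380-8001) ->
personeel
"""

if __name__ == "__main__":
    for name, dom in stray_mappings(SAMPLE):
        print(f"{name}: mapped under {dom}")
```

Passing the server's own domain SID as `domain_sid` is more reliable than the majority vote when most of the mappings were created under the wrong SID.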


