[Samba] OK, I'm In Trouble
Craig White
craigwhite at azapple.com
Wed Mar 15 22:05:46 GMT 2006
On Wed, 2006-03-15 at 16:20 -0500, Yang Xiao wrote:
> Hi Everyone,
> I've been getting this error when trying to login from an XP box to a Samba
> 3 + LDAP PDC, but failed.
>
> [2006/03/15 17:48:12, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon(766)
> _net_sam_logon: user Domain\user has user sid
> S-1-5-21-3570476861-1302945835-1904156257-3004
> but group sid S-1-5-21-790863915-1833833965-864709722-513.
> The conflicting domain portions are not supported for NETLOGON calls
>
> I did some research and found this is due to SID mismatch as it is shown
> with the user sid and group sid
>
> net getlocalsid on the dc shows S-1-5-21-3570476861-1302945835-1904156257
> and net getlocalsid DOMAIN shows S-1-5-21-3570476861-1302945835-1904156257
> as well.
>
> but, net groupmap list shows
>
> Domain Admins (S-1-5-21-790863915-1833833965-864709722-512) -> Domain Admins
> Domain Users (S-1-5-21-790863915-1833833965-864709722-513) -> Domain Users
> Domain Guests (S-1-5-21-790863915-1833833965-864709722-514) -> Domain Guests
> Domain Computers (S-1-5-21-790863915-1833833965-864709722-515) -> Domain Computers
> Administrators (S-1-5-32-544) -> Administrators
> Account Operators (S-1-5-32-548) -> Account Operators
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
> systems (S-1-5-21-3570476861-1302945835-1904156257-3003) -> systems
> development (S-1-5-21-3570476861-1302945835-1904156257-3005) -> development
> analytics (S-1-5-21-3570476861-1302945835-1904156257-3007) -> analytics
>
> and most of my user/machine accounts have sids like this
> S-1-5-21-790863915-1833833965-864709722-xxxx.
> but the smbldap.conf says the sid is set to
> SID="S-1-5-21-3570476861-1302945835-1904156257"
>
> then according to LDAP
> dn: sambaDomainName=Domain,dc=Domain,dc=com
> sambaSID: S-1-5-21-3570476861-1302945835-1904156257
>
> So this is a certified bloody mess. My question is, does this mean I have to
> change every instance of SID that's
> S-1-5-21-790863915-1833833965-864709722-xxxx in LDAP? What's a good way of
> doing this?
>
> Many thanks!
>
> - Yang
>
> smb.conf & slapd.conf attached
----
# net groupmap help
net groupmap add
    Create a new group mapping
net groupmap modify
    Update a group mapping
net groupmap delete
    Remove a group mapping
net groupmap addmem
    Add a foreign alias member
net groupmap delmem
    Delete a foreign alias member
net groupmap listmem
    List foreign group members
net groupmap memberships
    List foreign group memberships
net groupmap list
    List current group map
net groupmap set
    Set group mapping
net groupmap cleanup
    Remove foreign group mapping entries

hmm...that last one seems interesting...
Craig
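
An added example, not part of either poster's message: a read-only Python check that compares the domain SID from `net getlocalsid` with the SIDs in `net groupmap list` output and labels each mapping as builtin, local or foreign, and that tests a user SID / group SID pair for the mismatch the NETLOGON log reports. The sample values are copied from the quoted post; the function names are assumptions made for this example.

```python
import re

# Values copied from the quoted post: `net getlocalsid` and part of `net groupmap list`.
LOCAL_SID = "S-1-5-21-3570476861-1302945835-1904156257"
GROUPMAP = """\
Domain Admins (S-1-5-21-790863915-1833833965-864709722-512) -> Domain Admins
Domain Users (S-1-5-21-790863915-1833833965-864709722-513) -> Domain Users
Administrators (S-1-5-32-544) -> Administrators
systems (S-1-5-21-3570476861-1302945835-1904156257-3003) -> systems
"""

# One mapping per line: "<NT group> (<SID>) -> <unix group>"
LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-\d+(?:-\d+)+)\) -> (?P<unix>.+)$")

def domain_part(sid):
    """Everything before the final sub-authority (the RID)."""
    return sid.rpartition("-")[0]

def classify(sid, local_sid):
    """Label a group SID as 'builtin', 'local' or 'foreign' relative to local_sid."""
    dom = domain_part(sid)
    if dom == "S-1-5-32":
        return "builtin"
    return "local" if dom == local_sid else "foreign"

def audit_groupmap(text, local_sid):
    """Return [(nt_group, sid, label)] for every parseable mapping line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["nt"], m["sid"], classify(m["sid"], local_sid)))
    return rows

def netlogon_conflict(user_sid, group_sid):
    """True when user and primary group SIDs differ in their domain portion,
    the condition reported by _net_sam_logon in the quoted log."""
    return domain_part(user_sid) != domain_part(group_sid)

if __name__ == "__main__":
    for nt, sid, label in audit_groupmap(GROUPMAP, LOCAL_SID):
        print(f"{label:8} {nt:16} {sid}")
    print(netlogon_conflict(
        "S-1-5-21-3570476861-1302945835-1904156257-3004",
        "S-1-5-21-790863915-1833833965-864709722-513"))
```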