[Samba] OK,I'm In Trouble

Craig White craigwhite at azapple.com
Wed Mar 15 22:05:46 GMT 2006


On Wed, 2006-03-15 at 16:20 -0500, Yang Xiao wrote:
> Hi Everyone,
> I've been getting this error when trying to log in from an XP box to a Samba
> 3 + LDAP PDC, but failed.
> 
> [2006/03/15 17:48:12, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon(766)
>   _net_sam_logon: user Domain\user has user sid S-1-5-21-3570476861-1302945835-1904156257-3004
>    but group sid S-1-5-21-790863915-1833833965-864709722-513.
>   The conflicting domain portions are not supported for NETLOGON calls
> 
> I did some research and found this is due to SID mismatch as it is shown
> with the user sid and group sid
> 
> net getlocalsid on the dc shows S-1-5-21-3570476861-1302945835-1904156257
> and net getlocalsid DOMAIN shows S-1-5-21-3570476861-1302945835-1904156257
> as well.
> 
> but, net groupmap list shows
> 
> Domain Admins (S-1-5-21-790863915-1833833965-864709722-512) -> Domain Admins
> Domain Users (S-1-5-21-790863915-1833833965-864709722-513) -> Domain Users
> Domain Guests (S-1-5-21-790863915-1833833965-864709722-514) -> Domain Guests
> Domain Computers (S-1-5-21-790863915-1833833965-864709722-515) -> Domain Computers
> Administrators (S-1-5-32-544) -> Administrators
> Account Operators (S-1-5-32-548) -> Account Operators
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
> systems (S-1-5-21-3570476861-1302945835-1904156257-3003) -> systems
> development (S-1-5-21-3570476861-1302945835-1904156257-3005) -> development
> analytics (S-1-5-21-3570476861-1302945835-1904156257-3007) -> analytics
> 
> and most of my user/machine accounts have sids like this
> S-1-5-21-790863915-1833833965-864709722-xxxx.
> but the smbldap.conf says the sid is set to
> SID="S-1-5-21-3570476861-1302945835-1904156257"
> 
> then according to LDAP
> dn: sambaDomainName=Domain,dc=Domain,dc=com
> sambaSID: S-1-5-21-3570476861-1302945835-1904156257
> 
> so this is a certified bloody mess, my question is, does this mean I have to
> change every instance of sid that's
> S-1-5-21-790863915-1833833965-864709722-xxxx in LDAP? what's a good way of
> doing this?
> 
> Many thanks!
> 
> - Yang
> 
> smb.conf & slapd.conf attached
----
# net groupmap help
net groupmap add
  Create a new group mapping
net groupmap modify
  Update a group mapping
net groupmap delete
  Remove a group mapping
net groupmap addmem
  Add a foreign alias member
net groupmap delmem
  Delete a foreign alias member
net groupmap listmem
  List foreign group members
net groupmap memberships
  List foreign group memberships
net groupmap list
  List current group map
net groupmap set
  Set group mapping
net groupmap cleanup
  Remove foreign group mapping entries

hmm...that last one seems interesting...

Craig
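
An added example, not part of either poster's message: a small Python check that takes `net groupmap list` output and the SID reported by `net getlocalsid`, and lists every group mapping whose domain portion belongs to neither the local domain nor the well-known BUILTIN domain (S-1-5-32). The function names are hypothetical; the sample lines are copied from the output quoted above.

```python
import re

BUILTIN_DOMAIN = "S-1-5-32"  # well-known BUILTIN domain, identical on every host

# One mapping per line: "NT group (SID) -> unix group"
LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-\d+(?:-\d+)+)\) -> (?P<unix>.+)$")


def split_sid(sid):
    """Split a SID into (domain portion, RID); the RID is the last component."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def foreign_mappings(local_sid, groupmap_output):
    """Return (nt_group, sid, rid) for each mapping whose domain portion
    is neither local_sid nor the BUILTIN domain."""
    mismatched = []
    for raw in groupmap_output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        domain, rid = split_sid(m["sid"])
        if domain not in (local_sid, BUILTIN_DOMAIN):
            mismatched.append((m["nt"], m["sid"], rid))
    return mismatched


# Values taken from the post above (subset of the groupmap listing).
LOCAL_SID = "S-1-5-21-3570476861-1302945835-1904156257"
SAMPLE = """\
Domain Admins (S-1-5-21-790863915-1833833965-864709722-512) -> Domain Admins
Domain Users (S-1-5-21-790863915-1833833965-864709722-513) -> Domain Users
Administrators (S-1-5-32-544) -> Administrators
systems (S-1-5-21-3570476861-1302945835-1904156257-3003) -> systems
"""

if __name__ == "__main__":
    for nt, sid, rid in foreign_mappings(LOCAL_SID, SAMPLE):
        print(f"{nt}: {sid} (RID {rid}) is outside {LOCAL_SID}")
```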


