[Samba] OK,I'm In Trouble

Cybionet cybionet at videotron.ca
Thu Mar 16 00:46:38 GMT 2006

Greeting Yang,

  Surely the simpless way to to this is to export your DIT (or a section 
of DIT) in a LDIF format file. Make a find/replace of the mismatch SID 
in the LDIF file. Delete your DIT (or the section) in LDAP Directory and 
reimport the 'new one'. Be sure to have a backup of the original DIT.

I have made the same mistake with phpldapadmin, when I have forgot to 
change the domain SID in the configuration. I have a samba PDC with a 
domain SID and populate my LDAP with samba user with another domain SID lol.


>>Hi Everyone,
>>I've been getting this error when trying to login from an XP box to a Samba
>>3 + LDAP PDC, but failed.
>>[2006/03/15 17:48:12, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon(766)
>>  _net_sam_logon: user Domain\user has user sid
>>   but group sid S-1-5-21-790863915-1833833965-864709722-513.
>>  The conflicting domain portions are not supported for NETLOGON calls
>>I did some research and found this is due to SID mismatch as it is shown
>>with the user sid and group sid
>>net getlocalsid on the dc shows S-1-5-21-3570476861-1302945835-1904156257
>>and net getlocalsid DOMAIN shows S-1-5-21-3570476861-1302945835-1904156257
>>as well.
>>but, net groupmap list shows
>>Domain Admins (S-1-5-21-790863915-1833833965-864709722-512) -> Domain Admins
>>Domain Users (S-1-5-21-790863915-1833833965-864709722-513) -> Domain Users
>>Domain Guests (S-1-5-21-790863915-1833833965-864709722-514) -> Domain Guests
>>Domain Computers (S-1-5-21-790863915-1833833965-864709722-515) -> Domain
>>Administrators (S-1-5-32-544) -> Administrators
>>Account Operators (S-1-5-32-548) -> Account Operators
>>Print Operators (S-1-5-32-550) -> Print Operators
>>Backup Operators (S-1-5-32-551) -> Backup Operators
>>Replicators (S-1-5-32-552) -> Replicators
>>systems (S-1-5-21-3570476861-1302945835-1904156257-3003) -> systems
>>development (S-1-5-21-3570476861-1302945835-1904156257-3005) -> development
>>analytics (S-1-5-21-3570476861-1302945835-1904156257-3007) -> analytics
>>and most of my user/machine accounts have sids like this
>>but the smbldap.conf says the sid is set to
>>then according to LDAP
>>dn: sambaDomainName=Domain,dc=Domain,dc=com
>>sambaSID: S-1-5-21-3570476861-1302945835-1904156257
>>so this is a certified bloody mess, my question is, does this mean I have to
>>change every instance of sid that's
>>S-1-5-21-790863915-1833833965-864709722-xxxx in LDAP? what's a good way of
>>doing this?
>>Many thanks!
>>- Yang
>>smb.conf & slapd.conf attached

More information about the samba mailing list