[Samba] Domain authentication problem with LDAP

Craig White craigwhite at azapple.com
Mon Mar 20 18:39:46 GMT 2006


On Mon, 2006-03-20 at 12:55 -0500, Daniel Tousignant wrote:
> Craig White <craigwhite at azapple.com> wrote:
> >On Fri, 2006-03-17 at 16:14 -0500, Daniel Tousignant wrote:
> >> Craig White <craigwhite at azapple.com> wrote:
> >> >On Fri, 2006-03-17 at 15:08 -0500, Daniel Tousignant wrote:
> >> >> The objectclass sambaSAMAccount and subsequent fields have been
> >> >> created. We are using the standard perl script tools that are
> >> >> installed with the mandriva 2006 distro (samba 3.0.13 and openldap 2.3.6).
> >> >> What I really do not understand is that if I put a user in the
> >> >> standard ldap group "Domain Admins" (gid=512), the user is able to
> >> >> logon to the domain, but not when it is in the "Domain Users" group
> >> >> (gid=513). What is the big difference for Samba between the two?
> >> >> Can it be an ACL problem?
> >> >----
> >> >not very likely to be an ACL problem.
> >> >
> >> >net groupmap list|grep Domain
> >> 
> >> Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) -> Domain Users
> >> Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) -> Domain Guests
> >> Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) -> Domain Admins
> >> Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -> Domain Machines
> >> >
> >> >
> >> >net getlocalsid
> >> 
> >> [2006/03/17 16:09:20, 0] utils/net.c:net_getlocalsid(494)
> >>   Can't fetch domain SID for name: HIPPOLYTE
> >----
> >this is a MAJOR problem...it should look like
> >
> >dn: sambaDomainName=EXAMPLE,dc=example,dc=net
> >sambaAlgorithmicRidBase: 1000
> >structuralObjectClass: sambaDomain
> >objectClass: sambaDomain
> >objectClass: sambaUnixIdPool
> >sambaSID: S-1-5-21-89274850-471284788-6498272
> >sambaDomainName: EXAMPLE
> >gidNumber: 1021
> >uidNumber: 1095
> >
> >and should have been created either by hand or by the idealx 'populate'
> >script if you followed someone's directions somewhere.
> >
> >Craig
> 
> Here is what I have now :
> 
> [root at hippolyte openldap]# net groupmap list | grep Domain
> Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) -> Domain Users
> Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) -> Domain Guests
> Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) -> Domain Admins
> Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -> Domain Machines
> [root at hippolyte openldap]# net getlocalsid
> SID for domain HIPPOLYTE is: S-1-5-21-3194588850-3670737847-3710085093
> 
> ... but I still cannot join an XP workstation to the domain, and a domain
> user on Windows 98 cannot logon to the domain, although a domain admin can.
> By the way, HIPPOLYTE is the name of the server; the domain name is INTAIR.
> Why is the command "net getlocalsid" returning "SID for domain HIPPOLYTE"?
----
can you edit it with some type of GUI editor like phpldapadmin or gq?

can you fetch it with ldapsearch, modify it with ldapmodify?

can you delete it and then fix it by running smbldap-populate again?
(assuming that you have smbldap-tools configuration file fixed)

Craig
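The thread boils down to three pieces of state that have to agree before any of the suggested fixes (GUI edit, ldapsearch/ldapmodify, or re-running smbldap-populate) can be judged: the domain name and SID that `net getlocalsid` reports, the `sambaSID` on the `sambaDomain` entry in LDAP, and the SIDs that `net groupmap list` assigns to Domain Admins/Users/Guests/Machines. The script below is an added example written for this page, not code from the thread or from the Samba project. It parses constructed copies of those three outputs (the `net` output mirrors what Daniel posted; the LDIF entry, including the suffix `dc=intair,dc=example` and the assumption that its `sambaSID` equals the reported SID, is a placeholder) and reports any disagreement. The consistency rules are this example's own checks, not Samba's documented validation; on a real server you would pipe in the live command outputs instead of the samples.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): cross-check the domain
# SID Samba reports against the LDAP sambaDomain entry and the group mappings.

# --- Constructed sample inputs (mirroring the thread; LDIF is a placeholder) ---
SAMPLE_LOCALSID='SID for domain HIPPOLYTE is: S-1-5-21-3194588850-3670737847-3710085093'

SAMPLE_GROUPMAP=$(cat <<'EOF'
Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) -> Domain Users
Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) -> Domain Guests
Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) -> Domain Admins
Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -> Domain Machines
EOF
)

# Assumed sambaDomain entry; dc=intair,dc=example is a placeholder suffix.
SAMPLE_LDIF=$(cat <<'EOF'
dn: sambaDomainName=INTAIR,dc=intair,dc=example
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: INTAIR
sambaSID: S-1-5-21-3194588850-3670737847-3710085093
sambaAlgorithmicRidBase: 1000
gidNumber: 1021
uidNumber: 1095
EOF
)

# Pull the domain name out of `net getlocalsid` output (stdin).
localsid_name() {
    sed -n 's/^SID for domain \([^ ]*\) is: \(S-[0-9-]*\)$/\1/p' | head -n 1
}

# Pull the SID out of `net getlocalsid` output (stdin).
localsid_sid() {
    sed -n 's/^SID for domain \([^ ]*\) is: \(S-[0-9-]*\)$/\2/p' | head -n 1
}

# Pull sambaSID out of an LDIF dump of the sambaDomain entry (stdin).
ldif_sambasid() {
    sed -n 's/^sambaSID: *\(S-[0-9-]*\) *$/\1/p' | head -n 1
}

# Count group mappings (stdin, `net groupmap list` format) whose SID does not
# live under the domain SID given as $1. Prints the count (0 when all agree).
groupmap_mismatches() {
    awk -v dom="$1" '
        match($0, /\(S-[0-9-]+\)/) {
            sid = substr($0, RSTART + 1, RLENGTH - 2)
            if (index(sid, dom "-") != 1) bad++
        }
        END { print bad + 0 }'
}

# $1 = expected domain (the workgroup), $2 = getlocalsid output,
# $3 = LDIF of the sambaDomain entry, $4 = groupmap output.
# Returns 0 when everything agrees, 1 after printing each disagreement.
check_domain_consistency() {
    expected="$1"
    name=$(printf '%s\n' "$2" | localsid_name)
    sid=$(printf '%s\n' "$2" | localsid_sid)
    ldapsid=$(printf '%s\n' "$3" | ldif_sambasid)
    bad=$(printf '%s\n' "$4" | groupmap_mismatches "$sid")
    status=0
    [ "$name" = "$expected" ] || {
        echo "WARN: net getlocalsid reports domain '$name', expected '$expected'"; status=1; }
    [ -n "$sid" ] && [ "$sid" = "$ldapsid" ] || {
        echo "WARN: local SID '$sid' differs from LDAP sambaSID '$ldapsid'"; status=1; }
    [ "$bad" -eq 0 ] || {
        echo "WARN: $bad group mapping(s) are not under domain SID $sid"; status=1; }
    return $status
}

# Stand-alone run against the samples: the SIDs agree, but the reported
# domain name (HIPPOLYTE, the server) is not the workgroup (INTAIR).
if check_domain_consistency INTAIR "$SAMPLE_LOCALSID" "$SAMPLE_LDIF" "$SAMPLE_GROUPMAP"; then
    echo "domain state is consistent"
else
    echo "inconsistencies found; fix the LDAP entry or secrets before retrying the join"
fi
```

Run with the live data by replacing the samples, e.g. `SAMPLE_LOCALSID=$(net getlocalsid)`, `SAMPLE_GROUPMAP=$(net groupmap list)` and an `ldapsearch -x -b "$suffix" '(objectClass=sambaDomain)'` for the LDIF. The script only reports; deciding whether to edit, ldapmodify or re-populate remains the administrator's call, as in Craig's reply.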


