[Samba] Domain authentication problem with LDAP

Daniel Tousignant daniel_tousignant at travelcom.com
Mon Mar 20 17:55:42 GMT 2006


Craig White <craigwhite at azapple.com> wrote:
>On Fri, 2006-03-17 at 16:14 -0500, Daniel Tousignant wrote:
>> Craig White <craigwhite at azapple.com> wrote:
>> >On Fri, 2006-03-17 at 15:08 -0500, Daniel Tousignant wrote:
>> >> The objectclass sambaSAMAccount and subsequent fields have been
>> >> created. We are using the standard perl script tools that are installed
>> >> with the mandriva 2006 distro (samba 3.0.13 and openldap 2.3.6).
>> >> What I really do not understand is that if I put a user in the standard
>> >> ldap group "Domain Admins" (gid=512), the user is able to logon to the
>> >> domain, but not when it is in the "Domain Users" group (gid=513). What
>> >> is the big difference for Samba between the two? Can it be an ACL
>> >> problem?
>> >----
>> >not very likely to be an ACL problem.
>> >
>> >net groupmap list|grep Domain
>> 
>> Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) -> Domain Users
>> Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) -> Domain Guests
>> Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) -> Domain Admins
>> Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -> Domain Machines
>> >
>> >
>> >net getlocalsid
>> 
>> [2006/03/17 16:09:20, 0] utils/net.c:net_getlocalsid(494)
>>   Can't fetch domain SID for name: HIPPOLYTE
>----
>this is a MAJOR problem...it should look like
>
>dn: sambaDomainName=EXAMPLE,dc=example,dc=net
>sambaAlgorithmicRidBase: 1000
>structuralObjectClass: sambaDomain
>objectClass: sambaDomain
>objectClass: sambaUnixIdPool
>sambaSID: S-1-5-21-89274850-471284788-6498272
>sambaDomainName: EXAMPLE
>gidNumber: 1021
>uidNumber: 1095
>
>and should have been created either by hand or by idealx 'populate'
>script if you followed someone's directions somewhere.
>
>Craig

Here is what I have now:

[root at hippolyte openldap]# net groupmap list | grep Domain
Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) -> Domain Users
Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) -> Domain Guests
Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) -> Domain Admins
Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -> Domain Machines
[root at hippolyte openldap]# net getlocalsid
SID for domain HIPPOLYTE is: S-1-5-21-3194588850-3670737847-3710085093

... but I still cannot join an XP workstation to the domain, and a domain
user on Windows 98 cannot logon to the domain, although a domain admin can.
By the way, HIPPOLYTE is the name of the server; the domain name is INTAIR.
Why is the command "net getlocalsid" returning "SID for domain HIPPOLYTE"?

Daniel Tousignant
IT Support
Intair Transit
Email: daniel_tousignant at travelcom.com
Telephone: (514) 286-8515 ext. 3326
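As an added consistency check (not code from the thread or from Samba), the Python below parses the `net groupmap list` and `net getlocalsid` output quoted above together with a sambaDomain LDIF entry of the shape Craig posted, and reports whether the well-known group mappings, the local SID and the stored sambaSID all agree. The LDIF entry, its DN and its sambaSID value are assumptions for the example; it also covers the earlier "Can't fetch domain SID" output as a failing case.

```python
import re
# Constructed sample input: the command output quoted in the thread, plus a sambaDomain
# LDIF entry shaped like Craig's, carrying Daniel's SID (an assumed value for this check).
GROUPMAP_OUTPUT = """\
Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) -> Domain Users
Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) -> Domain Guests
Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) -> Domain Admins
Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -> Domain Machines
"""
GETLOCALSID_OUTPUT = "SID for domain HIPPOLYTE is: S-1-5-21-3194588850-3670737847-3710085093"
SAMBADOMAIN_LDIF = """\
dn: sambaDomainName=INTAIR,dc=example,dc=net
objectClass: sambaDomain
sambaSID: S-1-5-21-3194588850-3670737847-3710085093
sambaDomainName: INTAIR
"""
# Well-known RIDs Samba expects to find mapped (515 is called "Domain Machines" in the thread).
EXPECTED_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests", 515: "Domain Computers"}
DOMAIN_SID_RE = re.compile(r"(S-1-5-21-\d+-\d+-\d+)")
GROUP_SID_RE = re.compile(r"\((S-1-5-21-\d+-\d+-\d+)-(\d+)\)")

def parse_groupmap(text):
    """Map each group's RID to its domain-SID prefix from `net groupmap list` output."""
    return {int(rid): dom for dom, rid in GROUP_SID_RE.findall(text)}

def ldif_attr(ldif, name):
    """Return the first value of attribute `name` in one LDIF entry, or None."""
    m = re.search(rf"^{name}: (.+)$", ldif, re.MULTILINE)
    return m.group(1).strip() if m else None

def check_domain_sids(groupmap_out, localsid_out, ldif):
    """List inconsistencies between the three sources; an empty list means they agree."""
    problems = []
    m = DOMAIN_SID_RE.search(localsid_out)
    local = m.group(1) if m else None   # None reproduces the "Can't fetch domain SID" case
    if local is None:
        problems.append("net getlocalsid returned no SID")
    stored = ldif_attr(ldif, "sambaSID")
    if stored is None:
        problems.append("no sambaSID found on the sambaDomain entry")
    elif local and stored != local:
        problems.append(f"LDAP sambaSID {stored} differs from local SID {local}")
    mapping = parse_groupmap(groupmap_out)
    for rid, name in EXPECTED_RIDS.items():
        if rid not in mapping:
            problems.append(f"RID {rid} ({name}) has no group mapping")
        elif local and mapping[rid] != local:
            problems.append(f"RID {rid} ({name}) mapped under foreign SID {mapping[rid]}")
    return problems
```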
