[Samba] Samba PDC, v3.0.25b, tdbsam: winbindd seems to be broken...

Chris Hall chris.hall at halldom.com
Sun Jul 15 14:31:54 GMT 2007 

On Wed, 11 Jul 2007 John Drescher (John Drescher <drescherjm at gmail.com>) 
wrote
>I had the same issue going to 3.0.25a but I do not remember the
>solution. I do remember though I had to make changes in my smb.conf
>file.

It seems I had made a mistake...  I had been running winbind on my PDC, 
which one is not supposed to do ?  [I guess winbindd is a client, not a 
server ?]

Stopping winbind didn't solve the problem, however.  I struggle for some 
time trying to see what was actually going wrong -- winding up logging, 
doing things and then trawling logs for plausible looking error 
messages.  All to no avail.

So... I resorted to Voodoo and deleted samba from my PDC and started 
again from scratch.

It took a couple of attempts to recreate both the machine and domain SID 
(on PDC these seem to be set to be the same thing, by default).  net 
setlocalsid will set the machine SID in secrets.tdb, but not the domain 
SID...  The tick appears to be to delete secrets.tdb, do a net 
setlocalsid and then do the net groupmap things you need, which puts the 
domain SID into secrets.tdb as a side effect.

I struggled and failed to get pdbedit to recreate a new passdb.tdb with 
the same SIDs as per previous installation.  The -U parameter seems to 
be ignored with -a or at least -am.  Can use -r and -U together, but 
that fails to update the key that maps RID to User Name -- leaving the 
passdb broken.  Solution for that was to export the passdb.tdb to 
sbmpaswwd form and then import it again !

After the complete reinstall and reconfigure exercise, things are 
working again.  I only wish I could see why !!

One thing I noted, however: I have root (UID 0) as one of the Domain 
Administrators (RID 512); I had a group (GID 200) mapped to Domain 
Administrators; root is a member of Groups GID 0 and GID 200; pdbedit 
kept whinging that the primary group for user root was a local group not 
a domain group; I have now mapped group GID 0 to Domain Administrators; 
pdbedit has stopped whinging.  However, I have no idea if this is the 
reason that things are now working.

------------------------------------------------------------------------

I note that in smb.conf "valid users" and other such settings have 
changed in 3.0.23b.  The release notes give the example:

   valid users = +"DOMAIN\Linux Admins" +srvadmin

I assume the first is an NT Group name ?  Since this is implicitly a 
group, does it need the '+'.  Does it make any difference if one uses 
'@' ?  I tried various combinations when I was trying to make things 
work, without success... [I'm reluctant now to touch a working config ! 
Which uses "@DOMAIN\Domain Admins" etc.]

I assume the second is a UNIX Group name ?

Now, I have groups mapped as follows:

   net groupmap add ntgroup="Domain Users" rid=513 unixgroup=SMB_USER \
         type=d

My guess was that:

   valid users = +"DOMAIN\Domain Users"

and:

   valid users = +SMB_USER

would mean the same thing...  but I'm not convinced that it does.

FWIW it would really make things clearer if the documentation was 
careful to point out when a name is an NT name or a UNIX name.  Examples 
showing a UNIX Group with the name "Domain Admins" seems to me to be 
muddying the waters !

------------------------------------------------------------------------

Finally, I'm still puzzling about the machine SID and the domain SID on 
my PDC...  it really seems to me that these should be different ?

Chris

>On 7/11/07, Chris Hall <chris.hall at halldom.com> wrote:
>>
>> Help...
>>
>> I'm running Samba v3.0.25b, recently upgraded from v3.0.23a.
>>
>> I use tdbsam, winbindd etc.
>>
>> Winbind appears to be broken.  When I do:
>>
>>    * getent passwd
>>
>>      none of the DOMAIN\xxxx users are listed
>>
>>    * getent group
>>
>>      the BUILTIN\administrators and BUILTIN\users groups are listed,
>>
>>      but none of the DOMAIN\xxxx groups
>>
>>    * wbinfo -u
>>
>>      gives an enigmatic "Error looking up domain users"
>>
>>    * wbinfo -g
>>
>>      gives just the BUILTIN\administrators and BUILTIN\users groups
>>
>> I have wound up the logging, but have not been able to see anything
>> obviously related to the above...
>>
>> ...where do I start looking, please ??
>>
>> Thanks,
>>
>> Chris
>> --
>> Chris Hall   @ Home                                  +44 (0)7970 277 383
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/listinfo/samba
-- 
Chris Hall   @ Home                                  +44 (0)7970 277 383

More information about the samba mailing list