[Samba] Help cleaning up domain SID mess...
Bjoern Tore Sund
bjorn.sund at it.uib.no
Mon Jul 30 05:45:01 GMT 2007
Phil Burrow wrote:
> Bjørn Tore Sund wrote:
> >
> > I have four SLES 10 servers working as Samba servers on the same domain
> > with an LDAP account backend. Relevant smb.conf entries are:
> > [global]
> > workgroup = UNIX
> > realm = UNIX.UIB.NO
> > server string = ukl-samba
> > netbios name = ukl-samba
> > security = user
> > allow trusted domains = yes
> > domain master = yes
> > local master = yes
> > encrypt passwords = yes
> >
> >
> > Only one of the servers is set as domain and local master, server string
> > and netbios name obviously differ while workgroup and realm are set to
> > the same. When I first set them up (smbpasswd -w, etc.) they created
> > separate sambaDomain entries in the LDAP root, with separate SIDs. The
> > sambaDomain entries are named after each server. The user SIDs we
> > simply set to be based on the SID of the first server we set up.
>
> > effectively broken. On startup, every single user (all 35.0000 of
> > them...) would get a line in /var/log/messages:
> > ukl-samba smbd[16336]: User <SNIP> with invalid SID <SNIP> in passdb
> >
> > Nobody could get at the Samba shares until I edited the LDAP tree to
> > switch the SIDs between this server and the server with the SID the user
> > SIDs were based on.
> >
> > start. I was hoping someone here had an answer which saved me the
> > trouble of setting up a full test domain with LDAP and Samba-servers...
> > Can I just set the same SID on all four domains? Or delete three of the
> > four domains and rename the one with the correct SID to the _domain_
> > name instead of the server name?
> >
> > Thanks,
> >
> > Bjørn
> >
>
> Hi Bjørn,
>
> From what you mention here it sounds like you have four
> sambaDomainName=UNIX entries (objectClass: sambaDomain) with different
> sambaSID attributes. Effectively 4 different domains, on 4 different
> servers all with the same name.
Thanks, but no: my sambaDomainnames are named after the servers, not the
domain. So I have a sambaDomainname=ukl-samba for the server I quote
from above, and similarly for the other three. I gather this isn't what
should have happened when the servers automatically registered
themselves in the LDAP backend, but it did.
> Users have a sambaSID entry in their LDAP record, and the first portion
> of this needs to be the same as the sambaSID for the *domain* they are
> logging on to. If it's not then it won't work.
It did work with 3.0.21. I found the fine new code snippet which means
it won't work with 3.0.24, and I don't disagree with the principle as
long as my mess can be sorted out in spite of it. :)
> In answer to your point at the end, yes you can do this and it is what
> you are "supposed" to do, as far as I know.
That was my assumption. Now for gathering up courage...
> If you do "net getlocalsid" on each of your SLES machines, the SID that
> is returned should be the same for all of them if you want them all to
> be controllers on your domain. If it's not, pick the SID you want - i.e.
> the sambaSID all your users have in their LDAP records - then "net
> setlocalsid MYDOMAINSID" on the servers you wish to change to that SID.
> (NB: On a domain, "net getlocalsid" and "net getlocalsid MYDOMAIN"
> should return the same.)
>
> Then go into your LDAP directory and delete all but one of the
> sambaDomainName=UNIX entries, and ensure the remaining one has sambaSID
> set to MYDOMAINSID.
>
> That is probably all you need to do.
Thanks a lot. The last remaining question is then what happens when I
rename sambaDomainname=ukl-samba to sambaDomainname=unix and proceed
from there?
-BT
--
Bjørn Tore Sund Phone: 555-84894 Email: bjorn.sund at it.uib.no
IT department VIP: 81724 Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.
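A pre-flight check for the mismatch Phil describes above (the domain part of every user's sambaSID must equal the sambaSID of the domain entry): this is an added example, not code from the thread or from Samba. It reads a constructed LDIF export (the dn suffix, server names and SID values are made up) and lists the users that a 3.0.24 smbd would log as "invalid SID ... in passdb", so the tree can be audited before any sambaDomain entries are deleted or renamed.

```python
# Constructed sample LDIF: one sambaDomain entry per server, as in the
# poster's setup, plus users whose SIDs were based on the first server's SID.
SAMPLE_LDIF = """\
dn: sambaDomainName=ukl-samba,dc=example,dc=no
objectClass: sambaDomain
sambaDomainName: ukl-samba
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: sambaDomainName=srv2,dc=example,dc=no
objectClass: sambaDomain
sambaDomainName: srv2
sambaSID: S-1-5-21-4444444444-5555555555-6666666666

dn: uid=alice,ou=people,dc=example,dc=no
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002

dn: uid=bob,ou=people,dc=example,dc=no
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-3004
"""

def parse_ldif(text):
    """Minimal LDIF reader (no base64 '::' values, no line continuations).
    Returns one dict per entry mapping attribute -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, val = line.partition(':')
        cur.setdefault(attr.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def split_sid(sid):
    """'S-1-5-21-a-b-c-RID' -> ('S-1-5-21-a-b-c', 'RID'): domain part and RID."""
    prefix, _, rid = sid.rpartition('-')
    return prefix, rid

def domain_sids(ldif_text):
    """Map each sambaDomainName to its sambaSID (what 'net getlocalsid' shows)."""
    return {e['sambaDomainName'][0]: e['sambaSID'][0]
            for e in parse_ldif(ldif_text)
            if 'sambaDomain' in e.get('objectClass', [])}

def audit(ldif_text, domain_sid):
    """Return (uid, sambaSID) for accounts whose SID is not under domain_sid."""
    return [(e['uid'][0], sid)
            for e in parse_ldif(ldif_text)
            if 'sambaSamAccount' in e.get('objectClass', [])
            for sid in e.get('sambaSID', [])
            if split_sid(sid)[0] != domain_sid]
```

Run `audit()` with the SID you intend to keep (the one the user records were based on); every uid it returns would be rejected by 3.0.24 until either that user's sambaSID or the surviving domain's sambaSID is corrected.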