[Samba] LDAP different Group SID -- not supported for NETLOGON calls

Cesar Amaya csar at 123.com.sv
Tue Apr 1 00:58:04 GMT 2008

Hello list,
I have two Samba-LDAP DC's each in different networks, domain AMECC_SAL 
( and domain AMECC_GUA (192.168.42./24). I have 
established a inter-domain trust relationship in both directions. My 
problem comes when I try to log into a machine in the AMECC_SAL domain 
using any user from the AMECC_GUA domain. The machine´s name in which I 
want to sign in is cc03.

The log for the machine account says:
# tail -f cc03.log
[2008/03/31 16:55:17, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
  init_group_from_ldap: Entry found for group: 515
[2008/03/31 16:55:35, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [ricky] -> [ricky] -> 
[ricky] succeeded
[2008/03/31 16:55:35, 1] 
  _net_sam_logon: user AMECC_GUA\ricky has user sid 
   but group sid S-1-5-21-3360583363-2600074294-2199971840-513.
  The conflicting domain portions are not supported for NETLOGON calls

Part of the pdbedit -L -v says:
Unix username:        ricky
NT username:          ricky
Account Flags:        [U          ]
User SID:             S-1-5-21-2494724867-3922152549-500773586-3022
init_group_from_ldap: Entry found for group: 513
init_group_from_ldap: Entry found for group: 513
Primary Group SID:    S-1-5-21-2494724867-3922152549-500773586-513

from this output we can tell that Primary Group SID is different from 
that group sid of cc03.log file:  
I am using the following software: FreeBSD 7.0 Release, samba-3.0.28,1, 
openldap-2.3.41 and smbldap-tools-0.9.4_2.

Please can any one give some help???
Thank you very much.

More information about the samba mailing list