[Samba] Problems with winbind, idmap and usrmgr.exe

Mike Brady mike.brady at devnull.net.nz
Tue Apr 22 06:02:54 GMT 2008


I am trying to get two Samba PDC/Domains setup with a trust between
them.  They are separate domains because they are separate companies
(one is a subsidiary of the other) located in different cities.

I am using Centos 5.1 x86_64 and Samba 3.0.28a packages built by me from
Fedora 8 source RPMs.

Based on what I have read, in order to do the trust thing I need to use
Winbind/idmap to handle the non local SIDS (not that I have got to the
point of trying to do the trust yet).  Correct?

I have set up DOMAs PDC with the following idmap/winbind configuration.
There doesn't seem to be any up to date documentation on this stuff, so
I admit that I have been guessing at this, so it is probably
completely wrong.

        idmap domains = OTHERDOMAINS DOMA DOMB

        idmap config OTHERDOMAINS:default = yes
        idmap config OTHERDOMAINS:backend = tdb
        idmap config OTHERDOMAINS:range   = 10000 - 20000

        idmap config DOMA:default = no
        idmap config DOMA:backend = tdb
        idmap config DOMA:range   = 20001 - 30000

        idmap config DOMB:default = no
        idmap config DOMB:backend = tdb
        idmap config DOMB:range   = 30001 - 40000

        idmap alloc backend = tdb
        idmap alloc config:range = 40001 - 50000

        winbind separator = \
        winbind enum users = yes
        winbind enum groups = Yes
        winbind nested groups = yes

Are the ranges all supposed to be separate like that?  I was just
following an example that I found somewhere.

The domain "works" in that the PDC comes up, I can join XP clients to
the domain, login, access shares, Roaming profiles are saved to the
server, etc.  But when I try to use usrmgr.exe to manage users I just
get a "The specified local group does not exist" error.  Not a very
helpful error message, but after setting the log level to 10 in Samba
and searching through the logs I found that winbind seems to be failing
to resolve the Builtin groups to a gid, so I am assuming that the Builtin
groups are the "local group" being referred to.

[2008/04/22 17:42:52, 10] passdb/lookup_sid.c:check_dom_sid_to_level(681)
  Accepting SID S-1-5-32 in level 1
[2008/04/22 17:42:52, 10] passdb/lookup_sid.c:lookup_sid(959)
  Sid S-1-5-32-549 -> BUILTIN\Server Operators(4)
[2008/04/22 17:42:52, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/04/22 17:42:52, 10] passdb/lookup_sid.c:sid_to_gid(1468)
  winbind failed to find a gid for sid S-1-5-32-549
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_debug(84)
  000000 samr_io_r_open_alias
[2008/04/22 17:42:52, 6] rpc_parse/parse_prs.c:prs_debug(84)
      000000 smb_io_pol_hnd pol
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint32(710)
          0000 handle_type: 00000000
[2008/04/22 17:42:52, 7] rpc_parse/parse_prs.c:prs_debug(84)
          000004 smb_io_uuid uuid
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint32(710)
              0004 data   : 00000000
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint16(681)
              0008 data   : 0000
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint16(681)
              000a data   : 0000
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint8s(857)
              000c data   : 00 00
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint8s(857)
              000e data   : 00 00 00 00 00 00
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_ntstatus(769)
      0014 status: NT_STATUS_NO_SUCH_ALIAS

The Builtin groups all exist and show up in net groupmap list output
correctly.

[root at domapdc samba]# net groupmap list
Server Operators (S-1-5-32-549) -> BUILTIN server operators
Replicator (S-1-5-32-552) -> BUILTIN replicator
Guests (S-1-5-32-546) -> BUILTIN guests
RAS Servers (S-1-5-32-553) -> BUILTIN ras servers
Power Users (S-1-5-32-547) -> BUILTIN power users
Domain Guests (S-1-5-21-414638506-200849585-235676652-514) -> nobody
Print Operators (S-1-5-32-550) -> BUILTIN print operators
Administrators (S-1-5-32-544) -> BUILTIN administrators
Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> BUILTIN pre-windows 2000 compatible access
Account Operators (S-1-5-32-548) -> BUILTIN account operators
Backup Operators (S-1-5-32-551) -> BUILTIN backup operators
Users (S-1-5-32-545) -> BUILTIN users
Domain Users (S-1-5-21-414638506-200849585-235676652-513) -> domusers

The Administrators and Users Builtins were created automatically by
winbind.  The others were created with net sam createbuiltingroup.

If I stop the winbind service, without any other changes, usrmgr.exe
starts correctly and I can add users, change group memberships, etc.

net groupmap list with winbind stopped shows:

[root at domapdc samba]# net groupmap list
Server Operators (S-1-5-32-549) -> 10083
Replicator (S-1-5-32-552) -> 10110
Guests (S-1-5-32-546) -> 10080
RAS Servers (S-1-5-32-553) -> 10111
Power Users (S-1-5-32-547) -> 10081
Domain Guests (S-1-5-21-414638506-200849585-235676652-514) -> nobody
Print Operators (S-1-5-32-550) -> 10084
Administrators (S-1-5-32-544) -> 10000
Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> 10112
Account Operators (S-1-5-32-548) -> 10082
Backup Operators (S-1-5-32-551) -> 10085
Users (S-1-5-32-545) -> 10001
Domain Users (S-1-5-21-414638506-200849585-235676652-513) -> domusers

Let me know if any other information is required.  Any help with this
will be appreciated.

Thanks

Mike
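As an added example (not code from the post or from Samba), a small Python checker that parses the idmap stanza and the `net groupmap list` output quoted above, verifies that the configured ranges do not overlap, and reports which configured range each numeric gid falls in. The sample inputs are constructed from the values in the post; the function names are my own.

```python
import re

# Constructed sample: the idmap stanza from the post's smb.conf.
SMB_CONF = """
idmap domains = OTHERDOMAINS DOMA DOMB
idmap config OTHERDOMAINS:default = yes
idmap config OTHERDOMAINS:range   = 10000 - 20000
idmap config DOMA:default = no
idmap config DOMA:range   = 20001 - 30000
idmap config DOMB:default = no
idmap config DOMB:range   = 30001 - 40000
idmap alloc config:range = 40001 - 50000
"""

# Constructed sample: a few lines of "net groupmap list" with winbind stopped.
GROUPMAP = """
Server Operators (S-1-5-32-549) -> 10083
Administrators (S-1-5-32-544) -> 10000
Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
Users (S-1-5-32-545) -> 10001
"""

RANGE_RE = re.compile(r"idmap (?:config (\S+):|alloc config:)range\s*=\s*(\d+)\s*-\s*(\d+)")
MAP_RE = re.compile(r"^(.*?) \((S-1-5-[\d-]+)\) -> (\S+)$", re.M)

def parse_ranges(conf):
    """Return {name: (low, high)} for every idmap range; the alloc range is keyed 'alloc'."""
    ranges = {}
    for m in RANGE_RE.finditer(conf):
        ranges[m.group(1) or "alloc"] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlapping(ranges):
    """Return pairs of range names whose intervals overlap; an empty list is what you want."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def classify(groupmap, ranges):
    """Map each SID to the idmap range its gid lands in (None for a name rather than a gid)."""
    out = {}
    for _name, sid, target in MAP_RE.findall(groupmap):
        if not target.isdigit():
            out[sid] = None  # mapped to a Unix group name, not an idmap-allocated gid
            continue
        gid = int(target)
        out[sid] = next((r for r, (lo, hi) in ranges.items() if lo <= gid <= hi), "outside all ranges")
    return out

if __name__ == "__main__":
    r = parse_ranges(SMB_CONF)
    print("overlaps:", overlapping(r))
    for sid, where in classify(GROUPMAP, r).items():
        print(sid, "->", where)
```

On the values from the post the ranges do not overlap, and every BUILTIN gid (10000 through 10112) lies in the OTHERDOMAINS range rather than DOMA's, which is a useful thing to know when reading the "winbind failed to find a gid" lines.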