[Samba] Problems with winbind, idmap and usrmgr.exe
Mike Brady
mike.brady at devnull.net.nz
Tue Apr 22 06:02:54 GMT 2008
I am trying to get two Samba PDC/Domains setup with a trust between
them. They are separate domains because they are separate companies
(one is a subsidiary of the other) located in different cities.
I am using Centos 5.1 x86_64 and Samba 3.0.28a packages built by me from
Fedora 8 source RPMs.
Based on what I have read, in order to do the trust thing I need to use
Winbind/idmap to handle the non-local SIDs (not that I have got to the
point of trying to do the trust yet). Correct?
I have set up DOMA's PDC with the following idmap/winbind configuration.
There doesn't seem to be any up to date documentation on this stuff, so
I admit that I have been guessing at this, so it is probably
completely wrong.
idmap domains = OTHERDOMAINS DOMA DOMB
idmap config OTHERDOMAINS:default = yes
idmap config OTHERDOMAINS:backend = tdb
idmap config OTHERDOMAINS:range = 10000 - 20000
idmap config DOMA:default = no
idmap config DOMA:backend = tdb
idmap config DOMA:range = 20001 - 30000
idmap config DOMB:default = no
idmap config DOMB:backend = tdb
idmap config DOMB:range = 30001 - 40000
idmap alloc backend = tdb
idmap alloc config:range = 40001 - 50000
winbind separator = \
winbind enum users = yes
winbind enum groups = Yes
winbind nested groups = yes
Are the ranges all supposed to be separate like that? I was just
following an example that I found somewhere.
The domain "works" in that the PDC comes up, I can join XP clients to
the domain, login, access shares, roaming profiles are saved to the
server, etc. But when I try to use usrmgr.exe to manage users I just
get a "The specified local group does not exist" error. Not a very
helpful error message, but after setting the log level to 10 in Samba
and searching through the logs I found that winbind seems to be failing
to resolve the Builtin groups to a gid, so I am assuming that the Builtin
groups are the "local group" being referred to.
[2008/04/22 17:42:52, 10]
passdb/lookup_sid.c:check_dom_sid_to_level(681)
Accepting SID S-1-5-32 in level 1
[2008/04/22 17:42:52, 10] passdb/lookup_sid.c:lookup_sid(959)
Sid S-1-5-32-549 -> BUILTIN\Server Operators(4)
[2008/04/22 17:42:52, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/04/22 17:42:52, 10] passdb/lookup_sid.c:sid_to_gid(1468)
winbind failed to find a gid for sid S-1-5-32-549
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_debug(84)
000000 samr_io_r_open_alias
[2008/04/22 17:42:52, 6] rpc_parse/parse_prs.c:prs_debug(84)
000000 smb_io_pol_hnd pol
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint32(710)
0000 handle_type: 00000000
[2008/04/22 17:42:52, 7] rpc_parse/parse_prs.c:prs_debug(84)
000004 smb_io_uuid uuid
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint32(710)
0004 data : 00000000
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint16(681)
0008 data : 0000
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint16(681)
000a data : 0000
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint8s(857)
000c data : 00 00
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint8s(857)
000e data : 00 00 00 00 00 00
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_ntstatus(769)
0014 status: NT_STATUS_NO_SUCH_ALIAS
The Builtin groups all exist and show up in net groupmap list output
correctly.
[root at domapdc samba]# net groupmap list
Server Operators (S-1-5-32-549) -> BUILTIN server operators
Replicator (S-1-5-32-552) -> BUILTIN replicator
Guests (S-1-5-32-546) -> BUILTIN guests
RAS Servers (S-1-5-32-553) -> BUILTIN ras servers
Power Users (S-1-5-32-547) -> BUILTIN power users
Domain Guests (S-1-5-21-414638506-200849585-235676652-514) -> nobody
Print Operators (S-1-5-32-550) -> BUILTIN print operators
Administrators (S-1-5-32-544) -> BUILTIN administrators
Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> BUILTIN pre-windows 2000 compatible access
Account Operators (S-1-5-32-548) -> BUILTIN account operators
Backup Operators (S-1-5-32-551) -> BUILTIN backup operators
Users (S-1-5-32-545) -> BUILTIN users
Domain Users (S-1-5-21-414638506-200849585-235676652-513) -> domusers
The Administrators and Users Builtins were created automatically by
winbind. The others were created with net sam createbuiltingroup.
If I stop the winbind service, without any other changes, usrmgr.exe
starts correctly and I can add users, change group memberships, etc.
net groupmap list with winbind stopped shows:
[root at domapdc samba]# net groupmap list
Server Operators (S-1-5-32-549) -> 10083
Replicator (S-1-5-32-552) -> 10110
Guests (S-1-5-32-546) -> 10080
RAS Servers (S-1-5-32-553) -> 10111
Power Users (S-1-5-32-547) -> 10081
Domain Guests (S-1-5-21-414638506-200849585-235676652-514) -> nobody
Print Operators (S-1-5-32-550) -> 10084
Administrators (S-1-5-32-544) -> 10000
Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> 10112
Account Operators (S-1-5-32-548) -> 10082
Backup Operators (S-1-5-32-551) -> 10085
Users (S-1-5-32-545) -> 10001
Domain Users (S-1-5-21-414638506-200849585-235676652-513) -> domusers
Let me know if any other information is required. Any help with this
will be appreciated.
Thanks
Mike
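As an added example (not part of the original post or of Samba), the script below checks the two things the post raises: that the idmap ranges quoted above are disjoint, and which configured range each numeric gid shown by "net groupmap list" (with winbind stopped) falls into. The config lines and groupmap lines are copied from the post; the range-keyed names such as "ALLOC" are the script's own labels.

```python
import re

# Excerpt of the idmap range settings quoted in the post (not a full smb.conf parser).
IDMAP_CONF = """
idmap config OTHERDOMAINS:range = 10000 - 20000
idmap config DOMA:range = 20001 - 30000
idmap config DOMB:range = 30001 - 40000
idmap alloc config:range = 40001 - 50000
"""

# Excerpt of the "net groupmap list" output taken with winbind stopped.
GROUPMAP_OUT = """
Server Operators (S-1-5-32-549) -> 10083
Administrators (S-1-5-32-544) -> 10000
Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
Users (S-1-5-32-545) -> 10001
"""

# "idmap config NAME:range = lo - hi" or "idmap alloc config:range = lo - hi"
RANGE_RE = re.compile(r"^idmap (?:config (\S+?):|alloc config:)range\s*=\s*(\d+)\s*-\s*(\d+)", re.M)
# "Group Name (S-1-5-...) -> target" where target is a gid or a local group name
MAP_RE = re.compile(r"^(.+?) \((S-1-5-[\d-]+)\) -> (\S.*)$", re.M)


def parse_ranges(conf):
    """Return {idmap domain: (low, high)}; the alloc range is keyed 'ALLOC' (our label)."""
    return {dom or "ALLOC": (int(lo), int(hi)) for dom, lo, hi in RANGE_RE.findall(conf)}


def overlapping_ranges(ranges):
    """Pairs of adjacent (sorted) ranges that overlap; idmap ranges must be disjoint."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    return [(a, b) for (a, (_, ahi)), (b, (blo, _)) in zip(items, items[1:]) if blo <= ahi]


def classify_mappings(output, ranges):
    """Map each SID to the idmap range its gid falls in, 'local' for name-mapped
    groups (e.g. domadmins), or 'unallocated' if the gid is outside every range."""
    result = {}
    for _name, sid, target in MAP_RE.findall(output):
        if not target.isdigit():
            result[sid] = "local"
            continue
        gid = int(target)
        result[sid] = next((d for d, (lo, hi) in ranges.items() if lo <= gid <= hi), "unallocated")
    return result


if __name__ == "__main__":
    ranges = parse_ranges(IDMAP_CONF)
    print("overlaps:", overlapping_ranges(ranges))
    for sid, where in classify_mappings(GROUPMAP_OUT, ranges).items():
        print(f"{sid:50} -> {where}")
```

Running it against the post's values reports no overlapping ranges and shows every BUILTIN gid (10000, 10001, 10083) landing in the OTHERDOMAINS range, the one marked default = yes.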