[Samba] PDC forgot it was part of domain... "official" (ha!) samba hack around to fix...

Michael Wood esiotrot at gmail.com
Thu Aug 18 03:15:18 MDT 2011


On 3 August 2011 08:59, Linda Walsh <samba at tlinx.org> wrote:
> Among various problems since I upgraded to 3.6 (none of which got answered
> really, -- so I backgraded to 3.5.10 and started debugging from there,
> considering 3.6.0 too unstable/too incompatible for 'whatever' reason...
> One of the probs I had was 'root' couldn't use "net rpc" <anything> --
> kept getting auth failures.

Was this with 3.6.0 or after you downgraded again to 3.5.10?

> Wasn't the passwd, -- could reset it via smbpasswd, no prob, and my
> normal UID could do an rpc user, but didn't have the auth to the
> local files to read them (so got no results back).
> Steps...
> 1) add self to group root
> 2) in /var/lib/samba and /etc/samba:
> find . -gid 0 -print0|xargs -0 chmod g+rw
> find . -gid 0 -type d|xargs -0 chmod g+xs

You're missing a -print0 on the second one there, but I assume that's
just a copy/paste error or something.

> Then I noted that my 'user' could no longer auth either!
> Bonus!
> turned on -d10 on net rpc cmd,
> Noted, it was trying to look up '*' for a pw server,
> '*' doesn't resolve so well on my DNS server.

What was the actual log message?  Did you find out where this '*' was
coming from?

> My domain name does, but it was trying to contact '*' for
> a pw server instead of using itself  (this used to work before
> I tried upgrading to 3.6, FWIW)...
> Anyway, explicit hackaround:
> added:
>    passwd server=localhost
> to my smb.conf.
> Now the PDC is smart enough to know to look up passwords on
> itself rather than going out and looking for '*', which
> "wbinfo" REALLY didn't like --
> lots of "*" not found messages from wbinfo...
> Along with the idmap tdb format becoming incompat, (or maybe that's
> the only one involved), apparently during the 'upgrade'[sic],

I'm (obviously) not one of the Samba developers, but it seems unlikely
to me that they would have made the idmap tdb in 3.6 incompatible with
the one in 3.5 unless perhaps there was an automatic upgrade when you
run 3.6.  I haven't read the release notes carefully enough, but I
don't remember something like that being mentioned.  It would be nice
if one of the Samba developers could clarify this, though :)

> I didn't get the benefit of '*' added to my wbinfo...

I don't understand what you mean by this.

> Of course, as noted earlier, my wbinfo also doesn't seem to know about
> builtin SIDs either .. so am having to add them...

That's really weird.

> (writing script ...)
> </tmp/domsid perl -e 'while (<>) {
> printf "net groupmap add %s",$_;
> }
> '

It seems to me that finding out why there are no builtin SIDs might
have been a better idea than manually adding them.  But I suppose if
your idmap tdb was suspect then maybe this was indeed the best thing
to do.

> /tmp/domsid:
> "Administrators" sid="S-1-5-32-544" type=builtin
> "Users" sid="S-1-5-32-545" type=builtin
> "Domain Controllers" sid="S-1-5-32-516" type=builtin
> "Guests" sid="S-1-5-32-546" type=builtin
> "Power Users" sid="S-1-5-32-547" type=builtin
> "Account Operators" sid="S-1-5-32-552" type=builtin
> ....


Michael Wood <esiotrot at gmail.com>
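
The `-print0` mismatch pointed out in the reply above, shown as an added example that is not part of the original thread: it runs the quoted `find | xargs -0` form and the corrected forms against a scratch tree. The function names and the temporary tree are constructed, and the `-gid 0` filter from the original step is omitted as an assumption so the script runs without root.

```shell
#!/bin/sh
# Added example, not from the thread. Names and the scratch tree are constructed.
# The original step's -gid 0 filter is dropped so this runs unprivileged.

# Form quoted in the thread: find prints newline-separated paths, but xargs -0
# splits only on NUL, so chmod receives ONE argument holding every path.
dirs_broken() {
    ( cd "$1" && find . -type d | xargs -0 chmod g+xs ) 2>/dev/null
}

# Matching delimiters: -print0 on the producer, -0 on the consumer.
dirs_fixed() {
    ( cd "$1" && find . -type d -print0 | xargs -0 chmod g+xs )
}

# No pipe at all: find passes the paths to chmod itself.
dirs_exec() {
    ( cd "$1" && find . -type d -exec chmod g+xs {} + )
}

# Count directories under $1 that now have group-execute set.
count_gx() {
    find "$1" -type d -perm -0010 | wc -l | tr -d ' '
}

# Scratch tree of three directories (one name contains a space), all mode 0700.
make_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/private" "$t/lock dir" && chmod -R 700 "$t" && printf '%s\n' "$t"
}

# Demo run on a throwaway tree.
demo=$(make_tree)
dirs_broken "$demo" || echo "broken form: chmod failed, $(count_gx "$demo") dirs changed"
dirs_fixed "$demo" && echo "fixed form: $(count_gx "$demo") dirs changed"
rm -rf "$demo"
```

The broken form fails for every tree, not only for names with spaces, because the single argument always ends in a newline and never names a real path.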
