[Samba] PDC forgot it was part of domain... "official" (ha!) samba hack around to fix...

Linda Walsh samba at tlinx.org
Thu Aug 18 13:33:49 MDT 2011




Michael Wood wrote:
>
>> I didn't get the benefit of '*' added to my wbinfo...
>>     
>
> I don't understand what you mean by this.
>   
Just saw this note by Benedikt Schindler:

>   
>> Of course, as noted earlier, my wbinfo also doesn't seem to know about
>> builtin SID's either .. so am having to add them...
>>     


-------- Original Message --------
Subject: 	samba 3.6: "autorid" has no domain order
Date: 	Fri, 12 Aug 2011 18:23:14 +0200
From: 	Benedikt Schindler <BeniSchindler at gmx.de>
To: 	samba at lists.samba.org


[snip & noting multiple future snips @ random! ]

I first tried autorid with a config like this:

        winbind enum users = yes
        winbind enum groups = yes

        idmap backend = autorid
        idmap gid = 100000-1499999
        idmap gid = 100000-1499999
        allow trusted domains = yes

... then later

I also read the mail about the new idmapping, so I also tried this
configuration:

        winbind enum users = yes
        winbind enum groups = yes
        allow trusted domains = yes

        idmap config A : backend     = rid
        idmap config A : range       = 100000 - 199999
        idmap config A : base_rid    = 1000

        idmap config B : backend  = rid
        idmap config B : range    = 200000 - 299999
        idmap config B : base_rid = 1000
-----

Then next note he says:
if i use this config:


> >         winbind enum users = yes
> >         winbind enum groups = yes
> >         allow trusted domains = yes
> >
> >        idmap config * : backend     = tdb
> >        idmap config * : range       = 70000-99999
> >
> >         idmap config A : backend     = rid
> >         idmap config A : range       = 100000 - 199999
> >         idmap config A : base_rid    = 1000
> >
> >         idmap config B : backend  = rid
> >         idmap config B : range    = 200000 - 299999
> >         idmap config B : base_rid = 1000
>   
I get the following message from a SID of domain A:

server3:~ # wbinfo -S S-1-5-21-1004336348-920026266-682003330-1113
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-1004336348-920026266-682003330-1113 to uid

I change this line
> >         allow trusted domains = no
>   
server3:~ # wbinfo -S S-1-5-21-1004336348-920026266-682003330-1113
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-1004336348-920026266-682003330-1113 to uid

It does not work. I change this line
> >        idmap config * : backend     = rid
>   
server3:~ # wbinfo -S S-1-5-21-1004336348-920026266-682003330-1113
100113

so it "works" ... but "getent passwd" still does not show any user.
 so there is still a long way to go.

if i delete all the "idmap config * " parts it won't work again.
   ----------------------------------^^^^

But also if it does work.... I need trusted domain support. The only
config that really works right now is the new "autorid".


A lot of the errors he is describing I saw as well, but I didn't see the email
about the new idmapping that told about '*'... (or that it was needed).


My server thought there were 2 domains due to the case-change problem --
that's why it kept looking for *, which I am guessing is supposed to be
some type of domain locator address.

My DB, since I'd only ever had 1, never had entries set up for 2, but when
the name got changed by NMB -- suddenly there were 2 servers -- and calls
coming in for Domain were getting refused on "DOMAIN"....

That's my best explanation yet, as to what happened...
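
An added example, not part of the original message or of Samba: a small Python check over the "idmap config" lines quoted above. It flags a missing "*" default domain (the case the quoted note reports as not working), domain names that differ only by case (the situation described in the explanation above), and overlapping ranges, and it applies the formula from the idmap_rid manual page (ID = RID - BASE_RID + LOW_RANGE_ID) to the SID from the wbinfo output. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the third configuration quoted in the message.
SMB_CONF = """
idmap config * : backend     = tdb
idmap config * : range       = 70000-99999
idmap config A : backend     = rid
idmap config A : range       = 100000 - 199999
idmap config A : base_rid    = 1000
idmap config B : backend  = rid
idmap config B : range    = 200000 - 299999
idmap config B : base_rid = 1000
"""
LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} from 'idmap config' lines."""
    domains = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def id_range(opts):
    """Parse 'low - high' into a pair of integers."""
    low, high = (int(x) for x in opts["range"].split("-"))
    return low, high

def audit(domains):
    """Flag a missing default domain, case-only name clashes, bad ranges."""
    problems, seen, ranges = [], {}, []
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain")
    for dom, opts in domains.items():
        if seen.setdefault(dom.upper(), dom) != dom:
            problems.append(f"{seen[dom.upper()]}/{dom}: names differ only by case")
        if "range" not in opts:
            problems.append(f"{dom}: no range")
        else:
            ranges.append((*id_range(opts), dom))
    ranges.sort()  # any overlap shows up between neighbours once sorted by low end
    for (_, high, d1), (low, _, d2) in zip(ranges, ranges[1:]):
        if low <= high:
            problems.append(f"{d1}/{d2}: ranges overlap")
    return problems

def rid_to_unix_id(sid, opts):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID, or None if out of range."""
    low, high = id_range(opts)
    unix_id = int(sid.rsplit("-", 1)[1]) - int(opts.get("base_rid", 0)) + low
    return unix_id if low <= unix_id <= high else None
```

With domain A's settings, the SID ending in -1113 maps to 100113, the value wbinfo -S printed in the quoted note.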



