[Samba] Winbind, pdbedit - does not belong to our domain
J. Pilfold-Bagwell
jpb at bordengrammar.kent.sch.uk
Sat Feb 19 05:56:38 MST 2011
Hi all,
I have a problem that started last week with winbind on a member
server. The network consists of the following:
Openldap/Bind/DHCP Server (No Samba)
PDC - CentOS Linux - Samba 3-3.5.6-43.el5 (sernet package)
BDC - CentOS Linux - Samba 3-3.0.31-36
Proxy Server (with NTLM Auth) - Mandriva Linux - Samba 3.5.3-3.1mdv2010.1
All of these work fine but the proxy needs replacing so I've put a new
server together (CentOS 5.5 Sernet/Samba 3-3.5.6-43.el5) and this
is where it gets interesting. I've followed the same procedure I've
used on the above 4 machines but I keep getting error messages in
pdbedit as below:
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=PROXY))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_paged: base => [dc=bordengrammar,dc=kent,dc=sch,dc=uk], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
smbldap_search_paged: search was successful
sid S-1-5-21-2387947558-1535987125-4294967295-1000 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2998 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2000 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2002 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2004 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2006 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-3000 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-3004 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-3006 does not belong to our domain
The first part suggests that the LDAP connection succeeded and the
domain name and the SIDs are correct. The first SID appears to be the
local root user but the rest are OK.
Getent passwd works and returns all domain users.
Getent group returns all groups correctly.
Net group map list works and returns correctly mapped groups.
Wbinfo -t returns "checking the trust secret for domain BGS via RPC
calls succeeded".
wbinfo --own-domain returns the correct NT domain name.
In short, everything seems to work OK until you run wbinfo -u or -g at
which point it sits there until it times out. Smb.conf is the same as
the other member servers, the net rpc join command returned success and
a machine account was successfully created in the LDAP directory. The
smb.conf file is here:
[global]
workgroup = BGS
netbios name = PROXY
password server = 172.20.5.254
server string = "Proxy"
wins server = 172.20.5.254
log file = /var/log/samba/%m.log
max log size = 50
security = domain
smb ports = 139
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
dns proxy = no
dos charset = 850
unix charset = ISO8859-1
log level = 3
idmap uid = 10000-200000
idmap gid = 10000-200000
winbind use default domain = yes
local master = no
os level = 10
domain master = no
preferred master = no
name resolve order = wins bcast lmhosts
domain logons = no
ldap ssl = no
passdb backend = ldapsam:ldap://172.20.5.253
idmap backend = ldap:ldap://172.20.5.253
ldap admin dn = cn=Manager,dc=bordengrammar,dc=kent,dc=sch,dc=uk
ldap suffix = dc=bordengrammar,dc=kent,dc=sch,dc=uk
ldap machine suffix = ou=Users
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
Any suggestions gratefully received.
Thanks,
Julian
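
A triage helper for the pdbedit output quoted in the message, added here as an example and not part of the original post or of Samba. It groups the rejected SIDs by domain SID so they can be compared with what `net getlocalsid` and `net getdomainsid` report on the member server, and it checks that every sub-authority fits the 32-bit unsigned field of the binary SID format. The function names and the `expected_domain_sid` parameter are assumptions made for this example.

```python
import re
from collections import defaultdict

# Lines copied from the pdbedit output in the post, mail line-wrapping included.
SAMPLE_LOG = """\
smbldap_search_paged: search was successful
sid S-1-5-21-2387947558-1535987125-4294967295-1000 does not belong to
our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2998 does not belong to
our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2000 does not belong to
our domain
"""

# \s+ between words lets the match span a wrapped line.
REJECTED = re.compile(
    r"sid\s+(S-1-5-21(?:-\d+){4})\s+does\s+not\s+belong\s+to\s+our\s+domain")
MAX_SUBAUTH = 0xFFFFFFFF  # sub-authorities are 32-bit unsigned in a binary SID

def rejected_by_domain(log_text):
    """Map each domain SID to the sorted RIDs rejected under it."""
    groups = defaultdict(list)
    for match in REJECTED.finditer(log_text):
        domain_sid, _, rid = match.group(1).rpartition("-")
        groups[domain_sid].append(int(rid))
    return {sid: sorted(rids) for sid, rids in groups.items()}

def oversized_subauthorities(sid):
    """Return the sub-authorities of a SID that do not fit in 32 bits."""
    values = [int(part) for part in sid.split("-")[3:]]
    return [v for v in values if v > MAX_SUBAUTH]

def report(log_text, expected_domain_sid=None):
    """Build report lines; expected_domain_sid (hypothetical parameter) is the
    SID the operator believes the domain has."""
    lines = []
    for domain_sid, rids in rejected_by_domain(log_text).items():
        note = ""
        if expected_domain_sid is not None:
            same = domain_sid == expected_domain_sid
            note = " (matches expected)" if same else " (differs from expected)"
        lines.append(f"{domain_sid}{note}: RIDs {rids}")
        for value in oversized_subauthorities(domain_sid):
            lines.append(f"  sub-authority {value} exceeds {MAX_SUBAUTH}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```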