[Samba] Winbind, pdbedit - does not belong to our domain

J. Pilfold-Bagwell jpb at bordengrammar.kent.sch.uk
Sat Feb 19 05:56:38 MST 2011

Hi all,

I have a problem that started last week with winbind on a member 
server.  The network consists of the following:

Openldap/Bind/DHCP Server (No Samba)
PDC - CentOS Linux - Samba 3-3.5.6-43.el5 (sernet package)
BDC - CentOS Linux - Samba 3-3.0.31-36
Proxy Server (with NTLM Auth) - Mandriva Linux - Samba 3.5.3-3.1mdv2010.1

All of these work fine but the proxy needs replacing so I've put a new 
server together (CentOS 5.5 Sernet/Samba 3-3.5.6-43.el5) and this 
is where it gets interesting.  I've followed the same procedure I've 
used on the above 4 machines but I keep getting error messages in 
pdbedit as below:

smbldap_search_domain_info: Searching
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_paged: base => [dc=bordengrammar,dc=kent,dc=sch,dc=uk], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
smbldap_search_paged: search was successful
sid S-1-5-21-2387947558-1535987125-4294967295-1000 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2998 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2000 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2002 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2004 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2006 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-3000 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-3004 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-3006 does not belong to our domain

The first part suggests that the LDAP connection succeeded and the 
domain name and the SIDs are correct. The first SID appears to be the 
local root user but the rest are OK.

Getent passwd works and returns all domain users.

Getent group returns all groups correctly.

Net group map list works and returns correctly mapped groups.

Wbinfo -t returns "checking the trust secret for domain BGS via RPC 
calls succeeded".

wbinfo --own-domain returns the correct NT domain name

In short, everything seems to work OK until you run wbinfo -u or -g at 
which point it sits there until it times out.  Smb.conf is the same as 
the other member servers, the net rpc join command returned success and 
a machine account was successfully created in the LDAP directory. The 
smb.conf file is here:


workgroup = BGS
netbios name = PROXY
password server =
server string = "Proxy"
wins server =
log file = /var/log/samba/%m.log
max log size = 50
security = domain
smb ports = 139
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
dns proxy = no
dos charset = 850
unix charset = ISO8859-1
log level = 3
idmap uid = 10000-200000
idmap gid = 10000-200000
winbind use default domain = yes
local master = no
os level = 10
domain master = no
preferred master = no
name resolve order = wins bcast lmhosts
domain logons = no

ldap ssl = no
passdb backend = ldapsam:ldap://
idmap backend = ldap:ldap://
ldap admin dn = cn=Manager,dc=bordengrammar,dc=kent,dc=sch,dc=uk
ldap suffix = dc=bordengrammar,dc=kent,dc=sch,dc=uk
ldap machine suffix = ou=Users
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap

Any suggestions gratefully received.
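Added example, not part of the original post: a small script that reads "does not belong to our domain" lines like the pdbedit output quoted above, groups the rejected SIDs by their domain prefix (everything before the RID) and flags any prefix whose sub-authority values fall outside the unsigned 32-bit range that SID sub-authorities use. The sample log is constructed from the lines in the post, re-joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the pdbedit lines quoted in the post, one per line.
PDBEDIT_LOG = """\
smbldap_search_paged: search was successful
sid S-1-5-21-2387947558-1535987125-4294967295-1000 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2998 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2000 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-3006 does not belong to our domain
"""

REJECT_RE = re.compile(r"\bsid (S-1-5-21(?:-\d+){4}) does not belong to our domain")
MAX_SUBAUTH = 2**32 - 1  # each SID sub-authority is an unsigned 32-bit integer


def split_sid(sid):
    """Return (domain_prefix, rid, malformed) for an S-1-5-21-X-Y-Z-RID string.
    malformed is True when any sub-authority does not fit in 32 bits."""
    parts = sid.split("-")
    subauths = [int(p) for p in parts[3:]]        # everything after 'S', '1', '5'
    malformed = any(v > MAX_SUBAUTH for v in subauths)
    return "-".join(parts[:-1]), int(parts[-1]), malformed


def group_rejected_sids(log):
    """Map each domain prefix in 'does not belong' lines to its RIDs and validity."""
    groups = defaultdict(lambda: {"rids": [], "malformed": False})
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        prefix, rid, malformed = split_sid(m.group(1))
        groups[prefix]["rids"].append(rid)
        groups[prefix]["malformed"] |= malformed
    for entry in groups.values():
        entry["rids"].sort()
    return dict(groups)


if __name__ == "__main__":
    for prefix, info in group_rejected_sids(PDBEDIT_LOG).items():
        flag = "MALFORMED" if info["malformed"] else "ok"
        print(f"{prefix}: RIDs {info['rids']} [{flag}]")
```

Compare the well-formed prefixes it prints against `net getlocalsid` and `net getdomainsid` on the member server to see which domain each rejected entry was written under.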
