[Samba] Messed up SIDs: How to change machine SID?

Marcus Mundt marcus.mundt at forsa.de
Mon Jul 15 07:24:46 MDT 2013


I could fix the SID issues. However, the other errors and warnings remain. Struggling hard to find the cause for not being able to join a domain, getting "Access Denied".

SMB log:
[2013/07/12 15:48:03.439574,  2] auth/auth.c:309(check_ntlm_password)
  check_ntlm_password:  authentication for user [admin] -> [admin] -> [admin] succeeded
[2013/07/12 15:48:03.442335,  3] groupdb/mapping.c:772(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2013/07/12 15:48:03.442450,  2] auth/token_util.c:455(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind allocate gids?
[2013/07/12 15:48:03.444454,  3] groupdb/mapping.c:772(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2013/07/12 15:48:03.444555,  2] auth/token_util.c:479(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
...
[2013/07/12 15:48:03.191990,  0] rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client N666
...
[2013/07/12 15:48:03.587205,  3] smbd/connection.c:35(yield_connection)
  Yielding connection to IPC$
[2013/07/12 15:48:03.589351,  3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)

Questions:
Is it mandatory that
Domain Admins
Domain Users
Domain Guests
Domain Computers
are spelled exactly like that? In GOsa I'm only allowed to use lower case letters and no spaces. Hence I got
domainadmins... and so forth. I don't know how to change the Windows group name only.

Is a root user mandatory, or may I use "admin"? I have no root in LDAP, but I tried it last week and it didn't help.

Which of the domain and builtin groups are mandatory? As far as I know only
Domain Admins 	512
Domain Users 	513
Domain Guests   514

and

From the builtin domain (didn't know that there is a built-in domain until now)
Administrators 	544
Users 	        545
Guests          546

Thanks for any help in advance! Setting up a PDC seems not too hard, but I have to use our existing LDAP directory and operate on a production system :(

Cheers,
Marcus



> I have an LDAP backend.
> 
> In LDAP, the machine accounts for my  windows and linux clients so show 
> the same base SID as the domain SID (ie.. all but the last digits.)
> 
> However I also have the mismatch with "net getdomainsid" -  which 
> definitely explains why they don't behave as I would expect.   You may 
> want to try fixing this with "net setlocalsid."   I guess when you join a 
> unix or linux member server to the domain the localsid is not updated.
> 
> Re the BUILTIN groups you may want to explicitly map these to unix 
> groups rather than relying on winbind to do it
> 
> 
> e.g.   I created  unix groups
> 
> #getent group ....
> Builtin Admins::544:
> Builtin Users::545:
> Builtin Guests::546:
> 
> Then mapped the well-known built-in Windows groups to the unix groups
> 
> 
> # net groupmap add ntgroup="Administrators" unixgroup=544 sid=S-1-5-32-544 type=builtin
> # net groupmap add ntgroup="Users" unixgroup=545 sid=S-1-5-32-545 type=builtin
> # net groupmap add ntgroup="Guests" unixgroup=546 sid=S-1-5-32-546 type=builtin
> 
> # net groupmap list | grep -i builtin
> 
> Administrators (S-1-5-32-544) -> Builtin Admins
> Users (S-1-5-32-545) -> Builtin Users
> Guests (S-1-5-32-546) -> Builtin Guests
> 
> 
> 
> The linux samba member servers I use mostly for IT use anyway so I never 
> shook out all the bugs.
> 
> 
> 
> 
> On 07/03/13 11:49, Marcus Mundt wrote:
> > Dear Samba Gurus,
> >
> > I got the following errors:
> > tail -f /var/log/samba/log.wb-DOM1
> > [2013/07/02 15:49:19.990168,  2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
> >    name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
> >
> > log.smbd
> > [2013/07/02 15:40:51.809516,  2] auth/token_util.c:455(finalize_local_nt_token)
> >    WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind allocate gids?
> > [2013/07/02 15:40:51.811330,  2] auth/token_util.c:479(finalize_local_nt_token)
> >    WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
> >
> >
> > I guess the reason might be this:
> > net getdomainsid
> > SID for local machine M1 is: 	S-1-5-21-3981825222-1828954701-2606613544
> > SID for domain DOM1 is: 	S-1-5-21-2762780445-1763757571-3541238449
> >
> > net getdomainsid
> > SID for local machine M2 is: 	S-1-5-21-2913448378-2543514743-1508345481
> > SID for domain DOM1 is: 	S-1-5-21-2762780445-1763757571-3541238449
> >
> >
> > Shouldn't the SIDs be the same except the last digits???
> >
> > Cheers,
> > Marcus
> 
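As an added example (not part of the thread and not Samba's own tooling), the following POSIX shell script turns the two checks discussed above into something that can be run on a PDC: does the local machine SID match the domain SID as reported by `net getdomainsid`, and which of the well-known groups (domain RIDs 512-514, BUILTIN 544-546) are still missing from `net groupmap list`. It runs here against constructed copies of the two outputs shown in the thread; the assumption is that the host is the PDC (where the local SID has to equal the domain SID), and the unix group names used for the domain groups (domainadmins and so on) are an assumption following the GOsa naming above, while the builtin lines follow the quoted reply.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba itself: sanity checks for a
# Samba 3 PDC, run against constructed copies of `net getdomainsid` and
# `net groupmap list` output. On a real PDC replace the two constants with
# "$(net getdomainsid)" and "$(net groupmap list)" (assumption: the host is
# the PDC, where the local machine SID must equal the domain SID).

# Constructed sample: the local SID differs from the domain SID, as in the thread.
NET_GETDOMAINSID='SID for local machine M1 is:    S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is:         S-1-5-21-2762780445-1763757571-3541238449'

# Constructed sample: Domain Guests (RID 514) and BUILTIN\Guests (546) are unmapped.
NET_GROUPMAP_LIST='Domain Admins (S-1-5-21-2762780445-1763757571-3541238449-512) -> domainadmins
Domain Users (S-1-5-21-2762780445-1763757571-3541238449-513) -> domainusers
Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users'

# Extract the two SIDs from `net getdomainsid` output (tab or spaces after "is:").
local_sid_of()  { printf '%s\n' "$1" | sed -n 's/^SID for local machine .* is:[[:space:]]*//p'; }
domain_sid_of() { printf '%s\n' "$1" | sed -n 's/^SID for domain .* is:[[:space:]]*//p'; }

# Print "same" when the local SID equals the domain SID (what a PDC needs),
# "mismatch" otherwise; a mismatch is what `net setlocalsid <domain SID>` repairs.
sid_check() {
  if [ "$(local_sid_of "$1")" = "$(domain_sid_of "$1")" ]; then echo same; else echo mismatch; fi
}

# Print, one per line, the well-known group SIDs (domain RIDs 512-514 and
# BUILTIN 544-546) that have no entry in the `net groupmap list` output ($1)
# for the domain SID ($2).
missing_groupmaps() {
  for sid in "$2-512" "$2-513" "$2-514" S-1-5-32-544 S-1-5-32-545 S-1-5-32-546; do
    printf '%s\n' "$1" | grep -Fq "($sid)" || echo "$sid"
  done
}

# Print the `net groupmap add` command that maps one well-known SID. The
# builtin entries follow the quoted reply (unixgroup=544/545/546); the unix
# group names for the domain groups (domainadmins, ...) are an assumption
# matching the GOsa naming in the thread.
groupmap_add_cmd() (
  sid=$1
  case ${sid##*-} in
    512) name="Domain Admins"; ug=domainadmins; gtype=domain ;;
    513) name="Domain Users";  ug=domainusers;  gtype=domain ;;
    514) name="Domain Guests"; ug=domainguests; gtype=domain ;;
    544) name=Administrators;  ug=544;          gtype=builtin ;;
    545) name=Users;           ug=545;          gtype=builtin ;;
    546) name=Guests;          ug=546;          gtype=builtin ;;
    *)   echo "no well-known mapping for $sid" >&2; exit 1 ;;
  esac
  printf 'net groupmap add ntgroup="%s" unixgroup=%s sid=%s type=%s\n' "$name" "$ug" "$sid" "$gtype"
)

# Stand-alone run: report the SID state and the mapping commands still to be issued.
echo "local vs domain SID: $(sid_check "$NET_GETDOMAINSID")"
for sid in $(missing_groupmaps "$NET_GROUPMAP_LIST" "$(domain_sid_of "$NET_GETDOMAINSID")"); do
  groupmap_add_cmd "$sid"
done
```

The script only prints the `net groupmap add` lines rather than running them, so the unix groups can be created (or their names corrected) before the mappings are added; after applying them, rerunning `net groupmap list` through `missing_groupmaps` should produce no output.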

