[Samba] Messed up SIDs: How to change machine SID?
Marcus Mundt
marcus.mundt at forsa.de
Tue Jul 16 08:29:05 MDT 2013
Ok, today I was finally able to join my domain. The problem was a misconfiguration of idmap. Solution as follows:
idmap config DEFAULT:backend = ldap
idmap config DEFAULT:readonly = no
idmap config DEFAULT:default = yes
idmap config DEFAULT:ldap_base_dn = ou=people,dc=domain,dc=org
idmap config DEFAULT:ldap_user_dn = cn=rootuser,dc=domain,dc=org
idmap config DEFAULT:ldap_url = ldap://myldapserver
Thanks for everything!
-----Original Message-----
From: Marcus Mundt <marcus.mundt at forsa.de>
Sent: Mon 15.07.2013 15:25
Subject: Re: [Samba] Messed up SIDs: How to change machine SID?
To: samba at lists.samba.org;
> I could fix the SID issues. However, the other errors and warnings remain.
> Struggling hard to find the cause for not being able to join a domain, getting
> "Access Denied"
>
> SMB log:
> [2013/07/12 15:48:03.439574, 2] auth/auth.c:309(check_ntlm_password)
> check_ntlm_password: authentication for user [admin] -> [admin] -> [admin]
> succeeded
> [2013/07/12 15:48:03.442335, 3] groupdb/mapping.c:772(pdb_create_builtin_alias)
> pdb_create_builtin_alias: Could not get a gid out of winbind
> [2013/07/12 15:48:03.442450, 2] auth/token_util.c:455(finalize_local_nt_token)
> WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate
> gids?
> [2013/07/12 15:48:03.444454, 3] groupdb/mapping.c:772(pdb_create_builtin_alias)
> pdb_create_builtin_alias: Could not get a gid out of winbind
> [2013/07/12 15:48:03.444555, 2] auth/token_util.c:479(finalize_local_nt_token)
> WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
> ...
> [2013/07/12 15:48:03.191990, 0] rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate: no challenge sent to client N666
> ...
> [2013/07/12 15:48:03.587205, 3] smbd/connection.c:35(yield_connection)
> Yielding connection to IPC$
> [2013/07/12 15:48:03.589351, 3] smbd/server_exit.c:181(exit_server_common)
> Server exit (failed to receive smb request)
>
> Questions:
> Is it mandatory that
> Domain Admins
> Domain Users
> Domain Guests
> Domain Computers
> are spelled exactly like that. In GOsa I'm only allowed to use lower case
> letters and no spaces. Hence I got
> domainadmins... and so forth. I don't know how to change the windows group name
> only.
>
> Is a root user mandatory or may I use "admin"? Since I got no root in LDAP, but
> tried it last week, didn't help.
>
> Which of the domain and builtin groups are mandatory? As far as I know only
> Domain Admins 512
> Domain Users 513
> Domain Guests 514
>
> and
>
> From the builtin domain (didn't know that there is a built in domain until now)
> Administrators 544
> Users 545
> Guests 546
>
> Thanks for any help in advance! Setting up a PDC seems not too hard, but I have
> to use our existing LDAP directory and operate on a production system :(
>
> Cheers,
> Marcus
>
>
>
> > I have an LDAP backend.
> >
> > In LDAP, the machine accounts for my windows and linux clients show
> > the same base SID as the domain SID (i.e. all but the last digits.)
> >
> > However I also have the mismatch with "net getdomainsid" - which
> > definitely explains why they don't behave as I would expect. You may
> > want to try fixing this with "net setlocalsid." I guess when you join a
> > unix or linux member server to the domain the localsid is not updated.
> >
> > Re the BUILTIN groups you may want to explicitly map these to unix
> > groups rather than relying on winbind to do it
> >
> >
> > e.g. I created unix groups
> >
> > #getent group ....
> > Builtin Admins::544:
> > Builtin Users::545:
> > Builtin Guests::546:
> >
> > Then mapped the well-known built-in Windows groups to the unix groups
> >
> >
> > #net groupmap add ntgroup="Administrators" unixgroup=544 sid=S-1-5-32-544 type=builtin
> > #net groupmap add ntgroup="Users" unixgroup=545 sid=S-1-5-32-545 type=builtin
> > #net groupmap add ntgroup="Guests" unixgroup=546 sid=S-1-5-32-546 type=builtin
> >
> > # net groupmap list | grep -i builtin
> >
> > Administrators (S-1-5-32-544) -> Builtin Admins
> > Users (S-1-5-32-545) -> Builtin Users
> > Guests (S-1-5-32-546) -> Builtin Guests
> >
> >
> >
> > The linux samba member servers I use mostly for IT use anyway so I never
> > shook out all the bugs.
> >
> >
> >
> >
> > On 07/03/13 11:49, Marcus Mundt wrote:
> > > Dear Samba Gurus,
> > >
> > > I got the following errors:
> > > tail -f /var/log/samba/log.wb-DOM1
> > > [2013/07/02 15:49:19.990168, 2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
> > > name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
> > >
> > > log.smbd
> > > [2013/07/02 15:40:51.809516, 2] auth/token_util.c:455(finalize_local_nt_token)
> > > WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
> > > [2013/07/02 15:40:51.811330, 2] auth/token_util.c:479(finalize_local_nt_token)
> > > WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
> > >
> > >
> > > I guess the reason might be this:
> > > net getdomainsid
> > > SID for local machine M1 is: S-1-5-21-3981825222-1828954701-2606613544
> > > SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449
> > >
> > > net getdomainsid
> > > SID for local machine M2 is: S-1-5-21-2913448378-2543514743-1508345481
> > > SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449
> > >
> > >
> > > Shouldn't the SIDs be the same except the last digits???
> > >
> > > Cheers,
> > > Marcus
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
> >
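The thread turns on three checks a Samba 3 PDC admin wants to run before touching LDAP: does the machine's local SID equal the domain SID (on a PDC it must, which is what "net setlocalsid" repairs), are the well-known domain groups 512/513/514 mapped under the current domain SID rather than a stale one, and are the BUILTIN aliases S-1-5-32-544/545/546 mapped at all (the "Failed to create BUILTIN\Administrators group" warnings). The following checker is an added example, not code from the thread or from the Samba project; it parses the output formats of `net getdomainsid` and `net groupmap list` exactly as they appear above. The sample inputs are constructed: the M1/DOM1 SIDs are copied from Marcus's first post, the group-map lines are invented to show one mapping left under the old local SID and two missing BUILTIN aliases. It assumes the host is the PDC (on a plain member server the local SID is expected to differ).

```python
import re

# Well-known RIDs named in the thread: domain groups hang off the domain SID,
# BUILTIN aliases hang off the fixed S-1-5-32 authority.
DOMAIN_GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
BUILTIN_SID = "S-1-5-32"
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 546: "Guests"}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID); reject malformed input."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def parse_getdomainsid(text):
    """Parse `net getdomainsid` output into {'local': sid, 'domain': sid}."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"SID for local machine \S+ is: (S-[\d-]+)", line)
        if m:
            found["local"] = m.group(1)
        m = re.match(r"SID for domain \S+ is: (S-[\d-]+)", line)
        if m:
            found["domain"] = m.group(1)
    if "local" not in found or "domain" not in found:
        raise ValueError("could not find both SIDs in net getdomainsid output")
    return found


def parse_groupmap_list(text):
    """Parse `net groupmap list` lines ('NT name (SID) -> unix group') into {sid: (nt, unix)}."""
    mapping = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?) \((S-[\d-]+)\) -> (.+?)\s*$", line)
        if m:
            mapping[m.group(2)] = (m.group(1), m.group(3))
    return mapping


def check_pdc(getdomainsid_out, groupmap_out):
    """Return a list of problems for a Samba PDC; an empty list means the SIDs and mappings are consistent."""
    problems = []
    sids = parse_getdomainsid(getdomainsid_out)
    if sids["local"] != sids["domain"]:
        problems.append(
            f"local SID {sids['local']} != domain SID {sids['domain']}; "
            f"fix with: net setlocalsid {sids['domain']}"
        )
    mapped = parse_groupmap_list(groupmap_out)
    # The NT name and the unix group name are independent fields of a mapping,
    # so a unix group called 'domainadmins' can carry the NT name 'Domain Admins'.
    for rid, nt_name in DOMAIN_GROUP_RIDS.items():
        sid = f"{sids['domain']}-{rid}"
        if sid not in mapped:
            problems.append(f"no mapping for {nt_name} ({sid})")
    for rid, nt_name in BUILTIN_RIDS.items():
        sid = f"{BUILTIN_SID}-{rid}"
        if sid not in mapped:
            problems.append(f"no mapping for BUILTIN\\{nt_name} ({sid})")
    # Anything mapped under a third SID is stale, typically left over from the old local SID.
    for sid, (nt_name, _unix) in mapped.items():
        head, _rid = split_sid(sid)
        if head not in (sids["domain"], BUILTIN_SID):
            problems.append(f"{nt_name} is mapped under foreign SID {head}")
    return problems


# Constructed sample input: M1/DOM1 SIDs from the thread, group-map lines invented
# to show a mapping under the old local SID and two missing BUILTIN aliases.
BROKEN_GETDOMAINSID = """\
SID for local machine M1 is: S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449
"""
BROKEN_GROUPMAP = """\
Domain Admins (S-1-5-21-3981825222-1828954701-2606613544-512) -> domainadmins
Domain Users (S-1-5-21-2762780445-1763757571-3541238449-513) -> domainusers
Domain Guests (S-1-5-21-2762780445-1763757571-3541238449-514) -> domainguests
Administrators (S-1-5-32-544) -> Builtin Admins
"""
# The same host after `net setlocalsid` and `net groupmap add` for the missing entries.
FIXED_GETDOMAINSID = """\
SID for local machine M1 is: S-1-5-21-2762780445-1763757571-3541238449
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449
"""
FIXED_GROUPMAP = """\
Domain Admins (S-1-5-21-2762780445-1763757571-3541238449-512) -> domainadmins
Domain Users (S-1-5-21-2762780445-1763757571-3541238449-513) -> domainusers
Domain Guests (S-1-5-21-2762780445-1763757571-3541238449-514) -> domainguests
Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users
Guests (S-1-5-32-546) -> Builtin Guests
"""

if __name__ == "__main__":
    for label, sid_out, map_out in (("before", BROKEN_GETDOMAINSID, BROKEN_GROUPMAP),
                                    ("after", FIXED_GETDOMAINSID, FIXED_GROUPMAP)):
        print(label, check_pdc(sid_out, map_out) or "OK")
```

On a live PDC, feed it `net getdomainsid` and `net groupmap list` output captured with subprocess or a pipe. One caveat on the idmap fix in the top post: `idmap config DEFAULT:ldap_user_dn` only names the bind DN; winbind also needs that DN's password stored with `net idmap secret DEFAULT <password>`, otherwise the allocator still cannot write and the "Can Winbind allocate gids?" warnings persist.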