[Samba] Messed up SIDs: How to change machine SID?

Marcus Mundt marcus.mundt at forsa.de
Tue Jul 16 08:29:05 MDT 2013


Ok, today I was finally able to join my domain. The problem was a misconfiguration of idmap. Solution as follows:

<       idmap config DEFAULT:backend = ldap
<       idmap config DEFAULT:readonly = no
<       idmap config DEFAULT:default = yes
<       idmap config DEFAULT:ldap_base_dn = ou=people,dc=domain,dc=org
<       idmap config DEFAULT:ldap_user_dn = cn=rootuser,dc=domain,dc=org
<       idmap config DEFAULT:ldap_url = ldap://myldapserver

Thanks for everything!

-----Original Message-----
From:	Marcus Mundt <marcus.mundt at forsa.de>
Sent:	Mon 15.07.2013 15:25
Subject:	Re: [Samba] Messed up SIDs: How to change machine SID?
To:	samba at lists.samba.org; 
> I could fix the SID issues. However, the other errors and warnings remain. 
> Struggling hard to find the cause for not being able to join a domain, getting 
> "Access Denied".
> 
> SMB log:
> [2013/07/12 15:48:03.439574,  2] auth/auth.c:309(check_ntlm_password)
>   check_ntlm_password:  authentication for user [admin] -> [admin] -> [admin] 
> succeeded
> [2013/07/12 15:48:03.442335,  3] groupdb/mapping.c:772(pdb_create_builtin_alias)
>   pdb_create_builtin_alias: Could not get a gid out of winbind
> [2013/07/12 15:48:03.442450,  2] auth/token_util.c:455(finalize_local_nt_token)
>   WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind allocate 
> gids?
> [2013/07/12 15:48:03.444454,  3] groupdb/mapping.c:772(pdb_create_builtin_alias)
>   pdb_create_builtin_alias: Could not get a gid out of winbind
> [2013/07/12 15:48:03.444555,  2] auth/token_util.c:479(finalize_local_nt_token)
>   WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
> ...
> [2013/07/12 15:48:03.191990,  0] 
> rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate: no challenge sent to client N666
> ...
> [2013/07/12 15:48:03.587205,  3] smbd/connection.c:35(yield_connection)
>   Yielding connection to IPC$
> [2013/07/12 15:48:03.589351,  3] smbd/server_exit.c:181(exit_server_common)
>   Server exit (failed to receive smb request)
> 
> Questions:
> Is it mandatory that 
> Domain Admins
> Domain Users
> Domain Guests
> Domain Computers
> are spelled exactly like that? In GOsa I'm only allowed to use lower case 
> letters and no spaces. Hence I got
> domainadmins... and so forth. I don't know how to change the Windows group name 
> only.
> 
> Is a root user mandatory or may I use "admin"? Since I got no root in LDAP, but 
> tried it last week, didn't help.
> 
> Which of the domain and builtin groups are mandatory? As far as I know only
> Domain Admins 	512
> Domain Users 	513
> Domain Guests   514
> 
> and
> 
> From the builtin domain (didn't know that there is a built in domain until now)
> Administrators 	544
> Users 	        545
> Guests          546
> 
> Thanks for any help in advance! Setting up a PDC seems not too hard, but I have 
> to use our existing LDAP directory and operate on a production system :(
> 
> Cheers,
> Marcus
> 
> 
> 
> > I have an LDAP backend.
> > 
> > In LDAP, the machine accounts for my  windows and linux clients so show 
> > the same base SID as the domain SID (ie.. all but the last digits.)
> > 
> > However I also have the mismatch with "net getdomainsid" -  which 
> > definitely explains why they don't behave as I would expect.   You may 
> > want to try fixing this with "net setlocalsid."   I guess when you join a 
> > unix or linux member server to the domain the localsid is not updated.
> > 
> > Re the BUILTIN groups you may want to explicitly map these to unix 
> > groups rather than relying on winbind to do it
> > 
> > 
> > e.g.   I created  unix groups
> > 
> > #getent group ....
> > Builtin Admins::544:
> > Builtin Users::545:
> > Builtin Guests::546:
> > 
> > Then mapped the well-known built-in Windows groups to the unix groups
> > 
> > 
> > #net groupmap add ntgroup="Administrators" unixgroup=544 sid=S-1-5-32-544 type=builtin
> > #net groupmap add ntgroup="Users" unixgroup=545 sid=S-1-5-32-545 type=builtin
> > #net groupmap add ntgroup="Guests" unixgroup=546 sid=S-1-5-32-546 type=builtin
> > 
> > # net groupmap list | grep -i builtin
> > 
> > Administrators (S-1-5-32-544) -> Builtin Admins
> > Users (S-1-5-32-545) -> Builtin Users
> > Guests (S-1-5-32-546) -> Builtin Guests
> > 
> > 
> > 
> > The linux samba member servers I use mostly for IT use anyway so I never 
> > shook out all the bugs.
> > 
> > 
> > 
> > 
> > On 07/03/13 11:49, Marcus Mundt wrote:
> > > Dear Samba Gurus,
> > >
> > > I got the following errors:
> > > tail -f /var/log/samba/log.wb-DOM1
> > > [2013/07/02 15:49:19.990168,  2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
> > >    name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
> > >
> > > log.smbd
> > > [2013/07/02 15:40:51.809516,  2] auth/token_util.c:455(finalize_local_nt_token)
> > >    WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind allocate gids?
> > > [2013/07/02 15:40:51.811330,  2] auth/token_util.c:479(finalize_local_nt_token)
> > >    WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
> > >
> > >
> > > I guess the reason might be this:
> > > net getdomainsid
> > > SID for local machine M1 is: 	S-1-5-21-3981825222-1828954701-2606613544
> > > SID for domain DOM1 is: 	S-1-5-21-2762780445-1763757571-3541238449
> > >
> > > net getdomainsid
> > > SID for local machine M2 is: 	S-1-5-21-2913448378-2543514743-1508345481
> > > SID for domain DOM1 is: 	S-1-5-21-2762780445-1763757571-3541238449
> > >
> > >
> > > Shouldn't the SIDs be the same except the last digits???
> > >
> > > Cheers,
> > > Marcus
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> >
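As an added example (not code from the thread or from the Samba project), a small POSIX shell script that checks the two things this thread turns on: whether the local machine SID equals the domain SID, which it must on a PDC (net setlocalsid corrects the local one), and whether the three well-known BUILTIN aliases 544/545/546 have groupmap entries. The sample output is constructed to mirror the listings above; replace it with the real `net getdomainsid` and `net groupmap list` output.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample output stands in for
# "net getdomainsid" and "net groupmap list" so this runs offline; in use,
# call sid_state "$(net getdomainsid)" and missing_builtin_maps "$(net groupmap list)".

SAMPLE_SIDS='SID for local machine M1 is:    S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is:         S-1-5-21-2762780445-1763757571-3541238449'

# Constructed listing: Guests (546) deliberately has no mapping.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-2762780445-1763757571-3541238449-512) -> domainadmins
Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users'

# Print "match" when the local machine SID equals the domain SID, else
# "mismatch". On a PDC the two must be identical; the listing above shows
# the mismatch the thread asks about.
sid_state() {
    local_sid=$(printf '%s\n' "$1" | sed -n 's/.*local machine.*is:[[:space:]]*//p')
    domain_sid=$(printf '%s\n' "$1" | sed -n 's/.*for domain.*is:[[:space:]]*//p')
    if [ -n "$local_sid" ] && [ "$local_sid" = "$domain_sid" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Print the RIDs of the well-known BUILTIN aliases (Administrators 544,
# Users 545, Guests 546) that have no "(S-1-5-32-<rid>)" entry in the
# groupmap listing, one per line; prints nothing when all three are mapped.
missing_builtin_maps() {
    for rid in 544 545 546; do
        printf '%s\n' "$1" | grep -q "(S-1-5-32-$rid)" || echo "$rid"
    done
}

echo "local vs domain SID: $(sid_state "$SAMPLE_SIDS")"
echo "unmapped BUILTIN RIDs: $(missing_builtin_maps "$SAMPLE_GROUPMAP")"
```

Any RID the second check prints is a candidate for a `net groupmap add ... type=builtin` entry like the ones quoted above, which removes winbind from the path that produced the "Can Winbind allocate gids?" warnings.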