[Samba] SID of member server in Samba domain (smbldap_search_domain_info: NT_STATUS_UNSUCCESSFUL)

MI mi.lists at alma.ch
Sun Nov 2 10:00:14 MST 2014


I have a domain with Samba 3 acting as PDC, and using LDAP (passdb backend = ldapsam).

I now wanted to add a second Samba 3 machine as a simple file server. I get errors 
with getdomainsid and getlocalsid, so there is obviously still something wrong with 
my config.

The PDC runs Samba 3.5.6 on Debian Squeeze. SID queries return:

    # net getdomainsid
    SID for local machine MY_PDC_HOST is: S-1-5-21-4174501313-1202754954-1084205825
    SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825

    # net getlocalsid
    SID for domain MY_PDC_HOST is: S-1-5-21-4174501313-1202754954-1084205825

(So, all SIDs are the same. And there is no error)


The other server runs Samba 3.6.6 on Debian stable ("Wheezy"). At first, it wouldn't 
let me access its shares, and SID queries returned:

    # net getdomainsid
    SID for local machine OTHER is: S-1-5-21-2241737573-1899521008-914752976
    SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825

    # net getlocalsid
    SID for domain OTHER is: S-1-5-21-2241737573-1899521008-914752976

But the log file complained about mismatched domain SIDs, and wouldn't let me 
authenticate:

    auth/server_info.c:386(samu_to_SamInfo3)
       The primary group domain sid(S-1-5-21-2241737573-1899521008-914752976-513)
    does not match the domain sid(S-1-5-21-4174501313-1202754954-1084205825) for
    mi(S-1-5-21-4174501313-1202754954-1084205825-3000)

    auth/check_samsec.c:492(check_sam_security)
       check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'

    auth/auth.c:319(check_ntlm_password)
       check_ntlm_password:  Authentication for user [mi] -> [mi] FAILED with error
    NT_STATUS_UNSUCCESSFUL



So I tried to change the SID with

    # net setlocalsid S-1-5-21-4174501313-1202754954-1084205825


Now, I can access the share but SID queries give errors:

    # net getdomainsid
    *smbldap_search_domain_info: Adding domain info for OTHER failed with
    NT_STATUS_UNSUCCESSFUL*
    SID for local machine OTHER is: S-1-5-21-4174501313-1202754954-1084205825
    SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825

    # net getlocalsid
    *smbldap_search_domain_info: Adding domain info for OTHER failed with
    NT_STATUS_UNSUCCESSFUL*
    SID for domain OTHER is: S-1-5-21-4174501313-1202754954-1084205825


Is it correct to have the same SID for a machine in the domain as for the domain 
itself, or shouldn't that only be the case on the PDC?

Where do I start looking?
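The log excerpt above shows the check that Samba applies in samu_to_SamInfo3: the domain prefix of the user's and primary group's SIDs must equal the domain SID. The following is an added example, not code from the original post or from Samba: it parses the SIDs quoted in that message and reports which one belongs to a foreign domain. The log text is copied from the post; the helper names (split_sid, sid_mismatches, sids_from_log) are this example's own.

```python
import re

# S-1-5-21-<a>-<b>-<c> is the domain prefix; an optional trailing RID
# names an account or group inside that domain (513 is Domain Users).
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)(?:-(\d+))?$")


def split_sid(sid):
    """Return (domain_prefix, rid) for a domain-style SID; rid may be None."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    prefix = "S-1-5-21-%s-%s-%s" % m.group(1, 2, 3)
    rid = int(m.group(4)) if m.group(4) else None
    return prefix, rid


def sid_mismatches(domain_sid, user_sid, group_sid):
    """List (label, sid, prefix) for SIDs whose prefix is not domain_sid.

    An empty list means the logon info could be built; any entry is the
    condition behind the NT_STATUS_UNSUCCESSFUL seen in the post.
    """
    expected, _ = split_sid(domain_sid)
    bad = []
    for label, sid in (("user", user_sid), ("primary group", group_sid)):
        prefix, _ = split_sid(sid)
        if prefix != expected:
            bad.append((label, sid, prefix))
    return bad


def sids_from_log(text):
    """Extract (group_sid, domain_sid, user_sid) from a samu_to_SamInfo3 line."""
    m = re.search(r"group domain sid\((S-[\d-]+)\)\s*does not match the domain "
                  r"sid\((S-[\d-]+)\) for\s*\S+\((S-[\d-]+)\)", text)
    return m.groups() if m else None


# Log excerpt constructed from the lines quoted in the post.
LOG = """\
   The primary group domain sid(S-1-5-21-2241737573-1899521008-914752976-513)
does not match the domain sid(S-1-5-21-4174501313-1202754954-1084205825) for
mi(S-1-5-21-4174501313-1202754954-1084205825-3000)
"""

if __name__ == "__main__":
    group, domain, user = sids_from_log(LOG)
    for label, sid, prefix in sid_mismatches(domain, user, group):
        print("%s %s belongs to %s, not to the domain" % (label, sid, prefix))
```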



