[Samba] SID of member server in Samba domain (smbldap_search_domain_info: NT_STATUS_UNSUCCESSFUL)
MI
mi.lists at alma.ch
Sun Nov 2 10:00:14 MST 2014
I have a domain with Samba 3 acting as PDC, and using LDAP (passdb backend = ldapsam).
I now wanted to add a second Samba 3 machine as a simple file server. I get errors
with getdomainsid and getlocalsid, so there is obviously still something wrong with
my config.
The PDC runs Samba 3.5.6 on Debian Squeeze. SID queries return:
# net getdomainsid
SID for local machine MY_PDC_HOST is: S-1-5-21-4174501313-1202754954-1084205825
SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
# net getlocalsid
SID for domain MY_PDC_HOST is: S-1-5-21-4174501313-1202754954-1084205825
(So, all SIDs are the same. And there is no error)
The other server runs Samba 3.6.6 on Debian stable ("Wheezy"). At first, it wouldn't
let me access its shares, and SID queries returned:
# net getdomainsid
SID for local machine OTHER is: S-1-5-21-2241737573-1899521008-914752976
SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
# net getlocalsid
SID for domain OTHER is: S-1-5-21-2241737573-1899521008-914752976
But the log file complained about mismatched domain SIDs, and wouldn't let me
authenticate:
auth/server_info.c:386(samu_to_SamInfo3)
The primary group domain sid(S-1-5-21-2241737573-1899521008-914752976-513)
does not match the domain sid(S-1-5-21-4174501313-1202754954-1084205825) for
mi(S-1-5-21-4174501313-1202754954-1084205825-3000)
auth/check_samsec.c:492(check_sam_security)
check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
auth/auth.c:319(check_ntlm_password)
check_ntlm_password: Authentication for user [mi] -> [mi] FAILED with error
NT_STATUS_UNSUCCESSFUL
So I tried to change the SID with
# net setlocalsid S-1-5-21-4174501313-1202754954-1084205825
Now, I can access the share but SID queries give errors:
# net getdomainsid
*smbldap_search_domain_info: Adding domain info for OTHER failed with
NT_STATUS_UNSUCCESSFUL*
SID for local machine OTHER is: S-1-5-21-4174501313-1202754954-1084205825
SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
# net getlocalsid
*smbldap_search_domain_info: Adding domain info for OTHER failed with
NT_STATUS_UNSUCCESSFUL*
SID for domain OTHER is: S-1-5-21-4174501313-1202754954-1084205825
Is it correct to have the same SID for a machine in the domain as for the domain
itself, or shouldn't that only be the case on the PDC?
Where do I start looking?
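As an added illustration (not part of the original post), the following Python script mirrors the consistency rule behind the samu_to_SamInfo3 log line above: a SID of the form S-1-5-21-a-b-c-RID belongs to the domain S-1-5-21-a-b-c, and Samba rejects the logon when the user's or primary group's issuing domain differs from the configured domain SID. It parses `net getdomainsid` output and the SIDs quoted in the post; the function names and the embedded sample are my own construction.

```python
import re

# A domain-style SID: S-1-5-21-<a>-<b>-<c>, optionally followed by a RID.
SID_RE = re.compile(r"S-1-5-21-(\d+)-(\d+)-(\d+)(?:-(\d+))?")


def split_sid(sid):
    """Return (issuing_domain_sid, rid); rid is None for a bare domain SID."""
    m = SID_RE.fullmatch(sid.strip())
    if not m:
        raise ValueError("not a domain-style SID: %r" % sid)
    a, b, c, rid = m.groups()
    return "S-1-5-21-%s-%s-%s" % (a, b, c), (int(rid) if rid else None)


def parse_net_output(text):
    """Extract the 'local machine' and 'domain' SID lines from `net getdomainsid` output."""
    sids = {}
    for line in text.splitlines():
        m = re.search(r"SID for (local machine|domain) (\S+) is: (S-[\d-]+)", line)
        if m:
            kind, name, sid = m.groups()
            sids["local" if kind == "local machine" else "domain"] = (name, sid)
    return sids


def check_logon_sids(user_sid, group_sid, domain_sid):
    """Flag any SID not issued by domain_sid (the check that failed in the log above)."""
    problems = []
    for label, sid in (("user", user_sid), ("primary group", group_sid)):
        issuer, rid = split_sid(sid)
        if rid is None:
            problems.append("%s SID %s carries no RID" % (label, sid))
        elif issuer != domain_sid:
            problems.append("%s SID %s was issued by %s, not by domain SID %s"
                            % (label, sid, issuer, domain_sid))
    return problems


# Constructed sample: the member server's output before `net setlocalsid`.
MEMBER_OUTPUT = """\
SID for local machine OTHER is: S-1-5-21-2241737573-1899521008-914752976
SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
"""


def diagnose(net_output, user_sid, group_sid):
    """Run the logon SID check against the domain SID reported by `net`."""
    domain_sid = parse_net_output(net_output)["domain"][1]
    return check_logon_sids(user_sid, group_sid, domain_sid)


if __name__ == "__main__":
    for problem in diagnose(MEMBER_OUTPUT,
                            "S-1-5-21-4174501313-1202754954-1084205825-3000",
                            "S-1-5-21-2241737573-1899521008-914752976-513"):
        print(problem)
```

With the post's values the primary group (RID 513) is reported as issued by the member's own local SID rather than the domain SID, which is exactly the mismatch the log complained about.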