[Samba] SID of member server in Samba domain (smbldap_search_domain_info: NT_STATUS_UNSUCCESSFUL)
Gaiseric Vandal
gaiseric.vandal at gmail.com
Mon Nov 3 08:47:38 MST 2014
For a domain controller (PDC or BDC), the localsid should be the same as
the domainsid. For a member server, the local sid will be unique to
that machine, so what you are seeing is normal. I think it is a
little funny that "net getlocalsid" refers to the machine name of the
local computer as a domain but that is what I see too.
The only time you would need to change the localsid is if you were
changing a member server into a domain controller.
I find samba member servers to be more problems than domain
controllers. On my member servers I have LDAP running for the unix
account info but not samba accounts. The domain controllers use LDAP
for both unix and samba account info. I don't use winbind on the member
servers. If I look at file permissions in windows on files I own,
it shows them as owned by UNIX\myname not MYDOMAIN\myname. So
samba doesn't recognize that the windows user is a member of the domain
but at least it maps the samba user to the LDAP unix user when granting
file access. (It makes changing permissions via windows difficult,
but users can also ssh to the server.)
I tried configuring the samba member servers to use LDAP for the idmap
backend to keep the SID-to-ID consistent on all systems but with no luck.
On 11/02/14 12:00, MI wrote:
> I have a domain with Samba 3 acting as PDC, and using LDAP (passdb
> backend = ldapsam).
>
> I now wanted to add a second Samba 3 machine as a simple file server.
> I get errors with getdomainsid and getlocalsid, so there is obviously
> still something wrong with my config.
>
> The PDC runs Samba 3.5.6 on Debian Squeeze. Sid queries return:
>
> # net getdomainsid
> SID for local machine MY_PDC_HOST is:
> S-1-5-21-4174501313-1202754954-1084205825
> SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
>
> # net getlocalsid
> SID for domain MY_PDC_HOST is:
> S-1-5-21-4174501313-1202754954-1084205825
>
> (So, all SIDs are the same. And there is no error)
>
>
> The other server runs Samba 3.6.6 on Debian stable ("Wheezy"). At
> first, it wouldn't let me access its shares, and SID queries returned:
>
> # net getdomainsid
> SID for local machine OTHER is:
> S-1-5-21-2241737573-1899521008-914752976
> SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
>
> # net getlocalsid
> SID for domain OTHER is: S-1-5-21-2241737573-1899521008-914752976
>
> But the log file complained about mismatched domain SIDs, and wouldn't
> let me authenticate:
>
> auth/server_info.c:386(samu_to_SamInfo3)
> The primary group domain
> sid(S-1-5-21-2241737573-1899521008-914752976-513)
> does not match the domain
> sid(S-1-5-21-4174501313-1202754954-1084205825) for
> mi(S-1-5-21-4174501313-1202754954-1084205825-3000)
>
> auth/check_samsec.c:492(check_sam_security)
> check_sam_security: make_server_info_sam() failed with
> 'NT_STATUS_UNSUCCESSFUL'
>
> auth/auth.c:319(check_ntlm_password)
> check_ntlm_password: Authentication for user [mi] -> [mi]
> FAILED with error
> NT_STATUS_UNSUCCESSFUL
>
>
>
> So I tried to change the SID with
>
> # net setlocalsid S-1-5-21-4174501313-1202754954-1084205825
>
>
> Now, I can access the share but SID queries give errors:
>
> # net getdomainsid
> *smbldap_search_domain_info: Adding domain info for OTHER failed with
> NT_STATUS_UNSUCCESSFUL*
> SID for local machine OTHER is:
> S-1-5-21-4174501313-1202754954-1084205825
> SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
>
> # net getlocalsid
> *smbldap_search_domain_info: Adding domain info for OTHER failed with
> NT_STATUS_UNSUCCESSFUL*
> SID for domain OTHER is: S-1-5-21-4174501313-1202754954-1084205825
>
>
> Is it correct to have the same SID for a machine in the domain as for
> the domain itself, or shouldn't that only be the case on the PDC?
>
> Where do I start looking?
>
>
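As an added example (not part of either message in the thread), the rule behind the quoted samu_to_SamInfo3 message, checked in Python against the SIDs from MI's log: the user SID and the primary group SID must both carry the domain SID as their domain part, which fails while the member server builds group RID 513 from its own local SID. The log-line parser assumes the exact message layout quoted above.

```python
import re

# Any SID: S-1-<authority>-<subauthority>[-<subauthority>...]
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

def split_sid(sid):
    """Split S-1-5-21-A-B-C-RID into (domain part, RID)."""
    if not SID_RE.fullmatch(sid):
        raise ValueError("not a SID: " + sid)
    head, _, rid = sid.rpartition("-")
    return head, int(rid)

def check_primary_group(user_sid, group_sid, domain_sid):
    """Mirror the samu_to_SamInfo3 rule from the quoted log: the user SID and
    the primary group SID must both carry domain_sid as their domain part.
    Returns a list of problems; an empty list means the login would pass."""
    problems = []
    for label, sid in (("user", user_sid), ("primary group", group_sid)):
        dom, rid = split_sid(sid)
        if dom != domain_sid:
            problems.append(f"{label} RID {rid} belongs to {dom}, not {domain_sid}")
    return problems

def sids_from_log(line):
    """Pull the three SIDs out of a samu_to_SamInfo3 message. The quoted
    format lists them in the order: primary group, domain, user (assumption)."""
    group, domain, user = SID_RE.findall(line)
    return user, group, domain

# Log line quoted in the thread (joined onto one line).
LOG_LINE = ("The primary group domain sid(S-1-5-21-2241737573-1899521008-914752976-513) "
            "does not match the domain sid(S-1-5-21-4174501313-1202754954-1084205825) "
            "for mi(S-1-5-21-4174501313-1202754954-1084205825-3000)")

DOMAIN_SID = "S-1-5-21-4174501313-1202754954-1084205825"  # MY_DOMAIN, from the thread

def failing_case():
    """The thread's situation: group 513 was built from OTHER's local SID."""
    return check_primary_group(*sids_from_log(LOG_LINE))

def passing_case():
    """Same user, primary group resolved under the domain SID instead."""
    return check_primary_group(DOMAIN_SID + "-3000", DOMAIN_SID + "-513", DOMAIN_SID)

if __name__ == "__main__":
    print("failing:", failing_case())
    print("passing:", passing_case())
```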