[Samba] SID of member server in Samba domain (smbldap_search_domain_info: NT_STATUS_UNSUCCESSFUL)
MI
mi.lists at alma.ch
Mon Nov 3 10:39:23 MST 2014
> For a domain controller (PDC or BDC), the localsid should be the same as the
> domainsid. For a member server, the local sid will be unique to that machine,
> so what you are seeing is normal.
Well, that is what I originally had. A different local SID for the member server, and
no error. Everything looked fine, except that I couldn't authenticate.
> I think it is a little funny that "net getlocalsid" refers to the machine name of
> the local computer as a domain but that is what I see too.
>
> The only time you would need to change the localsid is if you were changing a
> member server into a domain controller.
>
> I find samba member servers to be more problems than domain controllers. On my
> member servers I have LDAP running for the unix account info but not samba
> accounts. The domain controllers use LDAP for both unix and samba account info.
> I don't use winbind on the member servers. If I look at file permissions in
> windows on files I own, it shows them as owned by UNIX\myname not
> MYDOMAIN\myname. So samba doesn't recognize that the windows user is a
> member of the domain but at least it maps the samba user to the LDAP unix user when
> granting file access.
I haven't configured winbind either. Nor idmap. Neither on the PDC, nor on the member
server. Maybe I should?
> (It makes changing permissions via windows difficult, but users can also ssh
> to the server.)
>
Your users can SSH? You are lucky to have very special users. Most of mine can't even
open a command prompt to type "ping ..." into it, without patient hand-holding ...
It must be possible to have a member server while still using the LDAP server which
is on the PDC. In the manual, I found explanations for a BDC, but not for a plain
file server.
If someone has this working, please share...
MI
>
> On 11/02/14 12:00, MI wrote:
>> I have a domain with Samba 3 acting as PDC, and using LDAP (passdb backend =
>> ldapsam).
>>
>> I now wanted to add a second Samba 3 machine as a simple file server. I get errors
>> with getdomainsid and getlocalsid, so there is obviously still something wrong
>> with my config.
>>
>> The PDC runs Samba 3.5.6 on Debian Squeeze. Sid queries return:
>>
>> # net getdomainsid
>> SID for local machine MY_PDC_HOST is: S-1-5-21-4174501313-1202754954-1084205825
>> SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
>>
>> # net getlocalsid
>> SID for domain MY_PDC_HOST is: S-1-5-21-4174501313-1202754954-1084205825
>>
>> (So, all SIDs are the same. And there is no error)
>>
>>
>> The other server runs Samba 3.6.6 on Debian stable ("Wheezy"). At first, it
>> wouldn't let me access its shares, and SID queries returned:
>>
>> # net getdomainsid
>> SID for local machine OTHER is: S-1-5-21-2241737573-1899521008-914752976
>> SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
>>
>> # net getlocalsid
>> SID for domain OTHER is: S-1-5-21-2241737573-1899521008-914752976
>>
>> But the log file complained about mismatched domain SIDs, and wouldn't let me
>> authenticate:
>>
>> auth/server_info.c:386(samu_to_SamInfo3)
>> The primary group domain sid(S-1-5-21-2241737573-1899521008-914752976-513)
>> does not match the domain sid(S-1-5-21-4174501313-1202754954-1084205825) for
>> mi(S-1-5-21-4174501313-1202754954-1084205825-3000)
>>
>> auth/check_samsec.c:492(check_sam_security)
>> check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
>>
>> auth/auth.c:319(check_ntlm_password)
>> check_ntlm_password: Authentication for user [mi] -> [mi] FAILED with error
>> NT_STATUS_UNSUCCESSFUL
>>
>>
>>
>> So I tried to change the SID with
>>
>> # net setlocalsid S-1-5-21-4174501313-1202754954-1084205825
>>
>>
>> Now, I can access the share but SID queries give errors:
>>
>> # net getdomainsid
>> *smbldap_search_domain_info: Adding domain info for OTHER failed with
>> NT_STATUS_UNSUCCESSFUL*
>> SID for local machine OTHER is: S-1-5-21-4174501313-1202754954-1084205825
>> SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
>>
>> # net getlocalsid
>> *smbldap_search_domain_info: Adding domain info for OTHER failed with
>> NT_STATUS_UNSUCCESSFUL*
>> SID for domain OTHER is: S-1-5-21-4174501313-1202754954-1084205825
>>
>>
>> Is it correct to have the same SID for a machine in the domain as for the domain
>> itself, or shouldn't that only be the case on the PDC?
>>
>> Where do I start looking?
>>
>>
>
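The reply above states the rule the thread is circling: a domain controller's local SID equals the domain SID, a member server's local SID is its own, and the `samu_to_SamInfo3` log line fails because the primary group SID (local SID + RID 513) does not share the domain SID prefix of the user account. The script below, an added example that is not part of this mailing-list thread and not Samba's own code, parses that quoted log line and the SIDs quoted from `net getlocalsid` / `net getdomainsid`, and reports which SID breaks which rule. The role labels `"dc"` and `"member"` and the function names are assumptions made for this example; the SID values are the ones quoted in the thread.

```python
"""Check SID consistency for a Samba PDC or member server.

Added example, not from the thread or from Samba. Rules encoded:
  * a DC's local SID must equal the domain SID;
  * a member server's local SID should differ from the domain SID;
  * every account SID issued for the domain (user and primary group) must
    carry the domain SID as its prefix, which is what the quoted
    auth/server_info.c samu_to_SamInfo3 message complains about.
"""
import re

# Domain SID: S-1-5-21 plus three sub-authorities, no RID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}$")
# Account SID: domain SID plus a trailing RID.
ACCOUNT_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")
RID_DOMAIN_USERS = 513  # well-known RID of "Domain Users"

# The log line quoted in the thread, joined onto one line (constructed input).
SAMPLE_LOG = (
    "The primary group domain sid(S-1-5-21-2241737573-1899521008-914752976-513) "
    "does not match the domain sid(S-1-5-21-4174501313-1202754954-1084205825) for "
    "mi(S-1-5-21-4174501313-1202754954-1084205825-3000)"
)
LOG_RE = re.compile(
    r"primary group domain sid\((?P<group>S-[-\d]+)\) does not match the domain "
    r"sid\((?P<domain>S-[-\d]+)\) for (?P<user>\w+)\((?P<user_sid>S-[-\d]+)\)"
)


def split_account_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID)."""
    if not ACCOUNT_SID_RE.match(sid):
        raise ValueError("not a domain account SID: %s" % sid)
    prefix, rid = sid.rsplit("-", 1)
    return prefix, int(rid)


def check_local_sid(role, local_sid, domain_sid):
    """Return a list of problems for this host's role ('dc' or 'member')."""
    problems = [s for s in (local_sid, domain_sid) if not DOMAIN_SID_RE.match(s)]
    if problems:
        return ["malformed SID: %s" % s for s in problems]
    if role == "dc" and local_sid != domain_sid:
        problems.append("DC local SID %s must equal domain SID %s" % (local_sid, domain_sid))
    elif role == "member" and local_sid == domain_sid:
        problems.append("member server local SID should be its own, not the domain SID")
    return problems


def check_account_sids(user_sid, group_sid, domain_sid):
    """Same test samu_to_SamInfo3 applies: user and primary group live in the domain."""
    problems = []
    for label, sid in (("user", user_sid), ("primary group", group_sid)):
        prefix, _rid = split_account_sid(sid)
        if prefix != domain_sid:
            problems.append("%s SID %s is in domain %s, not %s" % (label, sid, prefix, domain_sid))
    return problems


def diagnose_log_line(line):
    """Parse the samu_to_SamInfo3 message and explain the mismatch, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    problems = check_account_sids(m["user_sid"], m["group"], m["domain"])
    group_prefix, rid = split_account_sid(m["group"])
    hint = None
    if rid == RID_DOMAIN_USERS and group_prefix != m["domain"]:
        # The group SID was built from another SID (typically the host's own
        # local SID), so 'net getlocalsid' on this host is the first thing to compare.
        hint = ("primary group RID %d was built from %s; compare 'net getlocalsid' "
                "on this host with 'net getdomainsid'" % (rid, group_prefix))
    return {"user": m["user"], "problems": problems, "hint": hint}


if __name__ == "__main__":
    pdc = "S-1-5-21-4174501313-1202754954-1084205825"
    other = "S-1-5-21-2241737573-1899521008-914752976"
    print("PDC:", check_local_sid("dc", pdc, pdc) or "ok")
    print("member (own SID):", check_local_sid("member", other, pdc) or "ok")
    print("member (setlocalsid to domain):", check_local_sid("member", pdc, pdc))
    print(diagnose_log_line(SAMPLE_LOG))
```

Run against the values in the thread it reports the member server's original local SID as normal, flags the local SID copied from the PDC with `net setlocalsid`, and for the quoted log line it names the primary group SID as the one outside the domain and points at the local SID as its origin.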