[Samba] SID of member server in Samba domain (smbldap_search_domain_info: NT_STATUS_UNSUCCESSFUL)

MI mi.lists at alma.ch
Mon Nov 3 10:39:23 MST 2014


> For a domain controller (PDC or BDC), the localsid should be the same as the 
> domainsid. For a member server, the local sid will be unique to that machine, 
> so what you are seeing is normal.

Well, that is what I originally had. A different local SID for the member server, and 
no error. Everything looked fine, except that I couldn't authenticate.

> I think it is a little funny that "net getlocalsid" refers to the machine name of 
> the local computer as a domain but that is what I see too.
>
> The only time you would need to change the localsid is if you were changing a 
> member server into a domain controller.
>
> I find samba member servers to be more problems than domain controllers. On my 
> member servers I have LDAP running for the unix account info but not samba 
> accounts. The domain controllers use LDAP for both unix and samba account info. 
> I don't use winbind on the member servers. If I look at file permissions in 
> windows on files I own, it shows them as owned by UNIX\myname not 
> MYDOMAIN\myname. So samba doesn't recognize that the windows user is a 
> member of the domain but at least it maps the samba user to the LDAP unix user when 
> granting file access.

I haven't configured winbind either. Nor idmap. Neither on the PDC, nor on the member 
server. Maybe I should?


> (It makes changing permissions via windows difficult, but users can also ssh 
> to the server.)
>

Your users can SSH? You are lucky to have very special users. Most of mine can't even 
open a command prompt to type "ping ..."  into it, without patient hand-holding ...


It must be possible to have a member server while still using the LDAP server which 
is on the PDC. In the manual, I found explanations for a BDC, but not for a plain 
file server.

If someone has this working, please share...

MI

>
> On 11/02/14 12:00, MI wrote:
>> I have a domain with Samba 3 acting as PDC, and using LDAP (passdb backend = 
>> ldapsam).
>>
>> I now wanted to add a second Samba 3 machine as a simple file server. I get errors 
>> with getdomainsid and getlocalsid, so there is obviously still something wrong 
>> with my config.
>>
>> The PDC runs Samba 3.5.6 on Debian Squeeze. Sid queries return:
>>
>>    # net getdomainsid
>>    SID for local machine MY_PDC_HOST is: S-1-5-21-4174501313-1202754954-1084205825
>>    SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
>>
>>    # net getlocalsid
>>    SID for domain MY_PDC_HOST is: S-1-5-21-4174501313-1202754954-1084205825
>>
>> (So, all SIDs are the same. And there is no error)
>>
>>
>> The other server runs Samba 3.6.6 on Debian stable ("Wheezy"). At first, it 
>> wouldn't let me access its shares, and SID queries returned:
>>
>>    # net getdomainsid
>>    SID for local machine OTHER is: S-1-5-21-2241737573-1899521008-914752976
>>    SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
>>
>>    # net getlocalsid
>>    SID for domain OTHER is: S-1-5-21-2241737573-1899521008-914752976
>>
>> But the log file complained about mismatched domain SIDs, and wouldn't let me 
>> authenticate:
>>
>>    auth/server_info.c:386(samu_to_SamInfo3)
>>       The primary group domain sid(S-1-5-21-2241737573-1899521008-914752976-513)
>>    does not match the domain sid(S-1-5-21-4174501313-1202754954-1084205825) for
>>    mi(S-1-5-21-4174501313-1202754954-1084205825-3000)
>>
>>    auth/check_samsec.c:492(check_sam_security)
>>       check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
>>
>>    auth/auth.c:319(check_ntlm_password)
>>       check_ntlm_password:  Authentication for user [mi] -> [mi] FAILED with error
>>    NT_STATUS_UNSUCCESSFUL
>>
>>
>>
>> So I tried to change the SID with
>>
>>    # net setlocalsid S-1-5-21-4174501313-1202754954-1084205825
>>
>>
>> Now, I can access the share but SID queries give errors:
>>
>>    # net getdomainsid
>>    *smbldap_search_domain_info: Adding domain info for OTHER failed with
>>    NT_STATUS_UNSUCCESSFUL*
>>    SID for local machine OTHER is: S-1-5-21-4174501313-1202754954-1084205825
>>    SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
>>
>>    # net getlocalsid
>>    *smbldap_search_domain_info: Adding domain info for OTHER failed with
>>    NT_STATUS_UNSUCCESSFUL*
>>    SID for domain OTHER is: S-1-5-21-4174501313-1202754954-1084205825
>>
>>
>> Is it correct to have the same SID for a machine in the domain as for the domain 
>> itself, or shouldn't that only be the case on the PDC?
>>
>> Where do I start looking?
>>
>>
>
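The check below is an added example for readers of this thread; it is not code from the thread or from the Samba project. It applies the rule the reply states (controllers share the domain SID, a member server keeps its own) to the output of `net getdomainsid`, and it parses the `samu_to_SamInfo3` mismatch message MI quoted to see which machine's SID prefix ended up on the user's primary group. It assumes the `net` output and log line formats are exactly as shown above, and that the caller knows the server role (`pdc`, `bdc` or `member`); the sample data is copied from the member server output in the original post.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Assumptions: `net getdomainsid` / `net getlocalsid` output and the
# samu_to_SamInfo3 log message look exactly as quoted in the thread, and
# the server role ("pdc", "bdc" or "member") is supplied by the caller.

# Print the SID on the first line of `net` output that matches $1
# (e.g. "SID for domain" or "SID for local machine").
sid_from() {
    grep "$1" | sed -n 's/.*is: *\(S-1-5-21-[0-9-]*\).*/\1/p' | head -n 1
}

# Verdict on local SID ($2) versus domain SID ($3) for the role in $1.
check_sids() {
    case "$1" in
        pdc|bdc)
            if [ "$2" = "$3" ]; then echo "OK: controller local SID equals domain SID"
            else echo "PROBLEM: controller local SID differs from domain SID"; fi ;;
        member)
            if [ "$2" = "$3" ]; then echo "PROBLEM: member server local SID equals domain SID"
            else echo "OK: member server has its own local SID"; fi ;;
        *)  echo "UNKNOWN ROLE: $1"; return 1 ;;
    esac
}

# From a samu_to_SamInfo3 "does not match" message on stdin (it may be
# wrapped over several lines), print:
#   "<domain part of the primary group SID> <domain SID>"
mismatch_sids() {
    tr '\n' ' ' | sed -n 's/.*primary group domain sid(\(S-1-5-21-[0-9-]*\)-[0-9]*).*does not match the domain sid(\(S-1-5-21-[0-9-]*\)).*/\1 \2/p'
}

# Succeeds when the primary group SID in log message $1 was built from the
# local machine SID $2 rather than the domain SID.
group_prefix_is_local() {
    prefix=$(printf '%s\n' "$1" | mismatch_sids | cut -d' ' -f1)
    [ "$prefix" = "$2" ]
}

# --- constructed sample data, copied from the member server output above ---
NET_OUT='SID for local machine OTHER is: S-1-5-21-2241737573-1899521008-914752976
SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825'

LOG_MSG='   The primary group domain sid(S-1-5-21-2241737573-1899521008-914752976-513)
does not match the domain sid(S-1-5-21-4174501313-1202754954-1084205825) for
mi(S-1-5-21-4174501313-1202754954-1084205825-3000)'

# Usage: on a real box replace NET_OUT with `net getdomainsid` output.
local_sid=$(printf '%s\n' "$NET_OUT" | sid_from "SID for local machine")
domain_sid=$(printf '%s\n' "$NET_OUT" | sid_from "SID for domain")
check_sids member "$local_sid" "$domain_sid"

if group_prefix_is_local "$LOG_MSG" "$local_sid"; then
    echo "primary group SID carries the member server's local SID, not the domain SID"
fi
```

On MI's member server this reports the local SID as correctly distinct from the domain SID, and then flags that the primary group SID in the log was prefixed with that local SID; the two findings together locate the failure in how the group SID is built on the member, not in the local SID itself, which is why `net setlocalsid` to the domain SID only traded the authentication error for the `smbldap_search_domain_info` one.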



