[Samba] SID of member server in Samba domain (smbldap_search_domain_info: NT_STATUS_UNSUCCESSFUL)

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Nov 3 13:30:52 MST 2014

If the group SID is showing up as wrong, that means that the client 
machine is telling the server that "LOCALMACHINENAME\someuser" is trying 
to connect to the server, not "MY_DOMAIN\someuser".

Does "net rpc testjoin" on the member server work OK?

If you enable winbind, does "wbinfo -u" show the users?

Per the "idmap_rid" man page, you should be able to enable idmapping 
without explicitly configuring an idmap backend in LDAP or TDB, though 
it never worked for me. I tried to have an LDAP backend for idmapping 
on member servers (see idmap_ldap), but I think that may not be allowed 
with member servers anyway.

When I look through the logs in /var/log/samba on the member server, I 
can see that (even without winbind) the users are presumed to be in the domain.

My DCs are Solaris 10 with Samba 3.6.x but the member servers are 
Fedora Core 19 with Samba 4.x, although I think Samba 4.x as a member 
server of a "Classic" domain is effectively the same as Samba 3.x.

I have not specified any user mapping options in smb.conf

On 11/03/14 13:57, Márcio Merlone wrote:
> On 02-11-2014 15:00, MI wrote:
>> The PDC runs Samba 3.5.6 on Debian Squeeze. SID queries return:
>>    # net getdomainsid
>>    SID for local machine MY_PDC_HOST is: S-1-5-21-4174501313-1202754954-1084205825
>>    SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
> (...)
>> The other server runs Samba 3.6.6 on Debian stable ("Wheezy"). At 
>> first, it wouldn't let me access its shares, and SID queries returned:
>>    # net getdomainsid
>>    SID for local machine OTHER is: S-1-5-21-2241737573-1899521008-914752976
>>    SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
> (...)
>> But the log file complained about mismatched domain SIDs, and 
>> wouldn't let me authenticate:
>>    auth/server_info.c:386(samu_to_SamInfo3)
>>       The primary group domain sid(S-1-5-21-2241737573-1899521008-914752976-513)
>>    does not match the domain sid(S-1-5-21-4174501313-1202754954-1084205825) for
>>    mi(S-1-5-21-4174501313-1202754954-1084205825-3000)
> Hi,
> I'm not a samba guru, but I believe your group's SID is wrong:
> *S-1-5-21-4174501313-1202754954-1084205825* ->Domain SID
> *S-1-5-21-4174501313-1202754954-1084205825*-3000 -> User SID
> *S-1-5-21-2241737573-1899521008-914752976*-513 -> Group SID
> AFAIK, domain groups and users must match their SID with the domain, 
> so I think your group SID should be:
> S-1-5-21-4174501313-1202754954-1084205825-513
> Samba boffins will correct me if wrong.
> Best regards.
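The SID structure Márcio walks through above (domain SID plus a trailing RID, with 513 being Domain Users) is easy to check mechanically. The following is an added example, not code from the samba thread or from the Samba project: it parses SIDs the way the thread describes them, runs the same prefix comparison the quoted samu_to_SamInfo3 log line reports (and the same check on the user SID), and pulls the three SIDs straight out of such a log line. The SID values and the log excerpt are the ones quoted in the thread; the function names and the well-known RID table are this example's own.

```python
"""
Added example (not from the samba thread or the Samba project): check whether
a user SID and its primary group SID carry the server's domain SID as prefix,
which is what the samu_to_SamInfo3 complaint quoted in the thread is about.

A domain-style SID is S-1-5-21-<a>-<b>-<c>; an account SID appends one more
subauthority, the RID.  In the thread the group SID was built under the
member server's *local* SID (S-1-5-21-2241737573-...), so the check fails.
"""
import re

# Domain SID with an optional trailing RID.  Each subauthority is 32 bits.
_SID_RE = re.compile(r"^(S-1-5-21-\d{1,10}-\d{1,10}-\d{1,10})(?:-(\d{1,10}))?$")

# Well-known RIDs present in every NT-style domain.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers"}

# SIDs quoted in the thread above.
PDC_DOMAIN_SID = "S-1-5-21-4174501313-1202754954-1084205825"
MEMBER_LOCAL_SID = "S-1-5-21-2241737573-1899521008-914752976"

# The log excerpt quoted in the thread, re-joined onto one line here.
SAMPLE_LOG = ("auth/server_info.c:386(samu_to_SamInfo3) The primary group domain "
              f"sid({MEMBER_LOCAL_SID}-513) does not match the domain "
              f"sid({PDC_DOMAIN_SID}) for mi({PDC_DOMAIN_SID}-3000)")


def split_sid(sid):
    """Return (domain_sid, rid); rid is None when `sid` is a bare domain SID."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-style SID: {sid!r}")
    for sub in sid.split("-")[4:]:            # the three subauthorities (+ RID)
        if int(sub) > 0xFFFFFFFF:
            raise ValueError(f"subauthority {sub} exceeds 32 bits in {sid!r}")
    domain, rid = m.group(1), m.group(2)
    return domain, (int(rid) if rid is not None else None)


def check_sam_info3(domain_sid, user_sid, group_sid):
    """Prefix check analogous to the one the quoted log line reports.

    Returns a list of problems; an empty list means both account SIDs sit
    in `domain_sid`.  Each problem names the SID the server would expect.
    """
    if split_sid(domain_sid)[1] is not None:
        raise ValueError("domain_sid must not carry a RID")
    problems = []
    for label, sid in (("user", user_sid), ("primary group", group_sid)):
        dom, rid = split_sid(sid)
        if rid is None:
            raise ValueError(f"{label} SID {sid!r} has no RID")
        if dom != domain_sid:
            name = WELL_KNOWN_RIDS.get(rid)
            hint = f" ({name})" if name else ""
            problems.append(f"{label} sid {sid} belongs to domain {dom}, "
                            f"not {domain_sid}; expected {domain_sid}-{rid}{hint}")
    return problems


_LOG_RE = re.compile(
    r"primary group domain sid\((?P<group>S-[\d-]+)\) does not match the domain "
    r"sid\((?P<domain>S-[\d-]+)\) for \S+?\((?P<user>S-[\d-]+)\)")


def diagnose_log(text):
    """Extract the three SIDs from a (possibly line-wrapped) samu_to_SamInfo3
    complaint and run the check on them.  Returns None if no such line is found."""
    m = _LOG_RE.search(" ".join(text.split()))
    if m is None:
        return None
    return check_sam_info3(m["domain"], m["user"], m["group"])


if __name__ == "__main__":
    for p in diagnose_log(SAMPLE_LOG) or ["no samu_to_SamInfo3 complaint found"]:
        print(p)
```

Run against the quoted excerpt it reports the group SID as belonging to the member server's local SID and names S-1-5-21-4174501313-1202754954-1084205825-513 (Domain Users) as the SID the server needed, which is Márcio's conclusion. The check only says which prefix is wrong, not why; on the member server, `net groupmap list` shows which SID each Unix group has been mapped to.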
