[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working
rowlandpenny241155 at gmail.com
Mon Jul 6 11:22:57 UTC 2015
On 06/07/15 11:33, Roland Schwingel wrote:
> Thanks for your reply,
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote on 06.07.2015
> > > In the first 2 lines of the log I see the SIDs dumped.
> > > Both for my domain and for my member server.
> > >
> > > SID for local machine OSUSE-TEST is:
> > > S-1-5-21-1853263269-3041869306-167322181
> > > SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
> > > Join to 'MYDOM' is OK
> > >
> > > According to my LDAP the sid for my test member server (OSUSE-TEST)
> > > should be S-1-5-21-290147797-1639656955-1287535205-61405
> > Just what do you mean by 'According to my LDAP'?
> > Have *you* set the SID somewhere?
> We have a quite big LDAP and DNS setup. This is one reason why we
> can't switch to Samba as AD right now. I made a little PHP script a
> decade ago which is hooked in as "add machine script" to my PDC. This
> script searches for a free domain SID and creates a machine account in
> LDAP. This has worked very well for many years now.
> The sid for MYDOM is:
> The sid for my domain member server in this domain is therefore:
> Here is the ldif for my still not working member server:
> # osuse-test$, computers, samba, mydom.com
> dn: uid=osuse-test$,ou=computers,ou=samba,dc=mydom,dc=com
> sambaPwdLastSet: 1436177562
> sambaNTPassword: B404FFE84BE2F31569CF908B3F2B6020
> sambaAcctFlags: [WX ]
> uid: osuse-test$
> cn: osuse-test$
> displayName: osuse-test$
> gidNumber: 515
> gecos: Computer
> description: Computer
> homeDirectory: /dev/null
> loginShell: /bin/false
> uidNumber: 61405
> sambaSID: S-1-5-21-290147797-1639656955-1287535205-61405
> sambaPrimaryGroupSID: S-1-5-21-290147797-1639656955-1287535205-515
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> sambaKickoffTime: 2147483647
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaDomainName: MYDOM
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> objectClass: sambaSAMAccount
There doesn't seem to be anything wrong with that ldif.
> I have bootstrapped my samba member server before joining the domain with
> net setdomainsid S-1-5-21-290147797-1639656955-1287535205
> During 'net rpc join' the domain SID ending in -61405 was generated by my
> PHP script and written to LDAP.
> On my member server I get the following output of these commands:
> net getlocalsid => S-1-5-21-1853263269-3041869306-167322181
> net getdomainsid => S-1-5-21-290147797-1639656955-1287535205
I take it that you ran 'net getdomainsid' on the PDC and this is the SID
you are using.
> Is there no way to detect on my PDC what the problem is? Why is my
> Samba PDC rejecting my Samba member server...?
Permissions? Is the join correct?
It has been some time since I did anything major with an LDAP PDC, and
even then I used the smbldap tools. It seems strange that 3.6 works but
4.2.2 doesn't. Have you looked into the bug report that was posted in
this thread?
From my understanding, you should be able to use 4.2.x just like 3.6.x,
but there are slight differences as I pointed out.
What are the problems, reasons etc. for not moving to AD? I ask this
because you seem to be trying to set up a new domain, and surely this is
the very time to upgrade.
> Thanks for your help again,
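The thread turns on whether the machine account's SIDs in LDAP agree with what `net getdomainsid` and `net getlocalsid` report on the member. The following checker is an added example, not code from the thread or from Samba; it parses a constructed LDIF entry built from the fields quoted above (password hash omitted) and flags the mismatches a Samba 3-style PDC would stumble over. The rule that the RID equals uidNumber is the convention visible in the poster's entry, not a Samba requirement.

```python
import re

# Constructed sample entry, reduced to the SID-relevant attributes from the thread.
SAMPLE_LDIF = """\
dn: uid=osuse-test$,ou=computers,ou=samba,dc=mydom,dc=com
uid: osuse-test$
gidNumber: 515
uidNumber: 61405
sambaSID: S-1-5-21-290147797-1639656955-1287535205-61405
sambaPrimaryGroupSID: S-1-5-21-290147797-1639656955-1287535205-515
sambaDomainName: MYDOM
sambaAcctFlags: [WX ]
"""

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

def parse_ldif(text):
    """Minimal single-entry LDIF parser: attribute -> list of values."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(": ")
        entry.setdefault(key, []).append(value)
    return entry

def check_machine_account(entry, domain_sid, local_sid):
    """Return a list of findings; an empty list means the account is consistent."""
    findings = []
    if not DOMAIN_SID_RE.match(domain_sid):
        findings.append(f"{domain_sid} is not a well-formed domain SID")
    sid = entry["sambaSID"][0]
    sid_domain, _, rid = sid.rpartition("-")
    if sid_domain != domain_sid:
        findings.append(f"sambaSID {sid} is not under domain SID {domain_sid}")
    if rid != entry["uidNumber"][0]:  # site convention seen in the thread: RID == uidNumber
        findings.append(f"RID {rid} differs from uidNumber {entry['uidNumber'][0]}")
    if entry["sambaPrimaryGroupSID"][0] != f"{domain_sid}-515":
        findings.append("primary group is not Domain Computers (RID 515) of this domain")
    if "W" not in entry.get("sambaAcctFlags", [""])[0]:
        findings.append("sambaAcctFlags lacks the workstation flag W")
    if local_sid == domain_sid:
        findings.append("member's local SID equals the domain SID; a member keeps its own SID")
    return findings

if __name__ == "__main__":
    for f in check_machine_account(parse_ldif(SAMPLE_LDIF),
                                   "S-1-5-21-290147797-1639656955-1287535205",
                                   "S-1-5-21-1853263269-3041869306-167322181"):
        print("MISMATCH:", f)
```

Run it with the real `net getdomainsid` and `net getlocalsid` values from the member and an `ldapsearch` dump of the machine account; anything printed is a concrete reason the PDC may refuse the account.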