[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working

Rowland Penny rowlandpenny241155 at gmail.com
Mon Jul 6 11:22:57 UTC 2015


On 06/07/15 11:33, Roland Schwingel wrote:
>
> Thanks for your reply,
>
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote on 06.07.2015 
> 10:03:20:
>
> > > In the first 2 lines of the log I see the SIDs dumped.
> > > Both for my domain and for my member server.
> > >
> > > SID for local machine OSUSE-TEST is:
> > > S-1-5-21-1853263269-3041869306-167322181
> > > SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
> > > Join to 'MYDOM' is OK
> > >
> > > According to my LDAP the sid for my test member server (OSUSE-TEST)
> > > should be S-1-5-21-290147797-1639656955-1287535205-61405
> >
> > Just what do you mean by 'According to my LDAP' ?
> > Have *you* set the SID somewhere?
> We have a quite big LDAP and DNS setup. This is one reason why we 
> can't switch to samba as AD right now. I made a little php script a 
> decade ago which is hooked in as "add machine script" to my PDC. This 
> script searches for a free domain sid and creates a machine account in 
> LDAP. This has worked very well for many years now.
>
> The sid for MYDOM is:
> S-1-5-21-290147797-1639656955-1287535205
> The sid for my domain member server in this domain is therefore: 
> S-1-5-21-290147797-1639656955-1287535205-61405
>
> Here is the ldif for my still not working member server:
> # osuse-test$, computers, samba, mydom.com
> dn: uid=osuse-test$,ou=computers,ou=samba,dc=mydom,dc=com
> sambaPwdLastSet: 1436177562
> sambaNTPassword: B404FFE84BE2F31569CF908B3F2B6020
> sambaAcctFlags: [WX         ]
> uid: osuse-test$
> cn: osuse-test$
> displayName: osuse-test$
> gidNumber: 515
> gecos: Computer
> description: Computer
> homeDirectory: /dev/null
> loginShell: /bin/false
> uidNumber: 61405
> sambaSID: S-1-5-21-290147797-1639656955-1287535205-61405
> sambaPrimaryGroupSID: S-1-5-21-290147797-1639656955-1287535205-515
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> sambaKickoffTime: 2147483647
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaDomainName: MYDOM
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> objectClass: sambaSAMAccount

There doesn't seem to be anything wrong with that ldif.

>
> I have bootstrapped my samba member server before joining the domain with
> net setdomainsid S-1-5-21-290147797-1639656955-1287535205
> During net rpc join the domain SID ending in -61405 was generated by my 
> php script and written to LDAP.
>
> On my member server I get the following output of these commands:
> net getlocalsid     => S-1-5-21-1853263269-3041869306-167322181
> net getdomainsid     => S-1-5-21-290147797-1639656955-1287535205

I take it that you ran 'net getdomainsid' on the PDC and this is the SID 
you are using.

>
> Is there no way to detect on my PDC what the problem is? Why is my PDC 
> Samba rejecting my samba member server...?
>

Permissions? Is the join correct?

It has been some time since I did anything major with an LDAP PDC, and 
even then I used smbldap tools. It seems strange that 3.6 works but 
4.2.2 doesn't; have you looked into the bug report that was posted in 
this thread?

From my understanding, you should be able to use 4.2.x just like 3.6.x, 
but there are slight differences, as I pointed out.

What are the problems, reasons etc. for not moving to AD? I ask this 
because you seem to be trying to set up a new domain, and surely this is 
the very time to upgrade.

Rowland
> Thanks for your help again,
>
> Roland
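The checks the two of them are doing by hand above (does the machine account's sambaSID hang off the domain SID rather than the member's local SID, is the primary group the Domain Computers RID 515, is the account flagged as a workstation trust account) can be scripted. The following is an added example, not code from the thread or from Samba; it embeds the LDIF entry and the `net getlocalsid` / `net getdomainsid` values quoted above as constructed sample input, and the minimal LDIF reader and the RID-range threshold are my own assumptions:

```python
import re

# Constructed sample input: the computer-account LDIF quoted in the thread,
# embedded here so the script runs offline.
SAMPLE_LDIF = """\
# osuse-test$, computers, samba, mydom.com
dn: uid=osuse-test$,ou=computers,ou=samba,dc=mydom,dc=com
sambaPwdLastSet: 1436177562
sambaNTPassword: B404FFE84BE2F31569CF908B3F2B6020
sambaAcctFlags: [WX         ]
uid: osuse-test$
cn: osuse-test$
displayName: osuse-test$
gidNumber: 515
gecos: Computer
description: Computer
homeDirectory: /dev/null
loginShell: /bin/false
uidNumber: 61405
sambaSID: S-1-5-21-290147797-1639656955-1287535205-61405
sambaPrimaryGroupSID: S-1-5-21-290147797-1639656955-1287535205-515
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaKickoffTime: 2147483647
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaDomainName: MYDOM
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSAMAccount
"""

# `net getdomainsid` and `net getlocalsid` as reported on the member server in the thread.
DOMAIN_SID = "S-1-5-21-290147797-1639656955-1287535205"
LOCAL_SID = "S-1-5-21-1853263269-3041869306-167322181"

DOMAIN_COMPUTERS_RID = 515  # well-known RID of the "Domain Computers" group
WELL_KNOWN_RID_LIMIT = 1000  # assumption: RIDs below this are treated as reserved
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-\d+)?$")


def parse_ldif(text):
    """Minimal LDIF reader (assumption): one entry, multi-valued attributes,
    folded continuation lines and '#' comments. Not a full RFC 2849 parser."""
    entry = {}
    last = None
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last:  # folded continuation line
            entry[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        entry.setdefault(attr, []).append(value)
        last = attr
    return entry


def split_sid(sid):
    """Return (domain_sid, rid) for an account SID, or (sid, None) for a bare domain SID."""
    if not SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    parts = sid.split("-")
    if len(parts) == 7:  # S-1-5-21 plus three sub-authorities: a domain SID
        return sid, None
    return "-".join(parts[:-1]), int(parts[-1])


def check_machine_account(entry, domain_sid, local_sid=None):
    """Return a list of problems; an empty list means the entry is consistent."""
    problems = []

    def first(attr):
        return entry.get(attr, [None])[0]

    uid = first("uid") or ""
    if not uid.endswith("$"):
        problems.append("uid %r lacks the trailing '$' of a machine account" % uid)

    try:
        prefix, rid = split_sid(first("sambaSID") or "")
        if prefix != domain_sid:
            problems.append("sambaSID prefix %s is not the domain SID %s" % (prefix, domain_sid))
        if rid is None or rid < WELL_KNOWN_RID_LIMIT:
            problems.append("sambaSID RID %r falls in the reserved (<%d) range" % (rid, WELL_KNOWN_RID_LIMIT))
    except ValueError as err:
        problems.append(str(err))

    expected_group = "%s-%d" % (domain_sid, DOMAIN_COMPUTERS_RID)
    if first("sambaPrimaryGroupSID") != expected_group:
        problems.append("sambaPrimaryGroupSID should be %s (Domain Computers)" % expected_group)

    flags = (first("sambaAcctFlags") or "").strip("[] ")
    if "W" not in flags:
        problems.append("sambaAcctFlags %r lacks 'W' (workstation trust account)" % flags)
    if "D" in flags:
        problems.append("account is disabled ('D' in sambaAcctFlags)")

    if "sambaSAMAccount" not in entry.get("objectClass", []):
        problems.append("missing objectClass sambaSAMAccount")

    # On a member server `net getlocalsid` is the machine's own SID and differs
    # from the domain SID, as in the thread; if they are equal, something set the
    # local SAM's SID to the domain SID.
    if local_sid is not None and local_sid == domain_sid:
        problems.append("local SID equals domain SID: member server has no SID of its own")
    return problems


if __name__ == "__main__":
    findings = check_machine_account(parse_ldif(SAMPLE_LDIF), DOMAIN_SID, LOCAL_SID)
    print("OK: entry is consistent" if not findings else "\n".join(findings))
```

Run against the quoted entry it reports no problems, which matches the observation above that the ldif itself looks fine; pointing it at an export of the PDC's own copy of the account (or feeding it the SIDs from the PDC rather than the member) is the quickest way to see whether the two sides disagree about which domain SID the machine belongs to.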


