Roland Schwingel roland at onevision.com
Mon Jul 6 10:33:01 UTC 2015



Rowland Penny <rowlandpenny241155 at gmail.com> wrote on 06.07.2015 10:03:20:

 > > In the first 2 lines of the log I see the SIDs dumped.
 > > Both for my domain and for my member server.
 > >
 > > SID for local machine OSUSE-TEST is:
 > > S-1-5-21-1853263269-3041869306-167322181
 > > SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
 > > Join to 'MYDOM' is OK
 > >
 > > According to my LDAP the sid for my test member server (OSUSE-TEST)
 > > should be S-1-5-21-290147797-1639656955-1287535205-61405
 > Just what do you mean by 'According to my LDAP' ?
 > Have *you* set the SID somewhere?
We have quite a big LDAP and DNS setup. This is one reason why we can't 
switch to Samba as AD right now. I made a little PHP script a decade ago 
which is hooked in as "add machine script" on my PDC. This script 
searches for a free domain SID and creates a machine account in LDAP. 
This has worked very well for many years now.

The sid for MYDOM is:
The sid for my domain member server in this domain is therefore: 

Here is the ldif for my still not working member server:
# osuse-test$, computers, samba, mydom.com
dn: uid=osuse-test$,ou=computers,ou=samba,dc=mydom,dc=com
sambaPwdLastSet: 1436177562
sambaNTPassword: B404FFE84BE2F31569CF908B3F2B6020
sambaAcctFlags: [WX         ]
uid: osuse-test$
cn: osuse-test$
displayName: osuse-test$
gidNumber: 515
gecos: Computer
description: Computer
homeDirectory: /dev/null
loginShell: /bin/false
uidNumber: 61405
sambaSID: S-1-5-21-290147797-1639656955-1287535205-61405
sambaPrimaryGroupSID: S-1-5-21-290147797-1639656955-1287535205-515
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaKickoffTime: 2147483647
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaDomainName: MYDOM
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSAMAccount

I have bootstrapped my Samba member server before joining the domain with
net setdomainsid S-1-5-21-290147797-1639656955-1287535205
During net rpc join the domain SID ending in -61405 was generated by my 
PHP script and written to LDAP.

On my memberserver I get the following output of these commands:
net getlocalsid 	=> S-1-5-21-1853263269-3041869306-167322181
net getdomainsid 	=> S-1-5-21-290147797-1639656955-1287535205

Is there no way to detect on my PDC what the problem is? Why is my Samba 
PDC rejecting my Samba member server...?

Thanks for your help again,
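A consistency check of the posted machine-account entry against the domain SID, as an added example that is not code from this thread or from Samba. The LDIF text is copied from the post above; the convention that the RID equals uidNumber is taken from the add-machine script described there, and 515 is the well-known Domain Computers RID.

```python
"""Consistency check of a Samba machine-account LDIF entry against the domain SID."""
import re

# Machine-account entry as posted in the thread (copied from the LDIF above).
LDIF_POSTED = """\
dn: uid=osuse-test$,ou=computers,ou=samba,dc=mydom,dc=com
uid: osuse-test$
uidNumber: 61405
gidNumber: 515
sambaSID: S-1-5-21-290147797-1639656955-1287535205-61405
sambaPrimaryGroupSID: S-1-5-21-290147797-1639656955-1287535205-515
sambaDomainName: MYDOM
objectClass: sambaSAMAccount
"""
DOMAIN_SID = "S-1-5-21-290147797-1639656955-1287535205"  # MYDOM, from the post
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-\d+)?$")

def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]} (no base64 or wrapped lines)."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value.strip())
    return entry

def split_sid(sid):
    """Return (domain part, RID) for a full SID, or (sid, None) for a bare domain SID."""
    if not SID_RE.match(sid):
        raise ValueError("not a well-formed domain SID: %r" % sid)
    head, _, rid = sid.rpartition("-")
    return (head, int(rid)) if sid.count("-") == 7 else (sid, None)

def check_machine_entry(entry, domain_sid):
    """Return a list of problems; an empty list means the entry is consistent."""
    problems = []
    dom, rid = split_sid(entry.get("sambaSID", [""])[0])
    if dom != domain_sid:
        problems.append("sambaSID domain part %s != %s" % (dom, domain_sid))
    if str(rid) != entry.get("uidNumber", [""])[0]:
        problems.append("RID %s does not match uidNumber (add-machine script convention)" % rid)
    grp_dom, grp_rid = split_sid(entry.get("sambaPrimaryGroupSID", [""])[0])
    if grp_dom != domain_sid or grp_rid != 515:
        problems.append("sambaPrimaryGroupSID is not %s-515 (Domain Computers)" % domain_sid)
    if not entry.get("uid", [""])[0].endswith("$"):
        problems.append("machine account uid should end in '$'")
    return problems
```

Running the check with the local machine SID from net getlocalsid in place of the domain SID reports the mismatch, which is the quickest way to see whether an entry was written under the wrong SID.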


