[Samba] Invalid SID after upgrade to Samba 4.1
Rowland Penny
rowlandpenny241155 at gmail.com
Tue Nov 10 20:56:40 UTC 2015
On 10/11/15 19:57, Mark Burkley wrote:
> Hi folks,
>
> We just had a problem with our samba server here in the office. I
> upgraded our file server from Debian wheezy (samba 3.6) to Debian jessie
> (samba 4.1) but this broke Samba and I struggled for a day or so to
> figure out why. Searching for answers online found lots of cases of
> similar problems but nothing jumping out as a relevant solution.
>
> This is my global config section
>
> [global]
> workgroup = WORKGROUP
> realm = emutex.com
> server string = Server
> dns proxy = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> server role = standalone server
> security = user
> passdb backend = ldapsam:ldap://ldap.....com/
> obey pam restrictions = No
> ldap admin dn = cn=samba,ou=DSA,dc=emutex,dc=com
> ldap suffix = dc=emutex, dc=com
> ldap group suffix = ou=groups
> ldap user suffix = ou=users
> ldap machine suffix = ou=machines
> ldap idmap suffix = ou=users
> ldap ssl = no
> log level = 3
> interfaces = eth0
> syslog = 0
> server string = %h server
> panic action = /usr/share/samba/panic-action %d
> encrypt passwords = true
> follow symlinks = yes
> wide links = yes
> unix extensions = no
> map to guest = bad user
>
> I have a file server that uses NFS and samba to serve files to both *nix
> and Windows users. I have another server running OpenLDAP and Kerberos
> for authentication. Samba uses ldapsam as the backend and this has
> worked fine for several years. But after the upgrade, I was getting an
> error from "pdbedit -L" saying "SID S-xxxx does not belong to our
> domain". The domain has not changed, nor has the hostname of the server.
>
> I examined the LDAP database and found two entries
> "sambaDomainName=WORKGROUP" and "sambaDomainName=SERVER". The SID in
> the entry for "WORKGROUP" matched the SID in the user entries but the
> SID in the entry for SERVER was new. I tried using "net setlocalsid"
> but this didn't change anything so I copied the SID from entry WORKGROUP
> to entry SERVER and deleted the entry for WORKGROUP. After that,
> everything worked fine as before.
>
> So it seems to me the meaning of "domain" has changed and Samba is now
> using the hostname entry as the source of the SID instead of the
> workgroup name? So that after upgrading from samba 3 to samba 4, users
> who have an LDAP backend need to manually edit the sambaDomainName
> entries in their database.
>
> I'd appreciate it if someone more knowledgeable about Samba and LDAP
> backends could confirm this and verify that my fix is reasonable and
> safe and so on. Apologies if this is documented somewhere already, but
> if it is I couldn't find it.
>
> Many thanks,
>
> Mark
>
You are using 'realm = emutex.com', this may be your problem; you only
use this on a DC or an ADS domain member.
If this is a standalone server, then it is not a part of a domain,
though it could be a machine in a workgroup.
Rowland
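The check Mark did by hand (compare the sambaSID of each sambaDomainName entry against the SID prefix in the user entries) can be scripted against an LDIF dump. This is an added example, not code from the thread or from Samba; the LDIF text, the dc=example,dc=com suffix and the user names are constructed, and it treats the SERVER entry as the one Samba consults only because that is what the thread observed.

```python
import re

# Constructed LDIF, shaped like the output of
# ldapsearch -LLL '(|(objectClass=sambaDomain)(objectClass=sambaSamAccount))'
# Two sambaDomainName entries with different SIDs, users carrying the WORKGROUP prefix.
SAMPLE_LDIF = """\
dn: sambaDomainName=WORKGROUP,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: WORKGROUP
sambaSID: S-1-5-21-111-222-333

dn: sambaDomainName=SERVER,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: SERVER
sambaSID: S-1-5-21-444-555-666

dn: uid=alice,ou=users,dc=example,dc=com
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-111-222-333-1000

dn: uid=bob,ou=users,dc=example,dc=com
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-111-222-333-1002
"""

def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, attribute -> list of values.
    No support for base64 (::) values or folded continuation lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            entry.setdefault(key, []).append(val)
        entries.append(entry)
    return entries

def domain_sids(entries):
    """Map each sambaDomainName entry to its sambaSID."""
    return {e["sambaDomainName"][0]: e["sambaSID"][0]
            for e in entries if "sambaDomain" in e.get("objectClass", [])}

def orphaned_users(entries, domain_name):
    """uids whose SID prefix (SID minus the trailing RID) is not the SID of
    the named sambaDomainName entry; these trigger 'does not belong to our domain'."""
    prefix = domain_sids(entries)[domain_name]
    return sorted(e["uid"][0] for e in entries
                  if "sambaSamAccount" in e.get("objectClass", [])
                  and e["sambaSID"][0].rsplit("-", 1)[0] != prefix)
```

Two domain entries with different SIDs plus a non-empty orphan list for the entry Samba is using is the state described in the thread; an empty list after aligning the SIDs confirms the repair.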