[Samba] pdb search

Rowland Penny rpenny at samba.org
Tue Jul 31 08:32:32 UTC 2018


On Tue, 31 Jul 2018 15:01:30 +1000
Rob Thoman via samba <samba at lists.samba.org> wrote:

> Hi All,
> 
> We have a classic PDC with an ldap backend. We're trying to add some
> member servers which will act as print and file servers. We've joined
> the member servers to the domain using net rpc join. The problem we
> are having is we are seeing the following when using
> pdbedit -L -v -d10 from a member server
> 
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=WINTF))]
> smbldap_open_connection: connection opened
> Skipping entry uid=robertb,ou=users,dc=tog
> sid S-1-5-21-x-x-x-3034 does not belong to our domain
> 
> net getlocalsid
> ID for local machine WINTF is: S-1-5-21-4632170330-5278305567-71232245
> SID for domain TOG is: S-1-5-21-7852576374-8644348213-3812465877
> 
> 
> The same when running from the LDAP server, we get
> 
> Unix username:        robertb
> NT username:          robertb
> Account Flags:        [U          ]
> User SID:             S-1-5-21-x-x-x-x-3034
> Primary Group SID:    S-1-5-21-x-x-x-x-513
> Full Name:            Robert Barat
> Domain:               TOG
> 
> The user details can be accessed using getent passwd robertb from the
> member server.
> 
> The smb.conf of the member server is
>         workgroup = TOG
>         netbios name = WINTF
>         security = user
>         idmap config * : backend = ldap
>         idmap config * : range = 3000-7999
> 
>         passdb backend = ldapsam:ldap://10.10.10.1
>         ldap admin dn = cn=admin,dc=tog
>         ldap suffix = dc=tog
>         ldap group suffix = ou=groups
>         ldap machine suffix = ou=computers
>         ldap user suffix = ou=users
>         idmap backend = ldap
>         ldap idmap suffix = ou=idmap
>         idmap config * : ldap_url = ldap://10.10.10.1
>         idmap config * : ldap_base_dn = ou=idmap,dc=tog
>         idmap config * : ldap_user_dn = cn=admin,dc=tog
> 
>         domain logons = no
> 
> Any suggestions?
> 
> RT

Yes, upgrade to AD as soon as possible. If you have any Windows 10
machines, you may come in one morning and find that NOTHING works.

In the meantime, there wasn't much point in sanitizing the SIDs if you
didn't sanitize them all. In fact you have made it worse, because we now
don't know which SID is 'x-x-x-x': are they all the same SID, or are they
different SIDs?

You could try setting the local SID to be the same as the domain SID.

Rowland
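The check that pdbedit is applying when it prints "does not belong to our domain" is a comparison of the domain part of each user SID (the SID minus its trailing RID) against the SID the local machine believes is its own. The script below is an added example, not code from the thread or from Samba itself: it parses the SIDs out of lines in the shape that `net getlocalsid` / `net getdomainsid` and `pdbedit -L -v` print, reports whether the local machine SID matches the domain SID, counts how many user SIDs fall outside the domain, and shows the fix Rowland suggests (`net setlocalsid <domain SID>`). All sample lines and SID values are constructed; the `APPLY` variable is a hypothetical guard so that nothing is written to secrets.tdb unless you ask for it on a real member server as root.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): compare the local machine
# SID with the domain SID and with the domain part of each user SID, the way
# pdbedit's "does not belong to our domain" check does, and optionally align
# the local SID with the domain SID using `net setlocalsid`.
# All sample data below is CONSTRUCTED; no real system was queried.

# Constructed stand-ins for the two lines `net getdomainsid` prints.
SAMPLE_LOCAL="SID for local machine WINTF is: S-1-5-21-1111-2222-3333"
SAMPLE_DOMAIN="SID for domain TOG is: S-1-5-21-4444-5555-6666"
# Constructed stand-ins for the "User SID:" values from `pdbedit -L -v`.
SAMPLE_USER_SIDS="S-1-5-21-4444-5555-6666-3034
S-1-5-21-4444-5555-6666-1000
S-1-5-21-7777-8888-9999-1001"

# extract_sid: print the S-1-5-21-... SID contained in one line of output.
extract_sid() {
    printf '%s\n' "$1" | sed -n 's/.*\(S-1-5-21-[0-9-]*\).*/\1/p'
}

# domain_of: strip the trailing RID from a user/group SID, leaving the domain SID.
domain_of() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# sid_in_domain: exit 0 if user SID $1 belongs to domain SID $2, else 1.
sid_in_domain() {
    [ "$(domain_of "$1")" = "$2" ]
}

# count_foreign: read user SIDs on stdin, print how many are outside domain $1.
# These are the entries pdbedit would skip on the member server.
count_foreign() {
    n=0
    while IFS= read -r sid; do
        [ -z "$sid" ] && continue
        sid_in_domain "$sid" "$1" || n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# check_local_sid: exit 0 if the local machine SID equals the domain SID.
# Args: the "local machine" line and the "domain" line as printed by net.
check_local_sid() {
    local_sid=$(extract_sid "$1")
    domain_sid=$(extract_sid "$2")
    if [ "$local_sid" = "$domain_sid" ]; then
        printf 'OK: local SID matches domain SID %s\n' "$domain_sid"
        return 0
    fi
    printf 'MISMATCH: local %s vs domain %s\n' "$local_sid" "$domain_sid"
    return 1
}

# align_local_sid: the fix suggested in the reply. Only runs `net setlocalsid`
# (writes secrets.tdb, needs root) when APPLY=1 and the net tool is present;
# otherwise it just prints the command it would run. APPLY is a hypothetical
# guard for this example, not a Samba setting.
align_local_sid() {
    domain_sid=$1
    if [ "${APPLY:-0}" = "1" ] && command -v net >/dev/null 2>&1; then
        net setlocalsid "$domain_sid"
    else
        printf 'would run: net setlocalsid %s\n' "$domain_sid"
    fi
}

# Stand-alone run over the constructed samples. On a real member server, feed
# it the actual `net getdomainsid` lines and the pdbedit "User SID:" values.
main() {
    check_local_sid "$SAMPLE_LOCAL" "$SAMPLE_DOMAIN" || true
    dom=$(extract_sid "$SAMPLE_DOMAIN")
    printf 'users outside domain %s: %s\n' "$dom" \
        "$(printf '%s\n' "$SAMPLE_USER_SIDS" | count_foreign "$dom")"
    align_local_sid "$dom"
}
main
```

Run it as-is to see the mismatch report on the constructed data; on the member server, replace the sample lines with real `net getdomainsid` output and set `APPLY=1` only once you have confirmed the domain SID it prints is the one stored in the sambaDomain entry on the PDC, since `net setlocalsid` will happily write whatever SID you hand it.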
