[Samba] Fwd: Migrating server

Rob Thoman emailthomasrob at gmail.com
Wed Mar 7 05:24:11 UTC 2018


I added the computer account using PHP and still have the issues.

win10-ldaptest, computers, mydomain
dn: uid=win10-ldaptest,ou=computers,dc=mydomain
cn: win10-ldaptest
gidNumber: 515 (matches the one in the first result)
homeDirectory: /dev/null
uid: win10-ldaptest
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
objectClass: top
sambaSID: S-1-5-21-3936576374-1604348213-1812465911-
sambaAcctFlags: [W]
uidNumber: 1000

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


On Wed, Mar 7, 2018 at 3:16 PM, Rob Thoman <emailthomasrob at gmail.com> wrote:

> dn: cn=Domain Admins,ou=groups,dc=mydomain
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 512
> cn: Domain Admins
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-3936576374-1604348213-1812465911-512
> sambaGroupType: 2
> displayName: Domain Admins
> memberUid: root
> memberUid: sadmin
>
> dn: cn=Domain Users,ou=groups,dc=mydomain
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 513
> cn: Domain Users
> description: Netbios Domain Users
> sambaSID: S-1-5-21-3936576374-1604348213-1812465911-513
> sambaGroupType: 2
> displayName: Domain Users
>
> dn: cn=Domain Computers,ou=groups,dc=mydomain
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 515
> cn: Domain Computers
> description: Netbios Domain Computers accounts
> sambaSID: S-1-5-21-3936576374-1604348213-1812465911-515
> sambaGroupType: 2
> displayName: Domain Computers
>
>
> If I search for the user
>
> ldapsearch -x cn=sadmin -b dc=mydomain
> dn: uid=sadmin,ou=users,dc=mydomain
> uid: sadmin
> cn: sadmin
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/sh
> uidNumber: 1359
> gidNumber: 1359
> homeDirectory: /home/admin
> sambaSID: S-1-5-21-3936576374-1604348213-1812465911-1006
> sambaNTPassword: B8AF1F54013E322D0A02F9B9FF4B5B1F
> sambaPasswordHistory: 000000000000000000000000000000
> 00000000000000000000000000
>  00000000
> sambaAcctFlags: [U          ]
> sambaPwdLastSet: 1520247253
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Tried to add the machine to the domain using the "sadmin"
>
> Mar  6 00:22:28 sam3dc slapd[5581]: <= bdb_equality_candidates: (uid) not indexed
> Mar  6 00:22:28 sam3dc slapd[5581]: <= bdb_equality_candidates: (gidNumber) not indexed
> Mar  6 00:22:28 sam3dc slapd[5581]: <= bdb_equality_candidates: (gidNumber) not indexed
> Mar  6 00:22:28 Dozer5 slapd[5581]: <= bdb_equality_candidates: (memberUid) not indexed
> Mar  6 00:22:28 sam3dc slapd[5581]: <= bdb_equality_candidates: (gidNumber) not indexed
> Mar  6 00:22:29 sam3dc slapd[5581]: <= bdb_equality_candidates: (uid) not indexed
>
> [2018/03/06 00:22:29.101185,  1] auth/server_info.c:447(samu_to_SamInfo3)
>   Failed to get groups from sam account.
> [2018/03/06 00:22:29.101275,  0] auth/check_samsec.c:492(check_sam_security)
>   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_INTERNAL_DB_CORRUPTION'
> [2018/03/06 00:22:29.101322,  5] auth/auth.c:271(check_ntlm_password)
>   check_ntlm_password: sam authentication for user [sundata] FAILED with error NT_STATUS_INTERNAL_DB_CORRUPTION
>
>
>
>
> On Tue, Mar 6, 2018 at 9:32 PM, Harry Jede <walk2sun at arcor.de> wrote:
>
>> On Tuesday, 6 March 2018, 16:42:23 CET, Rob Thoman wrote:
>>
>> > I have the following in the samba logs for that machine
>> >
>> > Failed to get groups from sam account.
>> >
>> >
>> > So basically it is telling me there are issues with groups, fair
>> > enough. What is the best way to get the groups in ldap? I have tried
>> > the pdedit -i tdbsam -e ldapam, also have tried adding it via the
>> > migration tools
>>
>> Fine, you have found something I assumed in a previous mail.
>>
>> Once again the command to retrieve the groups:
>>
>> # for s in 512 513 515 ;do ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=mydomain -s sub "sambasid=S-1-5-21-2631908330-1812305667-41686038-$s";done 2>/dev/null
>>
>> This is a one-liner. Between sub and the " character is a space.
>>
>> The output should look like:
>>
>> dn: cn=DomainAdmins,ou=groups,dc=afrika,dc=xx
>> objectClass: top
>> objectClass: posixGroup
>> objectClass: sambaGroupMapping
>> gidNumber: 512
>> cn: DomainAdmins
>> memberUid: Administrator
>> memberUid: root
>> description: Netbios Domain Administrators
>> sambaSID: S-1-5-21-1507708399-2130971284-2230424465-512
>> sambaGroupType: 2
>> displayName: Domain Admins
>>
>> dn: cn=DomainUsers,ou=groups,dc=afrika,dc=xx
>> objectClass: top
>> objectClass: posixGroup
>> objectClass: sambaGroupMapping
>> gidNumber: 513
>> cn: DomainUsers
>> description: Netbios Domain Users
>> sambaSID: S-1-5-21-1507708399-2130971284-2230424465-513
>> sambaGroupType: 2
>> displayName: Domain Users
>>
>> dn: cn=DomainComputers,ou=groups,dc=afrika,dc=xx
>> objectClass: top
>> objectClass: posixGroup
>> objectClass: sambaGroupMapping
>> gidNumber: 515
>> cn: DomainComputers
>> description: Netbios Domain Computers accounts
>> sambaSID: S-1-5-21-1507708399-2130971284-2230424465-515
>> sambaGroupType: 2
>> displayName: Domain Computers
>>
>> --
>> Regards
>> Harry Jede
>>
>
>
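
An added example, not part of the thread and not Samba's own code: a consistency check over ldapsearch output like the entries posted above, flagging sambaSamAccount entries whose sambaSID has no RID or a different domain prefix, or whose primary gidNumber has no sambaGroupMapping group. The sample LDIF, the domain SID and the choice of checks are assumptions of this example, not a diagnosis given in the thread.

```python
import re

# Constructed sample shaped like the entries in the thread (password attributes left out).
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE_LDIF = f"""\
dn: cn=Domain Computers,ou=groups,dc=mydomain
objectClass: sambaGroupMapping
gidNumber: 515
sambaSID: {DOM}-515

dn: uid=sadmin,ou=users,dc=mydomain
objectClass: sambaSamAccount
gidNumber: 1359
sambaSID: {DOM}-1006

dn: uid=win10-ldaptest,ou=computers,dc=mydomain
objectClass: sambaSamAccount
gidNumber: 515
sambaSID: {DOM}-
"""
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def parse_ldif(text):
    """Parse plain LDIF (no base64 values) into a list of {attr: [values]} dicts."""
    text = re.sub(r"\n ", "", text)  # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                key, value = line.split(": ", 1)
                entry.setdefault(key.lower(), []).append(value.strip())
        entries.append(entry)
    return [e for e in entries if "dn" in e]  # drop "search result" trailers

def check(entries, domain_sid):
    """Return (dn, problem) pairs for accounts with an inconsistent SID or primary group."""
    mapped = {e["gidnumber"][0] for e in entries
              if "sambaGroupMapping" in e.get("objectclass", []) and "gidnumber" in e}
    problems = []
    for e in entries:
        if "sambaSamAccount" not in e.get("objectclass", []):
            continue
        dn, m = e["dn"][0], SID_RE.match(e.get("sambasid", [""])[0])
        if not m or m.group(1) != domain_sid:
            problems.append((dn, "bad sambaSID" if not m else "sambaSID from another domain"))
        if e.get("gidnumber", [None])[0] not in mapped:
            problems.append((dn, "primary gidNumber has no sambaGroupMapping group"))
    return problems
```

Feed it the combined output of the group and account searches and pass the domain SID the server reports; an empty list means none of these three inconsistencies was found.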

