I have an LDAP backend.

In LDAP, the machine accounts for my Windows and Linux clients do show the same base SID as the domain SID (i.e. all but the last digits).

However I also have the mismatch with "net getdomainsid" - which definitely explains why they don't behave as I would expect. You may want to try fixing this with "net setlocalsid". I guess when you join a Unix or Linux member server to the domain the localsid is not updated.

Re the BUILTIN groups, you may want to explicitly map these to Unix groups rather than relying on winbind to do it.


e.g. I created Unix groups:

#getent group ....
Builtin Admins::544:
Builtin Users::545:
Builtin Guests::546:

Then mapped the well-known built-in Windows groups to the Unix groups:


#net groupmap add ntgroup="Administrators" unixgroup=544 sid=S-1-5-32-544 type=builtin
#net groupmap add ntgroup="Users" unixgroup=545 sid=S-1-5-32-545 type=builtin
#net groupmap add ntgroup="Guests" unixgroup=546 sid=S-1-5-32-546 type=builtin

# net groupmap list | grep -i builtin

Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users
Guests (S-1-5-32-546) -> Builtin Guests



The Linux Samba member servers I use mostly for IT use anyway, so I never shook out all the bugs.




On 07/03/13 11:49, Marcus Mundt wrote:
Dear Samba Gurus,

I got the following errors:
tail -f /var/log/samba/log.wb-DOM1
[2013/07/02 15:49:19.990168,  2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
   name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED

log.smbd
[2013/07/02 15:40:51.809516,  2] auth/token_util.c:455(finalize_local_nt_token)
   WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind allocate gids?
[2013/07/02 15:40:51.811330,  2] auth/token_util.c:479(finalize_local_nt_token)
   WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?


I guess the reason might be this:
net getdomainsid
SID for local machine M1 is:    S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is:         S-1-5-21-2762780445-1763757571-3541238449

net getdomainsid
SID for local machine M2 is:    S-1-5-21-2913448378-2543514743-1508345481
SID for domain DOM1 is:         S-1-5-21-2762780445-1763757571-3541238449


Shouldn't the SIDs be the same except the last digits???

Cheers,
Marcus
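
Added example (not part of either message above): a shell check that reads "net groupmap list" output on stdin and reports which of the three BUILTIN SIDs mapped in the reply still have no group mapping. The function names and the sample lines are constructed for illustration; the line format is the one shown in the reply's "net groupmap list" output.

```shell
#!/bin/sh
# The three well-known BUILTIN SIDs mapped in the reply above.
BUILTIN_SIDS="S-1-5-32-544 S-1-5-32-545 S-1-5-32-546"

# missing_builtin_maps (hypothetical helper name):
# reads lines of the form "NTName (SID) -> unixgroup" on stdin and prints
# every BUILTIN SID that has no mapping line, one per line.
missing_builtin_maps() {
    # Keep only SIDs in the BUILTIN authority (S-1-5-32-*) that map to a
    # non-empty unix group name; domain SIDs (S-1-5-21-*) are ignored.
    mapped=$(sed -n 's/^.*(\(S-1-5-32-[0-9][0-9]*\)) -> ..*$/\1/p')
    for sid in $BUILTIN_SIDS; do
        printf '%s\n' "$mapped" | grep -qxF "$sid" || printf '%s\n' "$sid"
    done
}

# Constructed sample input: the Guests mapping is absent and one
# domain-group line is present to show that it is skipped.
sample_partial() {
    cat <<'EOF'
Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users
Domain Users (S-1-5-21-2762780445-1763757571-3541238449-513) -> users
EOF
}

# Demo on the constructed sample.
# On a real member server: net groupmap list | missing_builtin_maps
sample_partial | missing_builtin_maps
```

An empty result means all three BUILTIN groups are mapped.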
