On Wed, 2006-03-15 at 16:20 -0500, Yang Xiao wrote:
> Hi Everyone,
> I've been getting this error when trying to login from an XP box to a Samba
> 3 + LDAP PDC, but failed.
>
> [2006/03/15 17:48:12, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon(766)
>   _net_sam_logon: user Domain\user has user sid
> S-1-5-21-3570476861-1302945835-1904156257-3004
> but group sid S-1-5-21-790863915-1833833965-864709722-513.
> The conflicting domain portions are not supported for NETLOGON calls
>
> I did some research and found this is due to SID mismatch as it is shown
> with the user sid and group sid
>
> net getlocalsid on the dc shows S-1-5-21-3570476861-1302945835-1904156257
> and net getlocalsid DOMAIN shows S-1-5-21-3570476861-1302945835-1904156257
> as well.
>
> but, net groupmap list shows
>
> Domain Admins (S-1-5-21-790863915-1833833965-864709722-512) -> Domain Admins
> Domain Users (S-1-5-21-790863915-1833833965-864709722-513) -> Domain Users
> Domain Guests (S-1-5-21-790863915-1833833965-864709722-514) -> Domain Guests
> Domain Computers (S-1-5-21-790863915-1833833965-864709722-515) -> Domain
> Computers
> Administrators (S-1-5-32-544) -> Administrators
> Account Operators (S-1-5-32-548) -> Account Operators
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
> systems (S-1-5-21-3570476861-1302945835-1904156257-3003) -> systems
> development (S-1-5-21-3570476861-1302945835-1904156257-3005) -> development
> analytics (S-1-5-21-3570476861-1302945835-1904156257-3007) -> analytics
>
> and most of my user/machine accounts have sids like this
> S-1-5-21-790863915-1833833965-864709722-xxxx.
> but the smbldap.conf says the sid is set to
> SID="S-1-5-21-3570476861-1302945835-1904156257"
>
> then according to LDAP
> dn: sambaDomainName=Domain,dc=Domain,dc=com
> sambaSID: S-1-5-21-3570476861-1302945835-1904156257
>
> so this is a certified bloody mess, my question is, does this mean I have to
> change every instance of sid that's
> S-1-5-21-790863915-1833833965-864709722-xxxx in LDAP? what's a good way of
> doing this?
>
> Many thanks!
>
> - Yang
>
> smb.conf & slapd.conf attached
----
# net groupmap help
net groupmap add          Create a new group mapping
net groupmap modify       Update a group mapping
net groupmap delete       Remove a group mapping
net groupmap addmem       Add a foreign alias member
net groupmap delmem       Delete a foreign alias member
net groupmap listmem      List foreign group members
net groupmap memberships  List foreign group memberships
net groupmap list         List current group map
net groupmap set          Set group mapping
net groupmap cleanup      Remove foreign group mapping entries

hmm...that last one seems interesting...

Craig
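
Added example, not part of the thread and not Samba code: a small audit that parses `net groupmap list` output and reports every mapping whose domain portion differs from the SID returned by `net getlocalsid`, plus the user/group comparison the log message reports. The function names are hypothetical; the SIDs and group lines are the ones quoted in the post.

```python
import re

# Values copied from the post above.
LOCAL_SID = "S-1-5-21-3570476861-1302945835-1904156257"
GROUPMAP_LIST = """\
Domain Admins (S-1-5-21-790863915-1833833965-864709722-512) -> Domain Admins
Domain Users (S-1-5-21-790863915-1833833965-864709722-513) -> Domain Users
Domain Guests (S-1-5-21-790863915-1833833965-864709722-514) -> Domain Guests
Domain Computers (S-1-5-21-790863915-1833833965-864709722-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
systems (S-1-5-21-3570476861-1302945835-1904156257-3003) -> systems
"""

BUILTIN_SID = "S-1-5-32"  # well-known BUILTIN domain, identical on every host
ENTRY = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1(?:-\d+)+)\) -> (?P<unix>.+)$")


def split_sid(sid):
    """Split a SID into (domain part, RID): the text before the last '-' and the last number."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def same_domain(user_sid, group_sid):
    """Mirror the condition the log message reports: both SIDs share one domain part."""
    return split_sid(user_sid)[0] == split_sid(group_sid)[0]


def foreign_mappings(listing, local_sid):
    """Return (nt_group, domain_part, rid) for mappings outside local_sid and BUILTIN."""
    found = []
    for line in listing.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # skip blank or unparseable lines
        domain, rid = split_sid(m.group("sid"))
        if domain not in (local_sid, BUILTIN_SID):
            found.append((m.group("nt"), domain, rid))
    return found


if __name__ == "__main__":
    for nt, domain, rid in foreign_mappings(GROUPMAP_LIST, LOCAL_SID):
        print(f"{nt}: RID {rid} is under {domain}, not {LOCAL_SID}")
```

The same comparison can be run over the SID attributes of user and machine entries exported from LDAP to see how many accounts carry the other domain portion before deciding how to repair them.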
