Re: [Samba] Messed up SIDs: How to change machine SID?

2013-07-16 Thread Marcus Mundt
Ok, today I was finally able to join my domain. The problem was a 
misconfiguration of idmap. Solution as follows:

   idmap config DEFAULT:backend = ldap
   idmap config DEFAULT:readonly = no
   idmap config DEFAULT:default = yes
   idmap config DEFAULT:ldap_base_dn = ou=people,dc=domain,dc=org
   idmap config DEFAULT:ldap_user_dn = cn=rootuser,dc=domain,dc=org
   idmap config DEFAULT:ldap_url = ldap://myldapserver

Thanks for everything!

-Original Message-
From:    Marcus Mundt marcus.mu...@forsa.de
Sent:    Mon 15.07.2013 15:25
Subject: Re: [Samba] Messed up SIDs: How to change machine SID?
To:      samba@lists.samba.org; 

Re: [Samba] Messed up SIDs: How to change machine SID?

2013-07-15 Thread Marcus Mundt
I could fix the SID issues. However the other errors and warnings remain.
Struggling hard to find the cause for not being able to join a domain, getting
Access Denied

SMB log:
[2013/07/12 15:48:03.439574,  2] auth/auth.c:309(check_ntlm_password)
  check_ntlm_password:  authentication for user [admin] - [admin] - [admin] succeeded
[2013/07/12 15:48:03.442335,  3] groupdb/mapping.c:772(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2013/07/12 15:48:03.442450,  2] auth/token_util.c:455(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind allocate gids?
[2013/07/12 15:48:03.54,  3] groupdb/mapping.c:772(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2013/07/12 15:48:03.444555,  2] auth/token_util.c:479(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
...
[2013/07/12 15:48:03.191990,  0] rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client N666
...
[2013/07/12 15:48:03.587205,  3] smbd/connection.c:35(yield_connection)
  Yielding connection to IPC$
[2013/07/12 15:48:03.589351,  3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)

Questions:
Is it mandatory that
Domain Admins
Domain Users
Domain Guests
Domain Computers
are spelled exactly like that? In GOsa I'm only allowed to use lower case
letters and no spaces. Hence I got
domainadmins... and so forth. I don't know how to change the Windows group name
only.

Is a root user mandatory or may I use admin? I have no root in LDAP, but I
tried it last week and it didn't help.

Which of the domain and builtin groups are mandatory? As far as I know only
Domain Admins    512
Domain Users     513
Domain Guests    514

and

From the builtin domain (didn't know that there is a builtin domain until now)
Administrators   544
Users            545
Guests           546

Thanks for any help in advance! Setting up a PDC seems not too hard, but I have 
to use our existing LDAP directory and operate on a production system :(

Cheers,
Marcus


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
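The smbd excerpt above is the kind of thing an admin reads by eye, but the same records are easy to parse and correlate. The following Python is an added example, not code from the thread or from Samba: it splits the Samba 3.x debug format (a `[timestamp, level] file:line(function)` header followed by indented message lines) into records, sorts them by timestamp (the excerpt is not in time order; the level-0 netlogon error at 15:48:03.19 precedes the NTLM success at 15:48:03.43), and flags the messages the thread discusses with the conclusions the thread itself reached (winbind could not allocate gids, so BUILTIN groups were not created; the fix was the idmap configuration, or explicit `net groupmap` entries). The sample log is the posted excerpt with the mail client's line wrapping undone, embedded here as constructed input; the diagnosis strings are my wording.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: the smbd excerpt posted in the thread, with the
# lines the mail client had wrapped rejoined. Not output of a live server here.
SAMPLE_LOG = r"""
[2013/07/12 15:48:03.439574,  2] auth/auth.c:309(check_ntlm_password)
  check_ntlm_password:  authentication for user [admin] - [admin] - [admin] succeeded
[2013/07/12 15:48:03.442335,  3] groupdb/mapping.c:772(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2013/07/12 15:48:03.442450,  2] auth/token_util.c:455(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind allocate gids?
[2013/07/12 15:48:03.54,  3] groupdb/mapping.c:772(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2013/07/12 15:48:03.444555,  2] auth/token_util.c:479(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
[2013/07/12 15:48:03.191990,  0] rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client N666
[2013/07/12 15:48:03.587205,  3] smbd/connection.c:35(yield_connection)
  Yielding connection to IPC$
[2013/07/12 15:48:03.589351,  3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)
"""

# Samba 3.x debug header: "[YYYY/MM/DD HH:MM:SS.frac, level] file.c:line(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*"
    r"(?P<src>[\w./-]+:\d+)\((?P<func>\w+)\)\s*$"
)
BUILTIN_RE = re.compile(r"Failed to create BUILTIN\\(\w+) group")
AUTH_RE = re.compile(r"authentication for user \[([^\]]+)\].*succeeded")

# Message fragments seen in the thread and what each one tells the admin
# (the diagnoses follow the thread's own conclusions).
RULES = (
    ("Could not get a gid out of winbind",
     "winbind could not allocate a gid for a BUILTIN alias: check the idmap "
     "configuration, or map the BUILTIN groups to unix groups with 'net groupmap add'"),
    ("Failed to create BUILTIN",
     "the local NT token is missing a BUILTIN group; follows from the gid allocation failure"),
    ("no challenge sent to client",
     "netlogon ServerAuthenticate arrived without a preceding challenge (level 0, an error)"),
    ("failed to receive smb request",
     "the client closed the connection before the operation completed"),
)


@dataclass
class Record:
    ts: datetime
    level: int
    src: str
    func: str
    message: str


def parse_log(text):
    """Group each debug header with the indented message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            # %f accepts 1-6 fractional digits, so "03.54" parses as well as "03.439574"
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            records.append(Record(ts, int(m.group("level")), m.group("src"), m.group("func"), ""))
        elif records and line.strip():
            records[-1].message = (records[-1].message + " " + line.strip()).strip()
    # The posted excerpt is not in time order; sort so the earliest event comes first.
    records.sort(key=lambda r: r.ts)
    return records


def summarize(records):
    """Who authenticated, which BUILTIN groups failed, and the flagged events in time order."""
    summary = {"auth_ok": [], "builtin_failures": [], "findings": []}
    for r in records:
        m = AUTH_RE.search(r.message)
        if m:
            summary["auth_ok"].append(m.group(1))
        m = BUILTIN_RE.search(r.message)
        if m:
            summary["builtin_failures"].append(m.group(1))
        for needle, diagnosis in RULES:
            if needle in r.message:
                summary["findings"].append((r.ts.strftime("%H:%M:%S.%f"), r.func, diagnosis))
    return summary


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print("authenticated:", s["auth_ok"])
    print("BUILTIN groups not created:", s["builtin_failures"])
    for ts, func, diagnosis in s["findings"]:
        print(f"{ts} {func}: {diagnosis}")
```

Run against the posted excerpt it reports that user admin authenticated but BUILTIN\Administrators and BUILTIN\Users could not be created, and lists the netlogon error first; pointing `parse_log` at a real log.smbd works the same way as long as the debug header format matches.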


[Samba] Messed up SIDs: How to change machine SID?

2013-07-03 Thread Marcus Mundt
Dear Samba Gurus,

I got the following errors:
tail -f /var/log/samba/log.wb-DOM1
[2013/07/02 15:49:19.990168,  2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED

log.smbd
[2013/07/02 15:40:51.809516,  2] auth/token_util.c:455(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind allocate gids?
[2013/07/02 15:40:51.811330,  2] auth/token_util.c:479(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?


I guess the reason might be this:
net getdomainsid
SID for local machine M1 is: S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449

net getdomainsid
SID for local machine M2 is: S-1-5-21-2913448378-2543514743-1508345481
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449


Shouldn't the SIDs be the same except the last digits???

Cheers,
Marcus


Re: [Samba] Messed up SIDs: How to change machine SID?

2013-07-03 Thread Gaiseric Vandal

I have an LDAP backend.

In LDAP, the machine accounts for my Windows and Linux clients do show
the same base SID as the domain SID (i.e. all but the last digits).


However I also have the mismatch with net getdomainsid, which
definitely explains why they don't behave as I would expect. You may
want to try fixing this with net setlocalsid. I guess when you join a
Unix or Linux member server to the domain the local SID is not updated.


Re the BUILTIN groups, you may want to explicitly map these to unix
groups rather than relying on winbind to do it.



e.g. I created unix groups

# getent group
Builtin Admins::544:
Builtin Users::545:
Builtin Guests::546:

Then mapped the well-known built-in Windows groups to the unix groups

# net groupmap add ntgroup=Administrators unixgroup=544 sid=S-1-5-32-544 type=builtin
# net groupmap add ntgroup=Users unixgroup=545 sid=S-1-5-32-545 type=builtin
# net groupmap add ntgroup=Guests unixgroup=546 sid=S-1-5-32-546 type=builtin

# net groupmap list | grep -i builtin

Administrators (S-1-5-32-544) - Builtin Admins
Users (S-1-5-32-545) - Builtin Users
Guests (S-1-5-32-546) - Builtin Guests



The linux samba member servers I use mostly for IT use anyway so I never 
shook out all the bugs.



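Two checks run through this thread: whether the local SID `net getdomainsid` prints matches the domain SID (Marcus's original question, which Gaiseric answers with `net setlocalsid`), and whether the BUILTIN groups have explicit `net groupmap` entries. The following Python is an added example, my own code rather than anything from the thread or from Samba's tooling: it parses SIDs, reads `net getdomainsid` output like the posted one and states how the local SID relates to the domain SID (identical, the domain SID plus a RID, or an unrelated S-1-5-21 identifier), names the well-known RIDs listed in the thread (512-515 in the domain, 544-546 in BUILTIN), and scans a `net groupmap list` listing for BUILTIN groups that are still unmapped. It only parses command output; it does not run `net` or change any SID. The sample texts are constructed from the values in the thread, and accepting both `->` and `-` as the groupmap separator is an assumption about how the archive rendered the listing.

```python
import re

# Well-known RIDs named in the thread: domain-relative ones (listed by Marcus)
# and the BUILTIN ones Gaiseric mapped with 'net groupmap add'.
DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users",
               514: "Domain Guests", 515: "Domain Computers"}
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 546: "Guests"}
BUILTIN_PREFIX = (5, 32)          # S-1-5-32 is the BUILTIN domain

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")
GETDOMAINSID_RE = re.compile(
    r"SID for local machine (?P<host>\S+) is:\s*(?P<local>S-1-[\d-]+)\s*"
    r"SID for domain (?P<domain>\S+) is:\s*(?P<dsid>S-1-[\d-]+)")
# 'net groupmap list' prints "NTname (SID) -> unixgroup"; the archived mail shows
# the separator as "- " (assumed: the ">" was lost in quoting), so both are accepted.
GROUPMAP_LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-[\d-]+)\) ->? (?P<unix>.+)$")

# Constructed samples: the M1 output from the first post, and a groupmap listing
# that deliberately lacks the Guests mapping.
GETDOMAINSID_M1 = """SID for local machine M1 is: S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449
"""
GROUPMAP_PARTIAL = """Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users
"""


def parse_sid(text):
    """Return (identifier_authority, sub1, sub2, ...) for a textual SID."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    return (int(m.group(1)),) + tuple(int(x) for x in m.group(2).split("-")[1:])


def classify(local_sid, domain_sid):
    """Relate a machine's local SID to the domain SID, as 'net getdomainsid' prints them."""
    local, domain = parse_sid(local_sid), parse_sid(domain_sid)
    if local == domain:
        return "identical"          # local SID and domain SID are the same
    if len(local) == len(domain) + 1 and local[:-1] == domain:
        return "domain-account"     # domain SID plus a RID: an account *in* the domain
    return "unrelated"              # an independent S-1-5-21-... identifier, as on M1/M2


def check_getdomainsid(output):
    """Parse one 'net getdomainsid' output and classify local SID against domain SID."""
    m = GETDOMAINSID_RE.search(output)
    if not m:
        raise ValueError("unrecognised net getdomainsid output")
    return m.group("host"), classify(m.group("local"), m.group("dsid"))


def well_known_name(sid, domain_sid=None):
    """Map a SID to the group name the thread lists for it, or None if it is not one of them."""
    parts = parse_sid(sid)
    if parts[:2] == BUILTIN_PREFIX and len(parts) == 3:
        name = BUILTIN_RIDS.get(parts[2])
        return f"BUILTIN\\{name}" if name else None
    if domain_sid and parts[:-1] == parse_sid(domain_sid):
        return DOMAIN_RIDS.get(parts[-1])
    return None


def missing_builtin_mappings(groupmap_output):
    """RIDs of BUILTIN groups that have no entry in 'net groupmap list' output."""
    mapped = set()
    for line in groupmap_output.splitlines():
        m = GROUPMAP_LINE_RE.match(line.strip())
        if m:
            parts = parse_sid(m.group("sid"))
            if parts[:2] == BUILTIN_PREFIX:
                mapped.add(parts[2])
    return sorted(rid for rid in BUILTIN_RIDS if rid not in mapped)


if __name__ == "__main__":
    host, verdict = check_getdomainsid(GETDOMAINSID_M1)
    print(f"{host}: local SID vs domain SID: {verdict}")
    print("unmapped BUILTIN RIDs:", missing_builtin_mappings(GROUPMAP_PARTIAL))
```

For the posted M1 values the verdict is "unrelated": the local SID is a complete S-1-5-21 identifier of its own, not the domain SID with an extra RID, which is why the thread's "same except the last digits" expectation does not hold and why `net setlocalsid` is the suggested remedy. The groupmap check reports 546 (Guests) as still unmapped for the constructed partial listing.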