I could fix the SID issues. However the other errors and warnings remain. Struggling hard to find the cause for not being able to join a domain, getting "Access Denied"

SMB log:
[2013/07/12 15:48:03.439574, 2] auth/auth.c:309(check_ntlm_password)
  check_ntlm_password: authentication for user [admin] -> [admin] -> [admin] succeeded
[2013/07/12 15:48:03.442335, 3] groupdb/mapping.c:772(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2013/07/12 15:48:03.442450, 2] auth/token_util.c:455(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
[2013/07/12 15:48:03.444454, 3] groupdb/mapping.c:772(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2013/07/12 15:48:03.444555, 2] auth/token_util.c:479(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
...
[2013/07/12 15:48:03.191990, 0] rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client N666
...
[2013/07/12 15:48:03.587205, 3] smbd/connection.c:35(yield_connection)
  Yielding connection to IPC$
[2013/07/12 15:48:03.589351, 3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)

Questions:

Is it mandatory that
  Domain Admins
  Domain Users
  Domain Guests
  Domain Computers
are spelled exactly like that.
In GOsa I'm only allowed to use lower case letters and no spaces. Hence I got domainadmins... and so forth.
I don't know how to change the windows group name only.

Is a root user mandatory or may I use "admin"?
Since I got no root in LDAP, but tried it last week, didn't help.

Which of the domain and builtin groups are mandatory?
As far as I know only
  Domain Admins 512
  Domain Users 513
  Domain Guests 514
and
From the builtin domain (didn't know that there is a built in domain until now)
  Administrators 544
  Users 545
  Guests 546

Thanks for any help in advance!
Setting up a PDC seems not too hard, but I have to use our existing LDAP directory and operate on a production system :(

Cheers,
Marcus

> I have an LDAP backend.
>
> In LDAP, the machine accounts for my windows and linux clients so show
> the same base SID as the domain SID (i.e. all but the last digits.)
>
> However I also have the mismatch with "net getdomainsid" - which
> definitely explains why they don't behave as I would expect. You may
> want to try fixing this with "net setlocalsid." I guess when you join
> unix or linux member server to the domain the localsid is not updated.
>
> Re the BUILTIN groups you may want to explicitly map these to unix
> groups rather than relying on winbind to do it
>
>
> e.g. I created unix groups
>
> #getent group ....
> Builtin Admins::544:
> Builtin Users::545:
> Builtin Guests::546:
>
> Then mapped the well-known built-in Windows groups to the unix groups
>
>
> #net groupmap add ntgroup="Administrators" unixgroup=544 sid=S-1-5-32-544 type=builtin
> #net groupmap add ntgroup="Users" unixgroup=545 sid=S-1-5-32-545 type=builtin
> #net groupmap add ntgroup="Guests" unixgroup=546 sid=S-1-5-32-546 type=builtin
>
> # net groupmap list | grep -i builtin
>
> Administrators (S-1-5-32-544) -> Builtin Admins
> Users (S-1-5-32-545) -> Builtin Users
> Guests (S-1-5-32-546) -> Builtin Guests
>
>
>
> The linux samba member servers I use mostly for IT use anyway so I never
> shook out all the bugs.
>
>
>
>
> On 07/03/13 11:49, Marcus Mundt wrote:
> > Dear Samba Gurus,
> >
> > I got the following errors:
> > tail -f /var/log/samba/log.wb-DOM1
> > [2013/07/02 15:49:19.990168, 2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
> >   name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
> >
> > log.smbd
> > [2013/07/02 15:40:51.809516, 2] auth/token_util.c:455(finalize_local_nt_token)
> >   WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
> > [2013/07/02 15:40:51.811330, 2] auth/token_util.c:479(finalize_local_nt_token)
> >   WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
> >
> >
> > I guess the reason might be this:
> > net getdomainsid
> > SID for local machine M1 is: S-1-5-21-3981825222-1828954701-2606613544
> > SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449
> >
> > net getdomainsid
> > SID for local machine M2 is: S-1-5-21-2913448378-2543514743-1508345481
> > SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449
> >
> >
> > Shouldn't the SIDs be the same except the last digits???
> >
> > Cheers,
> > Marcus
> >

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
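
Added example, not part of the original messages: a shell check over `net groupmap list` output that reports which of the RIDs and BUILTIN aliases listed in the thread have no mapping, and flags any S-1-5-21 group SID whose prefix differs from the domain SID. The function names, the MISSING/FOREIGN labels and the sample listing are constructed for illustration; the two SIDs are the DOM1 and M1 values quoted above.

```shell
#!/bin/sh
# Audit a group-map listing read from stdin.
# $1 = domain SID as printed by "net getdomainsid".
check_groupmap() {
    awk -v dom="$1" '
    BEGIN {
        bad = 0
        # Domain RIDs 512-514 and BUILTIN aliases 544-546 named in the thread.
        sids = dom "-512," dom "-513," dom "-514,"
        sids = sids "S-1-5-32-544,S-1-5-32-545,S-1-5-32-546"
        n = split(sids, want, ",")
        names = "Domain Admins,Domain Users,Domain Guests,Administrators,Users,Guests"
        split(names, name, ",")
    }
    # Listing lines look like: Administrators (S-1-5-32-544) -> Builtin Admins
    match($0, /\(S-1-[0-9-]+\)/) {
        sid = substr($0, RSTART + 1, RLENGTH - 2)
        seen[sid] = 1
        # An S-1-5-21 SID with another prefix was created under a different
        # SID (for example a local machine SID), not under the domain SID.
        if (sid ~ /^S-1-5-21-/ && index(sid, dom "-") != 1) {
            print "FOREIGN " sid
            bad = 1
        }
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(want[i] in seen)) {
                print "MISSING " name[i] " (" want[i] ")"
                bad = 1
            }
        exit bad
    }'
}

# Constructed sample listing (not output from a real server).
DOM=S-1-5-21-2762780445-1763757571-3541238449
M1=S-1-5-21-3981825222-1828954701-2606613544
sample_groupmap() {
    cat <<EOF
Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users
Guests (S-1-5-32-546) -> Builtin Guests
Domain Admins ($DOM-512) -> domainadmins
Domain Users ($M1-513) -> domainusers
EOF
}

sample_groupmap | check_groupmap "$DOM" || echo "group mapping needs attention"
```

On a live server the listing would come from `net groupmap list` and the first argument from the "SID for domain" line of `net getdomainsid`.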
