Ok, today I was finally able to join my domain. The problem was a misconfiguration of idmap. Solution as follows:

< idmap config DEFAULT:backend = ldap
< idmap config DEFAULT:readonly = no
< idmap config DEFAULT:default = yes
< idmap config DEFAULT:ldap_base_dn = ou=people,dc=domain,dc=org
< idmap config DEFAULT:ldap_user_dn = cn=rootuser,dc=domain,dc=org
< idmap config DEFAULT:ldap_url = ldap://myldapserver

Thanks for everything!

-----Original Message-----
From: Marcus Mundt <[email protected]>
Sent: Mon 15.07.2013 15:25
Subject: Re: [Samba] Messed up SIDs: How to change machine SID?
To: [email protected];

> I could fix the SID issues. However the other errors and warnings remain.
> Struggling hard to find the cause for not being able to join a domain,
> getting "Access Denied"
>
> SMB log:
> [2013/07/12 15:48:03.439574, 2] auth/auth.c:309(check_ntlm_password)
>   check_ntlm_password: authentication for user [admin] -> [admin] -> [admin] succeeded
> [2013/07/12 15:48:03.442335, 3] groupdb/mapping.c:772(pdb_create_builtin_alias)
>   pdb_create_builtin_alias: Could not get a gid out of winbind
> [2013/07/12 15:48:03.442450, 2] auth/token_util.c:455(finalize_local_nt_token)
>   WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
> [2013/07/12 15:48:03.444454, 3] groupdb/mapping.c:772(pdb_create_builtin_alias)
>   pdb_create_builtin_alias: Could not get a gid out of winbind
> [2013/07/12 15:48:03.444555, 2] auth/token_util.c:479(finalize_local_nt_token)
>   WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
> ...
> [2013/07/12 15:48:03.191990, 0] rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate: no challenge sent to client N666
> ...
> [2013/07/12 15:48:03.587205, 3] smbd/connection.c:35(yield_connection)
>   Yielding connection to IPC$
> [2013/07/12 15:48:03.589351, 3] smbd/server_exit.c:181(exit_server_common)
>   Server exit (failed to receive smb request)
>
> Questions:
> Is it mandatory that
>   Domain Admins
>   Domain Users
>   Domain Guests
>   Domain Computers
> are spelled exactly like that? In GOsa I'm only allowed to use lower case
> letters and no spaces. Hence I got domainadmins... and so forth. I don't know
> how to change the windows group name only.
>
> Is a root user mandatory or may I use "admin"? Since I got no root in LDAP,
> but tried it last week, didn't help.
>
> Which of the domain and builtin groups are mandatory? As far as I know only
>   Domain Admins 512
>   Domain Users 513
>   Domain Guests 514
>
> and
>
> From the builtin domain (didn't know that there is a built in domain until now)
>   Administrators 544
>   Users 545
>   Guests 546
>
> Thanks for any help in advance! Setting up a PDC seems not too hard, but I
> have to use our existing LDAP directory and operate on a production system :(
>
> Cheers,
> Marcus
>
> > I have an LDAP backend.
> >
> > In LDAP, the machine accounts for my windows and linux clients show
> > the same base SID as the domain SID (i.e. all but the last digits.)
> >
> > However I also have the mismatch with "net getdomainsid" - which
> > definitely explains why they don't behave as I would expect. You may
> > want to try fixing this with "net setlocalsid." I guess when you join a
> > unix or linux member server to the domain the localsid is not updated.
> >
> > Re the BUILTIN groups you may want to explicitly map these to unix
> > groups rather than relying on winbind to do it
> >
> > e.g. I created unix groups
> >
> > #getent group ....
> > Builtin Admins::544:
> > Builtin Users::545:
> > Builtin Guests::546:
> >
> > Then mapped the well known built-in Windows groups to the unix groups
> >
> > #net groupmap add ntgroup="Administrators" unixgroup=544 sid=S-1-5-32-544 type=builtin
> > #net groupmap add ntgroup="Users" unixgroup=545 sid=S-1-5-32-545 type=builtin
> > #net groupmap add ntgroup="Guests" unixgroup=546 sid=S-1-5-32-546 type=builtin
> >
> > # net groupmap list | grep -i builtin
> > Administrators (S-1-5-32-544) -> Builtin Admins
> > Users (S-1-5-32-545) -> Builtin Users
> > Guests (S-1-5-32-546) -> Builtin Guests
> >
> > The linux samba member servers I use mostly for IT use anyway so I never
> > shook out all the bugs.
> >
> > On 07/03/13 11:49, Marcus Mundt wrote:
> > > Dear Samba Gurus,
> > >
> > > I got the following errors:
> > > tail -f /var/log/samba/log.wb-DOM1
> > > [2013/07/02 15:49:19.990168, 2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
> > >   name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
> > >
> > > log.smbd
> > > [2013/07/02 15:40:51.809516, 2] auth/token_util.c:455(finalize_local_nt_token)
> > >   WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
> > > [2013/07/02 15:40:51.811330, 2] auth/token_util.c:479(finalize_local_nt_token)
> > >   WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
> > >
> > > I guess the reason might be this:
> > > net getdomainsid
> > > SID for local machine M1 is: S-1-5-21-3981825222-1828954701-2606613544
> > > SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449
> > >
> > > net getdomainsid
> > > SID for local machine M2 is: S-1-5-21-2913448378-2543514743-1508345481
> > > SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449
> > >
> > > Shouldn't the SIDs be the same except the last digits???
> > >
> > > Cheers,
> > > Marcus
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
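As an added example (not code from this thread or from the Samba project), a small Python checker that parses the output formats of `net getdomainsid` and `net groupmap list` as quoted above and flags the two failure modes the thread works through: a local machine SID that differs from the domain SID, and a missing group mapping for the domain groups (RIDs 512-514) or the BUILTIN aliases (S-1-5-32-544/545/546). The sample outputs are constructed from the lines quoted in the thread; run it against the real command output on a PDC or member server.

```python
import re

# Constructed sample, modelled on the "net getdomainsid" output quoted in the thread.
GETDOMAINSID_OUTPUT = """\
SID for local machine M1 is: S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449
"""

# Constructed sample, modelled on "net groupmap list" output; Domain Guests and
# the BUILTIN Guests alias are deliberately left unmapped.
GROUPMAP_OUTPUT = """\
Domain Admins (S-1-5-21-2762780445-1763757571-3541238449-512) -> domainadmins
Domain Users (S-1-5-21-2762780445-1763757571-3541238449-513) -> domainusers
Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users
"""

SID_RE = re.compile(r"^SID for (local machine|domain) (\S+) is: (S-1-5-21-\d+-\d+-\d+)$")
MAP_RE = re.compile(r"^(.+?) \((S-[\d-]+)\) -> (.+)$")

# The groups the thread lists as mandatory: three domain RIDs and three BUILTIN aliases.
REQUIRED_DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
REQUIRED_BUILTIN_SIDS = {"S-1-5-32-544": "Administrators",
                         "S-1-5-32-545": "Users",
                         "S-1-5-32-546": "Guests"}


def parse_domainsid(text):
    """Return {"local machine": SID, "domain": SID} from net getdomainsid output."""
    sids = {}
    for line in text.splitlines():
        m = SID_RE.match(line.strip())
        if m:
            sids[m.group(1)] = m.group(3)
    return sids


def sid_mismatch(text):
    """True when the local SID differs from the domain SID (the symptom in the thread)."""
    sids = parse_domainsid(text)
    return sids.get("local machine") != sids.get("domain")


def missing_mappings(groupmap_text, domain_sid):
    """Names of mandatory domain/BUILTIN groups with no entry in net groupmap list."""
    mapped = {m.group(2) for m in (MAP_RE.match(l.strip())
                                   for l in groupmap_text.splitlines()) if m}
    missing = [name for rid, name in REQUIRED_DOMAIN_RIDS.items()
               if f"{domain_sid}-{rid}" not in mapped]
    missing += [name for sid, name in REQUIRED_BUILTIN_SIDS.items() if sid not in mapped]
    return missing
```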
