samba - Apr 2005 - The conflicting domain portions are not supported

Hi, maybe I didn't explained myself well.
What i meant is that the user can't have the SID
S-1-5-21-528226156-890416033-2029241632 but MUST have a sid like
S-1-5-21-528226156-890416033-2029241632-xxxx ( where x is usually assigned
automatically by the add user's script)

Best Regards,
Bruno Guerreiro

-----Original Message-----
From: Jos? M. Fandi?o [mailto:samba@fadesa.es]
Sent: sexta-feira, 15 de Abril de 2005 12:59
Cc: samba@lists.samba.org
Subject: Re: [Samba] The conflicting domain portions are not supported


Bruno Guerreiro wrote:
> 
> Hi there,
> Your users sid should be something like
> S-1-5-21-528226156-890416033-2029241632-xxxx.
 My current understanding is that they are created 
algorithmically by samba.
> I think your user ldap entry may have some problem.
possibly :)
> Another thing, do you have any trust account in place?
Yes, "add machine script" is working and the user info250$
was created on the fly by smbldap-tools.

http://195.55.55.164/tests/samba/info250.ldif.txt

Also I'm using "enable privileges" if this makes any difference.
> If not, then something is really wrong, because you're not supposed to
have
> two completely diferente domain SID's in net groupmap listing
> 
> S-1-5-21-528226156-890416033-2029241632 and
> S-1-5-21-2403845858-3771094018-3344062789
well, S-1-5-21-2403845858-3771094018-3344062789 was an
old domain, but I think it isn't interfering with this.
Anyway I removed all ldap entries with that SID and
the problem persists.

# net groupmap list
Usuarios Basicos (S-1-5-21-528226156-890416033-2029241632-100) -> users
usuarios de samba (S-1-5-21-528226156-890416033-2029241632-717) -> usuarios
Domain Admins (S-1-5-21-528226156-890416033-2029241632-512) -> domadmin
Domain Users (S-1-5-21-528226156-890416033-2029241632-513) -> domusers
Domain Guests (S-1-5-21-528226156-890416033-2029241632-514) -> domguests
> What's the output of the net getlocalsid?
# net getlocalsid
SID for domain ORA9I is: S-1-5-21-528226156-890416033-2029241632
> It should match the SambaSID value in the SambaDomainName ldap entry.
[2005/04/15 13:40:36, 10] auth/auth_util.c:debug_nt_user_token(490)
  NT user token of user S-1-5-21-528226156-890416033-2029241632
  contains 8 SIDs
  SID[  0]: S-1-5-21-528226156-890416033-2029241632
  SID[  1]: S-1-5-21-528226156-890416033-2029241632-513
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-528226156-890416033-2029241632-3001
  SID[  6]: S-1-5-21-528226156-890416033-2029241632-512
  SID[  7]: S-1-5-21-528226156-890416033-2029241632-2431
  SE_PRIV  0x10 0x0 0x0 0x0
[2005/04/15 13:40:36, 5] auth/auth_util.c:make_server_info_sam(862)
  make_server_info_sam: made server info for user usuario1 -> usuario1
[2005/04/15 13:40:36, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: sam authentication for user [usuario1] succeeded
[2005/04/15 13:40:36, 5] auth/auth.c:check_ntlm_password(292)
  check_ntlm_password:  PAM Account for user [usuario1] succeeded
[2005/04/15 13:40:36, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [usuario1] -> [usuario1]
->
[usuario1] succeeded
[2005/04/15 13:40:36, 5] auth/auth_util.c:free_user_info(1380)
  attempting to free (and zero) a user_info structure
[2005/04/15 13:40:36, 10] auth/auth_util.c:free_user_info(1383)
  structure was created for usuario1
[2005/04/15 13:40:36, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon(766)
  _net_sam_logon: user BETA\usuario1 has user sid
S-1-5-21-528226156-890416033-2029241632
   but group sid S-1-5-21-528226156-890416033-2029241632-513.
  The conflicting domain portions are not supported for NETLOGON calls

full log:
http://195.55.55.164/tests/samba/log.smb.txt

> -----Original Message-----
> From: Jos? M. Fandi?o [mailto:samba@fadesa.es]
> Sent: sexta-feira, 15 de Abril de 2005 10:08
> To: samba@lists.samba.org
> Subject: [Samba] The conflicting domain portions are not supported for
> NETLOGON calls
> 
> Hello list,
> 
>  When I try to log in a samba 3.0.13 server from a XP Pro
> machine, I get this error:
> 
> [2005/04/15 10:57:00, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon(766)
>   _net_sam_logon: user BETA\usuario1 has user sid
> S-1-5-21-528226156-890416033-2029241632
>    but group sid S-1-5-21-528226156-890416033-2029241632-513.
>   The conflicting domain portions are not supported for NETLOGON calls
> 
> What can this mean?
> 
> Thank you.
> 
> http://195.55.55.164/tests/samba/smb.conf.txt
> http://195.55.55.164/tests/samba/log.smb.txt
> 
> # net groupmap list
> Usuarios Basicos (S-1-5-21-2403845858-3771094018-3344062789-100) ->
users
> usuarios de samba (S-1-5-21-2403845858-3771094018-3344062789-717) ->
> usuarios
> NT Admins (S-1-5-21-2403845858-3771094018-3344062789-719) -> ntadmin
> Domain Admins (S-1-5-21-528226156-890416033-2029241632-512) -> domadmin
> Domain Users (S-1-5-21-528226156-890416033-2029241632-513) -> domusers
> Domain Guests (S-1-5-21-528226156-890416033-2029241632-514) -> domguests
-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d- s+:+() a31 C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
G++ e- h+(++) !r !z
------END GEEK CODE BLOCK------
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Bruno Guerreiro wrote:
> 
> Hi, maybe I didn't explained myself well.
> What i meant is that the user can't have the SID
> S-1-5-21-528226156-890416033-2029241632 but MUST have a sid like
> S-1-5-21-528226156-890416033-2029241632-xxxx ( where x is usually assigned
> automatically by the add user's script)
ok, now I understand it. "add user script" is not being used here
since users are managed with other tool and I forget add the -xxxx
prefix. 

Thank you for all Bruno.

-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d- s+:+() a31 C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
G++ e- h+(++) !r !z
------END GEEK CODE BLOCK------