Mike Cauble
2006-Sep-05 17:15 UTC
[Samba] User Group SID behavior has changed from 21b to 23c
I am using LDAP as my backend. I have 6 PDCs running Samba 3.0.21b; each domain has a different SID. I store all user, group, and machine accounts in one LDAP database, so that when I create a user once, all domains can see the user. This keeps me from having to create a user account on each domain for cross-domain file sharing.

The behavior for domains running Samba 3.0.21b is as follows.

DOMAIN1 has a SID of S-1-5-21-1629861336-2395076261-3235541152
DOMAIN2 has a SID of S-1-5-21-2781067772-1786132867-2942848841

In DOMAIN1 I type:

    pdbedit -v -u mikec

I get:

    Unix username: mikec
    NT username: mikec
    Account Flags: [U ]
    User SID: S-1-5-21-1629861336-2395076261-3235541152-3001
    Primary Group SID: *S-1-5-21-1629861336-2395076261-3235541152-513*

In DOMAIN2 I type:

    pdbedit -v -u mikec

I get:

    Unix username: mikec
    NT username: mikec
    Account Flags: [U ]
    User SID: S-1-5-21-1629861336-2395076261-3235541152-3001
    Primary Group SID: *S-1-5-21-1629861336-2395076261-3235541152-513*

Which is correct.

I have set up a new PDC for DOMAIN2 using 3.0.23c. Now in DOMAIN2 when I type:

    pdbedit -v -u mikec

I get:

    NT username: mikec
    Account Flags: [U ]
    User SID: S-1-5-21-1629861336-2395076261-3235541152-3001
    Primary Group SID: *S-1-5-21-2781067772-1786132867-2942848841-513*

When I try to connect to a Samba server in DOMAIN2 from DOMAIN1 I get the error message:

    _net_sam_logon: user DOMAIN2\mikec has user sid S-1-5-21-1629861336-2395076261-3235541152-3001 but group sid S-1-5-21-2781067772-1786132867-2942848841-513. The conflicting domain portions are not supported for NETLOGON calls

The behavior in 3.0.23c has changed from 3.0.21b.
Gerald (Jerry) Carter
2006-Sep-05 17:46 UTC
[Samba] User Group SID behavior has changed from 21b to 23c
Mike,

> I am using LDAP as my backend. I have 6 PDCs running
> Samba 3.0.21b, each domain has a different SID. I
> store all user, group, and machine accounts in one
> LDAP database. So that when I create a user once,
> all domains can see the user. This keeps me
> from having to create a user account on
> each domain for cross domain file sharing.
...
> I have set up a new PDC for DOMAIN2 using 3.0.23c
> Now in DOMAIN2 when I type:
> pdbedit -v -u mikec
> I get:
>
> NT username: mikec
> Account Flags: [U ]
> User SID: S-1-5-21-1629861336-2395076261-3235541152-3001
> Primary Group SID: *S-1-5-21-2781067772-1786132867-2942848841-513*
>
> When I try to connect to a Samba Server in DOMAIN2 from
> DOMAIN1 I get the error message
> _net_sam_logon: user DOMAIN2\mikec has user sid
> S-1-5-21-1629861336-2395076261-3235541152-3001
> but group sid S-1-5-21-2781067772-1786132867-2942848841-513.
> The conflicting domain portions are not supported for
> NETLOGON calls
>
> The behavior in 3.0.23c has changed from 3.0.21b

Yup. And you were relying on unsupported behavior in previous releases. We have never supported sharing an ldapsam passdb backend between multiple domains in the 3.0 series.

cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Mario Lipinski
2006-Sep-05 19:11 UTC
[Samba] User Group SID behavior has changed from 21b to 23c
Hello,

I am expecting also a behavior I cannot follow with groups.

> # pdbedit -L -v law
> WARNING: The "printer admin" option is deprecated
> Unix username: law
> NT username: law
> Account Flags: [HUX ]
> User SID: S-1-5-21-4092459118-2595994810-1099795350-3002
> Primary Group SID: S-1-5-21-4092459118-2595994810-1099795350-513

However, I am not a member of the mapped group with the RID 513...

Mario
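
An added example, not part of the original thread or of Samba: a small Python audit that parses `pdbedit -L -v` style output and lists accounts whose User SID and Primary Group SID carry different domain portions, the condition the `_net_sam_logon` error quoted in the thread rejects. The sample records are constructed from the SIDs quoted in the thread, and the dashed record separator is an assumption about the listing format.

```python
import re

SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-\d+")

# Constructed sample in `pdbedit -L -v` style (dashed separators assumed);
# the SIDs are the ones quoted in the thread.
SAMPLE = """\
---------------
Unix username:        mikec
User SID:             S-1-5-21-1629861336-2395076261-3235541152-3001
Primary Group SID:    S-1-5-21-2781067772-1786132867-2942848841-513
---------------
Unix username:        law
User SID:             S-1-5-21-4092459118-2595994810-1099795350-3002
Primary Group SID:    S-1-5-21-4092459118-2595994810-1099795350-513
"""

def split_sid(text):
    """Split a domain-relative SID into (domain SID, RID)."""
    match = SID_RE.search(text)
    if match is None:
        raise ValueError(f"no domain SID in {text!r}")
    domain, _, rid = match.group(0).rpartition("-")
    return domain, int(rid)

def records(pdbedit_text):
    """Yield one {field: value} dict per account record."""
    for chunk in re.split(r"(?m)^-{5,}\s*$", pdbedit_text):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # skip lines that are not "Field: value"
                fields[key.strip()] = value.strip()
        if fields:
            yield fields

def find_conflicts(pdbedit_text):
    """Return accounts whose user and primary group SIDs name different domains."""
    conflicts = []
    for rec in records(pdbedit_text):
        if "User SID" not in rec or "Primary Group SID" not in rec:
            continue
        user_dom, _ = split_sid(rec["User SID"])
        group_dom, group_rid = split_sid(rec["Primary Group SID"])
        if user_dom != group_dom:
            conflicts.append((rec.get("Unix username", "?"), user_dom, group_dom, group_rid))
    return conflicts
```

Running `find_conflicts` over a saved listing before moving a PDC from 3.0.21b to 3.0.23c shows which accounts would hit the NETLOGON error.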