ashok cvs
2007-Feb-16 05:07 UTC
[Samba] Getting error Samba SID does not belong to our domain
Hi all
We have Samba 3.0.21c with an OpenLDAP backend running as PDC, and also 4 BDCs.
Suddenly, on the PDC, we are getting these error messages in /var/log/messages.
I am unable to register any system to the domain, nor am I able to log on to
the domain.
##########################################################################################
Feb 15 11:14:32 msdpl smbd[18212]: [2007/02/15 11:14:32, 0]
lib/util_sock.c:send_smb(765)
Feb 15 11:14:32 msdpl smbd[18212]: Error writing 5 bytes to client. -1.
(Connection reset by peer)
Feb 15 11:14:34 msdpl smbd[18217]: [2007/02/15 11:14:34, 0]
passdb/pdb_ldap.c:ldapuser2displayentry(4006)
Feb 15 11:14:34 msdpl smbd[18217]: sid
S-1-5-21-3963901886-956592875-555457773-500 does not belong to our domain
Feb 15 11:14:34 msdpl smbd[18217]: [2007/02/15 11:14:34, 0]
passdb/pdb_ldap.c:ldapuser2displayentry(4006)
Feb 15 11:14:34 msdpl smbd[18217]: sid
S-1-5-21-3963901886-956592875-555457773-2998 does not belong to our domain
Feb 15 11:14:34 msdpl smbd[18217]: [2007/02/15 11:14:34, 0]
passdb/pdb_ldap.c:ldapuser2displayentry(4006)
Feb 15 11:14:34 msdpl smbd[18217]: sid
S-1-5-21-3963901886-956592875-555457773-3004 does not belong to our domain
Feb 15 11:14:34 msdpl smbd[18217]: [2007/02/15 11:14:34, 0]
passdb/pdb_ldap.c:ldapuser2displayentry(4006)
Feb 15 11:14:34 msdpl smbd[18217]: sid
S-1-5-21-3963901886-956592875-555457773-3006 does not belong to our domain
Feb 15 11:14:35 msdpl smbd[18217]: [2007/02/15 11:14:35, 0]
passdb/pdb_ldap.c:ldapuser2displayentry(4006)
Feb 15 11:14:35 msdpl smbd[18217]: sid
S-1-5-21-3963901886-956592875-555457773-3008 does not belong to our domain
Feb 15 11:14:35 msdpl smbd[18217]: [2007/02/15 11:14:35, 0]
passdb/pdb_ldap.c:ldapuser2displayentry(4006)
Feb 15 11:14:35 msdpl smbd[18217]: sid
S-1-5-21-3963901886-956592875-555457773-3010 does not belong to our domain
Feb 15 11:14:35 msdpl smbd[18217]: [2007/02/15 11:14:35, 0]
passdb/pdb_ldap.c:ldapuser2displayentry(4006)
Feb 15 11:14:35 msdpl smbd[18217]: sid
S-1-5-21-3963901886-956592875-555457773-3012 does not belong to our domain
Feb 15 11:14:35 msdpl smbd[18217]: [2007/02/15 11:14:35, 0]
passdb/pdb_ldap.c:ldapuser2displayentry(4006)
Feb 15 11:14:35 msdpl smbd[18217]: sid
S-1-5-21-3963901886-956592875-555457773-3014 does not belong to our domain
Feb 15 11:14:35 msdpl smbd[18217]: [2007/02/15 11:14:35, 0]
passdb/pdb_ldap.c:ldapuser2displayentry(4006)
Feb 15 11:14:35 msdpl smbd[18217]: sid
S-1-5-21-3963901886-956592875-555457773-3016 does not belong to our domain
#####################################################################
when typing net rpc info it gives the following error
rpc_client/cli_pipe.c:rpc_api_pipe(790) rpc_api_pipe: Remote machine
MEDHAPDC pipe \samr fnum 0x7008returned critical error. Error was Call timed
out: server did not respond after 10000 milliseconds [2007/02/15 21:12:52,
0] libsmb/clientgen.c:cli_rpc_pipe_close(375) cli_rpc_pipe_close: cli_close
failed on pipe \samr, fnum 0x7008 to machine MEDHAPDC. Error was Call timed
out: server did not respond after 10000 milliseconds this is net rpc error
but when we type
#net getlocalsid it gives the SID
S-1-5-21-3963901886-956592875-555457773
Actually, my server's SID is the same as above.
What does the above error mean?
Below is my smb.conf:
#######################################################################################
[global]
# Server-wide settings for a Samba 3 PDC whose account database lives in LDAP.
# NOTE(review): the "sid ... does not belong to our domain" lines quoted in this
# post are logged from passdb/pdb_ldap.c; presumably smbd compares each account
# SID with the domain SID it holds for this workgroup name. Comparing the output
# of `net getlocalsid` with the SID in the directory's sambaDomain entry would
# confirm which side changed.
workgroup = msdpl.com
netbios name = medhapdc
passdb backend = ldapsam:ldap://msdpl.com
server string = Domain Controller
# Only clients in these three address prefixes, plus loopback, may connect.
hosts allow = 192.168.128. 192.168.129. 192.168.130. 127.
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# With "bind interfaces only = yes" further down, smbd serves only eth0 and lo.
interfaces = eth0,lo
printing = cups
disable spoolss = Yes
printcap name = cups
max print jobs = 100
# Honour privileges assigned to specific SIDs (for example via `net rpc rights`);
# worth reviewing which accounts hold them on a domain controller.
enable privileges = yes
log level = 2
# These two make smbd try upper/lower-case permutations of the supplied value.
# NOTE(review): smb.conf(5) describes "password level" as relevant to plaintext
# passwords, so with "encrypt passwords = yes" it is probably redundant - confirm.
password level = 8
username level = 8
bind interfaces only = yes
# Browsing and PDC role.
local master = Yes
os level = 65
domain master = yes
preferred master = yes
remote browse sync = 192.168.130.3
# Accounts with an empty password are refused.
null passwords = no
hide unreadable = yes
hide dot files = yes
domain logons = yes
# %u is the user name; the script is fetched from the [netlogon] share.
logon script = %u.bat
# NOTE(review): the next two lines look like four settings merged by mail
# wrapping; the quoted copy later in this thread shows "logon path",
# "logon drive = X:", "logon home" and "wins support = yes" on separate lines.
# As displayed here they would not parse as intended.
logon path logon drive = X:
logon home wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
time server = yes
# One log file per client machine name (%m).
log file = /var/log/samba/%m.log
max log size = 50
nt acl support = yes
# Update the LDAP password together with the Samba hashes on a password change.
ldap passwd sync = yes
# Provisioning hooks. smb.conf(5) documents these scripts as run by smbd as root,
# with %u / %m / %g substituted from the request, so the smbldap-tools binaries
# and their configuration should be writable by root only.
# The stray "%g" / "%u" / '%u' lines below are arguments wrapped by the mail
# client and belong to the line above them.
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
"%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x
"%u"
"%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g'
'%u'
# Deleting an account removes the whole LDAP entry, not only its Samba attributes.
ldap delete dn = Yes
# No SSL/StartTLS on the LDAP connection: the admin-DN bind and the password
# hashes smbd reads and writes cross the wire unencrypted unless
# ldap://msdpl.com is this same machine. "ldap ssl = start tls" (or an ldaps://
# URL) protects them when the directory is remote.
ldap ssl = no
ldap suffix = dc=msdpl,dc=com
# NOTE(review): cn=manager looks like the directory's root DN - a dedicated
# Samba DN with ACLs limited to the Samba subtrees would narrow what a leaked
# bind password exposes. Confirm against slapd.conf.
ldap admin dn = cn=manager,dc=msdpl,dc=com
ldap group suffix = ou=Groups
# NOTE(review): two settings appear merged on the next line ("ldap user suffix"
# and "check password script"), with "-s" wrapped onto the line after; the
# quoted copy in this thread shows the same merge, so the check-password hook
# may not be active as written - verify in the real file.
ldap user suffix = ou=People check password script /usr/local/bin/crackcheck
-s
map acl inherit = yes
winbind use default domain = yes
template shell = /bin/false
######################################################[Share
Definations]###########################################
[homes]
# Per-user home directory shares, created on demand from the connecting user name.
comment = Home Directories
# %S expands to the share name, which for [homes] is the user's own name, so each
# user reaches only their own home; root is additionally admitted to every home.
valid users = %S, root
# Home shares are not listed when browsing the server.
browseable = no
read only = no
nt acl support = Yes
# Un-comment the following and create the netlogon directory for Domain
Logons
[netlogon]
# Share that domain clients read their logon scripts from.
comment = Network Logon Service
path = /netlogon/scripts
# Readable without authentication, so nothing placed here should contain
# credentials or other secrets.
guest ok = yes
browseable = yes
# Files here are executed on workstations at logon ("logon script" in [global]),
# so write access to this share is effectively code execution across the domain:
# keep this list, and the filesystem permissions on the path, as small as possible.
write list = root, kr1233
#Profiles Share
[profiles]
# Roaming-profile storage; %U is the user name of the session.
comment = Profiles Share
path = /profiles/%U
# "writeable" is the inverted synonym of "read only", so the two settings below
# say the same thing.
read only = No
browseable = yes
writeable = yes
# NOTE(review): no "valid users", "create mask" or "directory mask" is set here,
# so isolation between users' profiles presumably rests on the filesystem
# permissions under /profiles - confirm.
veto files = /lost+found/.Trash-root/*.sh/*.scr/.recycle/desktop.ini
#######################################################################################
# NOTE(review): the six parameters below follow the [profiles] header, and a row
# of # characters does not end a section. They are global-only parameters, so in
# this position Samba is expected to report them as global parameters found in a
# service section and not apply them; `testparm` will show whether they take
# effect. If they are meant to be active they belong under [global].
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap timeout = 50
# Same ldap:// URL as the passdb backend; whether it is encrypted follows the
# "ldap ssl" setting.
idmap backend = ldap:ldap://msdpl.com
idmap uid = 10000-20000
idmap gid = 10000-20000
Please help me
Regards
ashok
ashok cvs
2007-Feb-16 15:56 UTC
[Samba] Re: Getting error Samba SID does not belong to our domain
Hi all,

To the above problem I would like to add the following. The domain is msdpl.com and the server's NetBIOS name is medhapdc. When I type

#net getlocalsid/

I get

SID for domain MEDHAPDC is: S-1-5-21-3963901886-956592875-555457773

This is the SID that is stored in the /etc/smbldap-tools/smbldap.conf file, whereas if I type

#net getlocalsid msdpl.com

I get

SID for domain msdpl.com is: S-1-5-21-826493912-338369434-3047185250

Why are the two different? I am unable to understand it. We did not change anything, but suddenly this happened. All my desktops are losing their trust relationship with the domain. Please help me.

Regards
ashok

On 2/16/07, ashok cvs <ashokcvs@gmail.com> wrote:> > Hi all > > we have samba 3.0.21c with OpenLDAP backend as PDC and also 4 BDC's > Suddenly on PDC we are getting these error messages in /var/log/messages > I am unable to register any system to the domain. niether able to logon to > the domain. > > ########################################################################################## > Feb 15 11:14:32 msdpl smbd[18212]: [2007/02/15 11:14:32, 0] > lib/util_sock.c:send_smb(765) > Feb 15 11:14:32 msdpl smbd[18212]: Error writing 5 bytes to client. -1. 
> (Connection reset by peer) > Feb 15 11:14:34 msdpl smbd[18217]: [2007/02/15 11:14:34, 0] > passdb/pdb_ldap.c:ldapuser2displayentry(4006) > Feb 15 11:14:34 msdpl smbd[18217]: sid > S-1-5-21-3963901886-956592875-555457773-500 does not belong to our domain > Feb 15 11:14:34 msdpl smbd[18217]: [2007/02/15 11:14:34, 0] > passdb/pdb_ldap.c:ldapuser2displayentry(4006) > Feb 15 11:14:34 msdpl smbd[18217]: sid > S-1-5-21-3963901886-956592875-555457773-2998 does not belong to our domain > Feb 15 11:14:34 msdpl smbd[18217]: [2007/02/15 11:14:34, 0] > passdb/pdb_ldap.c:ldapuser2displayentry(4006) > Feb 15 11:14:34 msdpl smbd[18217]: sid > S-1-5-21-3963901886-956592875-555457773-3004 does not belong to our domain > Feb 15 11:14:34 msdpl smbd[18217]: [2007/02/15 11:14:34, 0] > passdb/pdb_ldap.c:ldapuser2displayentry(4006) > Feb 15 11:14:34 msdpl smbd[18217]: sid > S-1-5-21-3963901886-956592875-555457773-3006 does not belong to our domain > Feb 15 11:14:35 msdpl smbd[18217]: [2007/02/15 11:14:35, 0] > passdb/pdb_ldap.c:ldapuser2displayentry(4006) > Feb 15 11:14:35 msdpl smbd[18217]: sid > S-1-5-21-3963901886-956592875-555457773-3008 does not belong to our domain > Feb 15 11:14:35 msdpl smbd[18217]: [2007/02/15 11:14:35, 0] > passdb/pdb_ldap.c:ldapuser2displayentry(4006) > Feb 15 11:14:35 msdpl smbd[18217]: sid > S-1-5-21-3963901886-956592875-555457773-3010 does not belong to our domain > Feb 15 11:14:35 msdpl smbd[18217]: [2007/02/15 11:14:35, 0] > passdb/pdb_ldap.c:ldapuser2displayentry(4006) > Feb 15 11:14:35 msdpl smbd[18217]: sid > S-1-5-21-3963901886-956592875-555457773-3012 does not belong to our domain > Feb 15 11:14:35 msdpl smbd[18217]: [2007/02/15 11:14:35, 0] > passdb/pdb_ldap.c:ldapuser2displayentry(4006) > Feb 15 11:14:35 msdpl smbd[18217]: sid > S-1-5-21-3963901886-956592875-555457773-3014 does not belong to our domain > Feb 15 11:14:35 msdpl smbd[18217]: [2007/02/15 11:14:35, 0] > passdb/pdb_ldap.c:ldapuser2displayentry(4006) > Feb 15 11:14:35 msdpl smbd[18217]: 
sid > S-1-5-21-3963901886-956592875-555457773-3016 does not belong to our domain > ##################################################################### > when typing net rpc info it gives the following error > rpc_client/cli_pipe.c:rpc_api_pipe(790) rpc_api_pipe: Remote machine > MEDHAPDC pipe \samr fnum 0x7008returned critical error. Error was Call timed > out: server did not respond after 10000 milliseconds [2007/02/15 21:12:52, > 0] libsmb/clientgen.c:cli_rpc_pipe_close(375) cli_rpc_pipe_close: cli_close > failed on pipe \samr, fnum 0x7008 to machine MEDHAPDC. Error was Call timed > out: server did not respond after 10000 milliseconds this is net rpc error > > but when we type > #net getlocalsid it gives the SID > S-1-5-21-3963901886-956592875-555457773 > > Actually my server's SID is the same as above. > > what does the above error means . > > The below is my smb.conf > > ####################################################################################### > [global] > > workgroup = msdpl.com > netbios name = medhapdc > passdb backend = ldapsam:ldap://msdpl.com > server string = Domain Controller > hosts allow = 192.168.128. 192.168.129. 192.168.130. 127. 
> security = user > encrypt passwords = yes > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 > interfaces = eth0,lo > printing = cups > disable spoolss = Yes > printcap name = cups > max print jobs = 100 > enable privileges = yes > log level = 2 > password level = 8 > username level = 8 > bind interfaces only = yes > local master = Yes > os level = 65 > domain master = yes > preferred master = yes > remote browse sync = 192.168.130.3 > null passwords = no > hide unreadable = yes > hide dot files = yes > domain logons = yes > logon script = %u.bat > logon path > logon drive = X: > logon home > wins support = yes > name resolve order = wins lmhosts host bcast > dns proxy = no > time server = yes > log file = /var/log/samba/%m.log > max log size = 50 > nt acl support = yes > ldap passwd sync = yes > add user script = /usr/local/sbin/smbldap-useradd -m "%u" > delete user script = /usr/local/sbin/smbldap-userdel "%u" > add machine script = /usr/local/sbin/smbldap-useradd -w "%m" > add group script = /usr/local/sbin/smbldap-groupadd -p "%g" > add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g" > delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" > "%g" > set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u' > ldap delete dn = Yes > ldap ssl = no > ldap suffix = dc=msdpl,dc=com > ldap admin dn = cn=manager,dc=msdpl,dc=com > ldap group suffix = ou=Groups > ldap user suffix = ou=People check password script > /usr/local/bin/crackcheck -s > map acl inherit = yes > winbind use default domain = yes > template shell = /bin/false > ######################################################[Share > Definations]########################################### > [homes] > comment = Home Directories > valid users = %S, root > browseable = no > read only = no > nt acl support = Yes > > # Un-comment the following and create the netlogon directory for Domain > Logons > [netlogon] > comment = Network Logon Service > path = 
/netlogon/scripts > guest ok = yes > browseable = yes > write list = root, kr1233 > > #Profiles Share > [profiles] > comment = Profiles Share > path = /profiles/%U > read only = No > browseable = yes > writeable = yes > veto files = /lost+found/.Trash-root/*.sh/*.scr/.recycle/desktop.ini > ####################################################################################### > > ldap machine suffix = ou=Computers > ldap idmap suffix = ou=Idmap > ldap timeout = 50 > idmap backend = ldap:ldap://msdpl.com > idmap uid = 10000-20000 > idmap gid = 10000-20000 > > > Please help me > > Regards > ashok > >