samba - Dec 2009 - new user can't log

Hello everyone.

I was having a problem with my Samba PDC with LDAP backend. The command 
'net getlocalsid' gaves me the message "Got too many (2) domain
info
entries for domain [domain]". I logged im my ldap server, and saw that i 
have the following entries:

    dn: sambaDomainName=DOMINIO,dc=dominio,dc=com,dc=br
    sambaDomainName: DOMINIO
    sambaSID: S-1-5-21-874179082-3571801642-3889913597
    sambaAlgorithmicRidBase: 1000
    objectClass: sambaDomain
    sambaNextUserRid: 67109862
    sambaNextGroupRid: 67109863
    structuralObjectClass: sambaDomain
    entryUUID: 9ca720c8-00a6-102c-9973-d48efacd902d
    creatorsName: cn=root,dc=dominio,dc=com,dc=br
    createTimestamp: 20070926180404Z
    entryCSN: 20070926180404Z#000001#00#000000
    modifiersName: cn=root,dc=dominio,dc=com,dc=br
    modifyTimestamp: 20070926180404Z


and:

    dn: ou=Dominios,dc=dominio,dc=com,dc=br
    ou: Dominios
    objectClass: top
    objectClass: organizationalUnit
    structuralObjectClass: organizationalUnit

    dn: sambaDomainName=DOMINIO,ou=Dominios,dc=dominio,dc=com,dc=br
    objectClass: sambaDomain
    sambaAlgorithmicRidBase: 1000
    sambaSID: S-1-5-21-874179082-3571801642-3889913597
    sambaDomainName: DOMINIO
    sambaMinPwdLength: 4
    sambaLogonToChgPwd: 2
    sambaForceLogoff: 0
    sambaRefuseMachinePwdChange: 1
    structuralObjectClass: sambaDomain

Deleting the former (the one that was not inside the 'ou=Dominios') 
solved the problem. Now, the 'net getlocalsid' gives me the SID for my 
domain correctly. I don't know if this have any relation with my new 
problem, but i created a new user and he can't login.

The error is in portuguese, but i'll translate here: "The system could 
not logon by the following error: A device conected to the system is not 
working".

In the log of the machine the user is trying to log, i have the 
following info:

    [2009/12/18 16:47:29,  2] auth/auth.c:check_ntlm_password(308)
      check_ntlm_password:  authentication for user [dsribeiro] ->
    [dsribeiro] -> [dsribeiro] succeeded
    [2009/12/18 16:47:29,  1]
    rpc_server/srv_netlog_nt.c:_netr_LogonSamLogon(1060)
      _netr_LogonSamLogon: user DOMINIO\dsribeiro has user sid
    S-1-5-21-4161212321-1980848047-2820993626-3468
       but group sid S-1-5-21-874179082-3571801642-3889913597-513.
      The conflicting domain portions are not supported for NETLOGON calls

Can anyone point me to how to solve this? I'm not what you guys could 
call an expert in samba :D



-- 

*Leonardo de Souza Carneiro*
*Veltrac - Tecnologia em Log?stica.*
lscarneiro at veltrac.com.br <mailto:lscarneiro at veltrac.com.br>
http://www.veltrac.com.br <http://www.veltrac.com.br/>
/Fone Com.: (43)2105-5601/
/Av. Higien?polis 1601 Ed. Eurocenter Sl. 803/
/Londrina- PR/
/Cep: 86015-010/

2009/12/18 Leonardo Carneiro <lscarneiro at
veltrac.com.br>:
>
> ? [2009/12/18 16:47:29, ?2] auth/auth.c:check_ntlm_password(308)
> ? ? check_ntlm_password: ?authentication for user [dsribeiro] ->
> ? [dsribeiro] -> [dsribeiro] succeeded
> ? [2009/12/18 16:47:29, ?1]
> ? rpc_server/srv_netlog_nt.c:_netr_LogonSamLogon(1060)
> ? ? _netr_LogonSamLogon: user DOMINIO\dsribeiro has user sid
> ? S-1-5-21-4161212321-1980848047-2820993626-3468
> ? ? ?but group sid S-1-5-21-874179082-3571801642-3889913597-513.
> ? ? The conflicting domain portions are not supported for NETLOGON calls
>
> Can anyone point me to how to solve this? I'm not what you guys could
call
> an expert in samba :D

The SIDs do not match.

Is this the only domain there? If so, I would simply use ldapmodify to
modify users' SID to match the domain SID. You'll need to replace
S-1-5-21-4161212321-1980848047-2820993626 with
S-1-5-21-874179082-3571801642-3889913597

Unless I've blown my memory on Windows internals, each user's SID is
comprised of the domain's SID, then a "self-refential" RID
portion. That
means a user from the domain DOMINIOS should NOT have what amounts to a
"prefix" that looks as though it came from a different domain. But
unless
I'm mistaken, your logs are telling you exactly that - the domain portion of
the group and user SID's indicate different domains, and that indicates a
problem.

One theory is that perhaps your domain was created, groups and users were
created, but then for some reason your domain SID changed, and perhaps that
led to your described duplicate domain entry (?) problem.

Anyway, I'd take a look at the SIDS of other users and groups and see if
this problem exists for other users or groups on your domain.

-David