Hi,

I am trying to set up Samba as a PDC on our network and having some difficulty. I established a trusted machine account and added it to the domain. Samba will however not release the SIDs needed by our servers working off of it.

I get the following message when trying to do a gpresult [microsoft resource kit]:

LookupAccountSid failed with 1789

I did a grep through samba 2.2.8b and samba 3.0.0b3 sources and couldn't even pull up that 'AccountSid' command. Is this not supported at all? Will I be forced to enter the depths of Windows as a PDC? It doesn't seem too complicated to release the SIDs to trusted machines [such as the one which does our user map services]... isn't that what I'm trying to do here?

-Mike
On Thu, 2003-08-07 at 23:22, Mike Miller wrote:
> Hi,
> I am trying to set up Samba as a PDC on our network and having some
> difficulty. I established a trusted machine account and added it to the
> domain. Samba will however not release the SIDs needed by our servers
> working off of it.

what are you talking about? I don't know what releasing a SID means.

brad

PS
don't cross post to samba-technical
Well, the Windows 2000 machine is trying to obtain the SID for a user [domain\username], but it is very tight about such security of the users' SIDs. It _will_ give me a list of users, but not their SIDs in order to assign file permissions to these users.

Sorry about the cross-post.

-M

>From: Brad Langhorst <brad@langhorst.com>
>To: Mike Miller <temp6453@hotmail.com>
>CC: samba@lists.samba.org
>Subject: Re: [Samba] PDC Functions
>Date: 07 Aug 2003 23:27:14 -0400
>
>On Thu, 2003-08-07 at 23:22, Mike Miller wrote:
> > Hi,
> > I am trying to set up Samba as a PDC on our network and having some
> > difficulty. I established a trusted machine account and added it to the
> > domain. Samba will however not release the SIDs needed by our servers
> > working off of it.
>what are you talking about? I don't know what releasing a SID means.
>
>brad
>
>PS
>don't cross post to samba-technical
What I'm attempting to do is get Services for Unix working on a win2k box, running off of a Samba PDC. I am having great difficulty doing so. I have added a trust relationship and added the 2k server into the domain. I then try and change ownership to anyone in the domain without luck. It always gives me that the Sid Lookup Failed. Microsoft said the following and basically told me to use an NT/2k PDC. I completely trust the machine in every way, so I'm not too worried about security of the machine, however I want it to work on these RPC calls to get the SIDs. For some reason, it doesn't seem to be giving me any SIDs. Any ideas?

--- START M$ ANSWER ---
No. The NFS server running on your file server will need the mapped domain user's SID in order to impersonate him while accessing files. The DC will not give out that SID unless the NFS subauthentication DLL (aka Server for NFS Authentication) is installed on it. In other words, you will have to migrate the DC first, and install Server for NFS Auth on it if you need to use mapped domain users... Further, the DC should be running pre-Win2k compat mode if the mapping server (running as local service on a member server) is to be able to get the list of users.
--- END M$ ANSWER ---

-Mike

>From: Brad Langhorst <brad@langhorst.com>
>To: Mike Miller <temp6453@hotmail.com>
>CC: samba@lists.samba.org
>Subject: Re: [Samba] PDC Functions
>Date: 08 Aug 2003 00:19:24 -0400
>
>On Thu, 2003-08-07 at 23:33, Mike Miller wrote:
> > Well The windows 2000 machine is trying to obtain the SID for a user
> > [domain\username],
>is that 2k machine joined to the samba domain?
>the SID is not really a secret so i don't know why it would be tight
>about them
>if the sid is just the machine's SID + a user ID
>2*UID+2 (if i recall correctly)
>you can determine the samba machine's SID with
>rpcclient (lsaquery command)
>
> > but it is very tight about such security of the users'
> > SIDs.
>windows is tight or samba is tight?
>
> > It _will_ give me a list of users, but not their SIDs in order to
> > assign file permissions to these users.
>there should be no users on the win2k machine in a pdc environment.
>
>Are you trying to migrate to samba?
>There is tool to suck out the info from an NT4 pdc (vampire)
>but I'm not aware of any tool to migrate from 2k to samba.
>
>I don't know how to determine the SIDs of your 2k users but they must be
>in the 2k user manager somewhere.
>
>What's stopping you from just recreating all the users on the new PDC?
>
>I don't really understand what you're trying to do... sorry
>
>brad
On Fri, 2003-08-08 at 10:41, Mike Miller wrote:
> What I'm attempting to do is get services for unix working on a win2k box,
> running off of a samba PDC. I am having great difficulty doing so. I have
> added a trust relationship and added the 2k server into the domain. I then
> try and change ownership to anyone in the domain without luck. It always
> gives me that the Sid Lookup Failed. Microsoft said the following and
> basically told me to use an NT/2k PDC. I completely trust the machine in
> every way, so I'm not too worried about security of the machine, however I
> want it to work on these RPC calls to get the SIDs. For some reason, it
> doesn't seem to be giving me any SIDs. Any ideas?

A couple of things:

1. All shared files must have the same UID/GID mappings. NFS handles permissions by UID/GID, so if you are getting your UID/GID information from an LDAP server this is not a problem. All information is always consistent.

2. Since SIDs of domain accounts (users, groups, or computers) include a SID assigned to the domain in which they are created, your SMB server will need the user's RID and domain SID in order for the clients to access volumes. Here's why: the <MACHINE SID> along with the <DOMAIN SID> is used during the challenge-auth stage to determine if the machine can access the domain. After that the domain SID is concatenated with the RID of the account to create the account's unique identifier.

Conclusion: as long as you clone the Domain SID, User RID, and NT/LM Hashed Password you should be good to go.

PS. I don't know if you are using Samba 2.2 or Samba 3, but remember, Samba 3 [is] still beta. I haven't seen *not one* post from anybody to successfully and seamlessly migrate a NT PDC to a Samba 3 PDC. However, I can say that I have done this with 2.2.8a and LDAP completely and flawlessly. ;-)

Hope this helps.

--
Scott
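The SID structure Scott describes (domain SID concatenated with the account RID), together with the uid-to-RID mapping Brad recalls, as an added illustration that is not part of this thread or of Samba's own code. It assumes Samba's documented default algorithmic mapping (rid = 2*uid + "algorithmic rid base", which defaults to 1000; group RIDs add 1), and the domain SID below is a constructed sample value.

```python
# Added example: compose and decompose domain account SIDs, and map Unix
# ids to/from RIDs using Samba's default algorithmic mapping (assumption:
# "algorithmic rid base" left at its default of 1000, multiplier 2).
import re

RID_MULTIPLIER = 2
ALGORITHMIC_RID_BASE = 1000  # Samba's documented default

# Constructed sample domain SID (not a value from the thread).
DOMAIN_SID = "S-1-5-21-1234567890-987654321-1357924680"

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid: str) -> list[int]:
    """Return the numeric components after 'S-1' or raise on a malformed SID."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    return [int(part) for part in sid.split("-")[2:]]


def uid_to_rid(uid: int) -> int:
    """Samba algorithmic mapping for users: rid = uid*2 + base."""
    return uid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE


def gid_to_rid(gid: int) -> int:
    """Samba algorithmic mapping for groups: rid = gid*2 + base + 1."""
    return gid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE + 1


def account_sid(domain_sid: str, rid: int) -> str:
    """Concatenate the domain SID with the account RID (Scott's point 2)."""
    parse_sid(domain_sid)  # validate before building on it
    return f"{domain_sid}-{rid}"


def split_account_sid(sid: str) -> tuple[str, int]:
    """Recover (domain SID, RID) from a full account SID."""
    parts = sid.split("-")
    domain_sid, rid = "-".join(parts[:-1]), int(parts[-1])
    parse_sid(domain_sid)  # the remainder must itself be a valid SID
    return domain_sid, rid


def rid_to_unix_id(rid: int) -> tuple[str, int]:
    """Invert the algorithmic mapping: ('uid', n) or ('gid', n)."""
    if rid < ALGORITHMIC_RID_BASE:
        raise ValueError(f"RID {rid} is below the base; not algorithmically mapped")
    offset = rid - ALGORITHMIC_RID_BASE
    kind = "uid" if offset % RID_MULTIPLIER == 0 else "gid"
    return kind, offset // RID_MULTIPLIER
```

RIDs below the base (e.g. 500 for Administrator, 512 for Domain Admins) are well-known and are never produced by the algorithmic mapping, which is why the inverse refuses them.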