Simone Cittadini
2004-Sep-23 09:02 UTC
[Samba] openldap PDC : can't add machine account ; "too many domain info entries"
I've inherited this quite messy openldap server from the previous administrator; samba (3) relies on it for acting as a PDC.
The main problem (while I build a new directory from scratch) is you can't add a machine account to the domain:
On the client it says the credentials are invalid, anyway the real problem (from samba logs) seems to be:

"Got too many (2) domain info entries for domain DOMAIN"

(I've replaced my domain name with 'DOMAIN' and the samba host name with 'host' for no particular reason ...)

host:/etc/samba # strings secrets.tdb | grep SID
&SECRETS/SID/HOST
&SECRETS/SID/DOMAIN   <-- I think this is the problem, since a clean installation on a test machine gives only the first line from the same command, but I can't figure out how to remove the entry.

Other useful info:

1)
host:/ # smbclient -L localhost -U%
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.4-SUSE]

        Server               Comment
        ---------            -------
        HOST                 Samba Server Version 3.0.4-SUSE

        Workgroup            Master
        ---------            -------
        DOMAIN               HOST

2)
host:/ # net getlocalsid
[2004/09/22 11:39:38, 0] lib/smbldap.c:smbldap_search_domain_info(1368)
  Got too many (2) domain info entries for domain DOMAIN
SID for domain HOST is: S-1-5-21-3942806058-2931819711-1847247862

3)
host:/ # pdbedit -Lv user
Got too many (2) domain info entries for domain DOMAIN
Got too many (2) domain info entries for domain DOMAIN
Unix username:        user
NT username:          user
Account Flags:        [U          ]
User SID:             S-1-5-21-3942806058-2931819711-1847247862-2010
Primary Group SID:    S-1-5-21-3942806058-2931819711-1847247862-513
Full Name:            Some User
Home Directory:       \\host\user
HomeDir Drive:        H:
Logon Script:         logon.bat
Profile Path:         \\host\profiles\user
Domain:               DOMAIN
[etc...]
4)
host:/ # net groupmap list
[2004/09/22 11:50:47, 0] lib/smbldap.c:smbldap_search_domain_info(1368)
  Got too many (2) domain info entries for domain DOMAIN
Domain (S-1-5-21-3942806058-2931819711-1847247862-1203) -> domain
Domain Guests (S-1-5-21-3942806058-2931819711-1847247862-514) -> nobody
Domain Users (S-1-5-21-3942806058-2931819711-1847247862-513) -> users
Domain Admins (S-1-5-21-3942806058-2931819711-1847247862-512) -> Domain Admins
Guests (S-1-5-21-3942806058-2931819711-1847247862-546) -> Guests
Power Users (S-1-5-21-3942806058-2931819711-1847247862-547) -> Power Users
Account Operators (S-1-5-21-3942806058-2931819711-1847247862-548) -> Account Operators
Server Operators (S-1-5-21-3942806058-2931819711-1847247862-549) -> Server Operators
Print Operators (S-1-5-21-3942806058-2931819711-1847247862-550) -> Print Operators
Backup Operators (S-1-5-21-3942806058-2931819711-1847247862-551) -> Backup Operators
Replicator (S-1-5-21-3942806058-2931819711-1847247862-552) -> Replicator
Domain Computers (S-1-5-21-3942806058-2931819711-1847247862-553) -> Domain Computers

5) [the exported LDIF of the ldap domain entry]
dn: sambaDomainName=DOMAIN, dc=domain, dc=com
sambaNextUserRid: 4000
sambaSID: S-1-5-21-3942806058-2931819711-1847247862
sambaNextGroupRid: 4001
objectClass: sambaDomain
sambaAlgorithmicRidBase: 1000
sambaDomainName: DOMAIN

6) [relevant lines from smb.conf]
netbios name = HOST
workgroup = DOMAIN
passdb backend = ldapsam:ldap://localhost/
ldap suffix = dc=domain,dc=com
ldap admin dn = cn=Manager,dc=domain,dc=com
ldap ssl = on
ldap user suffix = ou=people
ldap group suffix = ou=Group
ldap machine suffix = ou=people
#ldap filter = ($(uid=%u)(objectclass=sambaSAMAccount))
ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldaps://host.domain.com
add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'

thanks

-- 
Simone Cittadini
=================
COMVERT S.R.L.
via F.lli Bressan, 21
20126 Milano - ITALY
Tel +39.02.27006796 (wait for a beep) 103
simonec@comvert.com
http://www.comvert.com
Andrew Bartlett
2004-Sep-23 10:59 UTC
[Samba] openldap PDC : can't add machine account ; "too many domain info entries"
On Thu, 2004-09-23 at 19:01, Simone Cittadini wrote:
> I've inherited this quite messy openldap server from the previous
> administrator; samba (3) relies on it for acting as a PDC.
> The main problem (while I build a new directory from scratch) is you
> can't add a machine account to the domain:
> On the client it says the credentials are invalid, anyway the real
> problem (from samba logs) seems to be:
>
> "Got too many (2) domain info entries for domain DOMAIN"
>
> (I've replaced my domain name with 'DOMAIN' and the samba host name with 'host'
> for no particular reason ...)
>
> host:/etc/samba # strings secrets.tdb | grep SID
> &SECRETS/SID/HOST
> &SECRETS/SID/DOMAIN <-- I think this is the problem, since a clean
> installation on a test machine gives only the first line from the same
> command, but I can't figure out how to remove the entry.

Open up your ldap server in a tool like 'gq', and remove the incorrect (or both) 'sambaDomain=DOMAIN' entry in your ldap database. Somehow, you got two of them, and Samba doesn't like that. Samba uses this to store the domain SID, and other information, in the LDAP directory.

Andrew Bartlett
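An added example, not from either poster, of checking the directory before deleting anything by hand: it parses an LDIF export (the constructed sample below has two sambaDomain objects for one domain, as in this thread), groups them by sambaDomainName, keeps the one whose sambaSID matches the SID that 'net getlocalsid' printed, and emits an LDIF delete record for the rest so the change can be reviewed and applied with ldapmodify. The DNs, the second SID and the ou=old container are assumptions made up for the sample.

```python
import re
from collections import defaultdict
# Constructed sample export (not from the thread): two sambaDomain objects for one domain.
SAMPLE_LDIF = """\
dn: sambaDomainName=DOMAIN,dc=domain,dc=com
objectClass: sambaDomain
sambaDomainName: DOMAIN
sambaSID: S-1-5-21-3942806058-2931819711-1847247862

dn: sambaDomainName=DOMAIN,ou=old,dc=domain,dc=com
objectClass: sambaDomain
sambaDomainName: DOMAIN
sambaSID: S-1-5-21-111111111-222222222-333333333
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] per record; unfolds continuation lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.replace("\n ", "").splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                attrs[key.lower()].append(value)
        if attrs["dn"]:
            records.append((attrs["dn"][0], attrs))
    return records

def domain_entries(records):
    """Group sambaDomain objects by sambaDomainName -> [(dn, sambaSID)]."""
    by_name = defaultdict(list)
    for dn, attrs in records:
        if "sambadomain" in [oc.lower() for oc in attrs["objectclass"]]:
            sid = attrs["sambasid"][0] if attrs["sambasid"] else None
            by_name[attrs["sambadomainname"][0].upper()].append((dn, sid))
    return by_name

def find_stale(records, local_sid):
    """DNs to review per domain with >1 entry; the single entry matching local_sid is kept."""
    stale = {}
    for name, entries in domain_entries(records).items():
        if len(entries) > 1:
            keep = [dn for dn, sid in entries if sid == local_sid]
            keep = keep if len(keep) == 1 else []  # no/ambiguous match: list all
            stale[name] = [dn for dn, _ in entries if dn not in keep]
    return stale

def delete_ldif(dns):
    """LDIF 'changetype: delete' records for ldapmodify, after manual review."""
    return "".join(f"dn: {dn}\nchangetype: delete\n\n" for dn in dns)
```

When no entry (or more than one) carries the local SID, every duplicate is listed and the admin has to decide, which is the case where keeping a backup of both entries before deleting matters most.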