Bryan K. Walton
2004-Dec-13 15:32 UTC
[Samba] Samba PDC Server Local SID, Domain SID, and GROUP RID Question
Hi,

I have a question regarding an issue I am having with our new Samba PDC. We used to be running an NT domain controller and about two months ago, I made the transition to a Debian Linux box running Samba. The PDC is currently running Samba 3.0.8.

My samba PDC is using the tdbsam backend and, for the most part, is working flawlessly. However, when using smbpasswd to add samba accounts, I always get the following error:

tdb_update_sam: Failing to store a SAM_ACCOUNT for [userid] without a primary group RID

I have a temporary workaround. I set up my samba accounts using pdbedit and specifying a group RID for the new user:

pdbedit -G S-1-5-21-1590455367-7305976-751859383-513 -a <username>

Now, I've googled a lot on this and have read through the mailing list archives and know that this often has to do with people not having group mapping setup. But I do:

jerry:~# net groupmap list | grep users
Users (S-1-5-32-545) -> users
Domain Users (S-1-5-21-1590455367-7305976-751859383-513) -> users

So, digging deeper, here is something I have discovered and don't know if this might be the source of my trouble:

When I was testing my Samba PDC (the hostname is "jerry"), I set up a test domain, called JERRY. When I made the actual transition, the domain was changed to our real domain, WECC-DOMAIN. And yesterday, I noticed this:

jerry:~# net getdomainsid
SID for domain JERRY is: S-1-5-21-675875985-4049016363-1657815630
SID for domain WECC-DOMAIN is: S-1-5-21-1590455367-7305976-751859383

The domain JERRY technically shouldn't exist anymore, at least I don't need it to. You will notice that the group RID I specify when adding accounts using pdbedit matches WECC-DOMAIN and that my group mapping is also for the domain WECC-DOMAIN.

Is it possible that this SID for the JERRY domain is interfering with my setting up accounts with smbpasswd?

Thanks!
Bryan Walton
Bryan K. Walton
2004-Dec-17 17:35 UTC
[Samba] Re: Samba PDC Server Local SID, Domain SID, and GROUP RID Question
On Mon, Dec 13, 2004 at 09:32:27AM -0600, bryanw wrote:
> My samba PDC is using the tdbsam backend and, for the most part
> is working flawlessly. However, when using smbpasswd to add samba accounts,
> I always get the following error:
>
> tdb_update_sam: Failing to store a SAM_ACCOUNT for [userid] without a primary
> group RID
>
> Now, I've googled a lot on this and have read through the mailing list
> archives and know that this often has to do with people not having
> group mapping setup. But I do:
>
> jerry:~# net groupmap list | grep users
> Users (S-1-5-32-545) -> users
> Domain Users (S-1-5-21-1590455367-7305976-751859383-513) -> users
>

As it turns out, I had group mapping set up, but "too" thoroughly. Found this in the archives:

-- snip --
The problem can be also caused if you already have 'Domain Users -> users' and add 'Users -> users' since Samba maps gid -> SID by finding the first SID -> gid mapping with the right gid and will fail if 'Users -> users' is the first map it encounters.
-- end snip --

Thanks,
Bryan Walton
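
Added example (not part of the original thread, and not Samba project code): a check for the condition the archive snippet describes, where more than one SID maps to the same Unix group. It assumes the `net groupmap list` line format shown in the thread; the sample's first two lines are from the post, while the "Domain Admins" line and the `ntadmins` group are constructed.

```shell
#!/bin/sh
# Flag Unix groups that more than one NT group/SID is mapped to.
# Expected input, one mapping per line, as printed in the thread:
#   NT name (SID) -> unixgroup

# Reads mappings on stdin. Prints "<unixgroup>: <SID> <SID> ..." for every
# Unix group with more than one mapping; SIDs appear in input order.
find_duplicate_groupmaps() {
    awk '
    match($0, /\(S-[0-9-]+\) -> /) {
        sid  = substr($0, RSTART + 1, RLENGTH - 6)  # drop "(" and ") -> "
        unix = substr($0, RSTART + RLENGTH)         # text after " -> "
        if (!(unix in count)) order[++n] = unix     # remember first-seen order
        count[unix]++
        sids[unix] = sids[unix] " " sid
    }
    END {
        for (k = 1; k <= n; k++) {
            u = order[k]
            if (count[u] > 1) printf "%s:%s\n", u, sids[u]
        }
    }'
}

# Sample input: first two lines from the thread, third line constructed.
sample_groupmap() {
    cat <<'EOF'
Users (S-1-5-32-545) -> users
Domain Users (S-1-5-21-1590455367-7305976-751859383-513) -> users
Domain Admins (S-1-5-21-1590455367-7305976-751859383-512) -> ntadmins
EOF
}

# On a live PDC the input would be:  net groupmap list | find_duplicate_groupmaps
sample_groupmap | find_duplicate_groupmaps
```

Any line printed names a Unix group whose gid -> SID lookup is ambiguous; an empty result means each Unix group has a single mapping.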