Hello,

This is about another attempt of joining a (samba controlled) domain.

It is samba version 3.0.14 with a LDAP backend.
The client is a Windows XP computer.

I do get message "welcome to the domain" (reboot to activate)
But a user login fails ...

I think I have nailed it down to a strange SID that the client brings in.

On a working system I have this LDAP entry:

| dn: uid=tosh$,ou=Computers,ou=Users,dc=yourdomain,dc=tld
| objectClass: top
| objectClass: inetOrgPerson
| objectClass: posixAccount
| objectClass: sambaSamAccount
| cn: tosh$
| sn: tosh$
| uid: tosh$
| uidNumber: 2014
| gidNumber: 515
| homeDirectory: /dev/null
| loginShell: /bin/false
| description: Computer
| gecos: Computer
| structuralObjectClass: inetOrgPerson
| sambaSID: S-1-5-21-2689494773-1951033108-3857615256-5028
| sambaPrimaryGroupSID: S-1-5-21-2689494773-1951033108-3857615256-515
| displayName: TOSH$
| sambaPwdMustChange: 2147483647
| sambaAcctFlags: [W ]
| sambaPwdCanChange: 1128030550
| sambaNTPassword: 6EB64F5A71C942C2FAFF3AC003B03686
| sambaPwdLastSet: 1128030550

Note the same base SID

On the failing system there is this after adding a client:

| dn: uid=coco$,ou=Computers,ou=Users,dc=yourdomain,dc=tld
| objectClass: top
| objectClass: inetOrgPerson
| objectClass: posixAccount
| objectClass: sambaSamAccount
| cn: coco$
| sn: coco$
| uid: coco$
| uidNumber: 2015
| gidNumber: 515
| homeDirectory: /dev/null
| loginShell: /bin/false
| description: Computer
| gecos: Computer
| sambaSID: S-1-5-21-1217595360-3837695174-1118015926-5030
| sambaPrimaryGroupSID: S-1-5-21-2202232871-2120539869-948389690-515
| displayName: COCO$
| sambaPwdCanChange: 1128087802
| sambaPwdMustChange: 2147483647
| sambaNTPassword: 43C26C7D4326A9C5746A35B643E3FB5B
| sambaPwdLastSet: 1128087802
| sambaAcctFlags: [W ]

Note the different base SID.

Could it be confirmed that base SIDs should be the same?
(or could be told that it is okay ;-)

Anyway: which way to go ? ( or what to read next ? ;-)

Cheers
Geert Stappers

On Sat, Oct 01, 2005 at 01:28:21AM +0200, Geert Stappers wrote:
>
> Hello,
>
> This is about another attempt of joining a (samba controlled) domain.
>
> It is samba version 3.0.14 with a LDAP backend.
> The client is a Windows XP computer.
>
> I do get message "welcome to the domain" (reboot to activate)
> But a user login fails ...
>
> I think I have nailed it down to a strange SID that the client brings in.
>
> On a working system I have this LDAP entry:
>
> | dn: uid=tosh$,ou=Computers,ou=Users,dc=yourdomain,dc=tld
<snip/>
> | sambaSID: S-1-5-21-2689494773-1951033108-3857615256-5028
> | sambaPrimaryGroupSID: S-1-5-21-2689494773-1951033108-3857615256-515
>
> Note the same base SID
>
> On the failing system there is this after adding a client:
>
> | dn: uid=coco$,ou=Computers,ou=Users,dc=yourdomain,dc=tld
<snip/>
> | sambaSID: S-1-5-21-1217595360-3837695174-1118015926-5030
> | sambaPrimaryGroupSID: S-1-5-21-2202232871-2120539869-948389690-515
>
> Note the different base SID.
>
> Could it be confirmed that base SIDs should be the same?
> (or could be told that it is okay ;-)
>

The output of

    ldapsearch -LLLH ldaps://LDAPHOST \
        -WxD uid=smbadmin,ou=people,ou=users,dc=yourdomain,dc=tld \
        -b dc=yourdomain,dc=tld \
        "(&(ObjectClass=posixAccount)(gidNumber=515))" \
        sambaSID sambaPrimaryGroupSID

would be helpful to determine the track to continue

>
> Anyway: which way to go ? ( or what to read next ? ;-)
>

Cheers
Geert Stappers

On Sat, Oct 01, 2005 at 08:09:41AM +0200, Geert Stappers wrote:
> On Sat, Oct 01, 2005 at 01:28:21AM +0200, Geert Stappers wrote:
> >
<snip/>
> >
> > I do get message "welcome to the domain" (reboot to activate)
> > But a user login fails ...
> >
> > I think I have nailed it down to a strange SID that the client brings in.
> >
> > On a working system I have this LDAP entry:
<snip/>
> >
> > Note the same base SID
> >
> > On the failing system there is this after adding a client:
<snip/>
> > Note the different base SID.
> >
> > Could it be confirmed that base SIDs should be the same?
> > (or could be told that it is okay ;-)
> >
>
> The output of
>
<snip/>
>
> would be helpful to determine the track to continue
>
> >
> > Anyway: which way to go ? ( or what to read next ? ;-)
> >

The computer was moved into another network (previously untold)
That did affect the SID

Forcing the SID to the previous value was done wrong.

Right way to get matching SIDs in samba & ldap was:

    /etc/init.d/samba stop
    cd /var/lib/samba && rm *
    smbpasswd -w secret         # allows samba to read from ldap
    /etc/init.d/samba start     # ldap SID into samba databases
    /etc/init.d/samba restart   # get the dead smbd running again

Cheers
Geert Stappers
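
Added example (not part of the original thread): a shell function that reads LDIF such as the output of the ldapsearch query suggested above and flags accounts whose sambaSID and sambaPrimaryGroupSID do not share one domain SID, optionally also comparing against an expected domain SID given as the first argument. The function names and the trimmed sample LDIF, built from the two entries quoted in the thread, are assumptions for illustration.

```shell
#!/bin/sh
# Added example: flag accounts whose SIDs do not share one domain (base) SID.
# Reads LDIF on stdin; optional $1 is the domain SID every entry should carry.
check_samba_sids() {
    awk -v want="$1" '
    # Domain SID = SID with its last sub-authority (the RID) removed.
    function base(sid) { sub(/-[0-9]+$/, "", sid); return sid }
    function handle(line,   l) {
        l = tolower(line)
        if (l ~ /^dn: /)                        dn    = substr(line, 5)
        else if (l ~ /^sambasid: /)             user  = substr(line, 11)
        else if (l ~ /^sambaprimarygroupsid: /) group = substr(line, 23)
    }
    function report(   why) {
        if (dn == "") return
        if (user == "" || group == "")      why = "SID attribute missing"
        else if (base(user) != base(group)) why = "user and group domain SIDs differ"
        else if (want != "" && base(user) != want) why = "not the expected domain SID"
        if (why == "") print "OK " dn
        else { print "MISMATCH " dn " (" why ")"; bad++ }
        dn = user = group = ""
    }
    /^ / { cur = cur substr($0, 2); next }   # folded LDIF line: join to previous
         { handle(cur); cur = $0 }           # previous logical line is complete
    /^$/ { report() }                        # blank line ends an entry
    END  { handle(cur); report(); exit (bad > 0) }
    '
}

# Constructed sample: the two machine accounts from the thread, trimmed to the
# attributes the ldapsearch query requests (hypothetical helper).
sample_ldif() {
    cat <<'EOF'
dn: uid=tosh$,ou=Computers,ou=Users,dc=yourdomain,dc=tld
sambaSID: S-1-5-21-2689494773-1951033108-3857615256-5028
sambaPrimaryGroupSID: S-1-5-21-2689494773-1951033108-3857615256-515

dn: uid=coco$,ou=Computers,ou=Users,dc=yourdomain,dc=tld
sambaSID: S-1-5-21-1217595360-3837695174-1118015926-5030
sambaPrimaryGroupSID: S-1-5-21-2202232871-2120539869-948389690-515
EOF
}

# Exit status is 1 when any entry is flagged, so it can gate a cron check.
sample_ldif | check_samba_sids || echo "at least one entry needs attention"
```

In real use the ldapsearch output is piped straight into check_samba_sids; the value printed by `net getlocalsid` can be passed as the expected domain SID.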