On Wed, 2006-03-15 at 19:21 -0500, Yang Xiao wrote:>
>
> On 3/15/06, Craig White <craigwhite@azapple.com> wrote:
> On Wed, 2006-03-15 at 17:45 -0500, Yang Xiao wrote:
> >
> >
> > On 3/15/06, Craig White <craigwhite@azapple.com> wrote:
> > On Wed, 2006-03-15 at 16:20 -0500, Yang Xiao wrote:
> > > Hi Everyone,
> > > I've been getting this error when trying to
login
> from an XP
> > box to a Samba
> > > 3 + LDAP PDC, but failed.
> > >
> > > [2006/03/15 17:48:12, 1]
> > rpc_server/srv_netlog_nt.c:_net_sam_logon(766)
> > > _net_sam_logon: user Domain\user has user sid
> > > S-1-5-21-3570476861-1302945835-1904156257-3004
> > > but group sid
> > S-1-5-21-790863915-1833833965-864709722-513.
> > > The conflicting domain portions are not
> supported for
> > NETLOGON calls
> > >
> > > I did some research and found this is due to SID
> mismatch as
> > it is shown
> > > with the user sid and group sid
> > >
> > > net getlocalsid on the dc shows
> > S-1-5-21-3570476861-1302945835-1904156257
> > > and net getlocalsid DOMAIN shows
> > S-1-5-21-3570476861-1302945835-1904156257
> > > as well.
> > >
> > > but, net groupmap list shows
> > >
> > > Domain Admins
> (S-1-5-21-790863915-1833833965-864709722-512)
> > -> Domain Admins
> > > Domain Users
> (S-1-5-21-790863915-1833833965-864709722-513)
> > -> Domain Users
> > > Domain Guests
> (S-1-5-21-790863915-1833833965-864709722-514)
> > -> Domain Guests
> > > Domain Computers
> > (S-1-5-21-790863915-1833833965-864709722-515) ->
> Domain
> > > Computers
> > > Administrators (S-1-5-32-544) ->
Administrators
> > > Account Operators (S-1-5-32-548) -> Account
> Operators
> > > Print Operators (S-1-5-32-550) -> Print
Operators
> > > Backup Operators (S-1-5-32-551) -> Backup
> Operators
> > > Replicators (S-1-5-32-552) -> Replicators
> > > systems
> (S-1-5-21-3570476861-1302945835-1904156257-3003) ->
> > systems
> > > development
> (S-1-5-21-3570476861-1302945835-1904156257-3005)
> > -> development
> > > analytics
> (S-1-5-21-3570476861-1302945835-1904156257-3007)
> > -> analytics
> > >
> > > and most of my user/machine accounts have sids
> like this
> > > S-1-5-21-790863915-1833833965-864709722-xxxx.
> > > but the smbldap.conf says the sid is set to
> > >
SID="S-1-5-21-3570476861-1302945835-1904156257"
> > >
> > > then according to LDAP
> > > dn: sambaDomainName=Domain,dc=Domain,dc=com
> > > sambaSID:
> S-1-5-21-3570476861-1302945835-1904156257
> > >
> > > so this is a certified bloody mess, my question
> is, does
> > this mean I have to
> > > change every instance of sid that's
> > > S-1-5-21-790863915-1833833965-864709722-xxxx in
> LDAP? what's
> > a good way of
> > > doing this?
> > >
> > > Many thanks!
> > >
> > > - Yang
> > >
> > > smb.conf & slapd.conf attached
> > ----
> > # net groupmap help
> > net groupmap add
> > Create a new group mapping
> > net groupmap modify
> > Update a group mapping
> > net groupmap delete
> > Remove a group mapping
> > net groupmap addmem
> > Add a foreign alias member
> > net groupmap delmem
> > Delete a foreign alias member
> > net groupmap listmem
> > List foreign group members
> > net groupmap memberships
> > List foreign group memberships
> > net groupmap list
> > List current group map
> > net groupmap set
> > Set group mapping
> > net groupmap cleanup
> > Remove foreign group mapping entries
> >
> > hmm...that last one seems interesting...
> >
> > Craig
> > Hi,
> >
> > Forgive my brain deadness, I guess you are saying I should
> map the
> > groups with sids that doesn't match the domain sid to
groups
> that have
> > the correct sids? that means I will have to create new
> groups for the
> > mapping. which makes sense. But what's troubling me is
that
> this has
> > been working for 4 month, and I don't remember doing any
> group
> > mappings.
> ----
> I would probably go with what ever the Users registry hives
> and the
> Computers think that the base SID is because those are much
> harder to
> change.
>
> You could slapcat your entire DSA out and use some kind of
> text editor
> with find/replace and do one wholesale change of your entire
> LDAP DSA
> and them slapadd it all back in...simple, neat, efficient,
> fast.
>
> you can netsetlocalsid to simply change the SID of the domain
> itself.
>
> you can fix the groupmaps by 'net groupmap cleanup'
>
> The system tolerates a broken setup to some extent which is
> why having
> users belong to groups whose SID doesn't match the domain
> possibly
> because these things would occur with a trusted domain where a
> user
> might have a membership to a group, etc.
>
> you can add the lost groups back in (if you do a net groupmap
> cleanup)
> by following documentation...
>
> net groupmap add ...
>
> and even do
>
> net groupmap delete ...
>
> if you don't want to do the net groupmap cleanup thing and
> want some
> hands on experience with the commands
>
> Craig
>
>
> Ok, my fault, I didn't know what I was doing.
> did a net groupmap cleanup
> then tried to add
> net groupmap add sid=S-1-5-21-790863915-1833833965-864709722-513
> unixgroup=users ntgroup="Domain Users"
> and got this error : adding entry for group Domain Users failed!
>
> it turns out the group has been deleted from LDAP as well.
>
> so I figure I need to add them back ?
----
yeah - that makes sense...I haven't used the net group add/delete since
I figured out LDAP and get it set in LDAP which really is displayName is
the 'Windows Group' name and the other is the 'posix group' name
and of
course, they can be the same - as it was in your setup where both were
set "Domain Users" "Domain Admins" etc.
Craig