Hi, I've searched a lot, but I haven't found a solution to it. I have this:

One server with Samba 3.0.14a-3sarge1 on Debian Sarge. This Samba uses LDAP as passdb backend; everything works great until this point.

I have another Samba 3.0.24-6etch4 on Debian Etch.

The Samba 3.0.14a-3sarge1 has:

    security = user
    passdb backend = ldapsam:ldap://127.0.0.1/

The Samba 3.0.24-6etch4 on Debian Etch:

    security = server
    password server = name_of_the_other_samba_with_ldap

So the thing is that on the Samba 3.0.14a-3sarge1 I can map share volumes from Windows Vista; on the other hand, on Samba 3.0.24-6etch4 I cannot map the share volumes with Windows Vista. It works great from any other Windows up to Windows 2003.

So I tried changing the configuration in Samba 3.0.24-6etch4 to:

    security = user
    passdb backend = ldapsam:ldap://ip.of.samba.with.ldap/

and also added the other necessary stuff, and after the changes, when I try to map the shares on the Samba 3.0.24-6etch4 from Windows Vista, I get this error:

    User mf with invalid SID S-1-5-21-3688588122-661306053-2264363457-21150 in passdb

However, on the Linux box I try:

    smbclient -L //localhost -Umf

It connects and I can see the shares, but with:

    smbclient -L //localhost/dat -Umf

I type the password and get the same error.

So I tried to put in the SID of the Samba server with the LDAP tree, with:

    net setdomainsid S-1-5-21-3688588122-661306053-2264363457
    net setdomainsid -W domain S-1-5-21-3688588122-661306053-2264363457

and when I do:

    SID for domain LINUX_14NORTE is: S-1-5-21-4042076608-3156973157-4245816591

I still get the other one.

So, I read that some guys tried to modify the secrets.tdb, but it does not work for me.

Does somebody have any idea about how to put in or change the SID?

Thanks in advance!

Michael.-
On 22/8/07 18:37, "M. Michael Fernández" <michael@michael.cl> wrote:

> So I tried to put in the SID of the Samba server with the LDAP tree, with:
>
>     net setdomainsid S-1-5-21-3688588122-661306053-2264363457
>     net setdomainsid -W domain S-1-5-21-3688588122-661306053-2264363457
>
> and when I do:
>
>     SID for domain LINUX_14NORTE is: S-1-5-21-4042076608-3156973157-4245816591
>
> I still get the other one.
>
> So, I read that some guys tried to modify the secrets.tdb, but it does not work for me.
>
> Does somebody have any idea about how to put in or change the SID?

Ran into exactly the same issue a few weeks ago and was helped on this very list. What I ended up doing was to use an LDAP browser and edit the domain accounts for each machine to have the same SID.

Bjørn

--
Bjørn Tore Sund            Phone: 555-84894
Email: bjorn.sund@it.uib.no
IT department              VIP: 81724
Support: http://bs.uib.no  Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.
> What I ended up doing was to use an LDAP browser
> and edit the domain accounts for each machine to
> have the same SID.

We're not using LDAP, but we can manipulate the trivial database file "secrets.tdb" to set the local SID to any sensible SID. Is it OK to set the local SID to the same value as the domain SID?

In our network the PDC server has the same local SID as the domain SID. All other member servers register the same domain SID for the domain and a totally different local SID for themselves in "secrets.tdb". This works quite well, except that sometimes there is an entry in the Samba logs that a domain-qualified user SID with the correct RID for an existing user, with the same UID=(RID-1000)/2 and the same GIDs on all member servers, can't be mapped to his name, e.g.

    [2007/08/21 20:48:26, 0] smbd/posix_acls.c:create_canon_ace_lists(1421)
      create_canon_ace_lists: unable to map SID S-1-5-21-3574958883-2392404172-2943802112-2590 to uid or gid.

whereby RID=2590 translates to UID=795, a well-known user in our domain S-1-5-21-3574958883-2392404172-2943802112.

Is it OK to set the local SID to the same value as the domain SID, as the quoted posting seems to imply?
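As an added example (not code from this thread or from the Samba project), a small Python check that takes the two SIDs a member server knows, pasted from `net getdomainsid` and `net getlocalsid` output, and classifies each "unable to map SID" log entry by whether its domain part matches the domain SID, the machine's own local SID, or neither. It assumes Samba's default algorithmic RID mapping (rid = uid*2+1000 for users, gid*2+1001 for groups), which is the UID=(RID-1000)/2 rule the post above uses; the domain name "EXAMPLE" and the three log entries are constructed from SIDs quoted in the thread.

```python
import re

RID_BASE = 1000  # Samba's default "algorithmic rid base"
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3,4}\b")
UNMAPPED_RE = re.compile(r"unable to map SID (S-1-5-21(?:-\d+){3}-\d+)")

def parse_net_sid(output):
    """Pull the SID out of 'SID for domain X is: S-1-5-21-...' (net getdomainsid/getlocalsid)."""
    m = SID_RE.search(output)
    return m.group(0) if m else None

def split_sid(sid):
    """'S-1-5-21-a-b-c-rid' -> ('S-1-5-21-a-b-c', rid)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def rid_to_unix(rid):
    """Invert Samba's algorithmic mapping (uid*2+1000, gid*2+1001); RID 2590 -> uid 795."""
    off = rid - RID_BASE
    if off < 0:
        return None  # well-known RIDs below the base are not algorithmic
    return ("uid", off // 2) if off % 2 == 0 else ("gid", off // 2)

def classify(sid, domain_sid, local_sid):
    """Which SID namespace an unmapped SID falls in, plus its RID and algorithmic id."""
    dom, rid = split_sid(sid)
    if dom == domain_sid:
        origin = "domain"   # genuine domain account: the idmap/LDAP lookup is what failed
    elif dom == local_sid:
        origin = "local"    # machine SID used where a domain SID was expected
    else:
        origin = "foreign"  # neither: a stale SID from another installation or domain
    return origin, rid, rid_to_unix(rid)

def diagnose(log_lines, domain_sid, local_sid):
    """(sid, origin, rid, unix_id) for every 'unable to map SID' entry in a Samba log."""
    hits = [m.group(1) for m in map(UNMAPPED_RE.search, log_lines) if m]
    return [(sid,) + classify(sid, domain_sid, local_sid) for sid in hits]

# Constructed input: the domain SID and log entry quoted above, the LINUX_14NORTE SID
# from the first message standing in as local SID, and that message's invalid user SID.
DOMAIN_SID = parse_net_sid("SID for domain EXAMPLE is: S-1-5-21-3574958883-2392404172-2943802112")
LOCAL_SID = parse_net_sid("SID for domain LINUX_14NORTE is: S-1-5-21-4042076608-3156973157-4245816591")
SAMPLE_LOG = [
    "  create_canon_ace_lists: unable to map SID S-1-5-21-3574958883-2392404172-2943802112-2590 to uid or gid.",
    "  create_canon_ace_lists: unable to map SID S-1-5-21-4042076608-3156973157-4245816591-1001 to uid or gid.",
    "  create_canon_ace_lists: unable to map SID S-1-5-21-3688588122-661306053-2264363457-21150 to uid or gid.",
]
```

A "domain" hit with a sane algorithmic id points at the idmap or LDAP lookup on that member server, while "local" or "foreign" hits mean the SID stored in secrets.tdb or in the account entries disagrees with the domain, which is the mismatch this thread is about.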
>>> Is it OK to set the local SID to the same value as
>>> the domain SID, as the quoted posting seems to imply?
>>
>> http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#id365521
>>
>> "... there is now a safe copy of the local machine SID. On a PDC/BDC
>> this is the domain SID also."
>>
>> So, as the documentation says, yes, on a PDC/BDC the machine SID IS
>> equal to the domain SID.
>
> The local SID is the machine SID.
>
> Let it be ultimately clear - only a PDC and BDC may have the samba SID.
> On a PDC and BDC the Domain SID is the same as the machine SID.

Thanks, Edmundo; thanks, John.

The difference between a BDC and a member server seems to be mainly that a BDC can jump in for a crashed PDC and a member server can't. That means a little more careful configuring, but if that would stop it from barking

    unable to map SID: S-1-5-21-NOTORIOUS-DOMAIN-SID-myRID

it would be worth the trouble. Are there performance reasons against promoting 4 member servers to BDCs to equalize the SIDs?

To put it in different words: why would a joined member server still have problems identifying a regular domain Joe?