Cesar Amaya
2008-Apr-01 01:02 UTC
[Samba] LDAP different Group SID -- not supported for NETLOGON calls
Hello list,

I have two Samba-LDAP DCs, each in a different network: domain AMECC_SAL (192.168.40.0/24) and domain AMECC_GUA (192.168.42.0/24). I have established an inter-domain trust relationship in both directions. My problem comes when I try to log into a machine in the AMECC_SAL domain using any user from the AMECC_GUA domain. The name of the machine I want to sign in to is cc03.

The log for the machine account says:

# tail -f cc03.log
[2008/03/31 16:55:17, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
  init_group_from_ldap: Entry found for group: 515
[2008/03/31 16:55:35, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [ricky] -> [ricky] -> [ricky] succeeded
[2008/03/31 16:55:35, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(1004)
  _net_sam_logon: user AMECC_GUA\ricky has user sid S-1-5-21-2494724867-3922152549-500773586-3022 but group sid S-1-5-21-3360583363-2600074294-2199971840-513.
  The conflicting domain portions are not supported for NETLOGON calls

Part of the output of pdbedit -L -v says:

Unix username:        ricky
NT username:          ricky
Account Flags:        [U          ]
User SID:             S-1-5-21-2494724867-3922152549-500773586-3022
init_group_from_ldap: Entry found for group: 513
init_group_from_ldap: Entry found for group: 513
Primary Group SID:    S-1-5-21-2494724867-3922152549-500773586-513

From this output we can tell that the Primary Group SID is different from the group SID in the cc03.log file: S-1-5-21-3360583363-2600074294-2199971840-513.

I am using the following software: FreeBSD 7.0 Release, samba-3.0.28,1, openldap-2.3.41 and smbldap-tools-0.9.4_2.

Please, can anyone give some help? Thank you very much.
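The NETLOGON error quoted above is Samba refusing to build a logon reply when the user SID and the group SID carry different domain portions (everything before the final RID). The script below is an added example, not code from the post or from the Samba project: it reads an LDIF dump of ldapsam entries and flags every sambaSamAccount whose sambaPrimaryGroupSID, or whose gidNumber's sambaGroupMapping entry, has a SID from a domain other than the user's own, and any user SID outside the expected local domain. The sample LDIF is constructed from the SIDs in the log excerpt; the base DN dc=amecc,dc=example and the account "anna" are invented for illustration, and the local domain SID is assumed from ricky's user SID.

```python
"""Check ldapsam entries for SIDs whose domain portion does not match.

Added example (not from the post above): it looks for the condition the
Samba NETLOGON error reports, a user SID and a group SID from different
domains. The LDIF is constructed from the SIDs in the log excerpt; the
attribute and objectClass names are those of the Samba 3 LDAP schema.
"""
import re

# Assumed local domain SID, taken from the domain part of ricky's user SID.
LOCAL_DOMAIN_SID = "S-1-5-21-2494724867-3922152549-500773586"

# Constructed sample: ricky's account as pdbedit showed it, a group mapping
# for gid 513 carrying the SID the log complained about, and one
# consistent user/group pair (anna/staff, invented) for contrast.
SAMPLE_LDIF = """\
dn: uid=ricky,ou=Users,dc=amecc,dc=example
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ricky
gidNumber: 513
sambaSID: S-1-5-21-2494724867-3922152549-500773586-3022
sambaPrimaryGroupSID: S-1-5-21-2494724867-3922152549-500773586-513

dn: cn=Domain Users,ou=Groups,dc=amecc,dc=example
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-3360583363-2600074294-2199971840-513

dn: uid=anna,ou=Users,dc=amecc,dc=example
objectClass: posixAccount
objectClass: sambaSamAccount
uid: anna
gidNumber: 1001
sambaSID: S-1-5-21-2494724867-3922152549-500773586-3004
sambaPrimaryGroupSID: S-1-5-21-2494724867-3922152549-500773586-3003

dn: cn=staff,ou=Groups,dc=amecc,dc=example
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: staff
gidNumber: 1001
sambaSID: S-1-5-21-2494724867-3922152549-500773586-3003
"""

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_part, rid) for an S-1-5-21-... domain SID."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    return m.group(1), int(m.group(2))


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, skips comments and
    returns a list of {attr: [values]} dicts. Base64 ('::') values are
    left undecoded, which is fine for the attributes checked here."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, cur = [], {}
    for line in unfolded + [""]:
        if line == "":
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries


def check_sids(entries, local_domain_sid):
    """Return (dn, problem) pairs for every SID inconsistency found."""
    groups_by_gid = {}
    for e in entries:
        if "sambaGroupMapping" in e.get("objectClass", []):
            for gid in e.get("gidNumber", []):
                groups_by_gid[gid] = e
    problems = []
    for e in entries:
        if "sambaSamAccount" not in e.get("objectClass", []):
            continue
        dn = e["dn"][0]
        user_sid = e["sambaSID"][0]
        user_dom, _ = split_sid(user_sid)
        if user_dom != local_domain_sid:
            problems.append((dn, "user SID %s is not in local domain %s"
                             % (user_sid, local_domain_sid)))
        for pg_sid in e.get("sambaPrimaryGroupSID", []):
            if split_sid(pg_sid)[0] != user_dom:
                problems.append((dn, "sambaPrimaryGroupSID %s is in a different "
                                 "domain than user SID %s" % (pg_sid, user_sid)))
        for gid in e.get("gidNumber", []):
            group = groups_by_gid.get(gid)
            if group is None:
                problems.append((dn, "gidNumber %s has no sambaGroupMapping entry" % gid))
                continue
            group_sid = group["sambaSID"][0]
            if split_sid(group_sid)[0] != user_dom:
                problems.append((dn, "group %s (gid %s) has SID %s, outside the user's domain"
                                 % (group["dn"][0], gid, group_sid)))
    return problems


if __name__ == "__main__":
    for dn, problem in check_sids(parse_ldif(SAMPLE_LDIF), LOCAL_DOMAIN_SID):
        print("%s: %s" % (dn, problem))
```

To run it against a live directory, replace SAMPLE_LDIF with a dump such as `ldapsearch -x -LLL -b "<your suffix>" "(|(objectClass=sambaSamAccount)(objectClass=sambaGroupMapping))" objectClass uid cn gidNumber sambaSID sambaPrimaryGroupSID`, and set LOCAL_DOMAIN_SID to what `net getlocalsid` prints on the DC that serves the logon. On the sample data the only hit is ricky's gid 513 resolving to a group whose SID belongs to the other domain, which is the shape of the conflict in the log; whether that is the cause in the poster's directory is not something the thread settles.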
Cesar Amaya
2008-Apr-02 17:49 UTC
[Samba] LDAP different Group SID -- not supported for NETLOGON calls
Cesar Amaya wrote:
> Hello list,
> I have two Samba-LDAP DCs, each in a different network: domain
> AMECC_SAL (192.168.40.0/24) and domain AMECC_GUA (192.168.42.0/24). I
> have established an inter-domain trust relationship in both directions.
> My problem comes when I try to log into a machine in the AMECC_SAL
> domain using any user from the AMECC_GUA domain. The name of the machine
> I want to sign in to is cc03.
>
> The log for the machine account says:
> # tail -f cc03.log
> [2008/03/31 16:55:17, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
>   init_group_from_ldap: Entry found for group: 515
> [2008/03/31 16:55:35, 2] auth/auth.c:check_ntlm_password(309)
>   check_ntlm_password: authentication for user [ricky] -> [ricky] ->
>   [ricky] succeeded
> [2008/03/31 16:55:35, 1]
> rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(1004)
>   _net_sam_logon: user AMECC_GUA\ricky has user sid
>   S-1-5-21-2494724867-3922152549-500773586-3022
>   but group sid S-1-5-21-3360583363-2600074294-2199971840-513.
>   The conflicting domain portions are not supported for NETLOGON calls
>
> Part of the output of pdbedit -L -v says:
> Unix username:        ricky
> NT username:          ricky
> Account Flags:        [U          ]
> User SID:             S-1-5-21-2494724867-3922152549-500773586-3022
> init_group_from_ldap: Entry found for group: 513
> init_group_from_ldap: Entry found for group: 513
> Primary Group SID:    S-1-5-21-2494724867-3922152549-500773586-513
>
> From this output we can tell that the Primary Group SID is different from
> the group SID in the cc03.log file:
> S-1-5-21-3360583363-2600074294-2199971840-513.
> I am using the following software: FreeBSD 7.0 Release,
> samba-3.0.28,1, openldap-2.3.41 and smbldap-tools-0.9.4_2.
>
> Please, can anyone give some help?
> Thank you very much.
>

I think this error is because the nss_ldap service is not running. I got this error:

nss_ldap: could not search LDAP server - Server is unavailable