Hello List,

I have 2 Samba domains on 2 physical servers, but the user administration is over 1 LDAP server. At the moment I get some errors on my first PDC box:

smbd[16074]: sid S-1-5-21-3194266148-564761370-2586249389-101652 does not belong to our domain

(That's all hosts from the second PDC)

* first samba Server SID = S-1-5-21-3991578539-3149662252-1894531253
* second samba Server SID = S-1-5-21-3194266148-564761370-2586249389

When I do:

pdbedit -Lv pc011$
Unix username: pc011$
NT username: pc011$
Account Flags: [W ]
User SID: S-1-5-21-3194266148-564761370-2586249389-101708
Primary Group SID: S-1-5-21-3991578539-3149662252-1894531253-513 <----
Full Name: pcpo011
Home Directory: \\192.18.0.11\pc011_\.9xprofile
HomeDir Drive: H:
Logon Script: logon.bat
Profile Path: \\192.168.0.11\profiles\.msprofile
Domain: DomB
Account desc: pc011
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Mo, 09 Jun 2008 11:41:49 CEST
Password can change: Mo, 09 Jun 2008 11:41:49 CEST
Password must change: So, 07 Sep 2008 11:41:49 CEST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Under Primary Group SID I get S-1-5-21-3991578539-3149662252-1894531253-513, the SID from my first PDC,

but when I run the same command on the second PDC it looks OK:

pdbedit -Lv pc011$
Unix username: pc011$
NT username: pc011$
Account Flags: [W ]
User SID: S-1-5-21-3194266148-564761370-2586249389-101708
Primary Group SID: S-1-5-21-3194266148-564761370-2586249389-515
Full Name: pc011
Home Directory: \\samba-node2\pc011_\.9xprofile
HomeDir Drive: H:
Logon Script: logon.bat
Profile Path: \\samba-node2\profiles\.msprofile
Domain: DomB
Account desc: pc011
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Mon, 09 Jun 2008 11:41:49 CEST
Password can change: Mon, 09 Jun 2008 11:41:49 CEST
Password must change: Wed, 09 Jul 2008 11:41:49 CEST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Now my question: do I need the same Samba localsid on both servers, or is it useless?

I hope someone can help

Kind regards

Sven

Hi Adam,

I have a BDC for DomA and it works fine, but this is a second domain in a subnet for other users.

Kind regards
Sven

On Monday, 9 June 2008 15:14:17 you wrote:
> why isn't one of the servers a BDC?

why isn't one of the servers a BDC?

On 6/9/08, Sven Buchstaller <ask@quickline.de> wrote:
> Hello List,
>
> I have 2 Samba domains on 2 physical servers, but the user administration is
> over 1 LDAP server. At the moment I get some errors on my first PDC box:

I have the same setup, using 2 PDCs and one OpenLDAP server.

However, for this to work you need either two distinct LDAP databases
or at least two different LDAP BASEDNs, e.g.

dc=domain1,dc=mycompany,dc=net
dc=domain2,dc=mycompany,dc=net

Otherwise the two domains will store user/machine/group data in the
same LDAP hierarchy which will of course cause trouble.

HTH

- Richard

Hi Richard,

THX for the reply, that's not good news for me :(

On Wednesday, 11 June 2008 12:56:33 you wrote:
> On 6/9/08, Sven Buchstaller <ask@quickline.de> wrote:
> > Hello List,
> >
> > I have 2 Samba domains on 2 physical servers, but the user administration
> > is over 1 LDAP server. At the moment I get some errors on my first PDC
> > box:
>
> I have the same setup, using 2 PDCs and one OpenLDAP server.
>
> However, for this to work you need either two distinct LDAP databases
> or at least two different LDAP BASEDNs, e.g.
>
> dc=domain1,dc=mycompany,dc=net
> dc=domain2,dc=mycompany,dc=net
>
> Otherwise the two domains will store user/machine/group data in the
> same LDAP hierarchy which will of course cause trouble.
>
> HTH
>
> - Richard

On Wednesday 11 June 2008 05:56:33 Richard Foltyn wrote:
> On 6/9/08, Sven Buchstaller <ask@quickline.de> wrote:
> > Hello List,
> >
> > I have 2 Samba domains on 2 physical servers, but the user administration
> > is over 1 LDAP server. At the moment I get some errors on my first PDC
> > box:
>
> I have the same setup, using 2 PDCs and one OpenLDAP server.
>
> However, for this to work you need either two distinct LDAP databases
> or at least two different LDAP BASEDNs, e.g.
>
> dc=domain1,dc=mycompany,dc=net
> dc=domain2,dc=mycompany,dc=net
>
> Otherwise the two domains will store user/machine/group data in the
> same LDAP hierarchy which will of course cause trouble.
>
> HTH
>
> - Richard

Actually, there are a few sites that run multiple domains in the same DIT. It does work, though there are a few challenges.

Interdomain trusts need to be set up manually if a single DIT is shared across multiple domains (each having its own SID of course). The net utility can not be used to create the trust accounts. Also, the way winbind handles foreign SIDs needs to be handled carefully to avoid conflicts.

The short answer is that it is a very bad practice to use and poor design to use a single DIT across multiple domains. It is much smarter to design and implement a separate DIT per domain as shown above.

Cheers,
- John T.
--
John H Terpstra
Samba-Team Member
Phone: +1 (512) 970-0256

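A check for the SID mismatch discussed in this thread, as an added example that is not part of any poster's message and not Samba project code: it parses `pdbedit -Lv` output and reports SIDs that fall outside the local domain SID, plus accounts whose user and primary group SIDs come from different domains. The function names `parse_accounts`, `audit` and `mixed_accounts` are hypothetical; the sample input is trimmed from the two outputs posted above.

```python
import re

# Account SIDs as printed by `pdbedit -Lv`: domain SID plus a trailing RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
SID_FIELDS = ("User SID", "Primary Group SID")

def parse_accounts(text):
    """Split `pdbedit -Lv` output into one {label: value} dict per account."""
    accounts = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue                      # separator or blank line
        if key.strip() == "Unix username":
            accounts.append({})           # each record starts with this label
        if accounts:
            accounts[-1][key.strip()] = value.strip()
    return accounts

def audit(text, local_domain_sid):
    """Return (account, field, domain_sid, rid) for each SID outside local_domain_sid."""
    findings = []
    for acct in parse_accounts(text):
        for field in SID_FIELDS:
            m = SID_RE.match(acct.get(field, ""))
            if m and m.group(1) != local_domain_sid:
                findings.append((acct["Unix username"], field, m.group(1), int(m.group(2))))
    return findings

def mixed_accounts(text):
    """Accounts whose user SID and primary group SID come from different domains."""
    mixed = []
    for acct in parse_accounts(text):
        doms = {m.group(1) for f in SID_FIELDS if (m := SID_RE.match(acct.get(f, "")))}
        if len(doms) > 1:
            mixed.append(acct["Unix username"])
    return mixed

SID_A = "S-1-5-21-3991578539-3149662252-1894531253"   # first PDC (from the thread)
SID_B = "S-1-5-21-3194266148-564761370-2586249389"    # second PDC (from the thread)

# Sample input: the SID lines of the two pdbedit outputs in the thread, trimmed.
VIEW_PDC1 = """Unix username: pc011$
User SID: S-1-5-21-3194266148-564761370-2586249389-101708
Primary Group SID: S-1-5-21-3991578539-3149662252-1894531253-513
"""
VIEW_PDC2 = """Unix username: pc011$
User SID: S-1-5-21-3194266148-564761370-2586249389-101708
Primary Group SID: S-1-5-21-3194266148-564761370-2586249389-515
"""

if __name__ == "__main__":
    for name, view, sid in (("PDC1", VIEW_PDC1, SID_A), ("PDC2", VIEW_PDC2, SID_B)):
        print(name, "foreign:", audit(view, sid), "mixed:", mixed_accounts(view))
```
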
We just upgraded from samba-2.2.8 to samba-3.0.30 on Digital Unix 4.0F (thanks for good work patching it, Volker).

The file/folder structure has changed, so I wonder what would be the simplest way to transfer the user passwords from old to new. Right now all users are gone.

Bengt Nilsson