John T. Guthrie III
2008-Aug-12 17:39 UTC
[Samba] pdbedit will only add users to the local machine domain, not the global domain
Hello all,

When I try to add a user to my secrets.tdb file on my Samba 3.2.0 PDC, the users are always added under the local machine domain, not the global domain. That is, if my PDC machine name is srv1, and it is PDC for the domain DOM1, then whenever I add a user using "pdbedit -a -u username", then that user gets placed under the local domain SRV1, not the global domain DOM1. So my first question is how do I get accounts to appear under the global domain, DOM1?

Now, if I understand things correctly, the SRV1 domain and the DOM1 domain are supposed to have the same SID. So perhaps this doesn't matter. But when I try to run net rpc testjoin on a second machine srv2, I get

[2008/08/12 04:31:57, 0] rpc_client/cli_pipe.c:get_schannel_session_key_common(2449)
  get_schannel_session_key: could not fetch trust account password for domain 'DOM1'
[2008/08/12 04:31:57, 0] utils/net_rpc_join.c:net_rpc_join_ok(87)
  net_rpc_join_ok: failed to get schannel session key from server srv1 for domain DOM1. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'DOM1' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

(I get the same result with "net rpc testjoin -S srv1" as well.)

When I look for the machine account srv1$ using "net rpc" commands, I can see the account, but it appears under the domain SRV1, not under the domain DOM1 like the error message would seem to indicate that it should be under.

Here is my PDC config:

[global]
    workgroup = DOM1
    security = user
    encrypt passwords = yes
    passdb backend = tdbsam:/etc/samba/private/secrets.tdb
    local master = yes
    os level = 33
    domain master = yes
    preferred master = yes

Thanks in advance for any help that anyone can offer.

John Guthrie
guthrie@counterexample.org
John T. Guthrie III
2008-Aug-12 17:56 UTC
[Samba] pdbedit will only add users to the local machine domain,
I <guthrie@counterexample.org> wrote:
> Here is my PDC config:
>
> [global]
>     workgroup = DOM1
>     security = user
>     encrypt passwords = yes
>     passdb backend = tdbsam:/etc/samba/private/secrets.tdb
                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>     local master = yes
>     os level = 33
>     domain master = yes
>     preferred master = yes

I just had a thought. I was wondering if the location of my tdbsam is the problem. I am noticing that the "net getdomainsid" and "net setdomainsid" commands are still writing to the default tdbsam location for my OS of /var/lib/samba/private/secrets.tdb. Would this be causing any complications?

Thanks.

John Guthrie
guthrie@counterexample.org
John T. Guthrie III
2008-Aug-13 00:56 UTC
[Samba] pdbedit will only add users to the local machine domain, not the global domain - SOLVED
I wrote:
> Hello all,
>
> When I try to add a user to my secrets.tdb file on my Samba 3.2.0 PDC, the
> users are always added under the local machine domain, not the global domain.
> That is, if my PDC machine name is srv1, and it is PDC for the domain DOM1,
> then whenever I add a user using "pdbedit -a -u username", then that user
> gets placed under the local domain SRV1, not the global domain DOM1. So my
> first question is how do I get accounts to appear under the global domain,
> DOM1?

Okay, the problem turned out to be PEBKAC of sorts. It turns out that I had placed an old config that wasn't set up for a PDC back into place. The lesson here is that if your accounts are getting added to the local domain, and not the global domain, then check whether "domain logons" is set to yes.

My apologies for the noise.

John Guthrie
guthrie@counterexample.org
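
Added example, not part of the original thread and not Samba's own code: a small check that reads the [global] section of an smb.conf and reports when "domain master = yes" is set without "domain logons = yes", the condition identified in the last message. The function names, the simplified role model and the sample config (constructed from the one posted above) are assumptions made for illustration.

```python
# Added example: flag an smb.conf that sets "domain master = yes" but,
# lacking "domain logons = yes", would not run as a PDC.
TRUE = {"yes", "true", "1"}  # boolean spellings accepted in smb.conf

def parse_global(text):
    """Return {normalized_name: value} for the [global] section only."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params["".join(name.lower().split())] = value.strip()
    return params

def server_role(params):
    """Simplified model (an assumption) of how Samba 3 picks its role."""
    if params.get("security", "user").lower() != "user":
        return "member-or-other"
    if params.get("domainlogons", "no").lower() not in TRUE:
        return "standalone"
    master = params.get("domainmaster", "auto").lower()
    return "pdc" if master in TRUE | {"auto"} else "bdc"

def check(text):
    """Return (role, findings) for an smb.conf given as a string."""
    params = parse_global(text)
    role, findings = server_role(params), []
    if role == "standalone" and params.get("domainmaster", "").lower() in TRUE:
        findings.append('"domain master = yes" is set but "domain logons" is '
                        'not yes: accounts go under the machine-name domain')
    return role, findings

# Constructed sample: the [global] section posted in the thread.
SAMPLE = """[global]
    workgroup = DOM1
    security = user
    passdb backend = tdbsam:/etc/samba/private/secrets.tdb
    domain master = yes
    preferred master = yes
"""

if __name__ == "__main__":
    print(check(SAMPLE))
```
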