What do the following commands show?
net getlocalsid
net getdomainsid
They should be the same.
When you ran "net rpc getsid", did you include "-S
the_name_of_the_NT4_server"? Maybe it somehow talked to another
domain controller. If your samba machine was configured as a BDC before
you vampired the info from the NT4 server, maybe it didn't pull the sid
from the NT4 server.
Can you just manually change your SID in LDAP to match that from the NT4
server?
I also found (at least with samba 3.4.x) that even if I set "ldap group
suffix = ou=group" in smb.conf, samba would look through my whole LDAP
tree for group entries. I had initially tried to have separate
"ou=group" and "ou=smb_group" containers to separate my unix groups from
my samba group mappings.
I suspect your group mapping issue may resolve itself once you fix the
sid mismatch.
On 09/22/2010 11:58 AM, Dermot wrote:
> Hi,
>
> I am in the process of attempting a NT4 Domain to Samba migration
> (3.2.5). I have been following the instructions at
> http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html. I am
> using an ldap backend. I am not convinced everything is set up
> correctly.
>
> Before I began I removed all /var/lib/samba/*tdb and shut down smb and ldap.
>
> At point 13 where you do `getent group` the Domain groups do not
> appear. They exist in the ldap tree ou=Groups.
>
> I have joined the samba machine to the NT4 domain (point 14)
>
> When I attempt pdbedit -Lw, I get:
>
> sid S-1-5-21-1979685110-1467996072-351907979-500 does not belong to our domain
> sid S-1-5-21-1979685110-1467996072-351907979-2998 does not belong to our domain
> sid S-1-5-21-1979685110-1467996072-351907979-3010 does not belong to our domain
>
> This sid is not the one that appears in my ldap sambaDomainName or
> from the `net rpc getsid` command. Also when I attempt `net groupmap
> list` (point 16) I get:
> net groupmap list
> [2010/09/22 15:41:05, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(3342)
> ldapsam_setsamgrent: LDAP search failed: No such object
> [2010/09/22 15:41:05, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(3417)
> ldapsam_enum_group_mapping: Unable to open passdb
>
>
> So something is wrong but I am not sure what. Can anyone offer any advice?
> Thanks in advance,
> Dp.
>
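The "does not belong to our domain" check that the reply's SID-comparison advice is about, as an added example that is not part of this thread: it splits each SID from the quoted pdbedit output into domain prefix and RID and groups the prefixes that differ from the local domain SID. The DOMAIN_SID value is a constructed placeholder (the thread never shows the poster's actual SID); the three account SIDs are the ones quoted above.

```python
import re

# Constructed placeholder for what `net getlocalsid` / `net getdomainsid`
# should both print; the thread never shows the poster's real domain SID.
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"

# Constructed sample: the three lines pdbedit -Lw produced in the original post.
PDBEDIT_OUTPUT = """\
sid S-1-5-21-1979685110-1467996072-351907979-500 does not belong to our domain
sid S-1-5-21-1979685110-1467996072-351907979-2998 does not belong to our domain
sid S-1-5-21-1979685110-1467996072-351907979-3010 does not belong to our domain
"""

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def split_sid(sid):
    """Split a SID into (domain prefix, RID): everything before the last
    hyphen is the domain SID, the last component is the relative ID."""
    if not SID_RE.fullmatch(sid):
        raise ValueError("not a SID: %r" % sid)
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def belongs_to_domain(sid, domain_sid):
    """The test behind 'does not belong to our domain': the SID's domain
    prefix must equal the local domain SID exactly."""
    return split_sid(sid)[0] == domain_sid


def foreign_sids(pdbedit_text, domain_sid):
    """Pull every SID out of pdbedit error output and group the ones whose
    prefix is not domain_sid as prefix -> sorted RIDs. A single foreign
    prefix shared by every entry means the accounts carry the old (NT4)
    domain SID while Samba's own SID was never set to match: a SID
    mismatch, not corrupt accounts."""
    grouped = {}
    for sid in SID_RE.findall(pdbedit_text):
        domain, rid = split_sid(sid)
        if domain != domain_sid:
            grouped.setdefault(domain, []).append(rid)
    return {d: sorted(r) for d, r in grouped.items()}


if __name__ == "__main__":
    for prefix, rids in foreign_sids(PDBEDIT_OUTPUT, DOMAIN_SID).items():
        # RID 500 is the well-known Administrator account RID.
        print("foreign domain SID %s, RIDs %s" % (prefix, rids))
```

If the grouped prefix equals what `net rpc getsid` reports from the NT4 server, the fix is the one the reply suggests: make the local domain SID in LDAP match it, rather than touching the accounts.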