J. Pilfold-Bagwell
2011-Feb-19 12:56 UTC
[Samba] Winbind, pdbedit - does not belong to our domain
Hi all,

I have a problem that started last week with winbind on a member server. The network consists of the following:

Openldap/Bind/DHCP Server (No Samba)
PDC - CentOS Linux - Samba 3-3.5.6-43.el5 (sernet package)
BDC - CentOS Linux - Samba 3-3.0.31-36
Proxy Server (with NTLM Auth) - Mandriva Linux - Samba 3.5.3-3.1mdv2010.1

All of these work fine but the proxy needs replacing so I've put a new server together (CentOS 5.5 Sernet/Samba 3-3.5.6-43.el5) and this is where it gets interesting. I've followed the same procedure I've used on the above 4 machines but I keep getting error messages in pdbedit as below:

smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=PROXY))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_paged: base => [dc=bordengrammar,dc=kent,dc=sch,dc=uk], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
smbldap_search_paged: search was successful
sid S-1-5-21-2387947558-1535987125-4294967295-1000 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2998 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2000 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2002 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2004 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-2006 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-3000 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-3004 does not belong to our domain
sid S-1-5-21-5543384853-2091317229-2861916464-3006 does not belong to our domain

The first part suggests that the LDAP connection succeeded and the domain name and the SIDs are correct. The first SID appears to be the local root user but the rest are OK.

Getent passwd works and returns all domain users.

Getent group returns all groups correctly.

Net group map list works and returns correctly mapped groups.

Wbinfo -t returns "checking the trust secret for domain BGS via RPC calls succeeded".

wbinfo --own-domain returns the correct NT domain name

In short, everything seems to work OK until you run wbinfo -u or -g at which point it sits there until it times out. Smb.conf is the same as the other member servers, the net rpc join command returned success and a machine account was successfully created in the LDAP directory. The smb.conf file is here:

[global]
workgroup = BGS
netbios name = PROXY
password server = 172.20.5.254
server string = "Proxy"
wins server = 172.20.5.254
log file = /var/log/samba/%m.log
max log size = 50
security = domain
smb ports = 139
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
dns proxy = no
dos charset = 850
unix charset = ISO8859-1
log level = 3
idmap uid = 10000-200000
idmap gid = 10000-200000
winbind use default domain = yes
local master = no
os level = 10
domain master = no
preferred master = no
name resolve order = wins bcast lmhosts
domain logons = no
ldap ssl = no
passdb backend = ldapsam:ldap://172.20.5.253
idmap backend = ldap:ldap://172.20.5.253
ldap admin dn = cn=Manager,dc=bordengrammar,dc=kent,dc=sch,dc=uk
ldap suffix = dc=bordengrammar,dc=kent,dc=sch,dc=uk
ldap machine suffix = ou=Users
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap

Any suggestions gratefully received.

Thanks,

Julian
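Added example (not code from this thread): a small Python checker that applies the same test behind Samba's "does not belong to our domain" message, namely strip the trailing RID and compare the remainder with the domain SID, and that also enforces the 32-bit limit on every sub-authority, so a value like the 5543384853 in the quoted output is reported as malformed rather than merely foreign. The domain SID and the lines in SAMPLE_LOG are constructed (two of the SIDs are copied from the pdbedit output above), and the function names are my own.

```python
import re

MAX_SUBAUTH = 0xFFFFFFFF  # every SID sub-authority is an unsigned 32-bit value
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
COMPLAINT_RE = re.compile(r"^sid (S-[\d-]+) does not belong to our domain$")


def parse_sid(text):
    """Return (revision, authority, [sub-authorities]); raise ValueError if invalid."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subauths = [int(x) for x in m.group(3).split("-")[1:]]
    if revision != 1 or len(subauths) > 15:
        raise ValueError(f"bad revision or too many sub-authorities: {text}")
    for s in subauths:
        if s > MAX_SUBAUTH:
            raise ValueError(f"sub-authority {s} exceeds 32 bits in {text}")
    return revision, authority, subauths


def classify_sid(sid_text, domain_sid_text):
    """'in-domain' when sid is the domain SID plus one RID, 'foreign' when the
    prefix differs, 'malformed' when it is not a valid SID at all."""
    domain = parse_sid(domain_sid_text)
    try:
        rev, auth, subs = parse_sid(sid_text)
    except ValueError:
        return "malformed"
    # Samba's test: drop the trailing RID and compare the rest with the
    # domain SID; a different prefix cannot be served from this passdb.
    return "in-domain" if (rev, auth, subs[:-1]) == domain else "foreign"


def triage_pdbedit_log(lines, domain_sid_text):
    """Map each SID that pdbedit complained about to its classification."""
    verdicts = {}
    for line in lines:
        m = COMPLAINT_RE.match(line.strip())
        if m:
            verdicts[m.group(1)] = classify_sid(m.group(1), domain_sid_text)
    return verdicts


# Constructed sample: a made-up domain SID and three complaint lines shaped
# like the pdbedit output in the post (the 2nd and 3rd SIDs are the post's).
SAMPLE_DOMAIN = "S-1-5-21-1000000001-2000000002-3000000003"
SAMPLE_LOG = [
    "sid S-1-5-21-1000000001-2000000002-3000000003-1000 does not belong to our domain",
    "sid S-1-5-21-2387947558-1535987125-4294967295-1000 does not belong to our domain",
    "sid S-1-5-21-5543384853-2091317229-2861916464-2998 does not belong to our domain",
]
```

Running triage_pdbedit_log(SAMPLE_LOG, SAMPLE_DOMAIN) yields in-domain, foreign and malformed for the three lines in that order.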
J. Pilfold-Bagwell
2011-Feb-21 01:34 UTC
[Samba] [Solved] (Sort of) - Re: Winbind, pdbedit - does not belong to our domain
On 20/02/11 01:02, Bob Miller wrote:
>
>> Getent passwd works and returns all domain users.
>>
>> Getent group returns all groups correctly.
>>
>> Net group map list works and returns correctly mapped groups.
>>
>> Wbinfo -t returns "checking the trust secret for domain BGS via RPC
>> calls succeeded".
>>
>> wbinfo --own-domain returns the correct NT domain name
>>
>> In short, everything seems to work OK until you run wbinfo -u or -g at
>> which point it sits there until it times out. Smb.conf is the same as
>> the other member servers, the net rpc join command returned success and
>> a machine account was successfully created in the LDAP directory. The
>> smb.conf file is here:
>>
>
>> Any suggestions gratefully received.
>>
>> Thanks,
>>
>> Julian
>>
> I recently played a game similar to this one, for me everything worked
> but wbinfo -g. What I did to resolve that was use `net sam
> mapunixgroup` for all the domain groups, and all my group stuff started
> magically working. I doubt that will do anything for your wbinfo -u
> problem, but it might move you a step forward. Or it might not; it is
> just a suggestion....
>
>
>
> Bob Miller
> 334-7117/660-5315
> http://computerisms.ca
> bob at computerisms.ca
> Network, Internet, Server,
> and Open Source Solutions
>
>

Thanks for that. Gave it a go but no joy so I decided to try making it a BDC to see what would happen. First I tried "net setlocalsid" with the domain sid but it refused to change. I then changed "domain logons = no" to yes and tried again and it set the local SID. Funny thing though was that I'd forgotten to set "security =" to user and had left it as domain but it didn't complain. Samba started and winbind worked. I also have a new print server going on which had the same problem as the proxy re: winbind. After setting this up as a BDC, it also works fine.

The interesting thing is that all the other member servers that are not functioning as BDCs have local sids that are different to the domain sid (I believe this is how it should be) and they hooked up without a problem. Luckily, I'm running a Samba PDC so I do the BDC thing. When I have a bit more time I may pursue this and I'll post any info here.

Cheers,

Julian