Dear Samba Gurus,

I got the following errors:

tail -f /var/log/samba/log.wb-DOM1
[2013/07/02 15:49:19.990168, 2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED

log.smbd
[2013/07/02 15:40:51.809516, 2] auth/token_util.c:455(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
[2013/07/02 15:40:51.811330, 2] auth/token_util.c:479(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?

I guess the reason might be this:

net getdomainsid
SID for local machine M1 is: S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449

net getdomainsid
SID for local machine M2 is: S-1-5-21-2913448378-2543514743-1508345481
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449

Shouldn't the SIDs be the same except the last digits???

Cheers,
Marcus
I have an LDAP backend.

In LDAP, the machine accounts for my windows and linux clients show the same base SID as the domain SID (i.e. all but the last digits.)

However I also have the mismatch with "net getdomainsid" - which definitely explains why they don't behave as I would expect. You may want to try fixing this with "net setlocalsid." I guess when you join a unix or linux member server to the domain the localsid is not updated.

Re the BUILTIN groups you may want to explicitly map these to unix groups rather than relying on winbind to do it.

e.g. I created unix groups

#getent group ....
Builtin Admins::544:
Builtin Users::545:
Builtin Guests::546:

Then mapped the well known built-in Windows groups to the unix groups

#net groupmap add ntgroup="Administrators" unixgroup=544 sid=S-1-5-32-544 type=builtin
#net groupmap add ntgroup="Users" unixgroup=545 sid=S-1-5-32-545 type=builtin
#net groupmap add ntgroup="Guests" unixgroup=546 sid=S-1-5-32-546 type=builtin

# net groupmap list | grep -i builtin
Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users
Guests (S-1-5-32-546) -> Builtin Guests

The linux samba member servers I use mostly for IT use anyway so I never shook out all the bugs.

On 07/03/13 11:49, Marcus Mundt wrote:
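As an added example (not code from the thread or from Samba), a small Python checker for the SID arithmetic discussed above: it splits a SID into its prefix and RID, names the well-known domain and BUILTIN RIDs listed in this thread, and parses "net getdomainsid" output to flag a local/domain mismatch like the one Marcus posted. The function names and RID tables are my own; the SID values are the ones quoted in the thread.

```python
# Added example: SID prefix/RID checks for the Samba thread above.
import re
from typing import NamedTuple, Optional

# Well-known RIDs named in the thread. Domain groups hang off the domain
# SID (S-1-5-21-A-B-C); BUILTIN aliases hang off the fixed S-1-5-32.
DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users",
               514: "Domain Guests", 515: "Domain Computers"}
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 546: "Guests"}
BUILTIN_PREFIX = "S-1-5-32"

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

class Sid(NamedTuple):
    prefix: str   # everything but the last sub-authority
    rid: int      # last sub-authority (the "last digits")

def parse_sid(text: str) -> Sid:
    """Split 'S-1-5-21-A-B-C-RID' into (prefix, rid); reject malformed input."""
    if not SID_RE.match(text):
        raise ValueError(f"not a SID: {text!r}")
    head, _, rid = text.rpartition("-")
    return Sid(head, int(rid))

def belongs_to_domain(sid_text: str, domain_sid: str) -> bool:
    """True if sid_text is domain_sid plus one RID, i.e. a domain account/group."""
    return parse_sid(sid_text).prefix == domain_sid

def well_known_name(sid_text: str, domain_sid: str) -> Optional[str]:
    """Name the SID if it is one of the groups the thread lists, else None."""
    sid = parse_sid(sid_text)
    if sid.prefix == BUILTIN_PREFIX:
        return BUILTIN_RIDS.get(sid.rid)
    if sid.prefix == domain_sid:
        return DOMAIN_RIDS.get(sid.rid)
    return None

def check_getdomainsid(output: str) -> dict:
    """Parse 'net getdomainsid' output and report whether local and domain SID agree."""
    local = re.search(r"SID for local machine \S+ is: (S-[\d-]+)", output)
    domain = re.search(r"SID for domain \S+ is: (S-[\d-]+)", output)
    if not (local and domain):
        raise ValueError("unexpected net getdomainsid output")
    return {"local": local.group(1), "domain": domain.group(1),
            "match": local.group(1) == domain.group(1)}

# Constructed sample: the M1 output quoted in the thread.
SAMPLE_M1 = ("SID for local machine M1 is: S-1-5-21-3981825222-1828954701-2606613544\n"
             "SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449\n")
```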
I could fix the SID issues. However the other errors and warnings remain.
Struggling hard to find the cause for not being able to join a domain, getting "Access Denied"

SMB log:
[2013/07/12 15:48:03.439574, 2] auth/auth.c:309(check_ntlm_password)
  check_ntlm_password: authentication for user [admin] -> [admin] -> [admin] succeeded
[2013/07/12 15:48:03.442335, 3] groupdb/mapping.c:772(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2013/07/12 15:48:03.442450, 2] auth/token_util.c:455(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
[2013/07/12 15:48:03.444454, 3] groupdb/mapping.c:772(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2013/07/12 15:48:03.444555, 2] auth/token_util.c:479(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
...
[2013/07/12 15:48:03.191990, 0] rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client N666
...
[2013/07/12 15:48:03.587205, 3] smbd/connection.c:35(yield_connection)
  Yielding connection to IPC$
[2013/07/12 15:48:03.589351, 3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)

Questions:
Is it mandatory that
Domain Admins
Domain Users
Domain Guests
Domain Computers
are spelled exactly like that? In GOsa I'm only allowed to use lower case letters and no spaces. Hence I got domainadmins... and so forth. I don't know how to change the windows group name only.

Is a root user mandatory or may I use "admin"? Since I got no root in LDAP, but tried it last week, didn't help.

Which of the domain and builtin groups are mandatory? As far as I know only
Domain Admins 512
Domain Users 513
Domain Guests 514

and

From the builtin domain (didn't know that there is a built in domain until now)
Administrators 544
Users 545
Guests 546

Thanks for any help in advance! Setting up a PDC seems not too hard, but I have to use our existing LDAP directory and operate on a production system :(

Cheers,
Marcus
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Ok, today I was finally able to join my domain. The problem was a misconfiguration of idmap. Solution as follows:

< idmap config DEFAULT:backend = ldap
< idmap config DEFAULT:readonly = no
< idmap config DEFAULT:default = yes
< idmap config DEFAULT:ldap_base_dn = ou=people,dc=domain,dc=org
< idmap config DEFAULT:ldap_user_dn = cn=rootuser,dc=domain,dc=org
< idmap config DEFAULT:ldap_url = ldap://myldapserver

Thanks for everything!

-----Original Message-----
From: Marcus Mundt <marcus.mundt at forsa.de>
Sent: Mon 15.07.2013 15:25
Subject: Re: [Samba] Messed up SIDs: How to change machine SID?
To: samba at lists.samba.org;