erpo41 at gmail.com
2013-Dec-17 16:29 UTC
[Samba] "net getdomainsid" reporting "Could not fetch local SID" -- am I using this command appropriately?
Good evening,

Distro: ClearOS 6.3 (RHEL-derived with a distro-specific web configuration tool for samba). I'm only about 90% sure it's version 6.3.
Samba version: 3.6.10-1.v6
Intended use: NT4-style PDC for Windows XP clients

Issue:
My distro's "add machine script" uses the output of "net getdomainsid" to help populate the new machine account's sambaSID field in the ldap directory. Samba is already configured to use this information via the ldap passdb backend. Unfortunately, "net getdomainsid" is returning "Could not fetch local SID" instead of the PDC's domain SID, resulting in an invalid sambaSID value in the ldap directory and preventing the machine from joining the domain.

Question 1: Is parsing the output of "net getdomainsid" the best way for the add machine script to get the domain SID, or is there a better way to do it?

Regardless of whether "net getdomainsid" is the right way to implement an add machine script, I'm still interested in fixing this issue so it won't cause other problems in the future.

I was not able to get useful debugging information out of the net command that comes with the distro because it was stripped. However, I was able to get some information by following this procedure:

1. Downloaded and unpacked the source code for samba 3.6.22
2. cd'd to samba-3.6.22/source3
3. Ran ./configure --enable-debug && make -j 8
4. cd'd to bin
5. Ran ./net getdomainsid
6. It complained about not being able to find a shared library, so I ran export LD_LIBRARY_PATH=. and tried again.
7. It complained about not being able to find /usr/local/samba/private/secrets.tdb. This is odd because on my distro that file is located at /var/lib/samba/private/secrets.tdb. I ran mkdir -p /usr/local/samba/private && cp /var/lib/samba/private/secrets.tdb /usr/local/samba/private/ to satisfy it temporarily.
8. It gave me another error that I didn't write down. However, it indicated that ./net wasn't using the right smb.conf, so I ran: ./net -s /etc/samba/smb.conf getdomainsid.
9. Finally, I was able to reproduce the "Could not fetch local SID" error message.

Running gdb --args ./net -s /etc/samba/smb.conf getdomainsid revealed that net makes four calls to the secrets_fetch function before failing.

Call to secrets_fetch 1: Retrieves the LDAP backend password.
Call to secrets_fetch 2: Retrieves the SID for the domain (i.e. SECRETS/SID/RECREATION).
Call to secrets_fetch 3: Retrieves the SID for the domain a second time.
Call to secrets_fetch 4: Attempts to retrieve the secret SECRETS/SID/GATEWAY.

GATEWAY is the netbios name of the PDC. Further investigation reveals that "net -s /etc/samba/smb.conf getdomainsid" is looking in /usr/local/samba/private/secrets.tdb for the SID associated with the PDC's netbios name. However, running tdbdump /usr/local/samba/private/secrets.tdb reveals that SECRETS/SID/GATEWAY is not present in that file.

Question 2: Should "net -s /etc/samba/smb.conf getdomainsid" even be trying to use a local secrets.tdb file to look up SECRETS/SID/(netbios name) when /etc/samba/smb.conf indicates that the ldap passdb backend is in use?

At this point, looking at the output of tdbdump /usr/local/samba/private/secrets.tdb, I noticed that it did have an entry for SECRETS/SID/MYSERVER. MYSERVER was the default netbios name of the server when I first installed the "Windows Networking" package. I had used the distro's web configuration tool to change the name to GATEWAY and the domain to RECREATION after the installation. Changing the netbios name back to MYSERVER fixed the problem and allowed workstations to join the domain without issues.

Question 3: This kind of ties in with question 2, but if a program wants to change a samba PDC's netbios name, is it responsible for updating the PDC's secrets.tdb at the same time? If so, is that the *only* thing it needs to update in addition to /etc/samba/smb.conf?

Thanks,
Eric
erpo41 at gmail.com
2013-Dec-19 15:45 UTC
[Samba] "net getdomainsid" reporting "Could not fetch local SID" -- am I using this command appropriately?
Good morning,

In case anyone else is having the same issue, I have found more information that may be relevant. From http://www.samba.org/samba/docs/man/Samba-Guide/upgrades.html :

> Change of hostname
> [...]
> Many sites have become victims of lost Samba functionality because the UNIX system hostname was changed [or the netbios name was changed in smb.conf] for one reason or another. Such a change will cause a new machine SID to be generated. If this happens on a domain controller, it will also change the domain SID. These SIDs can be updated (restored) using the procedure outlined previously.
>
> Note
> Do NOT change the hostname or the netbios name. If this is changed, be sure to reset the machine SID to the original setting. Otherwise there may be serious interoperability and/or operational problems.

This is interesting because about half of the people reporting this issue with ClearOS indicate that their ldap backend reflects multiple domain SIDs. The procedure referenced in the first passage is:

> The local machine SID can be backed up using this procedure (Samba-3):
> root# net getlocalsid > /etc/samba/my-local-SID
> The contents of the file /etc/samba/my-local-SID will be:
> SID for domain FRODO is: S-1-5-21-726309263-4128913605-1168186429
> This SID can be restored by executing:
> root# net setlocalsid S-1-5-21-726309263-4128913605-1168186429

This still doesn't answer questions 1 through 3, but hopefully it will be enough to get anyone else going who is having the same issue.

Thanks,
Eric
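As an added example (not from this thread, ClearOS or Samba), here is the defensive version of the step both posts touch on: an add machine script that parses the "SID for domain NAME is: S-1-5-21-..." line that net prints and refuses to write anything else, such as "Could not fetch local SID", into LDAP as a sambaSID. The sample net outputs, the RID and the SID digits below are constructed; the output format is assumed to match the line quoted from the Samba Guide.

```sh
#!/bin/sh
# Added example: fail-closed parsing of "net getdomainsid" output for an
# add machine script. The sample outputs below are constructed, not captured.

# Read raw net output on stdin, print the domain SID if and only if it is
# well formed (S-1-5-21-<n>-<n>-<n>), otherwise print nothing and return 1.
# Any other text, including an error message, must never reach sambaSID.
extract_domain_sid() {
    sid=$(sed -n 's/^SID for domain [^ ]* is: \(S-1-5-21-[0-9][0-9]*-[0-9][0-9]*-[0-9][0-9]*\)$/\1/p' | head -n 1)
    case "$sid" in
        S-1-5-21-*) printf '%s\n' "$sid" ;;
        *) echo "refusing to continue: no valid domain SID in net output" >&2; return 1 ;;
    esac
}

# Compose the machine account's sambaSID from the domain SID and a RID.
# How the RID is allocated (idmap, algorithmic RID) is up to the caller;
# here it only has to be a positive integer.
machine_sid() {
    domain_sid=$1; rid=$2
    case "$rid" in
        ''|*[!0-9]*) echo "invalid RID: $rid" >&2; return 1 ;;
    esac
    printf '%s-%s\n' "$domain_sid" "$rid"
}

# Constructed sample outputs standing in for "net getdomainsid".
GOOD_OUTPUT='SID for local machine GATEWAY is: S-1-5-21-1111111111-2222222222-3333333333
SID for domain RECREATION is: S-1-5-21-1111111111-2222222222-3333333333'
BAD_OUTPUT='Could not fetch local SID'

# Demo: the good case yields a sambaSID, the bad case stops before LDAP is touched.
if [ "${1:-}" = "demo" ]; then
    sid=$(printf '%s\n' "$GOOD_OUTPUT" | extract_domain_sid) && machine_sid "$sid" 1001
    printf '%s\n' "$BAD_OUTPUT" | extract_domain_sid || echo "would NOT write sambaSID to LDAP"
fi
```

In a real script the stdin of extract_domain_sid would be `net getdomainsid` itself, and a non-zero return should abort the add before any ldapmodify runs.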