MI
2014-Nov-02 17:00 UTC
[Samba] SID of member server in Samba domain (smbldap_search_domain_info: NT_STATUS_UNSUCCESSFUL)
I have a domain with Samba 3 acting as PDC, and using LDAP (passdb backend = ldapsam). I now wanted to add a second Samba 3 machine as a simple file server. I get errors with getdomainsid and getlocalsid, so there is obviously still something wrong with my config.

The PDC runs Samba 3.5.6 on Debian Squeeze. SID queries return:

# net getdomainsid
SID for local machine MY_PDC_HOST is: S-1-5-21-4174501313-1202754954-1084205825
SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825

# net getlocalsid
SID for domain MY_PDC_HOST is: S-1-5-21-4174501313-1202754954-1084205825

(So, all SIDs are the same. And there is no error.)

The other server runs Samba 3.6.6 on Debian stable ("Wheezy"). At first, it wouldn't let me access its shares, and SID queries returned:

# net getdomainsid
SID for local machine OTHER is: S-1-5-21-2241737573-1899521008-914752976
SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825

# net getlocalsid
SID for domain OTHER is: S-1-5-21-2241737573-1899521008-914752976

But the log file complained about mismatched domain SIDs, and wouldn't let me authenticate:

auth/server_info.c:386(samu_to_SamInfo3)
The primary group domain sid(S-1-5-21-2241737573-1899521008-914752976-513) does not match the domain sid(S-1-5-21-4174501313-1202754954-1084205825) for mi(S-1-5-21-4174501313-1202754954-1084205825-3000)

auth/check_samsec.c:492(check_sam_security)
check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'

auth/auth.c:319(check_ntlm_password)
check_ntlm_password: Authentication for user [mi] -> [mi] FAILED with error NT_STATUS_UNSUCCESSFUL

So I tried to change the SID with

# net setlocalsid S-1-5-21-4174501313-1202754954-1084205825

Now, I can access the share but SID queries give errors:

# net getdomainsid
*smbldap_search_domain_info: Adding domain info for OTHER failed with NT_STATUS_UNSUCCESSFUL*
SID for local machine OTHER is: S-1-5-21-4174501313-1202754954-1084205825
SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825

# net getlocalsid
*smbldap_search_domain_info: Adding domain info for OTHER failed with NT_STATUS_UNSUCCESSFUL*
SID for domain OTHER is: S-1-5-21-4174501313-1202754954-1084205825

Is it correct to have the same SID for a machine in the domain as for the domain itself, or shouldn't that only be the case on the PDC?

Where do I start looking?
Gaiseric Vandal
2014-Nov-03 15:47 UTC
[Samba] SID of member server in Samba domain (smbldap_search_domain_info: NT_STATUS_UNSUCCESSFUL)
For a domain controller (PDC or BDC), the localsid should be the same as the domainsid. For a member server, the local sid will be unique to that machine, so what you are seeing is normal. I think it is a little funny that "net getlocalsid" refers to the machine name of the local computer as a domain, but that is what I see too. The only time you would need to change the localsid is if you were changing a member server into a domain controller.

I find samba member servers to be more problems than domain controllers. On my member servers I have LDAP running for the unix account info but not samba accounts. The domain controllers use LDAP for both unix and samba account info. I don't use winbind on the member servers. If I look at file permissions in windows on files I own, it shows them as owned by UNIX\myname, not MYDOMAIN\myname. So samba doesn't recognize that the windows user is a member of the domain, but at least it maps the samba user to the LDAP unix user when granting file access. (It makes changing permissions via windows difficult, but users can also ssh to the server.)

I tried configuring the samba member servers to use LDAP for the idmap backend to keep the SID-to-ID mapping consistent on all systems, but with no luck.

On 11/02/14 12:00, MI wrote:
> I have a domain with Samba 3 acting as PDC, and using LDAP (passdb backend = ldapsam).
>
> I now wanted to add a second Samba 3 machine as a simple file server. I get errors with getdomainsid and getlocalsid, so there is obviously still something wrong with my config.
>
> The PDC runs Samba 3.5.6 on Debian Squeeze. Sid queries return:
>
> # net getdomainsid
> SID for local machine MY_PDC_HOST is: S-1-5-21-4174501313-1202754954-1084205825
> SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
>
> # net getlocalsid
> SID for domain MY_PDC_HOST is: S-1-5-21-4174501313-1202754954-1084205825
>
> (So, all SIDs are the same. And there is no error)
>
> The other server runs Samba 3.6.6 on Debian stable ("Wheezy"). At first, it wouldn't let me access its shares, and SID queries returned:
>
> # net getdomainsid
> SID for local machine OTHER is: S-1-5-21-2241737573-1899521008-914752976
> SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
>
> # net getlocalsid
> SID for domain OTHER is: S-1-5-21-2241737573-1899521008-914752976
>
> But the log file complained about mismatched domain SIDs, and wouldn't let me authenticate:
>
> auth/server_info.c:386(samu_to_SamInfo3)
> The primary group domain sid(S-1-5-21-2241737573-1899521008-914752976-513) does not match the domain sid(S-1-5-21-4174501313-1202754954-1084205825) for mi(S-1-5-21-4174501313-1202754954-1084205825-3000)
>
> auth/check_samsec.c:492(check_sam_security)
> check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
>
> auth/auth.c:319(check_ntlm_password)
> check_ntlm_password: Authentication for user [mi] -> [mi] FAILED with error NT_STATUS_UNSUCCESSFUL
>
> So I tried to change the SID with
>
> # net setlocalsid S-1-5-21-4174501313-1202754954-1084205825
>
> Now, I can access the share but SID queries give errors:
>
> # net getdomainsid
> *smbldap_search_domain_info: Adding domain info for OTHER failed with NT_STATUS_UNSUCCESSFUL*
> SID for local machine OTHER is: S-1-5-21-4174501313-1202754954-1084205825
> SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
>
> # net getlocalsid
> *smbldap_search_domain_info: Adding domain info for OTHER failed with NT_STATUS_UNSUCCESSFUL*
> SID for domain OTHER is: S-1-5-21-4174501313-1202754954-1084205825
>
> Is it correct to have the same SID for a machine in the domain as for the domain itself, or shouldn't that only be the case on the PDC?
>
> Where do I start looking?
Márcio Merlone
2014-Nov-03 18:57 UTC
[Samba] SID of member server in Samba domain (smbldap_search_domain_info: NT_STATUS_UNSUCCESSFUL)
On 02-11-2014 15:00, MI wrote:
> The PDC runs Samba 3.5.6 on Debian Squeeze. Sid queries return:
> # net getdomainsid
> SID for local machine MY_PDC_HOST is: S-1-5-21-4174501313-1202754954-1084205825
> SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
(...)
> The other server runs Samba 3.6.6 on Debian stable ("Wheezy"). At first, it wouldn't let me access its shares, and SID queries returned:
> # net getdomainsid
> SID for local machine OTHER is: S-1-5-21-2241737573-1899521008-914752976
> SID for domain MY_DOMAIN is: S-1-5-21-4174501313-1202754954-1084205825
(...)
> But the log file complained about mismatched domain SIDs, and wouldn't let me authenticate:
> auth/server_info.c:386(samu_to_SamInfo3)
> The primary group domain sid(S-1-5-21-2241737573-1899521008-914752976-513) does not match the domain sid(S-1-5-21-4174501313-1202754954-1084205825) for mi(S-1-5-21-4174501313-1202754954-1084205825-3000)

Hi,

I'm not a samba guru, but I believe your group's SID is wrong:

*S-1-5-21-4174501313-1202754954-1084205825*      -> Domain SID
*S-1-5-21-4174501313-1202754954-1084205825*-3000 -> User SID
*S-1-5-21-2241737573-1899521008-914752976*-513   -> Group SID

AFAIK, domain groups and users must match their SID with the domain, so I think your group SID should be:

S-1-5-21-4174501313-1202754954-1084205825-513

Samba boffins will correct me if wrong.

Best regards.

-- 
Marcio Merlone
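The two checks made by hand in this thread (Gaiseric's rule that a DC's localsid equals the domainsid while a member server's differs, and Márcio's observation that the group SID's domain part must equal the domain SID) can be scripted against `net` output and smbd log lines. The following is an added example written for this page; it is not code from the thread or from the Samba project. The function names, the constructed sample log line (copied from the samu_to_SamInfo3 message quoted above) and the "pdc"/"bdc"/"member" role labels are assumptions of this example.

```python
import re

# Matches a Windows SID such as S-1-5-21-4174501313-1202754954-1084205825-513.
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# Domain SIDs (and the user/group SIDs below them) start with this authority prefix.
DOMAIN_PREFIX = "S-1-5-21-"

# Constructed sample input: the samu_to_SamInfo3 log line quoted in the thread.
SAMPLE_LOG = (
    "auth/server_info.c:386(samu_to_SamInfo3) The primary group domain "
    "sid(S-1-5-21-2241737573-1899521008-914752976-513) does not match the domain "
    "sid(S-1-5-21-4174501313-1202754954-1084205825) for "
    "mi(S-1-5-21-4174501313-1202754954-1084205825-3000)"
)


def split_sid(sid: str) -> tuple[str, int]:
    """Split a domain account SID into (domain SID, RID).

    A domain SID is S-1-5-21-X-Y-Z (7 dash-separated fields); a user or group
    SID appends one more sub-authority, the relative ID (RID), giving 8 fields.
    """
    parts = sid.split("-")
    if not sid.startswith(DOMAIN_PREFIX) or len(parts) != 8:
        raise ValueError(f"not a domain account SID (domain SID + RID): {sid!r}")
    return "-".join(parts[:7]), int(parts[7])


def sid_belongs_to_domain(account_sid: str, domain_sid: str) -> bool:
    """True when the account SID is domain_sid followed by a RID."""
    domain_part, _rid = split_sid(account_sid)
    return domain_part == domain_sid


def corrected_sid(account_sid: str, domain_sid: str) -> str:
    """Re-home an account SID onto domain_sid, keeping its RID (Márcio's fix)."""
    _domain_part, rid = split_sid(account_sid)
    return f"{domain_sid}-{rid}"


def sids_in_log_line(line: str) -> list[str]:
    """Extract every SID literal from a log line, in order of appearance."""
    return SID_RE.findall(line)


def mismatched_sids_in_log_line(line: str, domain_sid: str) -> list[str]:
    """Return account SIDs in the line whose domain part is not domain_sid.

    The bare domain SID and non-domain SIDs (e.g. BUILTIN well-known SIDs) are
    not account SIDs of this domain and are skipped rather than flagged.
    """
    bad = []
    for sid in sids_in_log_line(line):
        if not sid.startswith(DOMAIN_PREFIX) or len(sid.split("-")) != 8:
            continue
        if not sid_belongs_to_domain(sid, domain_sid):
            bad.append(sid)
    return bad


def local_sid_is_consistent(role: str, local_sid: str, domain_sid: str) -> bool:
    """Gaiseric's rule: a PDC/BDC has localsid == domainsid; a member server
    has a localsid of its own, so equality there is the suspicious case."""
    if role in ("pdc", "bdc"):
        return local_sid == domain_sid
    if role == "member":
        return local_sid != domain_sid
    raise ValueError(f"unknown role: {role!r}")


if __name__ == "__main__":
    domain = "S-1-5-21-4174501313-1202754954-1084205825"
    for sid in mismatched_sids_in_log_line(SAMPLE_LOG, domain):
        print(f"{sid} is outside domain {domain}; expected {corrected_sid(sid, domain)}")
    other = "S-1-5-21-2241737573-1899521008-914752976"
    print("member server localsid ok:", local_sid_is_consistent("member", other, domain))
```

Run against the log line from the first post, the script flags only the group SID S-1-5-21-2241737573-1899521008-914752976-513 and proposes S-1-5-21-4174501313-1202754954-1084205825-513, which is the correction Márcio arrives at by inspection; fed the member server's original localsid it reports that SID as consistent, which matches Gaiseric's point that the two SIDs differing on OTHER was normal.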