17.07.2015, 17:30, "Rowland Penny" <rowlandpenny241155 at gmail.com>:
> On 17/07/15 12:03, Andrej Surkov wrote:
>> I've got this on the backup DC
>>
>> root at bdc:~# wbinfo --sid-to-gid S-1-5-21-1166961617-3197558402-3341820450-516
>> 3000000
>
> OK, you have problems there, but not what you think. On my first DC
> (note I don't have a 'primary' or a 'backup' DC, I just have DC's) if I
> run 'wbinfo --name-to-sid=Domain\ Controllers' , I get:
>
> S-1-5-21-2025076216-3455336656-3842161122-516 SID_DOM_GROUP (2)
>
> If I then run 'wbinfo --sid-to-gid=S-1-5-21-2025076216-3455336656-3842161122-516' , I get:
>
> 3000025
>
> But if I run the same command on my other DC, I get:
>
> 3000021
>
> This is because idmap.ldb is not replicated between DC's. This can be
> checked by running 'ldbedit -e nano -H /var/lib/samba/private/idmap.ldb'
> on both machines and then searching for the relevant xidNumber. On the
> first DC, I get:
>
> dn: CN=S-1-5-21-2025076216-3455336656-3842161122-516
> cn: S-1-5-21-2025076216-3455336656-3842161122-516
> objectClass: sidMap
> objectSid: S-1-5-21-2025076216-3455336656-3842161122-516
> type: ID_TYPE_BOTH
> xidNumber: 3000025
> distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-516
>
> On the second DC, I get:
>
> dn: CN=S-1-5-21-2025076216-3455336656-3842161122-516
> cn: S-1-5-21-2025076216-3455336656-3842161122-516
> objectClass: sidMap
> objectSid: S-1-5-21-2025076216-3455336656-3842161122-516
> type: ID_TYPE_BOTH
> xidNumber: 3000021
> distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-516
>
I disagree, note: I've 3000019 in idmap.ldb, while wbinfo gives me 3000000 on
the same DC. It is rather weird!
> So, provided you only use the DC's for authentication, this will not be
> a problem.
>
> Now we come to your problem, you seem somehow to have '3000000' mapped
> to 'Domain Controllers'. On *both* my DC's, if I search in idmap.ldb for
> '3000000' I get this on both:
>
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_BOTH
> xidNumber: 3000000
> distinguishedName: CN=S-1-5-32-544
>
> Running 'wbinfo --sid-to-name=S-1-5-32-544' produces:
>
> BUILTIN\Administrators 4
>
> This is correct and it is this you need to fix. Have you any idea how your
> 'Domain Controllers' group got mapped to the 'Administrators' group?
I haven't any ... but this DC is a Debian OS in an LXC container, which was
actually cloned from another DC in another domain. samba-tool join was applied
then; idmap.ldb was replicated from the primary DC (the first DC in the domain,
if you complain about 'primary'). BTW, it is vanilla Samba 4.2.0.
>
> Rowland
>
>> while
>>
>> root at bdc:~# ldbedit -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-1166961617-3197558402-3341820450-516
>> shows correct xid 3000019
>>
>> and on the primary DC I've got
>>
>> itk at dc:/$ wbinfo --sid-to-gid S-1-5-21-1166961617-3197558402-3341820450-516
>> 3000019
>>
>> which is actually correct.
>>
>> How's that possible?
>>
>> Andrej
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
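The check Rowland describes (dump idmap.ldb on each DC and compare the xidNumber for the same SID) can be done without opening an editor on every machine. The script below is an added example, not code from the thread or from the Samba project: it parses LDIF dumps of idmap.ldb, reports SIDs whose xidNumber differs between two DCs, and also reports a single xidNumber that is mapped to more than one SID inside one dump, which is the kind of overlap the thread is worried about (3000000 belonging to both BUILTIN\Administrators and Domain Controllers). The two embedded dumps are constructed: the first reuses the values Rowland posted for his first DC, the second reuses his second DC's value for the -516 group and adds a made-up Domain Admins (-512) entry colliding on 3000000 to exercise the collision check.

```python
"""Compare idmap.ldb dumps from two Samba DCs and flag divergent or colliding xidNumbers.

Added example (not Samba code). Feed it two LDIF dumps, e.g. produced on each DC with
    ldbsearch -H /var/lib/samba/private/idmap.ldb objectClass=sidMap > dc1.ldif
With no arguments it runs on the constructed samples below.
"""
import sys
from collections import defaultdict

# Constructed sample: values as posted for the first DC in the thread.
DC1_LDIF = """\
dn: CN=S-1-5-21-2025076216-3455336656-3842161122-516
cn: S-1-5-21-2025076216-3455336656-3842161122-516
objectClass: sidMap
objectSid: S-1-5-21-2025076216-3455336656-3842161122-516
type: ID_TYPE_BOTH
xidNumber: 3000025
distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-516

dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
"""

# Constructed sample: second DC's value for -516, plus a made-up -512 (Domain Admins)
# entry that collides with BUILTIN\Administrators on 3000000. Not from the thread.
DC2_LDIF = """\
dn: CN=S-1-5-21-2025076216-3455336656-3842161122-516
objectClass: sidMap
objectSid: S-1-5-21-2025076216-3455336656-3842161122-516
type: ID_TYPE_BOTH
xidNumber: 3000021

dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-2025076216-3455336656-3842161122-512
objectClass: sidMap
objectSid: S-1-5-21-2025076216-3455336656-3842161122-512
type: ID_TYPE_BOTH
xidNumber: 3000000
"""


def parse_idmap_ldif(text):
    """Parse LDIF as printed by ldbsearch/ldbedit into {sid: (type, xidNumber)}.

    Records are separated by blank lines; '#' comment lines are ignored. Only
    objectClass sidMap records are kept, so the CONFIG record and ldb internals
    are skipped. Base64 ('::') values are not decoded; idmap.ldb prints SIDs as text.
    """
    mappings = {}
    for record in text.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        if attrs.get("objectclass") != "sidMap":
            continue
        mappings[attrs["objectsid"]] = (attrs.get("type", ""), int(attrs["xidnumber"]))
    return mappings


def find_divergent(a, b):
    """SIDs present in both dumps whose xidNumber differs: {sid: (xid_a, xid_b)}."""
    return {sid: (a[sid][1], b[sid][1])
            for sid in a.keys() & b.keys() if a[sid][1] != b[sid][1]}


def find_collisions(mapping):
    """xidNumbers mapped to more than one SID within one dump: {xid: [sids]}."""
    by_xid = defaultdict(list)
    for sid, (_, xid) in mapping.items():
        by_xid[xid].append(sid)
    return {xid: sorted(sids) for xid, sids in by_xid.items() if len(sids) > 1}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            dc1, dc2 = parse_idmap_ldif(f1.read()), parse_idmap_ldif(f2.read())
    else:
        dc1, dc2 = parse_idmap_ldif(DC1_LDIF), parse_idmap_ldif(DC2_LDIF)
    for sid, (x1, x2) in sorted(find_divergent(dc1, dc2).items()):
        print(f"DIVERGENT {sid}: dc1={x1} dc2={x2}")
    for label, m in (("dc1", dc1), ("dc2", dc2)):
        for xid, sids in sorted(find_collisions(m).items()):
            print(f"COLLISION on {label}: xid {xid} -> {', '.join(sids)}")
```

A divergence between DCs is expected with a non-replicated idmap.ldb and, as Rowland says, harmless while the DCs only authenticate; a collision within one DC is the case to chase, because two different security principals then share one Unix ID on that host.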