samba - Sep 2016 - Failed to find sambaDomain object to get sambaAlgorithmicRidBase

Hello group,

When I try to add sambaSAMAccount object class to a user with
smbldap-usermod, I have the following error:

smbldap-usermod -a bernard.fay

Failed to find sambaDomain object to get sambaAlgorithmicRidBase at
/usr/share/perl5/vendor_perl/smbldap_tools.pm line 1235.


Someone have an idea of the problem?

Thanks,
Bernard

On Thu, 29 Sep 2016 14:54:14 -0400
Bernard Fay via samba <samba at lists.samba.org> wrote:
> Hello group,
> 
> When I try to add sambaSAMAccount object class to a user with
> smbldap-usermod, I have the following error:
> 
> smbldap-usermod -a bernard.fay
> 
> Failed to find sambaDomain object to get sambaAlgorithmicRidBase at
> /usr/share/perl5/vendor_perl/smbldap_tools.pm line 1235.
> 
> 
> Someone have an idea of the problem?
> 
> Thanks,
> Bernard
Well, you will probably ignore me again, but can you please give us a
lot more info ????

What OS ?
What version of Samba ??

Post your smb.conf

Anything else you think might be relevant.

Rowland

On Thu, 29 Sep 2016 15:30:30 -0400
Bernard Fay <bernard.fay at gmail.com> wrote:
> CentOS 7
> 
> smbd -V
> Version 4.2.10
> 
> 
> [root at CTSFILE01 ~]# testparm -sn
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384) Processing section "[homes]"
> Processing section "[software]"
> Processing section "[tftp]"
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> 
> # Global parameters
> [global]
>     workgroup = CTS
>     server string = CTS File Server 01 - Samba version %v
>     interfaces = lo eth0
>     security = USER
>     passdb backend = ldapsam:ldap://ctsldap01/
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     load printers = No
>     printcap name = /dev/null
>     disable spoolss = Yes
>     add user script = /sbin/smbldap-useradd -m "%u"
>     add group script = /sbin/smbldap-groupadd -p "%g"
>     add user to group script = /sbin/smbldap-groupmod -m "%u"
"%g"
>     delete user from group script = /sbin/smbldap-groupmod -x
"%u"
> "%g" set primary group script = /sbin/smbldap-usermod -g
"%g" "%u"
>     add machine script = /sbin/smbldap-useradd -w "%u"
>     ldap admin dn = cn=Manager,dc=cts,dc=com
>     ldap delete dn = Yes
>     ldap group suffix = ou=Groups
>     ldap machine suffix = ou=Computers
>     ldap passwd sync = yes
>     ldap suffix = "dc=cts,dc=com"
>     ldap ssl = no
>     ldap user suffix = ou=Users
>     idmap config * : backend = tdb
>     printing = bsd
> 
> ... snipped the shares definition
> 
> 
> I do not know what else can be relevant as I am far to be a pro in
> Samba. :-(
> 
> If something else could be useful let me know.
> 
> Thanks,
> Bernard
> 
Didn't this:

Server role: ROLE_STANDALONE

Give you a hint ??

Try adding these lines:

server role = classic primary domain controller
domain master = yes

Rowland

As suggested I added the two lines below and restarted smb.
server role = classic primary domain controller
domain master = yes


[root at CTSFILE01 samba]# testparm -sn| head -32
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[software]"
Processing section "[tftp]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

# Global parameters
[global]
    workgroup = CTS
    server string = CTS File Server 01 - Samba version %v
    interfaces = lo eth0
    server role = classic primary domain controller
    security = USER
    passdb backend = ldapsam:ldap://ctsldap01/
    log file = /var/log/samba/log.%m
    max log size = 50
    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes
    add user script = /sbin/smbldap-useradd -m "%u"
    add group script = /sbin/smbldap-groupadd -p "%g"
    add user to group script = /sbin/smbldap-groupmod -m "%u"
"%g"
    delete user from group script = /sbin/smbldap-groupmod -x "%u"
"%g"
    set primary group script = /sbin/smbldap-usermod -g "%g"
"%u"
    add machine script = /sbin/smbldap-useradd -w "%u"
    domain master = Yes
    ldap admin dn = cn=Manager,dc=cts,dc=com
    ldap delete dn = Yes
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap passwd sync = yes
    ldap suffix = "dc=cts,dc=com"
    ldap ssl = no
    ldap user suffix = ou=Users
    idmap config * : backend = tdb
    printing = bsd


No more perl error, which is a good thing, I think but...

smbldap-usermod -a bernard.fay
Warning: sambaPrimaryGroupSID could not be set beacuse group of user
bernard.fay is not a mapped Domain group!
To get a list of groups mapped to Domain groups, use "net groupmap
list" on
a Domain member machine.


net groupmap list
It returns nothing then I modified the group Administrators to add a SID as
I think is the problem:

smbldap-groupmod -a Administrators


Then one more time I try to add the object class sambaSAMAccount:
[root at CTSFILE01 samba]# smbldap-usermod -a bernard.fay
Error: Account for user bernard.fay already _is_ a Samba account!
Omit option -a!


What??? Now have the objectClass sambaSAMAccount even before modifying it
wit smbldap-usermod???  Mystery or there is something I don't understand???

ldapsearch -x -b "uid=bernard.fay,ou=people,dc=cts,dc=com" objectClass
...
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount


I retried "net groupmap list":

[root at CTSFILE01 samba]# net groupmap list
Administrators (S-1-5-21-3886818290-2676185228-3116881835-513-21001) ->
Administrators

ok, let's define a password with smbldap-passwd... everything ok with that.

Sounds good so far.... let's try to map the home share from a Windows 7
machine.

BANG!!! In Windows Explorer when I try to map a samba share drive:
"the mapped network drive could not be created because the following error
has occured:
The security ID structure is invalid."


pdbedit -L
No builtin backend found, trying to load plugin
Module 'ldapsam' loaded
smbldap_search_domain_info: Searching
for:[(&(objectClasssambaDomain)(sambaDomainName=CTS))]
smbldap_open_connection: connection opened
sid S-1-5-21-3886818290-2676185228-3116881835-513-21000 does not belong to
our domain



What is going on again.....




On Thu, Sep 29, 2016 at 4:02 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Thu, 29 Sep 2016 15:30:30 -0400
> Bernard Fay <bernard.fay at gmail.com> wrote:
>
> > CentOS 7
> >
> > smbd -V
> > Version 4.2.10
> >
> >
> > [root at CTSFILE01 ~]# testparm -sn
> > Load smb config files from /etc/samba/smb.conf
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> > (16384) Processing section "[homes]"
> > Processing section "[software]"
> > Processing section "[tftp]"
> > Loaded services file OK.
> > Server role: ROLE_STANDALONE
> >
> > # Global parameters
> > [global]
> >     workgroup = CTS
> >     server string = CTS File Server 01 - Samba version %v
> >     interfaces = lo eth0
> >     security = USER
> >     passdb backend = ldapsam:ldap://ctsldap01/
> >     log file = /var/log/samba/log.%m
> >     max log size = 50
> >     load printers = No
> >     printcap name = /dev/null
> >     disable spoolss = Yes
> >     add user script = /sbin/smbldap-useradd -m "%u"
> >     add group script = /sbin/smbldap-groupadd -p "%g"
> >     add user to group script = /sbin/smbldap-groupmod -m
"%u" "%g"
> >     delete user from group script = /sbin/smbldap-groupmod -x
"%u"
> > "%g" set primary group script = /sbin/smbldap-usermod -g
"%g" "%u"
> >     add machine script = /sbin/smbldap-useradd -w "%u"
> >     ldap admin dn = cn=Manager,dc=cts,dc=com
> >     ldap delete dn = Yes
> >     ldap group suffix = ou=Groups
> >     ldap machine suffix = ou=Computers
> >     ldap passwd sync = yes
> >     ldap suffix = "dc=cts,dc=com"
> >     ldap ssl = no
> >     ldap user suffix = ou=Users
> >     idmap config * : backend = tdb
> >     printing = bsd
> >
> > ... snipped the shares definition
> >
> >
> > I do not know what else can be relevant as I am far to be a pro in
> > Samba. :-(
> >
> > If something else could be useful let me know.
> >
> > Thanks,
> > Bernard
> >
>
> Didn't this:
>
> Server role: ROLE_STANDALONE
>
> Give you a hint ??
>
> Try adding these lines:
>
> server role = classic primary domain controller
> domain master = yes
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Fri, 30 Sep 2016 08:17:23 -0400
Bernard Fay <bernard.fay at gmail.com> wrote:
> As suggested I added the two lines below and restarted smb.
> server role = classic primary domain controller
> domain master = yes
> 
> 
> [root at CTSFILE01 samba]# testparm -sn| head -32
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384) Processing section "[homes]"
> Processing section "[software]"
> Processing section "[tftp]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_PDC
> 
> # Global parameters
> [global]
>     workgroup = CTS
>     server string = CTS File Server 01 - Samba version %v
>     interfaces = lo eth0
>     server role = classic primary domain controller
>     security = USER
>     passdb backend = ldapsam:ldap://ctsldap01/
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     load printers = No
>     printcap name = /dev/null
>     disable spoolss = Yes
>     add user script = /sbin/smbldap-useradd -m "%u"
>     add group script = /sbin/smbldap-groupadd -p "%g"
>     add user to group script = /sbin/smbldap-groupmod -m "%u"
"%g"
>     delete user from group script = /sbin/smbldap-groupmod -x
"%u"
> "%g" set primary group script = /sbin/smbldap-usermod -g
"%g" "%u"
>     add machine script = /sbin/smbldap-useradd -w "%u"
>     domain master = Yes
>     ldap admin dn = cn=Manager,dc=cts,dc=com
>     ldap delete dn = Yes
>     ldap group suffix = ou=Groups
>     ldap machine suffix = ou=Computers
>     ldap passwd sync = yes
>     ldap suffix = "dc=cts,dc=com"
>     ldap ssl = no
>     ldap user suffix = ou=Users
>     idmap config * : backend = tdb
>     printing = bsd
> 
> 
> No more perl error, which is a good thing, I think but...
> 
> smbldap-usermod -a bernard.fay
> Warning: sambaPrimaryGroupSID could not be set beacuse group of user
> bernard.fay is not a mapped Domain group!
> To get a list of groups mapped to Domain groups, use "net groupmap
> list" on a Domain member machine.
> 
> 
> net groupmap list
> It returns nothing then I modified the group Administrators to add a
> SID as I think is the problem:
> 
> smbldap-groupmod -a Administrators
> 
> 
> Then one more time I try to add the object class sambaSAMAccount:
> [root at CTSFILE01 samba]# smbldap-usermod -a bernard.fay
> Error: Account for user bernard.fay already _is_ a Samba account!
> Omit option -a!
> 
> 
> What??? Now have the objectClass sambaSAMAccount even before
> modifying it wit smbldap-usermod???  Mystery or there is something I
> don't understand???
> 
> ldapsearch -x -b "uid=bernard.fay,ou=people,dc=cts,dc=com"
objectClass
> ...
> objectClass: top
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
> objectClass: sambaSamAccount
> 
> 
> I retried "net groupmap list":
> 
> [root at CTSFILE01 samba]# net groupmap list
> Administrators (S-1-5-21-3886818290-2676185228-3116881835-513-21001)
> -> Administrators
> 
> ok, let's define a password with smbldap-passwd... everything ok with
> that.
> 
> Sounds good so far.... let's try to map the home share from a Windows
> 7 machine.
> 
> BANG!!! In Windows Explorer when I try to map a samba share drive:
> "the mapped network drive could not be created because the following
> error has occured:
> The security ID structure is invalid."
> 
> 
> pdbedit -L
> No builtin backend found, trying to load plugin
> Module 'ldapsam' loaded
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=CTS))]
> smbldap_open_connection: connection opened
> sid S-1-5-21-3886818290-2676185228-3116881835-513-21000 does not
> belong to our domain
> 
> 
> 
> What is going on again.....
> 
> 
I think what is going on is that you ran 'smbldap-populate' against
something that wasn't a PDC.

Can I ask why you are trying to create a new NT4-style PDC ?

Wouldn't you be better creating an AD DC ?

Rowland

I didn't use smbldap-populate. I used ldif files to add groups to LDAP with
ldapadd.

You have rather good questions, NT4 or AD style, I don't know.  I am a Unix
guy with very few knowledge in Windows stuff and I try to stay away from it
as much as I can. I have been asked to setup a new LDAP directory with
Samba passwords stored in this LDAP directory.

I base my work on an actual LDAP and Samba server that is working in our
environment.  This server as role ROLE_STANDALONE.  I also use recipe found
on Internet.

If you can point me to a recipe for an AD DC, I will try it. But what is
the actual difference between both?

I also seriously think about splitting LDAP and samba, no integration at
all between both.

Thanks,


On Fri, Sep 30, 2016 at 8:22 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 30 Sep 2016 08:17:23 -0400
> Bernard Fay <bernard.fay at gmail.com> wrote:
>
> > As suggested I added the two lines below and restarted smb.
> > server role = classic primary domain controller
> > domain master = yes
> >
> >
> > [root at CTSFILE01 samba]# testparm -sn| head -32
> > Load smb config files from /etc/samba/smb.conf
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> > (16384) Processing section "[homes]"
> > Processing section "[software]"
> > Processing section "[tftp]"
> > Loaded services file OK.
> > Server role: ROLE_DOMAIN_PDC
> >
> > # Global parameters
> > [global]
> >     workgroup = CTS
> >     server string = CTS File Server 01 - Samba version %v
> >     interfaces = lo eth0
> >     server role = classic primary domain controller
> >     security = USER
> >     passdb backend = ldapsam:ldap://ctsldap01/
> >     log file = /var/log/samba/log.%m
> >     max log size = 50
> >     load printers = No
> >     printcap name = /dev/null
> >     disable spoolss = Yes
> >     add user script = /sbin/smbldap-useradd -m "%u"
> >     add group script = /sbin/smbldap-groupadd -p "%g"
> >     add user to group script = /sbin/smbldap-groupmod -m
"%u" "%g"
> >     delete user from group script = /sbin/smbldap-groupmod -x
"%u"
> > "%g" set primary group script = /sbin/smbldap-usermod -g
"%g" "%u"
> >     add machine script = /sbin/smbldap-useradd -w "%u"
> >     domain master = Yes
> >     ldap admin dn = cn=Manager,dc=cts,dc=com
> >     ldap delete dn = Yes
> >     ldap group suffix = ou=Groups
> >     ldap machine suffix = ou=Computers
> >     ldap passwd sync = yes
> >     ldap suffix = "dc=cts,dc=com"
> >     ldap ssl = no
> >     ldap user suffix = ou=Users
> >     idmap config * : backend = tdb
> >     printing = bsd
> >
> >
> > No more perl error, which is a good thing, I think but...
> >
> > smbldap-usermod -a bernard.fay
> > Warning: sambaPrimaryGroupSID could not be set beacuse group of user
> > bernard.fay is not a mapped Domain group!
> > To get a list of groups mapped to Domain groups, use "net
groupmap
> > list" on a Domain member machine.
> >
> >
> > net groupmap list
> > It returns nothing then I modified the group Administrators to add a
> > SID as I think is the problem:
> >
> > smbldap-groupmod -a Administrators
> >
> >
> > Then one more time I try to add the object class sambaSAMAccount:
> > [root at CTSFILE01 samba]# smbldap-usermod -a bernard.fay
> > Error: Account for user bernard.fay already _is_ a Samba account!
> > Omit option -a!
> >
> >
> > What??? Now have the objectClass sambaSAMAccount even before
> > modifying it wit smbldap-usermod???  Mystery or there is something I
> > don't understand???
> >
> > ldapsearch -x -b "uid=bernard.fay,ou=people,dc=cts,dc=com"
objectClass
> > ...
> > objectClass: top
> > objectClass: posixAccount
> > objectClass: shadowAccount
> > objectClass: inetOrgPerson
> > objectClass: sambaSamAccount
> >
> >
> > I retried "net groupmap list":
> >
> > [root at CTSFILE01 samba]# net groupmap list
> > Administrators (S-1-5-21-3886818290-2676185228-3116881835-513-21001)
> > -> Administrators
> >
> > ok, let's define a password with smbldap-passwd... everything ok
with
> > that.
> >
> > Sounds good so far.... let's try to map the home share from a
Windows
> > 7 machine.
> >
> > BANG!!! In Windows Explorer when I try to map a samba share drive:
> > "the mapped network drive could not be created because the
following
> > error has occured:
> > The security ID structure is invalid."
> >
> >
> > pdbedit -L
> > No builtin backend found, trying to load plugin
> > Module 'ldapsam' loaded
> > smbldap_search_domain_info: Searching
> > for:[(&(objectClass=sambaDomain)(sambaDomainName=CTS))]
> > smbldap_open_connection: connection opened
> > sid S-1-5-21-3886818290-2676185228-3116881835-513-21000 does not
> > belong to our domain
> >
> >
> >
> > What is going on again.....
> >
> >
>
> I think what is going on is that you ran 'smbldap-populate' against
> something that wasn't a PDC.
>
> Can I ask why you are trying to create a new NT4-style PDC ?
>
> Wouldn't you be better creating an AD DC ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>