Bernard Fay
2016-Sep-29 18:54 UTC
[Samba] Failed to find sambaDomain object to get sambaAlgorithmicRidBase
Hello group,

When I try to add sambaSAMAccount object class to a user with smbldap-usermod, I have the following error:

    smbldap-usermod -a bernard.fay

    Failed to find sambaDomain object to get sambaAlgorithmicRidBase at /usr/share/perl5/vendor_perl/smbldap_tools.pm line 1235.

Does someone have an idea of the problem?

Thanks,
Bernard
Rowland Penny
2016-Sep-29 19:11 UTC
[Samba] Failed to find sambaDomain object to get sambaAlgorithmicRidBase
On Thu, 29 Sep 2016 14:54:14 -0400 Bernard Fay via samba <samba at lists.samba.org> wrote:

> Hello group,
>
> When I try to add sambaSAMAccount object class to a user with
> smbldap-usermod, I have the following error:
>
> smbldap-usermod -a bernard.fay
>
> Failed to find sambaDomain object to get sambaAlgorithmicRidBase at
> /usr/share/perl5/vendor_perl/smbldap_tools.pm line 1235.
>
> Does someone have an idea of the problem?
>
> Thanks,
> Bernard

Well, you will probably ignore me again, but can you please give us a lot more info ????

What OS ?
What version of Samba ??
Post your smb.conf
Anything else you think might be relevant.

Rowland
Rowland Penny
2016-Sep-29 20:02 UTC
[Samba] Failed to find sambaDomain object to get sambaAlgorithmicRidBase
On Thu, 29 Sep 2016 15:30:30 -0400 Bernard Fay <bernard.fay at gmail.com> wrote:

> CentOS 7
>
> smbd -V
> Version 4.2.10
>
> [root@CTSFILE01 ~]# testparm -sn
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[homes]"
> Processing section "[software]"
> Processing section "[tftp]"
> Loaded services file OK.
> Server role: ROLE_STANDALONE
>
> # Global parameters
> [global]
>     workgroup = CTS
>     server string = CTS File Server 01 - Samba version %v
>     interfaces = lo eth0
>     security = USER
>     passdb backend = ldapsam:ldap://ctsldap01/
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     load printers = No
>     printcap name = /dev/null
>     disable spoolss = Yes
>     add user script = /sbin/smbldap-useradd -m "%u"
>     add group script = /sbin/smbldap-groupadd -p "%g"
>     add user to group script = /sbin/smbldap-groupmod -m "%u" "%g"
>     delete user from group script = /sbin/smbldap-groupmod -x "%u" "%g"
>     set primary group script = /sbin/smbldap-usermod -g "%g" "%u"
>     add machine script = /sbin/smbldap-useradd -w "%u"
>     ldap admin dn = cn=Manager,dc=cts,dc=com
>     ldap delete dn = Yes
>     ldap group suffix = ou=Groups
>     ldap machine suffix = ou=Computers
>     ldap passwd sync = yes
>     ldap suffix = "dc=cts,dc=com"
>     ldap ssl = no
>     ldap user suffix = ou=Users
>     idmap config * : backend = tdb
>     printing = bsd
>
> ... snipped the shares definition
>
> I do not know what else can be relevant as I am far from being a pro in
> Samba. :-(
>
> If something else could be useful let me know.
>
> Thanks,
> Bernard

Didn't this:

Server role: ROLE_STANDALONE

Give you a hint ??

Try adding these lines:

    server role = classic primary domain controller
    domain master = yes

Rowland
Bernard Fay
2016-Sep-30 12:18 UTC
[Samba] Fwd: Failed to find sambaDomain object to get sambaAlgorithmicRidBase
As suggested I added the two lines below and restarted smb.

    server role = classic primary domain controller
    domain master = yes

[root@CTSFILE01 samba]# testparm -sn| head -32
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[software]"
Processing section "[tftp]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

# Global parameters
[global]
    workgroup = CTS
    server string = CTS File Server 01 - Samba version %v
    interfaces = lo eth0
    server role = classic primary domain controller
    security = USER
    passdb backend = ldapsam:ldap://ctsldap01/
    log file = /var/log/samba/log.%m
    max log size = 50
    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes
    add user script = /sbin/smbldap-useradd -m "%u"
    add group script = /sbin/smbldap-groupadd -p "%g"
    add user to group script = /sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /sbin/smbldap-usermod -g "%g" "%u"
    add machine script = /sbin/smbldap-useradd -w "%u"
    domain master = Yes
    ldap admin dn = cn=Manager,dc=cts,dc=com
    ldap delete dn = Yes
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap passwd sync = yes
    ldap suffix = "dc=cts,dc=com"
    ldap ssl = no
    ldap user suffix = ou=Users
    idmap config * : backend = tdb
    printing = bsd

No more perl error, which is a good thing, I think but...

smbldap-usermod -a bernard.fay
Warning: sambaPrimaryGroupSID could not be set beacuse group of user bernard.fay is not a mapped Domain group!
To get a list of groups mapped to Domain groups, use "net groupmap list" on a Domain member machine.

net groupmap list

It returns nothing then I modified the group Administrators to add a SID as I think is the problem:

smbldap-groupmod -a Administrators

Then one more time I try to add the object class sambaSAMAccount:

[root@CTSFILE01 samba]# smbldap-usermod -a bernard.fay
Error: Account for user bernard.fay already _is_ a Samba account!
Omit option -a!

What??? Now have the objectClass sambaSAMAccount even before modifying it with smbldap-usermod??? Mystery or there is something I don't understand???

ldapsearch -x -b "uid=bernard.fay,ou=people,dc=cts,dc=com" objectClass
...
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount

I retried "net groupmap list":

[root@CTSFILE01 samba]# net groupmap list
Administrators (S-1-5-21-3886818290-2676185228-3116881835-513-21001) -> Administrators

ok, let's define a password with smbldap-passwd... everything ok with that.

Sounds good so far.... let's try to map the home share from a Windows 7 machine.

BANG!!! In Windows Explorer when I try to map a samba share drive:

"the mapped network drive could not be created because the following error has occurred:
The security ID structure is invalid."

pdbedit -L
No builtin backend found, trying to load plugin
Module 'ldapsam' loaded
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CTS))]
smbldap_open_connection: connection opened
sid S-1-5-21-3886818290-2676185228-3116881835-513-21000 does not belong to our domain

What is going on again.....
Rowland Penny
2016-Sep-30 12:22 UTC
[Samba] Failed to find sambaDomain object to get sambaAlgorithmicRidBase
On Fri, 30 Sep 2016 08:17:23 -0400 Bernard Fay <bernard.fay at gmail.com> wrote:

> As suggested I added the two lines below and restarted smb.
>     server role = classic primary domain controller
>     domain master = yes
>
> [root@CTSFILE01 samba]# testparm -sn| head -32
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[homes]"
> Processing section "[software]"
> Processing section "[tftp]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_PDC
>
> # Global parameters
> [global]
>     workgroup = CTS
>     server string = CTS File Server 01 - Samba version %v
>     interfaces = lo eth0
>     server role = classic primary domain controller
>     security = USER
>     passdb backend = ldapsam:ldap://ctsldap01/
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     load printers = No
>     printcap name = /dev/null
>     disable spoolss = Yes
>     add user script = /sbin/smbldap-useradd -m "%u"
>     add group script = /sbin/smbldap-groupadd -p "%g"
>     add user to group script = /sbin/smbldap-groupmod -m "%u" "%g"
>     delete user from group script = /sbin/smbldap-groupmod -x "%u" "%g"
>     set primary group script = /sbin/smbldap-usermod -g "%g" "%u"
>     add machine script = /sbin/smbldap-useradd -w "%u"
>     domain master = Yes
>     ldap admin dn = cn=Manager,dc=cts,dc=com
>     ldap delete dn = Yes
>     ldap group suffix = ou=Groups
>     ldap machine suffix = ou=Computers
>     ldap passwd sync = yes
>     ldap suffix = "dc=cts,dc=com"
>     ldap ssl = no
>     ldap user suffix = ou=Users
>     idmap config * : backend = tdb
>     printing = bsd
>
> No more perl error, which is a good thing, I think but...
>
> smbldap-usermod -a bernard.fay
> Warning: sambaPrimaryGroupSID could not be set beacuse group of user
> bernard.fay is not a mapped Domain group!
> To get a list of groups mapped to Domain groups, use "net groupmap
> list" on a Domain member machine.
>
> net groupmap list
> It returns nothing then I modified the group Administrators to add a
> SID as I think is the problem:
>
> smbldap-groupmod -a Administrators
>
> Then one more time I try to add the object class sambaSAMAccount:
> [root@CTSFILE01 samba]# smbldap-usermod -a bernard.fay
> Error: Account for user bernard.fay already _is_ a Samba account!
> Omit option -a!
>
> What??? Now have the objectClass sambaSAMAccount even before
> modifying it with smbldap-usermod??? Mystery or there is something I
> don't understand???
>
> ldapsearch -x -b "uid=bernard.fay,ou=people,dc=cts,dc=com" objectClass
> ...
> objectClass: top
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
> objectClass: sambaSamAccount
>
> I retried "net groupmap list":
>
> [root@CTSFILE01 samba]# net groupmap list
> Administrators (S-1-5-21-3886818290-2676185228-3116881835-513-21001)
> -> Administrators
>
> ok, let's define a password with smbldap-passwd... everything ok with
> that.
>
> Sounds good so far.... let's try to map the home share from a Windows
> 7 machine.
>
> BANG!!! In Windows Explorer when I try to map a samba share drive:
> "the mapped network drive could not be created because the following
> error has occurred:
> The security ID structure is invalid."
>
> pdbedit -L
> No builtin backend found, trying to load plugin
> Module 'ldapsam' loaded
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=CTS))]
> smbldap_open_connection: connection opened
> sid S-1-5-21-3886818290-2676185228-3116881835-513-21000 does not
> belong to our domain
>
> What is going on again.....

I think what is going on is that you ran 'smbldap-populate' against something that wasn't a PDC.

Can I ask why you are trying to create a new NT4-style PDC ?

Wouldn't you be better creating an AD DC ?

Rowland
Bernard Fay
2016-Sep-30 12:50 UTC
[Samba] Failed to find sambaDomain object to get sambaAlgorithmicRidBase
I didn't use smbldap-populate. I used ldif files to add groups to LDAP with ldapadd.

You have rather good questions, NT4 or AD style, I don't know. I am a Unix guy with very little knowledge in Windows stuff and I try to stay away from it as much as I can.

I have been asked to set up a new LDAP directory with Samba passwords stored in this LDAP directory. I base my work on an actual LDAP and Samba server that is working in our environment. This server has role ROLE_STANDALONE. I also use recipes found on the Internet.

If you can point me to a recipe for an AD DC, I will try it. But what is the actual difference between both?

I also seriously think about splitting LDAP and samba, no integration at all between both.

Thanks,
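Added example, not part of any message in the thread and not code from Samba or smbldap-tools: a shell check that lists the sambaSID / sambaPrimaryGroupSID values in an LDIF dump that are not of the form "<domain SID>-<RID>", which is the condition behind pdbedit's "does not belong to our domain" message. The domain SID used here is an assumption (the S-1-5-21-X-Y-Z prefix of the SIDs printed in the thread), and the LDIF entries are constructed.

```shell
#!/bin/sh
# Added example: list sambaSID / sambaPrimaryGroupSID values that are not
# "<domain SID>-<RID>". Real input would come from something like
#   ldapsearch -x -LLL -o ldif-wrap=no -b dc=cts,dc=com sambaSID sambaPrimaryGroupSID

# ASSUMPTION: the domain SID is the S-1-5-21-X-Y-Z prefix of the SIDs in the thread.
DOMAIN_SID="S-1-5-21-3886818290-2676185228-3116881835"

# check_sids DOMAIN_SID < ldif
# Prints "dn<TAB>attribute<TAB>sid<TAB>reason" for each bad value.
# Exit status: 0 = all fine, 1 = bad values found, 2 = DOMAIN_SID is malformed.
check_sids() {
    awk -v dom="$1" '
    function report(why) { printf "%s\t%s\t%s\t%s\n", dn, attr, sid, why; bad = 1 }
    BEGIN {
        # An NT domain SID has exactly three sub-authorities after S-1-5-21.
        if (dom !~ /^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$/) {
            print "domain SID is not S-1-5-21-X-Y-Z: " dom > "/dev/stderr"
            bad = 2; exit bad
        }
    }
    /^dn: / { dn = substr($0, 5); next }
    /^(sambaSID|sambaPrimaryGroupSID): / {
        attr = substr($1, 1, length($1) - 1); sid = $2
        # The sambaDomain entry holds the domain SID; BUILTIN groups use S-1-5-32-*.
        if (sid == dom || sid ~ /^S-1-5-32-[0-9]+$/) next
        if (sid !~ /^S-1-[0-9]+(-[0-9]+)+$/) { report("malformed SID"); next }
        parent = sid; sub(/-[0-9]+$/, "", parent)   # strip the trailing RID
        if (parent != dom) report("not <domain SID>-<RID>")
    }
    END { exit bad }
    '
}

# Constructed sample; the SIDs ending in -513-21001 and -513-21000 are the
# two values printed in the thread, the DNs and other values are made up.
sample_ldif() {
    cat <<'EOF'
dn: sambaDomainName=CTS,dc=cts,dc=com
sambaSID: S-1-5-21-3886818290-2676185228-3116881835

dn: cn=Administrators,ou=Groups,dc=cts,dc=com
sambaSID: S-1-5-21-3886818290-2676185228-3116881835-513-21001

dn: uid=example1,ou=Users,dc=cts,dc=com
sambaSID: S-1-5-21-3886818290-2676185228-3116881835-513-21000
sambaPrimaryGroupSID: S-1-5-21-3886818290-2676185228-3116881835-513

dn: cn=BuiltinAdmins,ou=Groups,dc=cts,dc=com
sambaSID: S-1-5-32-544
EOF
}

sample_ldif | check_sids "$DOMAIN_SID" || echo "SID mismatches found" >&2
```

On a live server the value to pass as DOMAIN_SID is the one reported by `net getlocalsid`, compared against the sambaSID stored in the sambaDomain entry.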