Marco Gaiarin
2018-Mar-21 16:55 UTC
[Samba] Again 'Failed to find domain 'NT AUTHORITY'. Check connection to trusted domains!'
I've hit the error in the subject while trying a backup of my sysvol.

Mar 21 11:13:31 vdcsv1 winbindd[3494]: [2018/03/21 11:13:31.234373, 0] ../source3/winbindd/winbindd_group.c:45(fill_grent)
Mar 21 11:13:31 vdcsv1 winbindd[3494]: Failed to find domain 'NT AUTHORITY'. Check connection to trusted domains!

Looking on the internet/list archive led me to a recent post (November 2017) and this bug:

https://bugzilla.samba.org/show_bug.cgi?id=12164

But I've not understood how it is related.

The ACLs of my sysvol are:

root@vdcsv1:~# getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

The trouble came from 'root' or groups '3000002' and '3000003'?

How can I fix them? Thanks.

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland Penny
2018-Mar-21 17:07 UTC
[Samba] Again 'Failed to find domain 'NT AUTHORITY'. Check connection to trusted domains!'
On Wed, 21 Mar 2018 17:55:17 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

>
> I've hit the error in the subject while trying a backup of my sysvol.
>
> Mar 21 11:13:31 vdcsv1 winbindd[3494]: [2018/03/21 11:13:31.234373,
> 0] ../source3/winbindd/winbindd_group.c:45(fill_grent) Mar 21
> 11:13:31 vdcsv1 winbindd[3494]: Failed to find domain 'NT
> AUTHORITY'. Check connection to trusted domains!
>
>
> Looking on the internet/list archive led me to a recent post (November 2017)
> and this bug:
> https://bugzilla.samba.org/show_bug.cgi?id=12164
>
> But I've not understood how it is related.
>
> The ACLs of my sysvol are:
>
> root@vdcsv1:~# getfacl /var/lib/samba/sysvol/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> The trouble came from 'root' or groups '3000002' and '3000003'?

No and very very probably no & no ;-)

>
> How can I fix them? Thanks.

Fix what? The owner has to be 'root', and you can find out just who
'3000002' & '3000003' are by opening /var/lib/samba/private/idmap.ldb
with ldbedit and searching for them.

The 'cn' will contain the Windows SID and if you look here:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

You will be able to see who they are.

Rowland
Marco Gaiarin
2018-Mar-21 17:50 UTC
[Samba] Again 'Failed to find domain 'NT AUTHORITY'. Check connection to trusted domains!'
Hello! Rowland Penny via samba
  On that day, it was said...

> > The trouble came from 'root' or groups '3000002' and '3000003'?
> No and very very probably no & no ;-)

> > How can I fix them? Thanks.
> Fix what? The owner has to be 'root', and you can find out just who
> '3000002' & '3000003' are by opening /var/lib/samba/private/idmap.ldb
> with ldbedit and searching for them.

# record 48
dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-18

# record 6
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-11

> The 'cn' will contain the Windows SID and if you look here:
> https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
> You will be able to see who they are.

OK, 'Local System' and 'Authenticated Users'.

Now? I've to add an explicit map? How? On a DC, I suppose all SIDs get
mapped, via xidNumber... because these are missing?
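
The lookup described in the thread (numeric ACL id, to idmap.ldb sidMap record, to well-known SID name), as an added example that is not part of the thread or of Samba's own code. It parses LDIF text such as `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints and resolves the numeric ids found in getfacl output; the sample inputs are constructed from the values posted above, and the function names and the id 3000099 are assumptions for illustration.

```python
import re
# Names for the two SIDs identified in the thread (Microsoft well-known SID list).
WELL_KNOWN = {"S-1-5-18": "Local System", "S-1-5-11": "Authenticated Users"}

# Constructed input: the thread's two sidMap records, abridged to the attributes used.
IDMAP_LDIF = """\
dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
xidNumber: 3000002

dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
xidNumber: 3000003
"""

# Constructed input: getfacl entries from the thread plus a made-up unmapped id 3000099.
GETFACL = """\
user:root:rwx
group:BUILTIN\\134administrators:rwx
group:3000002:rwx
group:3000003:r-x
default:group:3000002:rwx
default:group:3000099:r-x
"""

def parse_idmap(ldif):
    """Return {xidNumber: SID} from blank-line-separated sidMap records."""
    xid_to_sid = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            xid_to_sid[int(attrs["xidNumber"])] = attrs["cn"]
    return xid_to_sid

def resolve_acl_ids(getfacl_text, xid_to_sid):
    """Return {numeric id: (SID, name)}; (None, None) when idmap has no record."""
    resolved = {}
    for line in getfacl_text.splitlines():
        m = re.match(r"(?:default:)?(?:user|group):(\d+):[rwx-]{3}$", line.strip())
        if m:  # entries with resolvable names (root, BUILTIN\...) are skipped
            xid = int(m.group(1))
            sid = xid_to_sid.get(xid)
            resolved[xid] = (sid, WELL_KNOWN.get(sid, "not in table") if sid else None)
    return resolved

if __name__ == "__main__":
    print(resolve_acl_ids(GETFACL, parse_idmap(IDMAP_LDIF)))
```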