Hi All,

We have a classic PDC with an LDAP backend. We're trying to add some member servers which will act as print and file servers. We've joined the member servers to the domain using net rpc join. The problem we are having is we are seeing the following when using pdbedit -L -v -d10 from a member server:

  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=WINTF))]
  smbldap_open_connection: connection opened
  Skipping entry uid=robertb,ou=users,dc=tog
  sid S-1-5-21-x-x-x-3034 does not belong to our domain

net getlocalsid

  ID for local machine WINTF is: S-1-5-21-4632170330-5278305567-71232245
  SID for domain TOG is: S-1-5-21-7852576374-8644348213-3812465877

The same when running from the LDAP server, we get

  Unix username:        robertb
  NT username:          robertb
  Account Flags:        [U          ]
  User SID:             S-1-5-21-x-x-x-x-3034
  Primary Group SID:    S-1-5-21-x-x-x-x-513
  Full Name:            Robert Barat
  Domain:               TOG

The user details can be accessed using getent passwd robertb from the member server.

The smb.conf of the member server is

  workgroup = TOG
  netbios name = WINTF
  security = user
  idmap config * : backend = ldap
  idmap config * : range = 3000-7999

  passdb backend = ldapsam:ldap://10.10.10.1
  ldap admin dn = cn=admin,dc=tog
  ldap suffix = dc=tog
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap user suffix = ou=users
  idmap backend = ldap
  ldap idmap suffix = ou=idmap
  idmap config * : ldap_url = ldap://10.10.10.1
  idmap config * : ldap_base_dn = ou=idmap,dc=tog
  idmap config * : ldap_user_dn = cn=admin,dc=tog

  domain logons = no

Any suggestions?

RT
On Tue, 31 Jul 2018 15:01:30 +1000
Rob Thoman via samba <samba at lists.samba.org> wrote:

> Hi All,
>
> We have a classic PDC with an LDAP backend. We're trying to add some
> member servers which will act as print and file servers. We've joined
> the member servers to the domain using net rpc join. The problem we
> are having is we are seeing the following when using
> pdbedit -L -v -d10 from a member server
>
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=WINTF))]
> smbldap_open_connection: connection opened
> Skipping entry uid=robertb,ou=users,dc=tog
> sid S-1-5-21-x-x-x-3034 does not belong to our domain
>
> net getlocalsid
> ID for local machine WINTF is: S-1-5-21-4632170330-5278305567-71232245
> SID for domain TOG is: S-1-5-21-7852576374-8644348213-3812465877
>
>
> The same when running from the LDAP server, we get
>
> Unix username: robertb
> NT username: robertb
> Account Flags: [U ]
> User SID: S-1-5-21-x-x-x-x-3034
> Primary Group SID: S-1-5-21-x-x-x-x-513
> Full Name: Robert Barat
> Domain: TOG
>
> The user details can be accessed using getent passwd robertb from the
> member server.
>
> The smb.conf of the member server is
> workgroup = TOG
> netbios name = WINTF
> security = user
> idmap config * : backend = ldap
> idmap config * : range = 3000-7999
>
> passdb backend = ldapsam:ldap://10.10.10.1
> ldap admin dn = cn=admin,dc=tog
> ldap suffix = dc=tog
> ldap group suffix = ou=groups
> ldap machine suffix = ou=computers
> ldap user suffix = ou=users
> idmap backend = ldap
> ldap idmap suffix = ou=idmap
> idmap config * : ldap_url = ldap://10.10.10.1
> idmap config * : ldap_base_dn = ou=idmap,dc=tog
> idmap config * : ldap_user_dn = cn=admin,dc=tog
>
> domain logons = no
>
> Any suggestions?
>
> RT

Yes, upgrade to AD as soon as possible; if you have any Windows 10 machines, you may come in one morning and find that NOTHING works.
In the meantime, there wasn't much point in sanitizing the SIDs if you didn't sanitize them all; in fact you have made it worse, because we now don't know which SID is 'x-x-x-x': are they all the same SID, or are they different SIDs? You could try setting the local SID to be the same as the domain SID.

Rowland
On Tue, 2018-07-31 at 15:01 +1000, Rob Thoman via samba wrote:
> Hi All,
>
> We have a classic PDC with an LDAP backend. We're trying to add some member
> servers which will act as print and file servers. We've joined the member
> servers to the domain using net rpc join. The problem we are having is we
> are seeing the following when using
> pdbedit -L -v -d10 from a member server

You don't run pdbedit on a member server. You have to use winbindd on the member server.

Any machine connected to the same LDAP backend as the PDC must also be a DC; there is only one SID for the domain, and as Rowland kind of hinted at, the local and domain SID need to be the same. What wasn't explicit is that this only happens on a DC.

I hope this clarifies things,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
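As an added illustration of Andrew's point (editor's example, not a config posted in this thread or shipped by the Samba project): the member server's smb.conf above makes WINTF read the PDC's SAM directly through "passdb backend = ldapsam", so every sambaSamAccount entry is checked against WINTF's own local SID and rejected as "does not belong to our domain". A member server should instead let winbindd resolve TOG users against the PDC and use LDAP only for the shared idmap allocation. The workgroup, NetBIOS name, LDAP URL and ou=idmap base DN are taken from the original post; "security = domain", the TOG idmap range and the dedicated bind DN cn=idmap-writer are my assumptions.

```ini
# Editor's example smb.conf for a classic (NT4-style) domain member, not from the thread.
[global]
   workgroup = TOG
   netbios name = WINTF
   # Authenticate domain users against the PDC over RPC instead of a local passdb.
   security = domain

   # Deliberately absent: "passdb backend = ldapsam:...", "ldap suffix",
   # "ldap admin dn" and the old "idmap backend"/"ldap idmap suffix" lines.
   # Only a DC should read sambaDomain/sambaSamAccount entries directly.

   # Default backend for SIDs winbindd cannot attribute to a known domain
   # (BUILTIN and well-known SIDs). tdb is local and needs no LDAP access.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Domain TOG: keep uid/gid allocations in ou=idmap on the PDC's LDAP so every
   # member server maps a given SID to the same uid/gid. The range is assumed and
   # must not overlap the "*" range above.
   idmap config TOG : backend = ldap
   idmap config TOG : range = 10000-19999
   idmap config TOG : ldap_url = ldap://10.10.10.1
   idmap config TOG : ldap_base_dn = ou=idmap,dc=tog
   # Least privilege (assumed DN): a bind account with write access limited to
   # ou=idmap, rather than the directory-wide cn=admin,dc=tog the post used.
   # Its password goes into secrets.tdb, not smb.conf:
   #   net idmap set secret TOG <password>   (Samba 4; see "net help idmap")
   idmap config TOG : ldap_user_dn = cn=idmap-writer,ou=idmap,dc=tog

   # Let "getent passwd robertb" resolve without a TOG\ prefix.
   winbind use default domain = yes
```

Checks before relying on it: "testparm -s" should accept the file, "passwd" and "group" in /etc/nsswitch.conf need "winbind" added so getent goes through winbindd, and "wbinfo --ping-dc" followed by "wbinfo -u" confirms the member can reach the PDC and enumerate TOG users with the SIDs the PDC hands out, not a locally generated one.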