RE: [Samba] Windows member servers have lost their minds... - Samba

  1. RE: [Samba] Windows member servers have lost their minds...

    ----- Original Message -----
    From: Gerald (Jerry) Carter
    Sent: Tue, 6/12/2007 8:22am
    To: Rubin Bennett
    Cc: samba@lists.samba.org
    Subject: Re: [Samba] Windows member servers have lost their minds...

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    >Rubin,


    >> I'm having a serious problem after a Samba upgrade from 3.0.20 to
    >> 3.0.23c.


    >You read the release notes regarding the SID changes in
    >3.0.23 right ? The next step is to look at a level 10
    >debug log from smbd when you are receiving the ACCESS_DENIED
    >error.


    Hi, Jerry-
    Thanks for your reply!

    I did read the release notes, and the RID/SID mappings were one of the first things I looked at, along with the output from net groupmap list.

    What I'm seeing is that the domain authentication is working just fine, but that I don't have administrative rights on the member servers when I log in as DOMAIN\root.

    If I go to the Event log, I can read everything but the Security log, which errors out with:
    Unable to complete the operation on "Security".
    A required privilege is not held by the client

    If I try to set services to run as the domain administrator, they won't start. I've unjoined and rejoined the machines to the domain several times, I've removed the machine accounts from the Linux and Samba databases, I've double and triple checked profiles and net groupmap listings etc. etc. etc. and get no joy.

    For a brief moment last night, things appeared to be almost working correctly on one of the servers (i.e. I could shut the server down etc. when logged in as the domain administrator and could get into the Security event log), but this morning, after no changes were made, things weren't happy again. The SQL server was not running and the file shares were inaccessible from the network.

    There are no errors on the Samba box and log level = 10.
    On the Windows server, the only error that I can find is a 3210, "Failed to authenticate with \\PDC, a Windows NT or 2000 domain controller for domain DOMAIN."

    *head bloody from banging on wall*...
    Rubin


    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. RE: [Samba] Windows member servers have lost their minds...

    Ok, I think I've narrowed the issue down now to the following snippet
    from pdbedit -Lv:

    pdb_getsampwrid (TDB): error looking up RID 513 by key RID_00000201.
    Error: Record does not exist
    tdbsam_close: Reference count is now 1.
    sid_to_gid: S-1-5-21-217398797-1463318779-1850952788-513 -> 100
    store_gid_sid_cache: gid 100 in cache ->
    S-1-5-21-217398797-1463318779-1850952788-513
    pdb_set_group_sid: setting group sid
    S-1-5-21-217398797-1463318779-1850952788-513
    pdb_set_group_sid_from_rid:
    setting group sid S-1-5-21-217398797-1463318779-1850952788-513
    from rid 513

    This appears to tell me that the mapping of RID 513 doesn't exist.
    However, net groupmap list shows:

    Domain Users (S-1-5-21-217398797-1463318779-1850952788-513) -> users

    I've googled on the error above and found a couple of "me too" posts,
    but no answer. If I've done something stupid and it's so obvious that I
    shoulda caught it immediately, I apologise, but I hope that someone will
    see their way to enlighten me so that future id10ts who make the same
    error will have a solution to reward their Googling efforts.

    Thank you as always,
    Rubin

    Rubin Bennett
    RB Technologies
    http://thatitguy.com
    rbennett@thatitguy.com
    (802)223-4448
    "They that can give up essential liberty to obtain a little temporary
    security deserve neither liberty nor safety" --Benjamin Franklin,
    Historical Review of Pennsylvania, 1759


  3. Re: [Samba] Windows member servers have lost their minds...

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Rubin Bennett wrote:

    > pdb_getsampwrid (TDB): error looking up RID 513 by key RID_00000201.
    > Error: Record does not exist
    > tdbsam_close: Reference count is now 1.
    > sid_to_gid: S-1-5-21-217398797-1463318779-1850952788-513 -> 100
    > store_gid_sid_cache: gid 100 in cache ->
    > S-1-5-21-217398797-1463318779-1850952788-513
    > pdb_set_group_sid: setting group sid
    > S-1-5-21-217398797-1463318779-1850952788-513
    > pdb_set_group_sid_from_rid:
    > setting group sid S-1-5-21-217398797-1463318779-1850952788-513
    > from rid 513
    >
    > This appears to tell me that the mapping of RID 513 doesn't exist.
    > However, net groupmap list shows:
    >
    > Domain Users (S-1-5-21-217398797-1463318779-1850952788-513) -> users


    The error says that the RID 513 does not exist as a user
    which is correct. When resolving a RID (or SID) to a name
    we look up the value as a user and then fail over to looking
    it up as a group. So the error you see is normal.




    cheers, jerry
    =====================================================================
    Samba ------- http://www.samba.org
    Centeris ----------- http://www.centeris.com
    "What man is a man who does not make the world better?" --Balian
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iD8DBQFGcT/0IR7qMdg1EfYRArWqAJ9tEEsY+gMbTGmSkake2BVqkZtbxgCfa chE
    dw1nILJWnS05gKjvPvb4BwQ=
    =jwEz
    -----END PGP SIGNATURE-----
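
The user-then-group fallback described in the reply above, as an added example that is not part of the thread or Samba's own code: a Python triage helper that treats a `pdb_getsampwrid` miss as expected when the same RID is a mapped group in `net groupmap list`. The RID 3001 log line is constructed for contrast, and the function names are hypothetical.

```python
import re

# Debug lines quoted in the thread, plus one constructed line (RID 3001)
# showing a miss that no group mapping explains.
PDBEDIT_LOG = """\
pdb_getsampwrid (TDB): error looking up RID 513 by key RID_00000201.
Error: Record does not exist
sid_to_gid: S-1-5-21-217398797-1463318779-1850952788-513 -> 100
pdb_getsampwrid (TDB): error looking up RID 3001 by key RID_00000bb9.
"""

# The `net groupmap list` line quoted in the thread.
GROUPMAP = "Domain Users (S-1-5-21-217398797-1463318779-1850952788-513) -> users\n"

# The tdbsam key on the page is the RID as 8 hex digits (513 == 0x201).
MISS_RE = re.compile(r"error looking up RID (\d+) by key RID_([0-9a-fA-F]{8})")
# Matches domain-SID mappings only: "NT name (S-1-5-21-a-b-c-RID) -> unix group".
MAP_RE = re.compile(r"^(.+?) \((S-1-5-21(?:-\d+){3})-(\d+)\) -> (\S+)$", re.M)


def parse_groupmap(text):
    """Return {rid: (nt_group, domain_sid, unix_group)} from groupmap output."""
    return {int(rid): (name, dom, unix)
            for name, dom, rid, unix in MAP_RE.findall(text)}


def triage(log, groupmap_text):
    """Classify each user-lookup miss by whether the RID is a mapped group."""
    groups = parse_groupmap(groupmap_text)
    findings = []
    for rid_s, key_hex in MISS_RE.findall(log):
        rid = int(rid_s)
        if int(key_hex, 16) != rid:
            verdict = "key-mismatch"          # log line is inconsistent
        elif rid in groups:
            verdict = "expected: group " + groups[rid][0]
        else:
            verdict = "unresolved"            # neither a user nor a mapped group
        findings.append((rid, verdict))
    return findings


if __name__ == "__main__":
    for rid, verdict in triage(PDBEDIT_LOG, GROUPMAP):
        print(rid, verdict)
```
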