[Samba] SambaSID - Samba


  1. [Samba] SambaSID

    I have a samba server configured that is member of a samba domain called
    PRODESAN.COM.BR. After we had to reinstall the domain controller some samba
    shares stopped working on the member server. I get this when I try to use
    the share:

    [2007/05/29 17:26:28, 3] auth/auth.c:check_ntlm_password(219)
    check_ntlm_password: Checking password for unmapped user
    [WORKGROUP]\[USER1]@[HOST6] with the new password interface
    [2007/05/29 17:26:28, 3] auth/auth.c:check_ntlm_password(222)
    check_ntlm_password: mapped user is: [PRODESAN.COM.BR]\[USER1]@[HOST6]
    [2007/05/29 17:26:28, 3] smbd/sec_ctx.c:push_sec_ctx(256)
    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
    [2007/05/29 17:26:28, 3] smbd/uid.c:push_conn_ctx(365)
    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2007/05/29 17:26:28, 3] smbd/sec_ctx.c:set_sec_ctx(288)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2007/05/29 17:26:28, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2007/05/29 17:26:28, 3] smbd/sec_ctx.c:push_sec_ctx(256)
    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
    [2007/05/29 17:26:28, 3] smbd/uid.c:push_conn_ctx(365)
    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2007/05/29 17:26:28, 3] smbd/sec_ctx.c:set_sec_ctx(288)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2007/05/29 17:26:28, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2007/05/29 17:26:28, 2] auth/auth.c:check_ntlm_password(312)
    check_ntlm_password: Authentication for user [USER1] -> [USER1] FAILED
    with error NT_STATUS_NO_SUCH_USER

    However when I try to use the same user on the domain controller things work
    perfectly:

    [2007/05/29 17:32:39, 2] lib/smbldap.c:smbldap_open_connection(788)
    smbldap_open_connection: connection opened
    [2007/05/29 17:32:39, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
    init_sam_from_ldap: Entry found for user: pr907899
    [2007/05/29 17:32:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
    init_group_from_ldap: Entry found for group: 513
    [2007/05/29 17:32:39, 2] auth/auth.c:check_ntlm_password(309)
    check_ntlm_password: authentication for user [USER1] -> [USER1] ->
    [pr907899] succeeded

    I can see the domain users using wbinfo -u on the member server and
    we have kept the domain SID setting from the original Samba PDC (using net
    rpc getsid at the old server) and we still can't authenticate the users.

    We have tried to delete the old machine account from our server in order to
    try to rejoin it, but now we can't. Here is what happens at the server:

    # net join -U root
    root's password:
    [2007/05/30 14:58:44, 0] utils/net_ads.c:ads_startup(191)
    ads_connect: No results returned
    Creation of workstation account failed
    Unable to join domain PRODESAN.COM.BR.

    And here are the logs for that machine on the PDC:

    [2007/05/30 14:58:55, 2] lib/smbldap.c:smbldap_open_connection(788)
    smbldap_open_connection: connection opened
    [2007/05/30 14:58:55, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
    init_sam_from_ldap: Entry found for user: root
    [2007/05/30 14:58:55, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
    init_group_from_ldap: Entry found for group: 513
    [2007/05/30 14:58:55, 2] auth/auth.c:check_ntlm_password(309)
    check_ntlm_password: authentication for user [root] -> [root] -> [root]
    succeeded
    [2007/05/30 14:58:55, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
    init_sam_from_ldap: Entry found for user: root
    [2007/05/30 14:58:55, 2] smbd/reply.c:reply_tcon_and_X(711)
    Serving IPC$ as a Dfs root

    There don't seem to be any visible errors, so I went to check the LDAP
    logs and I only thought this looked a bit strange:

    May 30 15:02:42 servsso slapd[22129]: conn=79 op=6 SRCH
    base="ou=grupos,dc=prodesan,dc=com,dc=br" scope=2 deref=0 filter="(&(|
    (objectClass=sambaGroupMapping)(sambaGroupType=4)) (|
    (sambaSIDList=s-1-5-21-3756370324-611414431-635963119-501)
    (sambaSIDList=s-1-1-0)(sambaSIDList=s-1-5-2)(sambaSIDList=s-1-5-32-546)))"
    May 30 15:02:42 servsso slapd[22129]: conn=79 op=6 SRCH attr=sambaSID
    May 30 15:02:42 servsso slapd[22129]: <= bdb_equality_candidates:
    (sambaGroupType) index_param failed (18)
    May 30 15:02:42 servsso slapd[22129]: <= bdb_equality_candidates:
    (sambaSIDList) index_param failed (18)
    May 30 15:02:42 servsso last message repeated 3 times
    May 30 15:02:42 servsso slapd[22129]: conn=79 op=6 SEARCH RESULT tag=101
    err=0
    nentries=0 text=
    May 30 15:02:42 servsso slapd[22129]: conn=79 op=7 SRCH
    base="ou=grupos,dc=prodesan,dc=com,dc=br" scope=2 deref=0 filter="(&(|
    (objectClass=sambaGroupMapping)(sambaGroupType=4)) (|
    (sambaSIDList=s-1-5-21-3756370324-611414431-635963119-501)
    (sambaSIDList=s-1-1-0)(sambaSIDList=s-1-5-2)(sambaSIDList=s-1-5-32-546)))"
    May 30 15:02:42 servsso slapd[22129]: conn=79 op=7 SRCH attr=sambaSID
    May 30 15:02:42 servsso slapd[22129]: <= bdb_equality_candidates:
    (sambaGroupType) index_param failed (18)
    May 30 15:02:42 servsso slapd[22129]: <= bdb_equality_candidates:
    (sambaSIDList) index_param failed (18)
    May 30 15:02:42 servsso last message repeated 3 times

    When I check the LDAP I can see that the
    entry "uid=servproducao$,ou=computadores,dc=prodesan,dc=com,dc=br" was
    created but it doesn't have the sambaSamAccount objectclass attribute, and
    therefore no samba attributes set.

    Simply importing the old account from the old PDC doesn't seem to work, as I
    get some access denied when the server tries to connect to LDAP.
    =============================================================

    Just adding some more information:

    I am currently unable to join any new machines to the domain. Whenever I try
    to join the domain I get this message on the clients:

    $ sudo net join -U root
    Password:
    Creation of workstation account failed
    Unable to join domain PRODESAN.COM.BR.

    On the PDC side I get this:

    [2007/05/30 17:11:15, 2] lib/smbldap.c:smbldap_open_connection(788)
    smbldap_open_connection: connection opened
    [2007/05/30 17:11:15, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
    init_sam_from_ldap: Entry found for user: root
    [2007/05/30 17:11:15, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
    init_group_from_ldap: Entry found for group: 513
    [2007/05/30 17:11:15, 2] auth/auth.c:check_ntlm_password(309)
    check_ntlm_password: authentication for user [root] -> [root] -> [root]
    succeeded
    [2007/05/30 17:11:15, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
    init_sam_from_ldap: Entry found for user: root
    [2007/05/30 17:11:15, 2] smbd/reply.c:reply_tcon_and_X(711)
    Serving IPC$ as a Dfs root

    On my LDAP backend I have this entry:

    dn: sambaDomainName=PRODESAN.COM.BR,dc=prodesan,dc=com,dc=br
    sambaAlgorithmicRidBase: 1000
    sambaNextUserRid: 41000
    sambaNextGroupRid: 41001
    objectClass: sambaDomain
    objectClass: sambaUnixIdPool
    sambaSID: S-1-5-21-3756370324-611414431-635963119
    sambaDomainName: prodesan.com.br
    gidNumber: 1055
    uidNumber: 1454

    The sambaSID is the same that was before the migration. Do I need to set
    this SID somewhere else?




    --
    This message has been checked by the antivirus system and
    is believed to be free of danger.

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba
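    The thread's two suspects are a machine account created without the sambaSamAccount objectClass and a domain SID that may not match. As an added diagnostic (not code from the thread or from the Samba project), the script below parses an LDIF dump like the entries quoted above and flags machine accounts that lack sambaSamAccount or whose sambaSID was not minted under the sambaSID of the sambaDomain entry; the sample entries are constructed, with only the domain SID and DN layout taken from the post.

```python
# Constructed LDIF sample modelled on the thread's entries: servproducao$ lacks
# sambaSamAccount (the defect described above), oldbox$ has a SID minted under a
# foreign domain SID, host6$ is healthy. Only the domain SID and DNs are real.
SAMPLE_LDIF = """\
dn: sambaDomainName=PRODESAN.COM.BR,dc=prodesan,dc=com,dc=br
objectClass: sambaDomain
sambaSID: S-1-5-21-3756370324-611414431-635963119

dn: uid=servproducao$,ou=computadores,dc=prodesan,dc=com,dc=br
objectClass: posixAccount
uid: servproducao$

dn: uid=oldbox$,ou=computadores,dc=prodesan,dc=com,dc=br
objectClass: sambaSamAccount
uid: oldbox$
sambaSID: S-1-5-21-1111111111-222222222-333333333-3002

dn: uid=host6$,ou=computadores,dc=prodesan,dc=com,dc=br
objectClass: sambaSamAccount
uid: host6$
sambaSID: S-1-5-21-3756370324-611414431-635963119-4002
"""

def parse_ldif(text):
    """Split an unfolded LDIF dump into a list of {attribute: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line.strip():                     # "attr: value" line
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
        elif current:                        # blank line ends an entry
            entries.append(current)
            current = {}
    return entries

def audit_machine_accounts(entries):
    """Report machine accounts (uid ending in $) the PDC cannot use as-is."""
    domain = next(e for e in entries if "sambaDomain" in e.get("objectClass", []))
    domain_sid = domain["sambaSID"][0]       # the SID every account RID hangs off
    problems = []
    for e in entries:
        if not e.get("uid", [""])[0].endswith("$"):
            continue                         # not a machine (trust) account
        dn = e["dn"][0]
        sid = e.get("sambaSID", [""])[0]
        if "sambaSamAccount" not in e.get("objectClass", []):
            problems.append((dn, "missing sambaSamAccount objectClass"))
        elif not sid.startswith(domain_sid + "-"):
            problems.append((dn, "sambaSID missing or not under " + domain_sid))
    return problems
```

Run it against a real `ldapsearch -LLL` export of the machine and domain entries; any account it lists is one the PDC will reject at join or logon time.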

  2. Re: [Samba] Unable to join new machines to the domain

    I have a samba server configured that is the domain controller of a samba
    domain called PRODESAN.COM.BR. After we had to reinstall the domain
    controller, we are currently unable to join any new machines to the domain.
    Whenever I try to join the domain I get this message on the clients:

    # net join -U root
    root's password:
    [2007/06/19 14:27:41, 0] utils/net_ads.c:ads_startup(191)
    ads_connect: No results returned
    Creation of workstation account failed
    Unable to join domain PRODESAN.COM.BR.

    On the PDC side I get this:

    [2007/06/19 14:25:27, 2] lib/smbldap.c:smbldap_open_connection(788)
    smbldap_open_connection: connection opened
    [2007/06/19 14:25:27, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
    init_sam_from_ldap: Entry found for user: root
    [2007/06/19 14:25:27, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
    init_group_from_ldap: Entry found for group: 513
    [2007/06/19 14:25:27, 2] auth/auth.c:check_ntlm_password(309)
    check_ntlm_password: authentication for user [root] -> [root] -> [root]
    succeeded
    [2007/06/19 14:25:27, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
    init_sam_from_ldap: Entry found for user: root
    [2007/06/19 14:25:27, 2] smbd/reply.c:reply_tcon_and_X(711)
    Serving IPC$ as a Dfs root
    [2007/06/19 14:25:28, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
    _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -
    w "servproducao$"' gave 9

    On my LDAP backend I have this entry:

    gidNumber 1058
    objectClass sambaDomain
    objectClass sambaUnixIdPool
    sambaAlgorithmicRidBase 1000
    sambaDomainName prodesan.com.br
    sambaNextGroupRid 41001
    sambaNextUserRid 41000
    sambaSID S-1-5-21-3756370324-611414431-635963119
    uidNumber 1519

    The sambaSID is the same that was before the migration. Do I need to set
    this SID somewhere else?







  3. Re: [Samba] Unable to join new machines to the domain

    On Tuesday 19 June 2007, Sandra wrote:
    > [2007/06/19 14:27:41, 0] utils/net_ads.c:ads_startup(191)
    > ads_connect: No results returned
    > Creation of workstation account failed
    > Unable to join domain PRODESAN.COM.BR.


    Correct me if I'm wrong as I have no experience with ldap setups but AFAIK
    Samba domains are NetBIOS domains which are flat, not hierarchical. If so
    your domain name should be something more like PRODESAN and not
    PRODESAN.COM.BR.

    Also you didn't post your smb.conf but I'm curious about the use of
    ads_connect, which seems like you're trying to work with an AD domain instead
    of a NetBIOS (Samba) domain. So I'm wondering if you have something other
    than "security - user" in the PDC's smb.conf and "security - domain" in the
    member server's smb.conf.

    Chris

  4. Re: [Samba] Unable to join new machines to the domain

    Here is the PDC's smb.conf:

    [global]
    netbios name = servsso
    workgroup = prodesan.com.br
    log file = /var/log/samba/%m.log
    max log size = 500
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
    smb passwd file = /etc/samba/smbpasswd
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

    domain logons = yes
    os level = 180
    preferred master = yes
    domain master = yes
    security = user
    guest ok = no
    invalid users = bin daemon sys man postfix mail ftp
    admin users = root
    encrypt passwords = yes
    logon script = scripts\logon.bat
    ldap ssl = no
    printing = lprng
    hide dot files = yes
    time server = yes
    log level = 2

    passdb backend = ldapsam:ldap://127.0.0.1
    ldap passwd sync = yes
    ldap delete dn = Yes
    ldap admin dn = cn=admin,dc=prodesan,dc=com,dc=br
    ldap suffix = dc=prodesan,dc=com,dc=br
    ldap machine suffix = ou=computadores
    ldap user suffix = ou=pessoas
    ldap group suffix = ou=grupos
    ldap idmap suffix = ou=Idmap
    idmap backend = ldap:ldap://127.0.0.1
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = \
    winbind enum users = yes
    winbind enum groups = yes

    add user script = /usr/sbin/smbldap-useradd -m "%u"
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    add machine script = /usr/sbin/smbldap-useradd -w "%u"

    And here is the member server's smb.conf:

    [global]
    workgroup = prodesan.com.br
    realm = PRODESAN.COM.BR
    preferred master = no
    netbios name = Servproducao
    server string = Servproducao
    security = domain
    encrypt passwords = true
    log level = 3
    log file = /var/log/samba/%m
    max log size = 50
    winbind separator = +
    printcap name = cups
    printing = cups
    idmap uid = 10000-20000
    idmap gid = 10000-20000

    passdb backend = ldapsam:ldap://192.168.131.104
    ldap passwd sync = yes
    ldap delete dn = Yes
    ldap admin dn = cn=admin,dc=prodesan,dc=com,dc=br
    ldap suffix = dc=prodesan,dc=com,dc=br
    ldap machine suffix = ou=computadores
    ldap user suffix = ou=pessoas
    ldap group suffix = ou=grupos
    ldap idmap suffix = ou=Idmap
    idmap backend = ldap:ldap://192.168.131.104
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = \
    winbind enum users = yes
    winbind enum groups = yes

    add user script = /usr/sbin/smbldap-useradd -m "%u"
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    add machine script = /usr/sbin/smbldap-useradd -w "%u"




    On Tue, 19 Jun 2007 14:18:58 -0400, Chris Smith wrote
    > On Tuesday 19 June 2007, Sandra wrote:
    > > [2007/06/19 14:27:41, 0] utils/net_ads.c:ads_startup(191)
    > > ads_connect: No results returned
    > > Creation of workstation account failed
    > > Unable to join domain PRODESAN.COM.BR.

    >
    > Correct me if I'm wrong as I have no experience with ldap setups but
    > AFAIK Samba domains are NetBIOS domains which are flat, not
    > hierarchical. If so your domain name should be something more like
    > PRODESAN and not PRODESAN.COM.BR.
    >
    > Also you didn't post your smb.conf but I'm curious about the use of
    > ads_connect, which seems like you're trying to work with an AD
    > domain instead of a NetBIOS (Samba) domain. So I'm wondering if you
    > have something other than "security - user" in the PDC's smb.conf
    > and "security - domain" in the member servers smb.conf.
    >
    > Chris



    Sandra Nascimento
    Support Analyst
    sandra-nascimento@prodesan.com.br
    (13)3229.8000 Ext. 135/176
    --
    Prefeitura Municipal de Santos (http://www.santos.sp.gov.br)



  5. Re: [Samba] Unable to join new machines to the domain

    On Tuesday 19 June 2007, Sandra wrote:
    > workgroup = prodesan.com.br


    I thought this should read:

    workgroup = PRODESAN

    ...in both smb.conf files.

    But apparently it is OK as is and I can't seem to find any docs that support
    my thought; prodesan.com.br does meet the max 15 character limit and
    apparently .'s are an allowed character in NetBIOS names (although I
    personally never use them). It also seems, in general, that NetBIOS names are
    by convention capitalized in the smb.conf file.

    Sorry to lead you down a false trail.

    Chris

