[Samba] LDAP different Group SID -- not supported for NETLOGON calls - Samba


  1. [Samba] LDAP different Group SID -- not supported for NETLOGON calls

    Hello list,
    I have two Samba-LDAP DC's each in different networks, domain AMECC_SAL
    (192.168.40.0/24) and domain AMECC_GUA (192.168.42./24). I have
    established an inter-domain trust relationship in both directions. My
    problem comes when I try to log into a machine in the AMECC_SAL domain
    using any user from the AMECC_GUA domain. The machine's name in which I
    want to sign in is cc03.

    The log for the machine account says:
    # tail -f cc03.log
    [2008/03/31 16:55:17, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
    init_group_from_ldap: Entry found for group: 515
    [2008/03/31 16:55:35, 2] auth/auth.c:check_ntlm_password(309)
    check_ntlm_password: authentication for user [ricky] -> [ricky] ->
    [ricky] succeeded
    [2008/03/31 16:55:35, 1]
    rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(1004)
    _net_sam_logon: user AMECC_GUA\ricky has user sid
    S-1-5-21-2494724867-3922152549-500773586-3022
    but group sid S-1-5-21-3360583363-2600074294-2199971840-513.
    The conflicting domain portions are not supported for NETLOGON calls

    Part of the pdbedit -L -v says:
    Unix username: ricky
    NT username: ricky
    Account Flags: [U ]
    User SID: S-1-5-21-2494724867-3922152549-500773586-3022
    init_group_from_ldap: Entry found for group: 513
    init_group_from_ldap: Entry found for group: 513
    Primary Group SID: S-1-5-21-2494724867-3922152549-500773586-513

    From this output we can tell that Primary Group SID is different from
    that group sid of cc03.log file:
    S-1-5-21-3360583363-2600074294-2199971840-513.
    I am using the following software: FreeBSD 7.0 Release, samba-3.0.28,1,
    openldap-2.3.41 and smbldap-tools-0.9.4_2.

    Please can anyone give some help???
    Thank you very much.




    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] LDAP different Group SID -- not supported for NETLOGON calls

    Cesar Amaya wrote:
    > Hello list,
    > I have two Samba-LDAP DC's each in different networks, domain
    > AMECC_SAL (192.168.40.0/24) and domain AMECC_GUA (192.168.42./24). I
    > have established an inter-domain trust relationship in both directions.
    > My problem comes when I try to log into a machine in the AMECC_SAL
    > domain using any user from the AMECC_GUA domain. The machine's name in
    > which I want to sign in is cc03.
    >
    > The log for the machine account says:
    > # tail -f cc03.log
    > [2008/03/31 16:55:17, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
    > init_group_from_ldap: Entry found for group: 515
    > [2008/03/31 16:55:35, 2] auth/auth.c:check_ntlm_password(309)
    > check_ntlm_password: authentication for user [ricky] -> [ricky] ->
    > [ricky] succeeded
    > [2008/03/31 16:55:35, 1]
    > rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(1004)
    > _net_sam_logon: user AMECC_GUA\ricky has user sid
    > S-1-5-21-2494724867-3922152549-500773586-3022
    > but group sid S-1-5-21-3360583363-2600074294-2199971840-513.
    > The conflicting domain portions are not supported for NETLOGON calls
    >
    > Part of the pdbedit -L -v says:
    > Unix username: ricky
    > NT username: ricky
    > Account Flags: [U ]
    > User SID: S-1-5-21-2494724867-3922152549-500773586-3022
    > init_group_from_ldap: Entry found for group: 513
    > init_group_from_ldap: Entry found for group: 513
    > Primary Group SID: S-1-5-21-2494724867-3922152549-500773586-513
    >
    > From this output we can tell that Primary Group SID is different from
    > that group sid of cc03.log file:
    > S-1-5-21-3360583363-2600074294-2199971840-513.
    > I am using the following software: FreeBSD 7.0 Release,
    > samba-3.0.28,1, openldap-2.3.41 and smbldap-tools-0.9.4_2.
    >
    > Please can anyone give some help???
    > Thank you very much.

    I think this error is because the service nss_ldap is not running. I got
    this error: nss_ldap: could not search LDAP server - Server is unavailable
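The comparison made by hand in this thread (user SID and group SID from the _net_sam_logon log entry against the Primary Group SID shown by pdbedit -L -v) can be scripted. The following is an added example, not part of the original thread and not Samba code; the function names are hypothetical and the sample input is constructed from the lines quoted above.

```python
import re

# Constructed sample input: lines quoted in the thread, still mail-wrapped.
SAMPLE_LOG = r"""[2008/03/31 16:55:35, 1]
rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(1004)
_net_sam_logon: user AMECC_GUA\ricky has user sid
S-1-5-21-2494724867-3922152549-500773586-3022
but group sid S-1-5-21-3360583363-2600074294-2199971840-513.
The conflicting domain portions are not supported for NETLOGON calls
"""
SAMPLE_PDBEDIT = """User SID: S-1-5-21-2494724867-3922152549-500773586-3022
Primary Group SID: S-1-5-21-2494724867-3922152549-500773586-513
"""

SID = r"S-1-5-21(?:-\d+){3}-\d+"  # domain portion (three sub-authorities) + RID
MISMATCH = re.compile(r"_net_sam_logon: user (\S+) has user sid\s+(" + SID +
                      r")\s+but group sid\s+(" + SID + r")")  # \s+ spans line wraps

def split_sid(sid):
    """Split a domain-relative SID into (domain portion, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def find_mismatches(log_text):
    """Return one dict per logged user/group SID pair whose domain portions differ."""
    hits = []
    for user, user_sid, group_sid in MISMATCH.findall(log_text):
        (u_dom, u_rid), (g_dom, g_rid) = split_sid(user_sid), split_sid(group_sid)
        if u_dom != g_dom:
            hits.append({"user": user, "user_domain": u_dom, "user_rid": u_rid,
                         "group_domain": g_dom, "group_rid": g_rid})
    return hits

def passdb_primary_group(pdbedit_text):
    """Return the Primary Group SID from pdbedit -L -v output, or None."""
    m = re.search(r"Primary Group SID:\s*(" + SID + r")", pdbedit_text)
    return m.group(1) if m else None

def compare(log_text, pdbedit_text):
    """Annotate each logged conflict with how passdb's primary group compares."""
    stored = passdb_primary_group(pdbedit_text)
    stored_dom = split_sid(stored)[0] if stored else None
    return [dict(h, passdb_group_domain=stored_dom,
                 passdb_matches_user=(stored_dom == h["user_domain"]),
                 passdb_matches_log=(stored_dom == h["group_domain"]))
            for h in find_mismatches(log_text)]

if __name__ == "__main__":
    print(compare(SAMPLE_LOG, SAMPLE_PDBEDIT))
```

On the sample input, the stored primary group shares the user's domain portion while the group SID seen in the NETLOGON call does not, which is the discrepancy the original poster describes.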
