--===============1918186614==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="=-k3/nVk7DbyHeFE2seW2a"


--=-k3/nVk7DbyHeFE2seW2a
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

I am trying to get two Samba PDC/Domains setup with a trust between
them. They are separate domains because they are separate companies
(one is a subsidiary of the other) located in different cites.

I am using Centos 5.1 x86_64 and Samba 3.0.28a packages built by me from
Fedora 8 source RPMs.

Based on what I have read, in order to do the trust thing I need to use
Winbind/idmap to handle the non local SIDS (not that I have got to the
point of trying to do the trust yet). Correct?

I have set up DOMAs PDC with the following idmap/winbind configuration.
There doesn't seem to be any up to date documentation on this stuff, so
I admit that I have been guessing at this, so it is probably is
completely wrong.

idmap domains =3D OTHERDOMAINS DOMA DOMB

idmap config OTHERDOMAINS:default =3D yes
idmap config OTHERDOMAINS:backend =3D tdb
idmap config OTHERDOMAINS:range =3D 10000 - 20000

idmap config DOMA:default =3D no
idmap config DOMA:backend =3D tdb
idmap config DOMA:range =3D 20001 - 30000

idmap config DOMB:default =3D no
idmap config DOMB:backend =3D tdb
idmap config DOMB:range =3D 30001 - 40000

idmap alloc backend =3D tdb
idmap alloc config:range =3D 40001 - 50000

winbind separator =3D \
winbind enum users =3D yes
winbind enum groups =3D Yes
winbind nested groups =3D yes

Are the ranges all supposed to be separate like that? I was just
following and example that I found some where.

The domain "works" in that the PDC comes up, I can join XP clients to
the domain, login, access shares, Roaming profiles are saved to the
server, etc. But when I try to use usrmgr.exe to manage users I just
get a "The specified local group does not exist" error. Not a very
helpful error message, but after setting the log level to 10 in Samba
and searching through the logs I found that windbind seems to be failing
to resolve the Builtin groups to a gid, so am assuming that the Builtin
groups are the "local group" being referred to.

[2008/04/22 17:42:52, 10]
passdb/lookup_sid.c:check_dom_sid_to_level(681)
Accepting SID S-1-5-32 in level 1
[2008/04/22 17:42:52, 10] passdb/lookup_sid.c:lookup_sid(959)
Sid S-1-5-32-549 -> BUILTIN\Server Operators(4)
[2008/04/22 17:42:52, 3] smbd/sec_ctx.cop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx =3D 0
[2008/04/22 17:42:52, 10] passdb/lookup_sid.c:sid_to_gid(1468)
winbind failed to find a gid for sid S-1-5-32-549
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.crs_debug(84)
000000 samr_io_r_open_alias
[2008/04/22 17:42:52, 6] rpc_parse/parse_prs.crs_debug(84)
000000 smb_io_pol_hnd pol
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.crs_uint32(710)
0000 handle_type: 00000000
[2008/04/22 17:42:52, 7] rpc_parse/parse_prs.crs_debug(84)
000004 smb_io_uuid uuid
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.crs_uint32(710)
0004 data : 00000000
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.crs_uint16(681)
0008 data : 0000
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.crs_uint16(681)
000a data : 0000
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.crs_uint8s(857)
000c data : 00 00
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.crs_uint8s(857)
000e data : 00 00 00 00 00 00
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.crs_ntstatus(769)
0014 status: NT_STATUS_NO_SUCH_ALIAS

The Builtin groups all exist and show up in net groupmap list output
correctly. =20

[root@domapdc samba]# net groupmap list
Server Operators (S-1-5-32-549) -> BUILTIN server operators
Replicator (S-1-5-32-552) -> BUILTIN replicator
Guests (S-1-5-32-546) -> BUILTIN guests
RAS Servers (S-1-5-32-553) -> BUILTIN ras servers
Power Users (S-1-5-32-547) -> BUILTIN power users
Domain Guests (S-1-5-21-414638506-200849585-235676652-514) -> nobody
Print Operators (S-1-5-32-550) -> BUILTIN print operators
Administrators (S-1-5-32-544) -> BUILTIN administrators
Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> BUILTIN pre-windows
2000 compatible access
Account Operators (S-1-5-32-548) -> BUILTIN account operators
Backup Operators (S-1-5-32-551) -> BUILTIN backup operators
Users (S-1-5-32-545) -> BUILTIN users
Domain Users (S-1-5-21-414638506-200849585-235676652-513) -> domusers

The Administrators and Users Builtins were created automatically by
winbind. The others were created with net sam createbuiltingroup.

If I stop the winbind service, with out any other changes, usrmgr.exe
starts correctly and I can add users, change group memberships, etc.

net groupmap list with winbind stopped shows:

[root@domapdc samba]# net groupmap list
Server Operators (S-1-5-32-549) -> 10083
Replicator (S-1-5-32-552) -> 10110
Guests (S-1-5-32-546) -> 10080
RAS Servers (S-1-5-32-553) -> 10111
Power Users (S-1-5-32-547) -> 10081
Domain Guests (S-1-5-21-414638506-200849585-235676652-514) -> nobody
Print Operators (S-1-5-32-550) -> 10084
Administrators (S-1-5-32-544) -> 10000
Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> 10112
Account Operators (S-1-5-32-548) -> 10082
Backup Operators (S-1-5-32-551) -> 10085
Users (S-1-5-32-545) -> 10001
Domain Users (S-1-5-21-414638506-200849585-235676652-513) -> domusers

Let me know if any other information is required. Any help with this
will be appreciated.

Thanks

Mike

--=-k3/nVk7DbyHeFE2seW2a
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQBIDX+J6xLAi5x3faQRAmsuAJ9ddEFTpuJWyc1h1dJTSG pqI4IYPQCeIBK9
NhK8FUwDd1hbBJQN9emZniY=
=k5v/
-----END PGP SIGNATURE-----

--=-k3/nVk7DbyHeFE2seW2a--


--===============1918186614==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
--===============1918186614==--