On Wed, 11 Jul 2007 John Drescher (John Drescher <[EMAIL PROTECTED]>) wrote
I had the same issue going to 3.0.25a but I do not remember the
solution. I do remember though I had to make changes in my smb.conf
file.

It seems I had made a mistake... I had been running winbind on my PDC, which one is not supposed to do ? [I guess winbindd is a client, not a server ?]

Stopping winbind didn't solve the problem, however. I struggled for some time trying to see what was actually going wrong -- winding up logging, doing things and then trawling logs for plausible looking error messages. All to no avail.

So... I resorted to Voodoo and deleted samba from my PDC and started again from scratch.

It took a couple of attempts to recreate both the machine and domain SID (on PDC these seem to be set to be the same thing, by default). net setlocalsid will set the machine SID in secrets.tdb, but not the domain SID... The trick appears to be to delete secrets.tdb, do a net setlocalsid and then do the net groupmap things you need, which puts the domain SID into secrets.tdb as a side effect.

I struggled and failed to get pdbedit to recreate a new passdb.tdb with the same SIDs as per previous installation. The -U parameter seems to be ignored with -a or at least -am. Can use -r and -U together, but that fails to update the key that maps RID to User Name -- leaving the passdb broken. Solution for that was to export the passdb.tdb to smbpasswd form and then import it again !

After the complete reinstall and reconfigure exercise, things are working again. I only wish I could see why !!

One thing I noted, however: I have root (UID 0) as one of the Domain Administrators (RID 512); I had a group (GID 200) mapped to Domain Administrators; root is a member of Groups GID 0 and GID 200; pdbedit kept whinging that the primary group for user root was a local group not a domain group; I have now mapped group GID 0 to Domain Administrators; pdbedit has stopped whinging. However, I have no idea if this is the reason that things are now working.

------------------------------------------------------------------------

I note that in smb.conf "valid users" and other such settings have changed in 3.0.23b. The release notes give the example:

  valid users = +"DOMAIN\Linux Admins" +srvadmin

I assume the first is an NT Group name ? Since this is implicitly a group, does it need the '+'. Does it make any difference if one uses '@' ? I tried various combinations when I was trying to make things work, without success... [I'm reluctant now to touch a working config ! Which uses "@DOMAIN\Domain Admins" etc.]

I assume the second is a UNIX Group name ?

Now, I have groups mapped as follows:

  net groupmap add ntgroup="Domain Users" rid=513 unixgroup=SMB_USER \
        type=d

My guess was that:

  valid users = +"DOMAIN\Domain Users"

and:

  valid users = +SMB_USER

would mean the same thing...  but I'm not convinced that it does.

FWIW it would really make things clearer if the documentation was careful to point out when a name is an NT name or a UNIX name. Examples showing a UNIX Group with the name "Domain Admins" seem to me to be muddying the waters !

------------------------------------------------------------------------

Finally, I'm still puzzling about the machine SID and the domain SID on my PDC... it really seems to me that these should be different ?

Chris

On 7/11/07, Chris Hall <[EMAIL PROTECTED]> wrote:

Help...

I'm running Samba v3.0.25b, recently upgraded from v3.0.23a.

I use tdbsam, winbindd etc.

Winbind appears to be broken.  When I do:

   * getent passwd

     none of the DOMAIN\xxxx users are listed

   * getent group

     the BUILTIN\administrators and BUILTIN\users groups are listed,
     but none of the DOMAIN\xxxx groups

   * wbinfo -u

     gives an enigmatic "Error looking up domain users"

   * wbinfo -g

     gives just the BUILTIN\administrators and BUILTIN\users groups

I have wound up the logging, but have not been able to see anything
obviously related to the above...

...where do I start looking, please ??

Thanks,

Chris
--
Chris Hall   @ Home                                  +44 (0)7970 277 383
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba