I am trying to get two Samba PDC/Domains set up with a trust between them. They are separate domains because they are separate companies (one is a subsidiary of the other) located in different cities.
I am using CentOS 5.1 x86_64 and Samba 3.0.28a packages built by me from Fedora 8 source RPMs. Based on what I have read, in order to do the trust thing I need to use Winbind/idmap to handle the non-local SIDs (not that I have got to the point of trying to do the trust yet). Correct?

I have set up DOMA's PDC with the following idmap/winbind configuration. There doesn't seem to be any up-to-date documentation on this stuff, so I admit that I have been guessing at this, so it is probably completely wrong.

    idmap domains = OTHERDOMAINS DOMA DOMB
    idmap config OTHERDOMAINS:default = yes
    idmap config OTHERDOMAINS:backend = tdb
    idmap config OTHERDOMAINS:range = 10000 - 20000
    idmap config DOMA:default = no
    idmap config DOMA:backend = tdb
    idmap config DOMA:range = 20001 - 30000
    idmap config DOMB:default = no
    idmap config DOMB:backend = tdb
    idmap config DOMB:range = 30001 - 40000
    idmap alloc backend = tdb
    idmap alloc config:range = 40001 - 50000
    winbind separator = \
    winbind enum users = yes
    winbind enum groups = Yes
    winbind nested groups = yes

Are the ranges all supposed to be separate like that? I was just following an example that I found somewhere.

The domain "works" in that the PDC comes up, I can join XP clients to the domain, log in, access shares, roaming profiles are saved to the server, etc. But when I try to use usrmgr.exe to manage users I just get a "The specified local group does not exist" error. Not a very helpful error message, but after setting the log level to 10 in Samba and searching through the logs I found that winbind seems to be failing to resolve the Builtin groups to a gid, so I am assuming that the Builtin groups are the "local group" being referred to.

    [2008/04/22 17:42:52, 10] passdb/lookup_sid.c:check_dom_sid_to_level(681)
      Accepting SID S-1-5-32 in level 1
    [2008/04/22 17:42:52, 10] passdb/lookup_sid.c:lookup_sid(959)
      Sid S-1-5-32-549 -> BUILTIN\Server Operators(4)
    [2008/04/22 17:42:52, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2008/04/22 17:42:52, 10] passdb/lookup_sid.c:sid_to_gid(1468)
      winbind failed to find a gid for sid S-1-5-32-549
    [2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_debug(84)
      000000 samr_io_r_open_alias
    [2008/04/22 17:42:52, 6] rpc_parse/parse_prs.c:prs_debug(84)
      000000 smb_io_pol_hnd pol
    [2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint32(710)
      0000 handle_type: 00000000
    [2008/04/22 17:42:52, 7] rpc_parse/parse_prs.c:prs_debug(84)
      000004 smb_io_uuid uuid
    [2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint32(710)
      0004 data : 00000000
    [2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint16(681)
      0008 data : 0000
    [2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint16(681)
      000a data : 0000
    [2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint8s(857)
      000c data : 00 00
    [2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint8s(857)
      000e data : 00 00 00 00 00 00
    [2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_ntstatus(769)
      0014 status: NT_STATUS_NO_SUCH_ALIAS

The Builtin groups all exist and show up in net groupmap list output correctly.

    [EMAIL PROTECTED] samba]# net groupmap list
    Server Operators (S-1-5-32-549) -> BUILTIN server operators
    Replicator (S-1-5-32-552) -> BUILTIN replicator
    Guests (S-1-5-32-546) -> BUILTIN guests
    RAS Servers (S-1-5-32-553) -> BUILTIN ras servers
    Power Users (S-1-5-32-547) -> BUILTIN power users
    Domain Guests (S-1-5-21-414638506-200849585-235676652-514) -> nobody
    Print Operators (S-1-5-32-550) -> BUILTIN print operators
    Administrators (S-1-5-32-544) -> BUILTIN administrators
    Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
    Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> BUILTIN pre-windows 2000 compatible access
    Account Operators (S-1-5-32-548) -> BUILTIN account operators
    Backup Operators (S-1-5-32-551) -> BUILTIN backup operators
    Users (S-1-5-32-545) -> BUILTIN users
    Domain Users (S-1-5-21-414638506-200849585-235676652-513) -> domusers

The Administrators and Users Builtins were created automatically by winbind. The others were created with net sam createbuiltingroup.

If I stop the winbind service, without any other changes, usrmgr.exe starts correctly and I can add users, change group memberships, etc. net groupmap list with winbind stopped shows:

    [EMAIL PROTECTED] samba]# net groupmap list
    Server Operators (S-1-5-32-549) -> 10083
    Replicator (S-1-5-32-552) -> 10110
    Guests (S-1-5-32-546) -> 10080
    RAS Servers (S-1-5-32-553) -> 10111
    Power Users (S-1-5-32-547) -> 10081
    Domain Guests (S-1-5-21-414638506-200849585-235676652-514) -> nobody
    Print Operators (S-1-5-32-550) -> 10084
    Administrators (S-1-5-32-544) -> 10000
    Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
    Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> 10112
    Account Operators (S-1-5-32-548) -> 10082
    Backup Operators (S-1-5-32-551) -> 10085
    Users (S-1-5-32-545) -> 10001
    Domain Users (S-1-5-21-414638506-200849585-235676652-513) -> domusers

Let me know if any other information is required. Any help with this will be appreciated.

Thanks
Mike
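
An added example, not part of Mike's message: a small Python check that parses the idmap range lines quoted above, tests them for overlap, and reports which configured range each numeric gid from the winbind-stopped `net groupmap list` output falls in. The config and groupmap lines are copied from the message; the function names are hypothetical.

```python
import re
# idmap range lines and three groupmap entries copied from the message above.
SMB_CONF = """
idmap config OTHERDOMAINS:range = 10000 - 20000
idmap config DOMA:range = 20001 - 30000
idmap config DOMB:range = 30001 - 40000
idmap alloc config:range = 40001 - 50000
"""
GROUPMAP = """
Server Operators (S-1-5-32-549) -> 10083
Administrators (S-1-5-32-544) -> 10000
Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
"""
RANGE_RE = re.compile(r"^idmap\s+(?:config\s+(\S+?)|(alloc)\s+config):range\s*=\s*(\d+)\s*-\s*(\d+)$")
MAP_RE = re.compile(r"^(.+?) \((S-[\d-]+)\) -> (.+)$")

def parse_ranges(conf):
    """Return {name: (low, high)} for every idmap range line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line.strip())
        if m:
            ranges[m.group(1) or m.group(2)] = (int(m.group(3)), int(m.group(4)))
    return ranges

def overlaps(ranges):
    """Return pairs of range names whose id intervals intersect."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    return [(a, b) for i, (a, (_, ahi)) in enumerate(items)
            for b, (blo, _) in items[i + 1:] if blo <= ahi]

def owner_of(gid, ranges):
    """Name of the range containing gid, or None if it is outside all of them."""
    return next((n for n, (lo, hi) in ranges.items() if lo <= gid <= hi), None)

def classify(groupmap, ranges):
    """Map each SID to (target, range name); name-mapped groups get None."""
    out = {}
    for line in groupmap.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            target = m.group(3)
            out[m.group(2)] = (target, owner_of(int(target), ranges) if target.isdigit() else None)
    return out

if __name__ == "__main__":
    r = parse_ranges(SMB_CONF)
    print("overlapping ranges:", overlaps(r))
    print(classify(GROUPMAP, r))
```

With the values from the message, no ranges overlap and the BUILTIN gids 10000 and 10083 sit inside the OTHERDOMAINS range rather than the alloc range.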