Re: [Samba] Messed up SIDs: How to change machine SID?
Ok, today I was finally able to join my domain. The problem was a misconfiguration of idmap. Solution as follows:

idmap config DEFAULT:backend = ldap
idmap config DEFAULT:readonly = no
idmap config DEFAULT:default = yes
idmap config DEFAULT:ldap_base_dn = ou=people,dc=domain,dc=org
idmap config DEFAULT:ldap_user_dn = cn=rootuser,dc=domain,dc=org
idmap config DEFAULT:ldap_url = ldap://myldapserver

Thanks for everything!

-----Original Message-----
From: Marcus Mundt <marcus.mu...@forsa.de>
Sent: Mon 15.07.2013 15:25
Subject: Re: [Samba] Messed up SIDs: How to change machine SID?
To: samba@lists.samba.org

> I could fix the SID issues. However the other errors and warnings remain. Struggling hard to find the cause for not being able to join a domain, getting Access Denied.
>
> SMB log:
>
> [2013/07/12 15:48:03.439574, 2] auth/auth.c:309(check_ntlm_password)
>   check_ntlm_password: authentication for user [admin] - [admin] - [admin] succeeded
> [2013/07/12 15:48:03.442335, 3] groupdb/mapping.c:772(pdb_create_builtin_alias)
>   pdb_create_builtin_alias: Could not get a gid out of winbind
> [2013/07/12 15:48:03.442450, 2] auth/token_util.c:455(finalize_local_nt_token)
>   WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
> [2013/07/12 15:48:03.54, 3] groupdb/mapping.c:772(pdb_create_builtin_alias)
>   pdb_create_builtin_alias: Could not get a gid out of winbind
> [2013/07/12 15:48:03.444555, 2] auth/token_util.c:479(finalize_local_nt_token)
>   WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
> ...
> [2013/07/12 15:48:03.191990, 0] rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate: no challenge sent to client N666
> ...
> [2013/07/12 15:48:03.587205, 3] smbd/connection.c:35(yield_connection)
>   Yielding connection to IPC$
> [2013/07/12 15:48:03.589351, 3] smbd/server_exit.c:181(exit_server_common)
>   Server exit (failed to receive smb request)
>
> Questions:
>
> Is it mandatory that Domain Admins, Domain Users, Domain Guests and Domain Computers are spelled exactly like that? In GOsa I'm only allowed to use lower case letters and no spaces. Hence I got domainadmins... and so forth. I don't know how to change the Windows group name only.
>
> Is a root user mandatory or may I use admin? Since I got no root in LDAP, but tried it last week, didn't help.
>
> Which of the domain and builtin groups are mandatory? As far as I know only
>   Domain Admins 512
>   Domain Users 513
>   Domain Guests 514
> and from the builtin domain (didn't know that there is a built-in domain until now)
>   Administrators 544
>   Users 545
>   Guests 546
>
> Thanks for any help in advance! Setting up a PDC seems not too hard, but I have to use our existing LDAP directory and operate on a production system :(
>
> Cheers,
> Marcus
>
>> I have an LDAP backend. In LDAP, the machine accounts for my Windows and Linux clients do show the same base SID as the domain SID (i.e. all but the last digits). However I also have the mismatch with net getdomainsid, which definitely explains why they don't behave as I would expect. You may want to try fixing this with net setlocalsid. I guess when you join a Unix or Linux member server to the domain the local SID is not updated.
>>
>> Re the BUILTIN groups, you may want to explicitly map these to Unix groups rather than relying on winbind to do it, e.g. I created Unix groups:
>>
>> # getent group
>> Builtin Admins::544:
>> Builtin Users::545:
>> Builtin Guests::546:
>>
>> Then mapped the well-known built-in Windows groups to the Unix groups:
>>
>> # net groupmap add ntgroup=Administrators unixgroup=544 sid=S-1-5-32-544 type=builtin
>> # net groupmap add ntgroup=Users unixgroup=545 sid=S-1-5-32-545 type=builtin
>> # net groupmap add ntgroup=Guests unixgroup=546 sid=S-1-5-32-546 type=builtin
>> # net groupmap list | grep -i builtin
>> Administrators (S-1-5-32-544) -> Builtin Admins
>> Users (S-1-5-32-545) -> Builtin Users
>> Guests (S-1-5-32-546) -> Builtin Guests
>>
>> The Linux Samba member servers I use mostly for IT use anyway so I never shook out all the bugs.
>>
>> On 07/03/13 11:49, Marcus Mundt wrote:
>>> Dear Samba Gurus,
>>>
>>> I got the following errors:
>>>
>>> tail -f /var/log/samba/log.wb-DOM1
>>> [2013/07/02 15:49:19.990168, 2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
>>>   name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
>>>
>>> log.smbd
>>> [2013/07/02 15:40:51.809516, 2] auth/token_util.c:455(finalize_local_nt_token)
>>>   WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
>>> [2013/07/02 15:40:51.811330, 2] auth/token_util.c:479(finalize_local_nt_token)
>>>   WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
>>>
>>> I guess
[Samba] Messed up SIDs: How to change machine SID?
Dear Samba Gurus,

I got the following errors:

tail -f /var/log/samba/log.wb-DOM1
[2013/07/02 15:49:19.990168, 2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED

log.smbd
[2013/07/02 15:40:51.809516, 2] auth/token_util.c:455(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
[2013/07/02 15:40:51.811330, 2] auth/token_util.c:479(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?

I guess the reason might be this:

net getdomainsid
SID for local machine M1 is: S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449

net getdomainsid
SID for local machine M2 is: S-1-5-21-2913448378-2543514743-1508345481
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449

Shouldn't the SIDs be the same except the last digits???

Cheers,
Marcus

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
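The two checks this thread turns on are the local-versus-domain SID comparison from `net getdomainsid` and the presence of group mappings for the well-known RIDs (512/513/514 and BUILTIN 544/545/546) in `net groupmap list`. The script below is an added example, not code from any poster or from the Samba project: it parses both output formats and runs on constructed sample output embedded in the file (the SIDs, host names and domain name EXAMPLE are made up). It also flags mappings that sit under some other S-1-5-21 domain SID, the kind of leftover a changed machine SID can produce.

```python
"""Consistency checks for a classic Samba PDC: SID agreement and group mappings.

Added example for this thread; not code from the posters or from Samba. It
parses the output of `net getdomainsid` and `net groupmap list` and runs on
constructed sample output (the SIDs and names below are made up).
"""
import re

# Well-known RIDs a domain must carry group mappings for (the numbers
# quoted in the thread).
REQUIRED_DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
REQUIRED_BUILTIN_RIDS = {544: "Administrators", 545: "Users", 546: "Guests"}
BUILTIN_SID = "S-1-5-32"

GETDOMAINSID_RE = re.compile(r"SID for (local machine|domain) \S+ is:\s*(S-1-5-[\d-]+)")
# `net groupmap list` prints "NT name (SID) -> unix group"; the single "-"
# that the archived copy shows is accepted as well.
GROUPMAP_RE = re.compile(r"\s*(.+?) \((S-1-5-[\d-]+)\) ->? (.+)$")


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-512' into ('S-1-5-21-a-b-c', 512)."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def parse_getdomainsid(text):
    """Return {'local': <machine SID>, 'domain': <domain SID>}."""
    sids = {}
    for line in text.splitlines():
        m = GETDOMAINSID_RE.search(line)
        if m:
            sids["local" if m.group(1) == "local machine" else "domain"] = m.group(2)
    return sids


def pdc_sid_consistent(text):
    """On a PDC the local machine SID must equal the domain SID."""
    sids = parse_getdomainsid(text)
    return "local" in sids and sids["local"] == sids.get("domain")


def parse_groupmap(text):
    """Return {SID: (NT name, unix group)} from `net groupmap list` output."""
    maps = {}
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line)
        if m:
            maps[m.group(2)] = (m.group(1), m.group(3).strip())
    return maps


def missing_mappings(groupmap_text, domain_sid):
    """Required domain and BUILTIN groups that have no mapping at all."""
    maps = parse_groupmap(groupmap_text)
    missing = [f"{name} ({domain_sid}-{rid})"
               for rid, name in REQUIRED_DOMAIN_RIDS.items()
               if f"{domain_sid}-{rid}" not in maps]
    missing += [f"BUILTIN\\{name} ({BUILTIN_SID}-{rid})"
                for rid, name in REQUIRED_BUILTIN_RIDS.items()
                if f"{BUILTIN_SID}-{rid}" not in maps]
    return missing


def stale_mappings(groupmap_text, domain_sid):
    """Mappings under a different S-1-5-21 domain SID, e.g. created before
    the machine SID was changed with net setlocalsid; they do not belong
    to the current domain."""
    stale = []
    for sid in parse_groupmap(groupmap_text):
        head, _ = split_sid(sid)
        if head.startswith("S-1-5-21-") and head != domain_sid:
            stale.append(sid)
    return stale


# Constructed sample output (made-up SIDs and names).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_GETDOMAINSID_OK = f"""\
SID for local machine PDC1 is: {DOMAIN_SID}
SID for domain EXAMPLE is: {DOMAIN_SID}
"""
SAMPLE_GETDOMAINSID_BAD = f"""\
SID for local machine M1 is:S-1-5-21-4444444444-5555555555-6666666666
SID for domain EXAMPLE is: {DOMAIN_SID}
"""
SAMPLE_GROUPMAP = f"""\
Domain Admins ({DOMAIN_SID}-512) -> domainadmins
Domain Users ({DOMAIN_SID}-513) -> domainusers
Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users
Old Admins (S-1-5-21-4444444444-5555555555-6666666666-512) -> oldadmins
"""


def main():
    for label, out in (("PDC1", SAMPLE_GETDOMAINSID_OK), ("M1", SAMPLE_GETDOMAINSID_BAD)):
        print(f"{label}: local SID matches domain SID: {pdc_sid_consistent(out)}")
    for item in missing_mappings(SAMPLE_GROUPMAP, DOMAIN_SID):
        print("missing mapping:", item)
    for sid in stale_mappings(SAMPLE_GROUPMAP, DOMAIN_SID):
        print("mapping under a foreign domain SID:", sid)


if __name__ == "__main__":
    main()
```

On a real PDC the parse functions would be fed the captured output of the two `net` commands instead of the samples. Two points the sample illustrates: the unix group name in a mapping is independent of the NT name (the quoted reply maps "Administrators" to "Builtin Admins", and lower-case GOsa names such as domainadmins work the same way, as long as the SID/RID is right), and a mapping under a foreign S-1-5-21 prefix is the footprint a SID mismatch leaves behind, which is why fixing the local SID with net setlocalsid, as suggested in the thread, is only the first half of the cleanup.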
Re: [Samba] samba4 and (pseudo) LDAP backend for users, groups and rights
Hello Marc,

first of all thanks for the quick reply. My Samba ADC was set up quite quickly following the HowTo, good work!

Since we are running low on time and want to stick with our LDAP server, I hope I can set up a file server for WinXP and Win7 with Samba 4 using smbd and nmbd and keep using the LDAP backend. I guess we don't really need the AD stuff for what we want to achieve, right?

I really need to know if it is possible to set up some kind of auto mount for Windows clients. They should mount all of the users' drives while logging in; now this happens with some script, which is run after successfully logging in.

> The whole users, groups and rights stuff shouldn't be a problem. I did this in production last September (170 users, 230 workstations, and around 25 services getting information from LDAP or authenticating against it). After some weeks of building a testing environment with everything, I did the final switch on a weekend (1.5 days for changing and adapting everything). And it's running absolutely great.

How did you transfer the information from the (old) LDAP server to the Samba 4 ADS? Or did you separate things, like servers relying on the slapd and other systems communicating with the ADS?

>> My quick guesses of possible solutions:
>> - Samba 4 + Slapd on the same machine. Slapd synced to LDAP-Master
>> - https://wiki.samba.org/index.php/Samba4/beyond#openLDAP_proxy_to_AD - I don't know if I get this one...
>
> The beyond samba page is from me. Just let me know what's unclear. Then I will extend the HowTo and improve the descriptions.

Ok, I thought so. I guess I wished for something like an AD to openLDAP proxy :)

>> - Samba 4 importing an ldif-export of our LDAP-Master, problem: how to sync?
>
> I wouldn't do that. Much workaround stuff, directory ACLs won't be synced, etc.

Tried it and got an error. Won't do it again...

>> Questions:
>> - What about using smbd + nmbd instead of samba? What are the drawbacks and what functionalities would we sacrifice?
>
> You need the samba binary, because it provides the AD stuff. If you plan to keep your NT4-style domain, then you can just upgrade. Samba 4 doesn't mean AD only and built-in LDAP only. AD is just an additional feature of version 4. But AD requires the internal LDAP.

As mentioned above, I will now try using Samba 4 but not the samba binary. Now switching back to smbd, nmbd and LDAP backend. Wish me luck :)

Thanks for your time and explanations!

Cheers,
Marcus
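What the exchange above amounts to in configuration terms is a classic (NT4-style) PDC run with smbd, nmbd and winbindd rather than the AD "samba" binary, with users, groups and machine accounts kept in the existing OpenLDAP directory and the Windows clients mapping their drives from a logon script. The smb.conf below is an added illustration of that role; it is not the poster's configuration or anything from the Samba project, and the domain EXAMPLE, the host ldap.example.org, the DNs, ID ranges and paths are placeholders to adapt.

```ini
# Added illustration: classic (NT4-style) PDC on Samba 4 with smbd/nmbd/winbindd
# and an external OpenLDAP passdb. Not the poster's configuration; all names,
# DNs, ranges and paths are placeholders.
[global]
    workgroup = EXAMPLE
    netbios name = PDC1
    security = user
    domain logons = yes
    domain master = yes
    preferred master = yes
    local master = yes
    os level = 65

    # passdb from the existing LDAP server; the bind password for
    # "ldap admin dn" is stored separately with: smbpasswd -w <password>
    passdb backend = ldapsam:ldap://ldap.example.org
    ldap ssl = start tls
    ldap suffix = dc=example,dc=org
    ldap user suffix = ou=people
    ldap group suffix = ou=groups
    ldap machine suffix = ou=machines
    ldap admin dn = cn=admin,dc=example,dc=org

    # uid/gid allocation: the domain's own IDs through idmap_ldap, everything
    # else (BUILTIN and foreign SIDs) from a local tdb; ranges must not overlap
    idmap config EXAMPLE : backend = ldap
    idmap config EXAMPLE : ldap_url = ldap://ldap.example.org
    idmap config EXAMPLE : ldap_base_dn = ou=idmap,dc=example,dc=org
    idmap config EXAMPLE : ldap_user_dn = cn=admin,dc=example,dc=org
    idmap config EXAMPLE : range = 10000-99999
    idmap config * : backend = tdb
    idmap config * : range = 100000-199999

    # Drive mapping for Windows XP/7 clients: a batch file from the [netlogon]
    # share runs at logon; "logon path" left empty disables roaming profiles
    logon script = logon.bat
    logon path =
    logon home = \\%N\%U

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
    browseable = no

[homes]
    comment = Home directories
    browseable = no
    read only = no
    valid users = %S
```

The drive mapping itself lives in /var/lib/samba/netlogon/logon.bat as ordinary Windows `net use` lines (for instance `net use H: \\PDC1\%USERNAME%` for the home share); Samba only delivers the script. Run `testparm` after editing to have Samba parse the file and report unknown or misspelled parameters before restarting the daemons, and check with `net groupmap list` that the well-known domain and BUILTIN groups are mapped, since the "Can Winbind allocate gids?" warnings in the other thread on this page come from exactly that gap.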
[Samba] samba4 and (pseudo) LDAP backend for users, groups and rights
Dear List,

I am used to Samba 3 and LDAP. But since Samba 4 I'm struggling hard to understand what has to be done and how a possible solution might look for our scenario. I already found out that Samba 4 comes with its own LDAP server and if I want to use a slapd on the same system, it should listen on another port. I know that using an LDAP backend isn't supported in the current version of Samba, but I'm looking for a similar solution anyway.

Environment:
- LDAP-Master-Server with all the information needed
- mostly Windows XP and Windows 7 clients. They should auto mount network drives after login (user, pass and rights from LDAP-Master)

Here is what I want to achieve:
An LDAP-Master-Server should be the basis for all users, passwords, groups, rights, rights to execute programs, mails and mounting network drives. We are looking for a single sign on solution based on the LDAP-Master-Server. Our mail server and some other services rely on the LDAP-Master. Now Samba should work as ADS using the information stored on the LDAP-Master, meaning getting users, passwords, groups, rights, drives etc. from LDAP. Is that even possible? Any ideas?

My quick guesses of possible solutions:
- Samba 4 + Slapd on the same machine. Slapd synced to LDAP-Master
- https://wiki.samba.org/index.php/Samba4/beyond#openLDAP_proxy_to_AD - I don't know if I get this one...
- Samba 4 importing an ldif-export of our LDAP-Master, problem: how to sync?

Questions:
- What about using smbd + nmbd instead of samba? What are the drawbacks and what functionalities would we sacrifice?
- Is using Samba 3 + LDAP backend a possible solution?

We really waited for Samba 4 and are now a bit overwhelmed by the numerous innovations. But we would like to use the most current software. Any hints or some short step by step list with the required services and their dependencies would be highly appreciated.

Thanks for reading. Have a wonderful weekend!

Cheers,
Marcus