
[Samba] Problems with winbind, idmap and usrmgr.exe

Mike Brady, 04-22-2008


I am trying to get two Samba PDC/Domains set up with a trust between
them. They are separate domains because they are separate companies
(one is a subsidiary of the other) located in different cities.

I am using Centos 5.1 x86_64 and Samba 3.0.28a packages built by me from
Fedora 8 source RPMs.

Based on what I have read, in order to do the trust thing I need to use
Winbind/idmap to handle the non-local SIDs (not that I have got to the
point of trying to do the trust yet). Correct?

I have set up DOMA's PDC with the following idmap/winbind configuration.
There doesn't seem to be any up-to-date documentation on this stuff, so
I admit that I have been guessing at this, so it probably is
completely wrong.

idmap domains = OTHERDOMAINS DOMA DOMB

idmap config OTHERDOMAINS:default = yes
idmap config OTHERDOMAINS:backend = tdb
idmap config OTHERDOMAINS:range = 10000 - 20000

idmap config DOMA:default = no
idmap config DOMA:backend = tdb
idmap config DOMA:range = 20001 - 30000

idmap config DOMB:default = no
idmap config DOMB:backend = tdb
idmap config DOMB:range = 30001 - 40000

idmap alloc backend = tdb
idmap alloc config:range = 40001 - 50000

winbind separator = \
winbind enum users = yes
winbind enum groups = Yes
winbind nested groups = yes

Are the ranges all supposed to be separate like that? I was just
following an example that I found somewhere.

The domain "works" in that the PDC comes up, I can join XP clients to
the domain, log in, access shares, roaming profiles are saved to the
server, etc. But when I try to use usrmgr.exe to manage users I just
get a "The specified local group does not exist" error. Not a very
helpful error message, but after setting the log level to 10 in Samba
and searching through the logs I found that winbind seems to be failing
to resolve the Builtin groups to a gid, so I am assuming that the Builtin
groups are the "local group" being referred to.

[2008/04/22 17:42:52, 10] passdb/lookup_sid.c:check_dom_sid_to_level(681)
Accepting SID S-1-5-32 in level 1
[2008/04/22 17:42:52, 10] passdb/lookup_sid.c:lookup_sid(959)
Sid S-1-5-32-549 -> BUILTIN\Server Operators(4)
[2008/04/22 17:42:52, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/04/22 17:42:52, 10] passdb/lookup_sid.c:sid_to_gid(1468)
winbind failed to find a gid for sid S-1-5-32-549
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_debug(84)
000000 samr_io_r_open_alias
[2008/04/22 17:42:52, 6] rpc_parse/parse_prs.c:prs_debug(84)
000000 smb_io_pol_hnd pol
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint32(710)
0000 handle_type: 00000000
[2008/04/22 17:42:52, 7] rpc_parse/parse_prs.c:prs_debug(84)
000004 smb_io_uuid uuid
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint32(710)
0004 data : 00000000
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint16(681)
0008 data : 0000
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint16(681)
000a data : 0000
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint8s(857)
000c data : 00 00
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint8s(857)
000e data : 00 00 00 00 00 00
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_ntstatus(769)
0014 status: NT_STATUS_NO_SUCH_ALIAS

The Builtin groups all exist and show up in net groupmap list output
correctly.

[root@domapdc samba]# net groupmap list
Server Operators (S-1-5-32-549) -> BUILTIN server operators
Replicator (S-1-5-32-552) -> BUILTIN replicator
Guests (S-1-5-32-546) -> BUILTIN guests
RAS Servers (S-1-5-32-553) -> BUILTIN ras servers
Power Users (S-1-5-32-547) -> BUILTIN power users
Domain Guests (S-1-5-21-414638506-200849585-235676652-514) -> nobody
Print Operators (S-1-5-32-550) -> BUILTIN print operators
Administrators (S-1-5-32-544) -> BUILTIN administrators
Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> BUILTIN pre-windows 2000 compatible access
Account Operators (S-1-5-32-548) -> BUILTIN account operators
Backup Operators (S-1-5-32-551) -> BUILTIN backup operators
Users (S-1-5-32-545) -> BUILTIN users
Domain Users (S-1-5-21-414638506-200849585-235676652-513) -> domusers

The Administrators and Users Builtins were created automatically by
winbind. The others were created with net sam createbuiltingroup.

If I stop the winbind service, without any other changes, usrmgr.exe
starts correctly and I can add users, change group memberships, etc.

net groupmap list with winbind stopped shows:

[root@domapdc samba]# net groupmap list
Server Operators (S-1-5-32-549) -> 10083
Replicator (S-1-5-32-552) -> 10110
Guests (S-1-5-32-546) -> 10080
RAS Servers (S-1-5-32-553) -> 10111
Power Users (S-1-5-32-547) -> 10081
Domain Guests (S-1-5-21-414638506-200849585-235676652-514) -> nobody
Print Operators (S-1-5-32-550) -> 10084
Administrators (S-1-5-32-544) -> 10000
Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> 10112
Account Operators (S-1-5-32-548) -> 10082
Backup Operators (S-1-5-32-551) -> 10085
Users (S-1-5-32-545) -> 10001
Domain Users (S-1-5-21-414638506-200849585-235676652-513) -> domusers

Let me know if any other information is required. Any help with this
will be appreciated.

Thanks

Mike
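
An added example, not part of the original post: a Python check that parses the idmap range lines from the configuration above, tests whether any two ranges intersect (overlapping ranges would let two different SIDs resolve to the same Unix id), and reports which range each numeric gid from the `net groupmap list` output falls into. The function names are hypothetical, and the inputs are excerpts of the post's own listings.

```python
import re

# Excerpts of the smb.conf fragment and of `net groupmap list`
# (winbind stopped) as they appear in the post.
SMB_CONF = """\
idmap config OTHERDOMAINS:range = 10000 - 20000
idmap config DOMA:range = 20001 - 30000
idmap config DOMB:range = 30001 - 40000
idmap alloc config:range = 40001 - 50000
"""
GROUPMAP = """\
Server Operators (S-1-5-32-549) -> 10083
Administrators (S-1-5-32-544) -> 10000
Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> 10112
"""
RANGE_RE = re.compile(
    r"^\s*idmap\s+(alloc\s+config|config\s+\S+?)\s*:range\s*=\s*(\d+)\s*-\s*(\d+)",
    re.I | re.M)
MAP_RE = re.compile(r"^(.+?) \((S-[\d-]+)\) -> (.+)$", re.M)

def parse_ranges(conf):
    """Return {name: (low, high)} for every idmap range line."""
    out = {}
    for m in RANGE_RE.finditer(conf):
        key = m.group(1).split()
        name = "alloc" if key[0].lower() == "alloc" else key[-1]
        out[name] = (int(m.group(2)), int(m.group(3)))
    return out

def overlaps(ranges):
    """Return pairs of range names whose intervals intersect."""
    items = sorted(ranges.items())
    return [(a, b) for i, (a, (alo, ahi)) in enumerate(items)
            for b, (blo, bhi) in items[i + 1:] if alo <= bhi and blo <= ahi]

def classify(groupmap, ranges):
    """Map each SID that has a numeric gid to (gid, ranges containing it)."""
    result = {}
    for m in MAP_RE.finditer(groupmap):
        sid, target = m.group(2), m.group(3).strip()
        if not target.isdigit():
            continue  # mapped to a named Unix group, not a raw gid
        gid = int(target)
        owners = [n for n, (lo, hi) in ranges.items() if lo <= gid <= hi]
        result[sid] = (gid, owners or ["<outside all ranges>"])
    return result

if __name__ == "__main__":
    ranges = parse_ranges(SMB_CONF)
    print("overlapping ranges:", overlaps(ranges) or "none")
    for sid, (gid, owners) in classify(GROUPMAP, ranges).items():
        print(f"{sid} -> gid {gid} in {', '.join(owners)}")
```

On the post's data the four ranges are disjoint, and every numeric BUILTIN gid shown with winbind stopped lies inside the OTHERDOMAINS range.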
