[Samba] second samba pdc
Hello List,

I have 2 samba domains on 2 physical servers but the user administration is over 1 LDAP server. At the moment I get some errors on my first PDC box:

smbd[16074]: sid S-1-5-21-3194266148-564761370-2586249389-101652 does not belong to our domain
(That's all hosts from the second PDC)

* first samba Server SID = S-1-5-21-3991578539-3149662252-1894531253
* second samba Server SID = S-1-5-21-3194266148-564761370-2586249389

When I do:

pdbedit -Lv pc011$
Unix username: pc011$
NT username: pc011$
Account Flags: [W ]
User SID: S-1-5-21-3194266148-564761370-2586249389-101708
Primary Group SID: S-1-5-21-3991578539-3149662252-1894531253-513 <----
Full Name: pcpo011
Home Directory: \\192.18.0.11\pc011_\.9xprofile
HomeDir Drive: H:
Logon Script: logon.bat
Profile Path: \\192.168.0.11\profiles\.msprofile
Domain: DomB
Account desc: pc011
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Mo, 09 Jun 2008 11:41:49 CEST
Password can change: Mo, 09 Jun 2008 11:41:49 CEST
Password must change: So, 07 Sep 2008 11:41:49 CEST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Under Primary Group SID I get S-1-5-21-3991578539-3149662252-1894531253-513, the SID from my first PDC.

But when I run the same command on the second PDC it looks OK:

pdbedit -Lv pc011$
Unix username: pc011$
NT username: pc011$
Account Flags: [W ]
User SID: S-1-5-21-3194266148-564761370-2586249389-101708
Primary Group SID: S-1-5-21-3194266148-564761370-2586249389-515
Full Name: pc011
Home Directory: \\samba-node2\pc011_\.9xprofile
HomeDir Drive: H:
Logon Script: logon.bat
Profile Path: \\samba-node2\profiles\.msprofile
Domain: DomB
Account desc: pc011
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Mon, 09 Jun 2008 11:41:49 CEST
Password can change: Mon, 09 Jun 2008 11:41:49 CEST
Password must change: Wed, 09 Jul 2008 11:41:49 CEST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Now my question: do I need the same samba localsid on both servers, or is it useless?

I hope someone can help

Kind regards

Sven

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

Why isn't one of the servers a BDC?

Sven Buchstaller wrote:
> Hello List,
>
> I have 2 samba domains on 2 physical servers but the user administration is
> over 1 LDAP server. At the moment I get some errors on my first PDC box:
>
> smbd[16074]: sid S-1-5-21-3194266148-564761370-2586249389-101652 does not
> belong to our domain (That's all hosts from the second PDC)
>
> * first samba Server SID = S-1-5-21-3991578539-3149662252-1894531253
> * second samba Server SID = S-1-5-21-3194266148-564761370-2586249389
>
> When I do:
> pdbedit -Lv pc011$
> Unix username: pc011$
> NT username: pc011$
> Account Flags: [W ]
> User SID: S-1-5-21-3194266148-564761370-2586249389-101708
> Primary Group SID: S-1-5-21-3991578539-3149662252-1894531253-513 <----
> Full Name: pcpo011
> Home Directory: \\192.18.0.11\pc011_\.9xprofile
> HomeDir Drive: H:
> Logon Script: logon.bat
> Profile Path: \\192.168.0.11\profiles\.msprofile
> Domain: DomB
> Account desc: pc011
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: never
> Kickoff time: never
> Password last set: Mo, 09 Jun 2008 11:41:49 CEST
> Password can change: Mo, 09 Jun 2008 11:41:49 CEST
> Password must change: So, 07 Sep 2008 11:41:49 CEST
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> Under Primary Group SID I get S-1-5-21-3991578539-3149662252-1894531253-513,
> the SID from my first PDC.
>
> But when I run the same command on the second PDC it looks OK:
>
> pdbedit -Lv pc011$
> Unix username: pc011$
> NT username: pc011$
> Account Flags: [W ]
> User SID: S-1-5-21-3194266148-564761370-2586249389-101708
> Primary Group SID: S-1-5-21-3194266148-564761370-2586249389-515
> Full Name: pc011
> Home Directory: \\samba-node2\pc011_\.9xprofile
> HomeDir Drive: H:
> Logon Script: logon.bat
> Profile Path: \\samba-node2\profiles\.msprofile
> Domain: DomB
> Account desc: pc011
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: never
> Kickoff time: never
> Password last set: Mon, 09 Jun 2008 11:41:49 CEST
> Password can change: Mon, 09 Jun 2008 11:41:49 CEST
> Password must change: Wed, 09 Jul 2008 11:41:49 CEST
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> Now my question: do I need the same samba localsid on both servers, or is it useless?
>
> I hope someone can help
>
> Kind regards
>
> Sven

Hi Adam,

I have a BDC for DomA and it works fine, but this is a second domain in a subnet for other users.

Kind regards

Sven

On Monday, 9 June 2008 15:14:17 you wrote:
> Why isn't one of the servers a BDC?
>
> Sven Buchstaller wrote:
> > Hello List,
> >
> > I have 2 samba domains on 2 physical servers but the user administration
> > is over 1 LDAP server. At the moment I get some errors on my first PDC
> > box:
> >
> > smbd[16074]: sid S-1-5-21-3194266148-564761370-2586249389-101652 does
> > not belong to our domain (That's all hosts from the second PDC)
> >
> > * first samba Server SID = S-1-5-21-3991578539-3149662252-1894531253
> > * second samba Server SID = S-1-5-21-3194266148-564761370-2586249389
> >
> > When I do:
> > pdbedit -Lv pc011$
> > Unix username: pc011$
> > NT username: pc011$
> > Account Flags: [W ]
> > User SID: S-1-5-21-3194266148-564761370-2586249389-101708
> > Primary Group SID: S-1-5-21-3991578539-3149662252-1894531253-513 <----
> > Full Name: pcpo011
> > Home Directory: \\192.18.0.11\pc011_\.9xprofile
> > HomeDir Drive: H:
> > Logon Script: logon.bat
> > Profile Path: \\192.168.0.11\profiles\.msprofile
> > Domain: DomB
> > Account desc: pc011
> > Workstations:
> > Munged dial:
> > Logon time: 0
> > Logoff time: never
> > Kickoff time: never
> > Password last set: Mo, 09 Jun 2008 11:41:49 CEST
> > Password can change: Mo, 09 Jun 2008 11:41:49 CEST
> > Password must change: So, 07 Sep 2008 11:41:49 CEST
> > Last bad password : 0
> > Bad password count : 0
> > Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> >
> > Under Primary Group SID I get
> > S-1-5-21-3991578539-3149662252-1894531253-513, the SID from my first PDC.
> >
> > But when I run the same command on the second PDC it looks OK:
> >
> > pdbedit -Lv pc011$
> > Unix username: pc011$
> > NT username: pc011$
> > Account Flags: [W ]
> > User SID: S-1-5-21-3194266148-564761370-2586249389-101708
> > Primary Group SID: S-1-5-21-3194266148-564761370-2586249389-515
> > Full Name: pc011
> > Home Directory: \\samba-node2\pc011_\.9xprofile
> > HomeDir Drive: H:
> > Logon Script: logon.bat
> > Profile Path: \\samba-node2\profiles\.msprofile
> > Domain: DomB
> > Account desc: pc011
> > Workstations:
> > Munged dial:
> > Logon time: 0
> > Logoff time: never
> > Kickoff time: never
> > Password last set: Mon, 09 Jun 2008 11:41:49 CEST
> > Password can change: Mon, 09 Jun 2008 11:41:49 CEST
> > Password must change: Wed, 09 Jul 2008 11:41:49 CEST
> > Last bad password : 0
> > Bad password count : 0
> > Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> >
> > Now my question: do I need the same samba localsid on both servers, or is it
> > useless?
> >
> > I hope someone can help
> >
> > Kind regards
> >
> > Sven

They are different servers, hence the different SIDs. I'm not sure why you'd want to have 2 different servers with the same local SID if you're not doing a migration.

On 6/9/08, Sven Buchstaller <ask@quickline.de> wrote:
> Hello List,
>
> I have 2 samba domains on 2 physical servers but the user administration is
> over 1 LDAP server. At the moment I get some errors on my first PDC box:

I have the same setup, using 2 PDCs and one OpenLDAP server.

However, for this to work you need either two distinct LDAP databases or at least two different LDAP BASEDNs, e.g.

dc=domain1,dc=mycompany,dc=net
dc=domain2,dc=mycompady,dc=net

Otherwise the two domains will store user/machine/group data in the same LDAP hierarchy, which will of course cause trouble.

HTH

- Richard

Hi Richard,

THX for the reply, that's not good news for me :(

On Wednesday, 11 June 2008 12:56:33 you wrote:
> On 6/9/08, Sven Buchstaller <ask@quickline.de> wrote:
> > Hello List,
> >
> > I have 2 samba domains on 2 physical servers but the user administration
> > is over 1 LDAP server. At the moment I get some errors on my first PDC
> > box:
>
> I have the same setup, using 2 PDCs and one OpenLDAP server.
>
> However, for this to work you need either two distinct LDAP databases
> or at least two different LDAP BASEDNs, e.g.
>
> dc=domain1,dc=mycompany,dc=net
> dc=domain2,dc=mycompady,dc=net
>
> Otherwise the two domains will store user/machine/group data in the
> same LDAP hierarchy, which will of course cause trouble.
>
> HTH
>
> - Richard

On Wednesday 11 June 2008 05:56:33 Richard Foltyn wrote:
> On 6/9/08, Sven Buchstaller <ask@quickline.de> wrote:
> > Hello List,
> >
> > I have 2 samba domains on 2 physical servers but the user administration
> > is over 1 LDAP server. At the moment I get some errors on my first PDC
> > box:
>
> I have the same setup, using 2 PDCs and one OpenLDAP server.
>
> However, for this to work you need either two distinct LDAP databases
> or at least two different LDAP BASEDNs, e.g.
>
> dc=domain1,dc=mycompany,dc=net
> dc=domain2,dc=mycompady,dc=net
>
> Otherwise the two domains will store user/machine/group data in the
> same LDAP hierarchy, which will of course cause trouble.
>
> HTH
>
> - Richard

Actually, there are a few sites that run multiple domains in the same DIT. It does work, though there are a few challenges.

Interdomain trusts need to be set up manually if a single DIT is shared across multiple domains (each having its own SID of course). The net utility can not be used to create the trust accounts. Also, the way winbind handles foreign SIDs needs to be handled carefully to avoid conflicts.

The short answer is that it is a very bad practice to use and poor design to use a single DIT across multiple domains. It is much smarter to design and implement a separate DIT per domain as shown above.

Cheers,
- John T.
--
John H Terpstra
Samba-Team Member
Phone: +1 (512) 970-0256
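
The check behind the symptom in the first post, as an added example that is not part of the original thread: it parses `pdbedit -Lv` output and flags accounts whose User SID or Primary Group SID carries another domain's SID prefix, which is what shows up when two domains write into one LDAP tree. The two domain SIDs are the ones quoted in the thread; the reduced record layout, the function names and the account `alice` are constructed for illustration.

```python
import re

# Domain SIDs quoted in the thread (first and second Samba server).
DOM_A = "S-1-5-21-3991578539-3149662252-1894531253"
DOM_B = "S-1-5-21-3194266148-564761370-2586249389"
# Constructed sample in `pdbedit -Lv` layout ("alice" is hypothetical).
SAMPLE = f"""\
Unix username:        pc011$
User SID:             {DOM_B}-101708
Primary Group SID:    {DOM_A}-513
---------------
Unix username:        alice
User SID:             {DOM_A}-3000
Primary Group SID:    {DOM_A}-513
"""

def split_sid(value):
    """Split 'S-1-5-21-x-y-z-RID' into (domain_sid, rid); None if not a domain SID."""
    m = re.match(r"(S-1-5-21(?:-\d+){3})-(\d+)(?:\s|$)", value.strip())
    return (m.group(1), int(m.group(2))) if m else None

def parse_pdbedit(text):
    """Turn verbose pdbedit text into one dict per account."""
    accounts = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # first colon only, so 'H:' survives
        if sep and key.strip() == "Unix username":
            accounts.append({})                 # a new record starts here
        if sep and accounts:
            accounts[-1][key.strip()] = value.strip()
    return accounts

def audit(text, local_sid):
    """Return (account, problem) pairs for SIDs that do not fit local_sid."""
    findings = []
    for acct in parse_pdbedit(text):
        name = acct.get("Unix username", "?")
        user = split_sid(acct.get("User SID", ""))
        group = split_sid(acct.get("Primary Group SID", ""))
        if user is None or group is None:
            findings.append((name, "unparsable SID"))
        else:
            if user[0] != local_sid:
                findings.append((name, "user SID not in local domain"))
            if group[0] != user[0]:
                findings.append((name, "group SID domain differs from user SID domain"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, DOM_A))
```

Run it against the `pdbedit -Lv` output of each PDC, passing that server's own domain SID as `local_sid`.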

We just upgraded from samba-2.2.8 to samba-3.0.30 on Digital Unix 4.0F (thanks for good work patching it, Volker). The file/folder structure has changed, so I wonder what would be the simplest way to transfer the user passwords from old to new. Right now all users are gone.

Bengt Nilsson