Bjørn Tore Sund
Posted: Sun Jul 29, 2007 3:50 pm Post subject: [Samba] Help cleaning up domain SID mess... Archived from groups: linux>samba
I have four SLES 10 servers working as Samba servers on the same domain
with an LDAP account backend. Relevant smb.conf entries are:
[global]
workgroup = UNIX
realm = UNIX.UIB.NO
server string = ukl-samba
netbios name = ukl-samba
security = user
allow trusted domains = yes
domain master = yes
local master = yes
encrypt passwords = yes
Only one of the servers is set as domain and local master, server string
and netbios name obviously differ while workgroup and realm are set to
the same. When I first set them up (smbpasswd -w, etc.) they created
separate sambaDomain entries in the LDAP root, with separate SIDs. The
sambaDomain entries are named after each server. The user SIDs we
simply set to be based on the SID of the first server we set up. It all
worked, so I never questioned it.
Then just before the weekend I took the first server up to SLES 10 SP1,
which brought Samba up from 3.0.21 to 3.0.24, and this server was
effectively broken. On startup, every single user (all 35.0000 of
them...) would get a line in /var/log/messages:
ukl-samba smbd[16336]: User <SNIP> with invalid SID <SNIP> in passdb
Nobody could get at the Samba shares until I edited the LDAP tree to
switch the SIDs between this server and the server with the SID the user
SIDs were based on.
Clearly, I need to clean something up before upgrading the next server
to SLES 10 SP1, or things will be really, really broken. Either a
setting to switch off the SID validation, or Something(tm) to clean up the
LDAP tree. The latter is probably better, but I have no idea where to
start. I was hoping someone here had an answer which saved me the
trouble of setting up a full test domain with LDAP and Samba-servers...
Can I just set the same SID on all four domains? Or delete three of the
four domains and rename the one with the correct SID to the _domain_
name instead of the server name?
Thanks,
Bjørn
--
Bjørn Tore Sund Phone: 555-84894 Email: bjorn.sund.TakeThisOut@it.uib.no
IT department VIP: 81724 Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
Phil Burrow
Posted: Mon Jul 30, 2007 2:13 am Post subject: Re: [Samba] Help cleaning up domain SID mess...
Bjørn Tore Sund wrote:
>
> I have four SLES 10 servers working as Samba servers on the same domain
> with an LDAP account backend. Relevant smb.conf entries are:
> [global]
> workgroup = UNIX
> realm = UNIX.UIB.NO
> server string = ukl-samba
> netbios name = ukl-samba
> security = user
> allow trusted domains = yes
> domain master = yes
> local master = yes
> encrypt passwords = yes
>
>
> Only one of the servers is set as domain and local master, server string
> and netbios name obviously differ while workgroup and realm are set to
> the same. When I first set them up (smbpasswd -w, etc.) they created
> separate sambaDomain entries in the LDAP root, with separate SIDs. The
> sambaDomain entries are named after each server. The user SIDs we
> simply set to be based on the SID of the first server we set up.
> effectively broken. On startup, every single user (all 35.0000 of
> them...) would get a line in /var/log/messages:
> ukl-samba smbd[16336]: User <SNIP> with invalid SID <SNIP> in passdb
>
> Nobody could get at the Samba shares until I edited the LDAP tree to
> switch the SIDs between this server and the server with the SID the user
> SIDs were based on.
>
> start. I was hoping someone here had an answer which saved me the
> trouble of setting up a full test domain with LDAP and Samba-servers...
> Can I just set the same SID on all four domains? Or delete three of the
> four domains and rename the one with the correct SID to the _domain_
> name instead of the server name?
>
> Thanks,
>
> Bjørn
>
Hi Bjørn,
From what you mention here it sounds like you have four
sambaDomainName=UNIX entries (objectClass: sambaDomain) with different
sambaSID attributes. Effectively 4 different domains, on 4 different
servers all with the same name.
Users have a sambaSID entry in their LDAP record, and the first portion
of this needs to be the same as the sambaSID for the *domain* they are
logging on to. If it's not then it won't work.
In answer to your point at the end, yes you can do this and it is what
you are "supposed" to do, as far as I know.
If you do "net getlocalsid" on each of your SLES machines, the SID that
is returned should be the same for all of them if you want them all to
be controllers on your domain. If it's not, pick the SID you want - i.e.
the sambaSID all your users have in their LDAP records - then "net
setlocalsid MYDOMAINSID" on the servers you wish to change to that SID.
(NB: On a domain, "net getlocalsid" and "net getlocalsid MYDOMAIN"
should return the same.)
Then go into your LDAP directory and delete all but one of the
sambaDomainName=UNIX entries, and ensure the remaining one has sambaSID
set to MYDOMAINSID.
That is probably all you need to do.
HTH,
Phil
Bjoern Tore Sund
Posted: Mon Jul 30, 2007 7:50 am Post subject: Re: [Samba] Help cleaning up domain SID mess...
Phil Burrow wrote:
> Bjørn Tore Sund wrote:
> >
> > I have four SLES 10 servers working as Samba servers on the same domain
> > with an LDAP account backend. Relevant smb.conf entries are:
> > [global]
> > workgroup = UNIX
> > realm = UNIX.UIB.NO
> > server string = ukl-samba
> > netbios name = ukl-samba
> > security = user
> > allow trusted domains = yes
> > domain master = yes
> > local master = yes
> > encrypt passwords = yes
> >
> >
> > Only one of the servers is set as domain and local master, server string
> > and netbios name obviously differ while workgroup and realm are set to
> > the same. When I first set them up (smbpasswd -w, etc.) they created
> > separate sambaDomain entries in the LDAP root, with separate SIDs. The
> > sambaDomain entries are named after each server. The user SIDs we
> > simply set to be based on the SID of the first server we set up.
>
> > effectively broken. On startup, every single user (all 35.0000 of
> > them...) would get a line in /var/log/messages:
> > ukl-samba smbd[16336]: User <SNIP> with invalid SID <SNIP> in passdb
> >
> > Nobody could get at the Samba shares until I edited the LDAP tree to
> > switch the SIDs between this server and the server with the SID the user
> > SIDs were based on.
> >
> > start. I was hoping someone here had an answer which saved me the
> > trouble of setting up a full test domain with LDAP and Samba-servers...
> > Can I just set the same SID on all four domains? Or delete three of the
> > four domains and rename the one with the correct SID to the _domain_
> > name instead of the server name?
> >
> > Thanks,
> >
> > Bjørn
> >
>
> Hi Bjørn,
>
> From what you mention here it sounds like you have four
> sambaDomainName=UNIX entries (objectClass: sambaDomain) with different
> sambaSID attributes. Effectively 4 different domains, on 4 different
> servers all with the same name.
Thanks, but no: my sambaDomainnames are named after the servers, not the
domain. So I have a sambaDomainname=ukl-samba for the server I quote
from above, and similarly for the other three. I gather this isn't what
should have happened when the servers automatically registered
themselves in the LDAP backend, but it did.
> Users have a sambaSID entry in their LDAP record, and the first portion
> of this needs to be the same as the sambaSID for the *domain* they are
> logging on to. If it's not then it wont work.
It did work with 3.0.21. I found the fine new code snippet which means
it won't work with 3.0.24, and I don't disagree with the principle as
long as my mess can be sorted out in spite of it.
> In answer to your point at the end, yes you can do this and it is what
> you are "supposed" to do, as far as I know.
That was my assumption. Now for gathering up courage...
> If you do "net getlocalsid" on each of your SLES machines, the SID that
> is returned should be the same for all of them if you want them all to
> be controllers on your domain. If it's not, pick the SID you want - i.e.
> the sambaSID all your users have in their LDAP records - then "net
> setlocalsid MYDOMAINSID" on the servers you wish to change to that SID.
> (NB: On a domain, "net getlocalsid" and "net getlocalsid MYDOMAIN"
> should return the same.)
>
> Then go into your LDAP directory and delete all but one of the
> sambaDomainName=UNIX entries, and ensure the remaining one has sambaSID
> set to MYDOMAINSID.
>
> That is probably all you need to do.
Thanks a lot. The last remaining question is then what happens when I
rename sambaDomainname=ukl-samba to sambaDomainname=unix and proceed
from there?
-BT
--
Bjørn Tore Sund Phone: 555-84894 Email: bjorn.sund.DeleteThis@it.uib.no
IT department VIP: 81724 Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.
Phil Burrow
Posted: Mon Jul 30, 2007 10:40 am Post subject: Re: [Samba] Help cleaning up domain SID mess...
Bjoern Tore Sund wrote:
>> If you do "net getlocalsid" on each of your SLES machines, the SID
>> that is returned should be the same for all of them if you want them
>> all to be controllers on your domain. If it's not, pick the SID you
>> want - i.e. the sambaSID all your users have in their LDAP records -
>> then "net setlocalsid MYDOMAINSID" on the servers you wish to change
>> to that SID. (NB: On a domain, "net getlocalsid" and "net getlocalsid
>> MYDOMAIN" should return the same.)
>>
>> Then go into your LDAP directory and delete all but one of the
>> sambaDomainName=UNIX entries, and ensure the remaining one has
>> sambaSID set to MYDOMAINSID.
>>
>> That is probably all you need to do.
>
> Thanks a lot. The last remaining question is then what happens when I
> rename sambaDomainname=ukl-samba to sambaDomainname=unix and proceed
> from there?
This is why you need to test it before doing it.
If your intention is to consolidate your 4 domains into one, with a PDC
and some BDCs then provided the sambaSID in the user records is the same
as the domain SID then your setup - with your 4 servers each having the
same SID - should work correctly.
You might need to re-add your client machines to the new domain. I don't
know if Windows could handle the domain name changing but having the
same SID.
If you are using roaming profiles or things such as this you might
encounter Windows complaining if the SID changes, but if you use the
sambaSID you already have then it shouldn't do.
Cheers,
Phil
Bjoern Tore Sund
Posted: Mon Jul 30, 2007 1:30 pm Post subject: Re: [Samba] Help cleaning up domain SID mess...
Phil Burrow wrote:
> Bjoern Tore Sund wrote:
>
> >> If you do "net getlocalsid" on each of your SLES machines, the SID
> >> that is returned should be the same for all of them if you want them
> >> all to be controllers on your domain. If it's not, pick the SID you
> >> want - i.e. the sambaSID all your users have in their LDAP records -
> >> then "net setlocalsid MYDOMAINSID" on the servers you wish to change
> >> to that SID. (NB: On a domain, "net getlocalsid" and "net getlocalsid
> >> MYDOMAIN" should return the same.)
It seems clear that my Samba servers are rather opinionated about what a
domain is and which one they are members of:
ukl-felles:~ # net getlocalsid
SID for domain UKL-FELLES is: S-1-5-21-1347351597-3932655379-226643757
ukl-felles:~ # net setlocalsid S-1-5-21-556026149-4105021892-2038178009
ukl-felles:~ # net getlocalsid
SID for domain UKL-FELLES is: S-1-5-21-1347351597-3932655379-226643757
The sambasid entry in LDAP for sambadomainname=ukl-felles didn't change.
This server also has, and always has had:
[global]
workgroup = UNIX
realm = UNIX.UIB.NO
server string = ukl-felles
netbios name = ukl-felles
os level = 30
security = user
allow trusted domains = yes
domain master = no
local master = no
encrypt passwords = yes
The problem is security=user, I assume, on the other hand all docs I've
looked at say this is the setting when running samba with an LDAP
backend, as opposed to an AD backend. security=domain means the server
stops responding to SMB connections.
> >> Then go into your LDAP directory and delete all but one of the
> >> sambaDomainName=UNIX entries, and ensure the remaining one has
> >> sambaSID set to MYDOMAINSID.
> >>
> >> That is probably all you need to do.
> >
> > Thanks a lot. The last remaining question is then what happens when I
> > rename sambaDomainname=ukl-samba to sambaDomainname=unix and proceed
> > from there?
>
> This is why you need to test it before doing it
Yes, but ever so carefully, and based on as much of other people's pain
as possible.
> If your intention is to consolidate your 4 domains into one, with a PDC
> and some BDCs then provided the sambaSID in the user records is the same
> as the domain SID then your setup - with your 4 servers each having the
> same SID - should work correctly.
The problem becomes one of how to convince all the servers that they are
not their own domain, they want to go with the common one as their
domain name.
> You might need to re-add your client machines to the new domain. I dont
> know if Windows could handle the domain name changing but having the
> same SID.
>
> If you are using roaming profiles or things such as this you might
> encounter Windows complaining if the SID changes, but if you use the
> sambaSID you used already have then it shouldn't do.
No Windows here, this is the cifs disk server for 800 Linux clients.
None of which are members of the domain in any meaningful way. I just
want all the servers to authenticate against the same LDAP server, the
domain is irrelevant for functionality. Hmmm. Which means that I might
just get away with setting the same SID on all four domains and leave it
at that... ?
-BT
--
Bjørn Tore Sund Phone: 555-84894 Email: bjorn.sund.TakeThisOut@it.uib.no
IT department VIP: 81724 Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.
Phil Burrow
Posted: Tue Jul 31, 2007 2:12 am Post subject: Re: [Samba] Help cleaning up domain SID mess...
Bjoern Tore Sund wrote:
> No Windows here, this is the cifs disk server for 800 Linux clients.
> None of which are members of the domain in any meaningful way. I just
> want all the servers to authenticate against the same LDAP server, the
> domain is irrelevant for functionality. Hmmm. Which means that I might
> just get away with setting the same SID on all four domains and leave it
> at that... ?
>
> -BT
Makes sense if that's all you need and there's no Windows stuff to break,
yep. Sorry for being presumptuous about your setup!
You would need to remove three of the sambaDomainName entries if you
only want a single domain though, and ensure that the only one present
is sambaDomainName=UNIX.
When you do net getlocalsid, it should be looking up the details for the
domain you specified in smb.conf (UNIX) in your LDAP directory. Check
your logs, see if it's happening and see what questions it's asking your
LDAP server, that way you can see where it's getting its unusual SID
information from and why it may not be setting the SID like it should.
i.e. on one of my broken systems that I use for playing about with
stuff, I just booted to test it and I can see that if I do net
getlocalsid it's looking for:
smbldap_search_domain_info: Query was: dc=mydomain,dc=co,dc=uk,
(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAINFROMSMB-CONF))
Phil
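Two points in the thread can be checked offline before touching a production tree: Phil's rule that a user's sambaSID minus its RID must equal the sambaSID of the domain, and his observation that smbd resolves the domain with (&(objectClass=sambaDomain)(sambaDomainName=<workgroup>)). The script below is an added example, not code from the thread or from Samba; it reads a constructed LDIF dump (the dc=example,dc=org suffix, the uids and the SID values are made up), resolves the domain entry the way that query would, and lists the accounts that would be logged as "User ... with invalid SID ... in passdb". With domains named after servers, as in the original post, looking up the workgroup name returns nothing, which is the situation the script reports as None.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): domains named after servers, two users.
SAMPLE_LDIF = """\
dn: sambaDomainName=ukl-samba,dc=example,dc=org
objectClass: sambaDomain
sambaDomainName: ukl-samba
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: sambaDomainName=ukl-felles,dc=example,dc=org
objectClass: sambaDomain
sambaDomainName: ukl-felles
sambaSID: S-1-5-21-4444444444-5555555555-6666666666

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1000

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-1002
"""

# A domain SID is S-1-5-21 plus three sub-authorities; a user SID appends a RID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, attributes multi-valued."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip()].append(value.strip())
        entries.append(dict(entry))
    return entries

def domain_sid_for(entries, workgroup):
    """Resolve the domain as the quoted smbd query does: (&(objectClass=sambaDomain)(sambaDomainName=WG))."""
    for e in entries:
        if "sambaDomain" in e.get("objectClass", []) and \
                e.get("sambaDomainName", [""])[0].lower() == workgroup.lower():
            return e["sambaSID"][0]
    return None  # no sambaDomain entry carries the workgroup name

def invalid_sid_users(entries, domain_sid):
    """Accounts whose sambaSID minus the RID is not the domain SID, i.e. the ones
    that would be logged as 'User X with invalid SID Y in passdb'."""
    bad = []
    for e in entries:
        if "sambaSamAccount" not in e.get("objectClass", []):
            continue
        sid = e.get("sambaSID", [""])[0]
        prefix = sid.rpartition("-")[0]
        if not DOMAIN_SID_RE.match(prefix) or prefix != domain_sid:
            bad.append((e["uid"][0], sid))
    return bad
```

Run it against an ldapsearch dump of the real tree before the next SP1 upgrade: an empty list for the SID you intend to keep means no user will hit the passdb check.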
Bjørn Tore Sund
Posted: Thu Aug 02, 2007 4:30 pm Post subject: Re: [Samba] Help cleaning up domain SID mess...
Phil Burrow wrote:
> Bjoern Tore Sund wrote:
>
> > No Windows here, this is the cifs disk server for 800 Linux clients.
> > None of which are members of the domain in any meaningful way. I just
> > want all the servers to authenticate against the same LDAP server, the
> > domain is irrelevant for functionality. Hmmm. Which means that I
> might
> > just get away with setting the same SID on all four domains and
> leave it
> > at that... ?
> >
> > -BT
>
> Makes sense if that's all you need and there's no Windows stuff to
> break, yep. Sorry for being presumptuous about your setup!
>
> You would need to remove three of the sambaDomainName entries if you
> only want a single domain though, and ensure that the only one present
> is sambaDomainName=UNIX.
>
> When you do net getlocalsid, it should be looking up the details for
> the domain you specified in smb.conf (UNIX) in your LDAP directory.
> Check your logs, see if it's happening and see what questions it's
> asking your LDAP server, that way you can see where it's getting its
> unusual SID information from and why it may not be setting the SID
> like it should.
>
> i.e. on one of my broken systems that I use for playing about with
> stuff, I just booted to test it and I can see that if I do net
> getlocalsid it's looking for:
>
> smbldap_search_domain_info: Query was: dc=mydomain,dc=co,dc=uk,
> (&(objectClass=sambaDomain)(sambaDomainName=MYDOMAINFROMSMB-CONF))
Just feedback, since things are working ok now.
The domain question isn't relevant, so I really don't care whether I
have one or four. Which is just as well, because the servers all ignore
the domainName=UNIX entry. If I delete their LDAP entry, they'll simply
create a new one. Which is consistent with documentation, with
security=user, any workgroup- or realm-setting is ignored, and with
security=anything-but-user, ldapsam doesn't work. I've checked and
confirmed that 'net lookup sid' in all cases returns the local domain and
as long as I have no need to connect the domains I'm fine.
Thanks for your help!
Bjørn
--
Bjørn Tore Sund Phone: 555-84894 Email: bjorn.sund.RemoveThis@it.uib.no
IT department VIP: 81724 Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.