Linux Samba with LDAP authentication: The primary group domain sid(S-1-5-21-xxx) does not match the domain sid

祁俊喆
2023-12-01

Samba LDAP authentication fails

The error looks like this:

 Primary group S-1-5-21-xxx  for user testuser is a UNKNOWN and not a domain group
 Forcing Primary Group to 'Domain Users' for testuser
  The primary group domain sid(S-1-5-21-xxx) does not match the domain sid(S-1-5-21-188xx ) for testuser(S-1-5-21-x)

or NT_STATUS_NO_SUCH_USER

check_sam_security: make_server_info_sam() failed with 'NT_STATUS_INVALID_SID'

  Got user=[test666] domain=[AAA] workstation=[server-test] len1=24 len2=242
[2022/05/17 15:57:55.861027,  3] ../../source3/auth/auth.c:202(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [AAA]\[test666]@[server-test] with the new password interface
[2022/05/17 15:57:55.861064,  3] ../../source3/auth/auth.c:205(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [AAA]\[test666]@[server-test]
[2022/05/17 15:57:55.862405,  2] ../../source3/passdb/pdb_ldap.c:532(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: test666
[2022/05/17 15:57:55.865783,  2] ../../source3/passdb/pdb_ldap.c:2415(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 1000001
[2022/05/17 15:57:55.866586,  3] ../../source3/passdb/lookup_sid.c:1704(get_primary_group_sid)
  Primary group S-1-5-21-1886146278-2710169434-1767538749-1000 for user test666 is a UNKNOWN and not a domain group
[2022/05/17 15:57:55.866623,  3] ../../source3/passdb/lookup_sid.c:1711(get_primary_group_sid)
 Forcing Primary Group to 'Domain Users' for test666
[2022/05/17 15:57:55.867169,  1] ../../source3/auth/server_info.c:487(SamInfo3_handle_sids)
  The primary group domain sid(S-1-5-21-704720473-2748480791-66770105-513) does not match the domain sid(S-1-5-21-1886146278-2710169434-1767538749) for test666(S-1-5-21-1886146278-2710169434-1767538749-1008)
[root@server-test ]# net getdomainsid
SID for domain LDAP is:   S-1-5-21-2063164327-2821526992-1524058643
[root@server-test ]# net getlocalsid
SID for domain server-test is: S-1-5-21-1886146278-2710169434-1767538749

The two SIDs do not match: the LDAP domain SID differs from this host's local SID, and that is what produces the SID errors above.
pdbedit -L shows the following:

[root@server-test ]# pdbedit -L
added interface eth1 ip=10.18.13.41 bcast=10.18.13.255 netmask=255.255.255.0
added interface eth0 ip=10.18.13.107 bcast=10.18.13.255 netmask=255.255.255.0
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=server-test))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_paged: base => [dc=ldap,dc=com], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1000]
smbldap_search_paged: search was successful
sid S-1-5-21-2063164327-2821526992-1524058643-1005 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1006 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1007 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1008 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1009 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1010 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1011 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1012 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1014 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1019 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1020 does not belong to our domain

So the domain users stored in LDAP cannot log in to Samba on this host: every account SID carries the LDAP domain SID, while Samba treats the local SID as "our domain", so the accounts are skipped and the lookup ends in NT_STATUS_INVALID_SID / NT_STATUS_NO_SUCH_USER.
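The consistency check behind the diagnosis above, as an added example that is not part of the original post: all three SIDs Samba works with (the local SID from net getlocalsid, the domain SID from net getdomainsid, and the domain part of every account SID in the passdb) must be identical. The sample strings are copied from the post's log output so the script runs offline; the pdbedit -L -v layout and the second user name are constructed, and the live commands in the comment are the only assumption.

```shell
#!/bin/sh
# Added example (not from the original post): check that the SIDs Samba
# works with all share one domain part. The sample strings are copied from
# the post's log output so the script runs offline; on a real host replace
# them with live output, e.g.
#   check_sids "$(net getlocalsid)" "$(net getdomainsid)" "$(pdbedit -L -v)"

SAMPLE_LOCAL='SID for domain server-test is: S-1-5-21-1886146278-2710169434-1767538749'
SAMPLE_DOMAIN='SID for domain LDAP is:   S-1-5-21-2063164327-2821526992-1524058643'
# Constructed in the layout `pdbedit -L -v` prints; the SIDs are two of
# the ones pdbedit rejected in the post.
SAMPLE_USERS='Unix username:        test666
User SID:             S-1-5-21-2063164327-2821526992-1524058643-1005
Unix username:        test667
User SID:             S-1-5-21-2063164327-2821526992-1524058643-1006'

# extract_sids: print every S-1-5-21-... token found on stdin, one per line
extract_sids() {
    sed -n 's/.*\(S-1-5-21-[0-9][0-9-]*\).*/\1/p'
}

# sid_domain: strip the RID from an account SID (8 dash-separated fields:
# S,1,5,21,A,B,C,RID); a bare domain SID (7 fields) is returned unchanged
sid_domain() {
    printf '%s\n' "$1" | awk -F- '{
        n = (NF == 8) ? 7 : NF
        out = $1
        for (i = 2; i <= n; i++) out = out "-" $i
        print out
    }'
}

# check_sids LOCAL DOMAIN USERS: returns 0 when the local SID equals the
# domain SID and every account SID belongs to the local SID; otherwise
# prints each mismatch and returns 1. An account SID outside the local SID
# is exactly what pdbedit reports as "does not belong to our domain".
check_sids() {
    local_sid=$(printf '%s\n' "$1" | extract_sids | head -n 1)
    domain_sid=$(printf '%s\n' "$2" | extract_sids | head -n 1)
    status=0
    if [ -z "$local_sid" ] || [ -z "$domain_sid" ]; then
        echo "could not parse local or domain SID"
        return 1
    fi
    if [ "$local_sid" != "$domain_sid" ]; then
        echo "MISMATCH: local SID $local_sid != domain SID $domain_sid"
        status=1
    fi
    for usid in $(printf '%s\n' "$3" | extract_sids); do
        if [ "$(sid_domain "$usid")" != "$local_sid" ]; then
            echo "MISMATCH: $usid does not belong to local domain $local_sid"
            status=1
        fi
    done
    return $status
}

if check_sids "$SAMPLE_LOCAL" "$SAMPLE_DOMAIN" "$SAMPLE_USERS"; then
    echo "SIDs are consistent"
else
    echo "SIDs disagree: align the local and domain SID before debugging authentication"
fi
```

Run against the post's values the script reports the local/domain mismatch and one "does not belong" line per account, which is the same verdict pdbedit -L gave; once the local SID equals the LDAP domain SID it returns 0.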

Searching on Google says the local SID of this host has to be changed to the domain SID, with the following command:
[root@server-test ]#  net setlocalsid S-1-5-21-2063164327-2821526992-1524058643
But it has no effect:

[root@server-test ]# net getlocalsid
SID for domain server-test is: S-1-5-21-1886146278-2710169434-1767538749
The change does not stick.

net setlocalsid fails / does not take effect

The fix is to add the following setting to the Samba configuration /etc/samba/smb.conf:
server role = classic backup domain controller

Then restart smbd and confirm with net getlocalsid that the local SID now equals the SID reported by net getdomainsid, and that pdbedit -L lists the LDAP accounts without the "does not belong to our domain" lines.

Why net setlocalsid appeared to do nothing: with the ldapsam passdb backend the authoritative SID is the sambaSID attribute of the sambaDomain entry in LDAP, not the value in secrets.tdb. Every time the passdb is initialised (smbd start, pdbedit, net) pdb_ldap looks that entry up and, if it differs from secrets.tdb, writes the LDAP value back into secrets.tdb (logged at debug level 1 as "Resetting SID for domain"). Which entry is looked up depends on the server role: a standalone or member server uses its own NetBIOS name (the pdbedit output above shows the filter sambaDomainName=server-test), and that entry was created with the machine SID that net getlocalsid prints; a domain controller role uses the workgroup name (here sambaDomainName=LDAP), whose sambaSID is the domain SID that the user accounts carry. Changing the role therefore changes which SID wins, and a setlocalsid against the host name is overwritten on the next lookup.

Two things to check before relying on this: the classic BDC role makes smbd/nmbd behave as an NT4-style backup domain controller for the workgroup, so make sure that is acceptable on the network; if it is not, the alternative that follows from the explanation above, correcting the sambaSID of the sambaDomainName=server-test entry in LDAP to the domain SID, was not tried in this post.

Related material: