explorer.exe: no mapping between names and security ids was done

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

explorer.exe: no mapping between names and security ids was done

Samba - General mailing list
... I just want to put this somewhere easily searchable based on the users error message.

Upgrading a domain controller to Debian 8  (samba 3 to 4) resulted in the message "no mapping between names and security
ids was done" at times. The message appears on the windows 7 domain pcs when running explorer.exe. Also other basic
things did not work: internet explorer, or mapping between file types and extensions.  But only at times.

The problem is apparent when running set in a command on the affected windows pc. Look for the USERDOMAIN variable
somewhere at the bottom of the list. It is not set to the real domain name. In my case it was the name of the server
before it became a domain controller. I suspect the system was hanging together due to netbios names - eek. Mostly and
for years running Debian 7, and samba 3 this was accidentally reliable.

A quick fix is possible on the samba domain controller:

sudo pdbedt -I "MYDOMAIN" -u username

.. the next login should return things to normal for the user.

 From the pdbedit manpage:

        -I|--domain
            This option can be used while adding or modifying a user account. It will specify the user's domain field.

            Example: -I "MYDOMAIN"

Hope this helps someone

Bernie

Ref: This hint - https://lists.samba.org/archive/samba/2005-December/115411.html from way back


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: explorer.exe: no mapping between names and security ids was done

Samba - General mailing list
On Thu, 3 Aug 2017 09:59:44 +0100
Bernie Elbourn via samba <[hidden email]> wrote:

> ... I just want to put this somewhere easily searchable based on the
> users error message.
>
> Upgrading a domain controller to Debian 8  (samba 3 to 4) resulted in
> the message "no mapping between names and security ids was done" at
> times. The message appears on the windows 7 domain pcs when running
> explorer.exe. Also other basic things did not work: internet
> explorer, or mapping between file types and extensions.  But only at
> times.
>
> The problem is apparent when running set in a command on the affected
> windows pc. Look for the USERDOMAIN variable somewhere at the bottom
> of the list. It is not set to the real domain name. In my case it was
> the name of the server before it became a domain controller. I
> suspect the system was hanging together due to netbios names - eek.
> Mostly and for years running Debian 7, and samba 3 this was
> accidentally reliable.
>
> A quick fix is possible on the samba domain controller:
>

Yes, but is this an NT4-style PDC or an AD DC ?

It is probably a PDC, if so, can I suggest that as you have upgraded the
OS, it might be a good idea to think about moving to Active Directory.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: explorer.exe: no mapping between names and security ids was done

Samba - General mailing list
Howdy Rowland,

On 03/08/17 10:51, Rowland Penny via samba wrote:

> On Thu, 3 Aug 2017 09:59:44 +0100
> Bernie Elbourn via samba <[hidden email]> wrote:
>
>> ... I just want to put this somewhere easily searchable based on the
>> users error message.
>>
>> Upgrading a domain controller to Debian 8  (samba 3 to 4) resulted in
>> the message "no mapping between names and security ids was done" at
>> times. The message appears on the windows 7 domain pcs when running
>> explorer.exe. Also other basic things did not work: internet
>> explorer, or mapping between file types and extensions.  But only at
>> times.
>>
>> The problem is apparent when running set in a command on the affected
>> windows pc. Look for the USERDOMAIN variable somewhere at the bottom
>> of the list. It is not set to the real domain name. In my case it was
>> the name of the server before it became a domain controller. I
>> suspect the system was hanging together due to netbios names - eek.
>> Mostly and for years running Debian 7, and samba 3 this was
>> accidentally reliable.
>>
>> A quick fix is possible on the samba domain controller:
>>
> Yes, but is this an NT4-style PDC or an AD DC ?
>
> It is probably a PDC, if so, can I suggest that as you have upgraded the
> OS, it might be a good idea to think about moving to Active Directory.
>
> Rowland
>
Your guess is right. It is a smb.conf security = user flavour domain ... with all the inherent historical configuration
ouchies.

Ad is indeed possible but so far not needed.

Bernie



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: explorer.exe: no mapping between names and security ids was done

Samba - General mailing list
On Thu, 3 Aug 2017 16:16:55 +0100
Bernie Elbourn via samba <[hidden email]> wrote:

> Howdy Rowland,
>
> On 03/08/17 10:51, Rowland Penny via samba wrote:
> > On Thu, 3 Aug 2017 09:59:44 +0100
> > Bernie Elbourn via samba <[hidden email]> wrote:
> >
> >> ... I just want to put this somewhere easily searchable based on
> >> the users error message.
> >>
> >> Upgrading a domain controller to Debian 8  (samba 3 to 4) resulted
> >> in the message "no mapping between names and security ids was
> >> done" at times. The message appears on the windows 7 domain pcs
> >> when running explorer.exe. Also other basic things did not work:
> >> internet explorer, or mapping between file types and extensions.
> >> But only at times.
> >>
> >> The problem is apparent when running set in a command on the
> >> affected windows pc. Look for the USERDOMAIN variable somewhere at
> >> the bottom of the list. It is not set to the real domain name. In
> >> my case it was the name of the server before it became a domain
> >> controller. I suspect the system was hanging together due to
> >> netbios names - eek. Mostly and for years running Debian 7, and
> >> samba 3 this was accidentally reliable.
> >>
> >> A quick fix is possible on the samba domain controller:
> >>
> > Yes, but is this an NT4-style PDC or an AD DC ?
> >
> > It is probably a PDC, if so, can I suggest that as you have
> > upgraded the OS, it might be a good idea to think about moving to
> > Active Directory.
> >
> > Rowland
> >
> Your guess is right. It is a smb.conf security = user flavour
> domain ... with all the inherent historical configuration ouchies.
>
> Ad is indeed possible but so far not needed.

you might not think you need it now, but Microsoft stopped supporting
them some years ago and now seems to be trying (little by little) to
stop them working with Windows. You may install an update one day and
suddenly find your NT4-style domain no longer works!
I think it is much better to start planning the update to AD now,
rather than waiting for the headless chicken moment ;-)

It is your domain though and you can do whatever you please.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: explorer.exe: no mapping between names and security ids was done

Samba - General mailing list
Hi,

On 03/08/17 16:54, Rowland Penny via samba wrote:

> On Thu, 3 Aug 2017 16:16:55 +0100
> Bernie Elbourn via samba <[hidden email]> wrote:
>
>>
>> Ad is indeed possible but so far not needed.
> you might not think you need it now, but Microsoft stopped supporting
> them some years ago and now seems to be trying (little by little) to
> stop them working with Windows. You may install an update one day and
> suddenly find your NT4-style domain no longer works!
> I think it is much better to start planning the update to AD now,
> rather than waiting for the headless chicken moment ;-)
>
> It is your domain though and you can do whatever you please.
>
> Rowland
>
Good steer! Thanks. Sorry, I was abrupt about AD. I am actually a bit grumpy with the situation at this site .. last
year there was actually a very strong business driver for 2fa last year which needed AD and a bunch of other
investments. That work is still on hold ... leaving a pile of legacy issues. Near the top of the pile was the samba on
Debian wheezy dropping into old old stable :-(

Bernie

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Loading...