The localsid on a DC should be the domain sid. You should be able to fix this with the "net setlocalsid" command.

Generally in Windows you want to assign permissions and rights to a group rather than directly to a user. As long as your Administrator account is in the "Domain Admins" group and that group has a sid of "*****-512" you should be OK. I don't think Samba automatically adds any rights or permissions to the Administrator user. I had explicitly added some rights to my Administrator account after upgrading to Samba 3.4.8 when trying to fix some other issue; it may not have been necessary though.


# net rpc rights list Administrator -S myserver  -U Administrator
Enter Administrator's password:
SeMachineAccountPrivilege
SeAddUsersPrivilege


I am pretty sure if you run gpedit on a Windows machine and look at rights you will see that the rights are assigned to the Administrator group, not the domain administrator.




On 08/27/2010 02:56 PM, John McMonagle wrote:
How about some more specific problems.

Noticed that there is no localsid.
net getlocalsid
[2010/08/27 13:48:15,  0] utils/net.c:net_getlocalsid(708)
   Can't fetch domain SID for name: OSHKOSH

I have seen mention that the localsid should be the same as the domainsid
when using ldap.
Is that true?

Seen comments that the user sid for the administrator must end with -500.
Is that true?
Mine is not. It will be painful to change but I can deal with it.

Thanks

John

On Thursday 26 August 2010 02:44:51 pm John McMonagle wrote:
Should have read this first:
http://samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749

Problem is I did it the wrong way on a few production systems.
Odds are this is the second time I did it wrong.

Running Debian Lenny using smbldap.
It mostly works.
Existing members of the domain are working OK.
The first thing that got my attention was that I was not able to join a new XP
workstation to the domain.

Also noticed that the server is not a member of the domain.
net rpc testjoin
[2010/08/26 14:20:26,  0]
rpc_client/cli_pipe.c:get_schannel_session_key_common(2449)
   get_schannel_session_key: could not fetch trust account password for
domain 'ADVOCAP'
[2010/08/26 14:20:26,  0] utils/net_rpc_join.c:net_rpc_join_ok(87)
   net_rpc_join_ok: failed to get schannel session key from server FONDY for
domain ADVOCAP. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'ADVOCAP' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Can not join domain:
  net join -U administrator
Enter administrator's password:
[2010/08/26 14:25:48,  0] utils/net_rpc_join.c:net_rpc_join_newstyle(349)
   error setting trust account password: NT_STATUS_ACCESS_DENIED

tdbdump secrets.tdb
does not show any entry for the server

Looked at one of the old servers' secrets.tdb
and it did not have an entry for that server either.

Any suggestions on the best way to fix this?

John
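
The two conditions the reply at the top of this thread describes (the local SID on a DC equals the domain SID, and "Domain Admins" maps to a SID ending in -512) can be checked from captured command output. This is an added example, not code from the thread or from Samba. It assumes the line formats printed by `net getlocalsid`, `net getdomainsid` and `net groupmap list` shown in the comments, and the SIDs are constructed.

```python
import re

# Assumed line formats: "SID for domain NAME is: S-1-5-21-..." (net getlocalsid,
# net getdomainsid) and "Group (SID) -> unixgroup" (net groupmap list).
SID_LINE = re.compile(r"^SID for (local machine|domain) (\S+) is: (S-1-[\d-]+)$", re.M)
MAP_LINE = re.compile(r"^(.+?) \((S-1-[\d-]+)\) -> (.+)$", re.M)

def sids_by_kind(text):
    """Map 'local machine' / 'domain' to the SID printed for it."""
    return {m.group(1): m.group(3) for m in SID_LINE.finditer(text)}

def check_dc_sids(localsid_out, domainsid_out, groupmap_out):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    local = sids_by_kind(localsid_out).get("domain")  # getlocalsid labels it "domain"
    domain = sids_by_kind(domainsid_out).get("domain")
    if domain is None:
        findings.append("no domain SID found")
    if local is None:
        findings.append("no local SID found")
    elif domain is not None and local != domain:
        findings.append("local SID differs from domain SID")
    groups = {m.group(1): m.group(2) for m in MAP_LINE.finditer(groupmap_out)}
    admins = groups.get("Domain Admins")
    if admins is None:
        findings.append("Domain Admins has no group mapping")
    else:
        prefix, _, rid = admins.rpartition("-")
        if rid != "512":
            findings.append("Domain Admins RID is %s, expected 512" % rid)
        if domain is not None and prefix != domain:
            findings.append("Domain Admins SID is not under the domain SID")
    return findings

# Constructed sample input: SIDs are made up, names are the ones in the thread.
GOOD_SID = "S-1-5-21-1111111111-2222222222-3333333333"
LOCAL_BROKEN = "Can't fetch domain SID for name: OSHKOSH"
LOCAL_OK = "SID for domain FONDY is: " + GOOD_SID
DOMAIN_OK = ("SID for local machine FONDY is: " + GOOD_SID + "\n"
             "SID for domain ADVOCAP is: " + GOOD_SID)
GROUPMAP = ("Domain Admins (" + GOOD_SID + "-512) -> domainadmins\n"
            "Domain Users (" + GOOD_SID + "-513) -> domainusers")

if __name__ == "__main__":
    for name, out in (("broken", LOCAL_BROKEN), ("ok", LOCAL_OK)):
        print(name, check_dc_sids(out, DOMAIN_OK, GROUPMAP))
```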
