Thanks Gaiseric.
Making progress but still messed up :-(

Turned up error messages in samba and getting some error messages such as:
_samr_SetUserInfo2: root does possess sufficient rights

Odd, as I'm not using root.
My administrator account is administrator, not root.
Set up over 4 years ago and the populate script created an account like this:

dn: uid=administrator,ou=People,dc=advocap,dc=org
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
cn: administrator
uid: administrator
gidNumber: 512
homeDirectory: /root
givenName: Windows
sn: Administrator
gecos: Windows Administrator
description: Windows Administrator
shadowMin: 1
shadowWarning: 10
shadowInactive: 10
shadowLastChange: 12726
displayName: Windows Administrator
sambaHomeDrive: U:
sambaDomainName: ADVOCAP
creatorsName: cn=Manager,dc=advocap,dc=org
createTimestamp: 20041104200736Z
loginShell: /bin/bash
sambaLMPassword: xx
sambaPwdLastSet: 1102083012
sambaNTPassword: xx
userPassword:: xx
shadowMax: 99999
shadowExpire: 22278
sambaPwdCanChange: 1072850418
sambaPwdMustChange: 1922119808
sambaAcctFlags: [UX ]
uidNumber: 0
structuralObjectClass: inetOrgPerson
entryUUID: 5673eb48-e80e-1029-9225-dc2725e62f91
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaSID: S-1-5-21-3708734655-3086812103-629500990-20998
entryCSN: 20100827183656.000000Z#000000#000#000000

I just ran smbldap-populate and it created:

dn: uid=root,ou=People,dc=advocap,dc=org
cn: root
sn: root
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomeDrive: U:
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaLMPassword: XXX
sambaNTPassword: XXX
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-3708734655-3086812103-629500990-500
loginShell: /bin/false
gecos: Netbios Domain Administrator

I have read some comments from people saying to have the administrator account be named root.

Has smbldap-tools or samba been changed to require the administrator to have uid of root?

On Monday 30 August 2010 07:54:55 am Gaiseric Vandal wrote:
> The localsid on a DC should be the domain sid. You should be able to
> fix this with "net setlocalsid" command.
>
> Generally in Windows you want to assign permissions and rights to a
> group rather than directly to a user. As long as your Administrator
> account is in the "Domain Admins" group and that group has a sid of
> "*****-512" you should be OK. I don't think Samba automatically adds
> any rights or permissions to the Administrator user. I had explicitly
> added some rights to my Administrator account after upgrading to Samba
> 3.4.8 when trying to fix some other issue- it may not have been
> necessary though.
>
>
> # net rpc rights list Administrator -S myserver -U Administrator
> Enter Administrator's password:
> SeMachineAccountPrivilege
> SeAddUsersPrivilege
>
>
> I am pretty sure if you run gpedit on a windows machine and look at
> rights you will see that the rights are assigned to the Administrator
> group not the domain administrator.
>
> On 08/27/2010 02:56 PM, John McMonagle wrote:
> > How about some more specific problems.
> >
> > noticed that there is no localsid.
> > net getlocalsid
> > [2010/08/27 13:48:15, 0] utils/net.c:net_getlocalsid(708)
> > Can't fetch domain SID for name: OSHKOSH
> >
> > I have seen mention that the localsid should be the same as the domainsid
> > when using ldap.
> > Is that true?
> >
> > Seen comments that the user sid for the administrator must end with -500.
> > Is that true?
> > Mine is not. It will be painful to change but I can deal with it.
> >
> > Thanks
> >
> > John
> >
> > On Thursday 26 August 2010 02:44:51 pm John McMonagle wrote:
> >> Should have read this first:
> >> http://samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749
> >>
> >> Problem is I did it the wrong way on a few production systems.
> >> Odds are this is the second time I did it wrong.
> >>
> >> Running Debian Lenny using smbldap.
> >> It mostly works.
> >> Existing members of the domain are working OK.
> >> The first thing that got my attention is that I was not able to join a new xp
> >> workstation to the domain.
> >>
> >> Also noticed that the server is not a member of the domain.
> >> net rpc testjoin
> >> [2010/08/26 14:20:26, 0]
> >> rpc_client/cli_pipe.c:get_schannel_session_key_common(2449)
> >> get_schannel_session_key: could not fetch trust account password for
> >> domain 'ADVOCAP'
> >> [2010/08/26 14:20:26, 0] utils/net_rpc_join.c:net_rpc_join_ok(87)
> >> net_rpc_join_ok: failed to get schannel session key from server FONDY
> >> for domain ADVOCAP. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> >> Join to domain 'ADVOCAP' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> >>
> >> Can not join domain:
> >> net join -U administrator
> >> Enter administrator's password:
> >> [2010/08/26 14:25:48, 0]
> >> utils/net_rpc_join.c:net_rpc_join_newstyle(349) error setting trust
> >> account password: NT_STATUS_ACCESS_DENIED
> >>
> >> tdbdump secrets.tdb
> >> does not show any entry for the server
> >>
> >> Looked at one of the old servers secrets.tdb
> >> and it did not have an entry for that server either.
> >>
> >> Any suggestions on the best way to fix this?
> >>
> >> John
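
The two questions in this thread (does the administrator's SID end in -500, and which primary group SID does it carry) can be checked against exported LDAP entries. This is an added example, not part of the original messages: the LDIF is trimmed from the two entries quoted above, the function names are hypothetical, and the check also reports entries that share a uidNumber.

```python
import re
from collections import defaultdict

# Well-known Windows domain RIDs relevant to this thread.
WELL_KNOWN_RIDS = {500: "Administrator (user)", 512: "Domain Admins (group)"}

# Constructed sample: only the SID/uid attributes of the two entries in the thread.
SAMPLE_LDIF = """\
dn: uid=administrator,ou=People,dc=advocap,dc=org
uid: administrator
uidNumber: 0
sambaSID: S-1-5-21-3708734655-3086812103-629500990-20998
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512

dn: uid=root,ou=People,dc=advocap,dc=org
uid: root
uidNumber: 0
sambaSID: S-1-5-21-3708734655-3086812103-629500990-500
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
"""

def parse_ldif(text):
    """Split LDIF into entries; keeps the last value of each attribute."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, _, value = line.partition(":")
                entry[key.strip()] = value.lstrip(":").strip()
        entries.append(entry)
    return entries

def split_sid(sid):
    """Return (domain SID, RID) for a SID string."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def audit(entries):
    """Per-entry (uid, RID, label, primary group RID) plus shared uidNumbers."""
    findings, by_uid = [], defaultdict(list)
    for e in entries:
        by_uid[e["uidNumber"]].append(e["uid"])
        rid = split_sid(e["sambaSID"])[1]
        group_rid = split_sid(e["sambaPrimaryGroupSID"])[1]
        label = WELL_KNOWN_RIDS.get(rid, "not well-known")
        findings.append((e["uid"], rid, label, group_rid))
    shared = {n: sorted(u) for n, u in by_uid.items() if len(u) > 1}
    return findings, shared

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```
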
