I didn't use smbldap-tools. But I think you have to configure them with the appropriate LDAP user credentials, which is typically NOT root. Although it looks like LDAP perms are not the issue, since stuff is being created.

So you have both a root and administrator account in /etc/passwd?

Do you have all the unix users in /etc/passwd on the new machine (or are you using NIS or LDAP for a common unix account backend?)

I suspect that you may need to use pdbedit or smbpasswd to manually create the Administrator samba account on the new machine.
On 08/30/2010 03:57 PM, John McMonagle wrote:
Thanks Gaiseric

Making progress but still messed up  :-(

Turned up error messages in samba and getting some error message such as:
_samr_SetUserInfo2: root does possess sufficient rights

Odd, as I'm not using root.
My administrator account is administrator, not root.

Set up over 4 years ago, and the populate script created the account like this:
dn: uid=administrator,ou=People,dc=advocap,dc=org
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
cn: administrator
uid: administrator
gidNumber: 512
homeDirectory: /root
givenName: Windows
sn: Administrator
gecos: Windows Administrator
description: Windows Administrator
shadowMin: 1
shadowWarning: 10
shadowInactive: 10
shadowLastChange: 12726
displayName: Windows Administrator
sambaHomeDrive: U:
sambaDomainName: ADVOCAP
creatorsName: cn=Manager,dc=advocap,dc=org
createTimestamp: 20041104200736Z
loginShell: /bin/bash
sambaLMPassword: xx
sambaPwdLastSet: 1102083012
sambaNTPassword: xx
userPassword:: xx
shadowMax: 99999
shadowExpire: 22278
sambaPwdCanChange: 1072850418
sambaPwdMustChange: 1922119808
sambaAcctFlags: [UX         ]
uidNumber: 0
structuralObjectClass: inetOrgPerson
entryUUID: 5673eb48-e80e-1029-9225-dc2725e62f91
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaSID: S-1-5-21-3708734655-3086812103-629500990-20998
entryCSN: 20100827183656.000000Z#000000#000#000000

I just ran smbldap-populate and it created:
dn: uid=root,ou=People,dc=advocap,dc=org
cn: root
sn: root
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomeDrive: U:
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaLMPassword: XXX
sambaNTPassword: XXX
sambaAcctFlags: [U          ]
sambaSID: S-1-5-21-3708734655-3086812103-629500990-500
loginShell: /bin/false
gecos: Netbios Domain Administrator

I have read some comments from people saying to have the administrator account
be named root.   Has smbldap-tools or samba been changed to require the
administrator to have the uid of root?


On Monday 30 August 2010 07:54:55 am Gaiseric Vandal wrote:
The localsid on a DC should be the domain sid.    You should be able to
fix this with "net setlocalsid" command.

Generally in Windows you want to assign permissions and rights  to a
group rather than directly to a user.    As long as your Administrator
account is in the "Domain Admins" group and that group has a sid of
"*****-512" you should be OK.    I don't think Samba automatically adds
any rights or permissions to the Administrator user.  I had explicitly
added some rights to my Administrator account after upgrading to Samba
3.4.8 when trying to fix some other issue; it may not have been
necessary though.


# net rpc rights list Administrator -S myserver  -U Administrator
Enter Administrator's password:
SeMachineAccountPrivilege
SeAddUsersPrivilege


I am pretty sure if you run gpedit on a windows machine and look at
rights you will see that the rights are assigned to the Administrator
group not the domain administrator.

On 08/27/2010 02:56 PM, John McMonagle wrote:
How about some more specific problems.

Noticed that there is no localsid.
net getlocalsid
[2010/08/27 13:48:15,  0] utils/net.c:net_getlocalsid(708)
    Can't fetch domain SID for name: OSHKOSH

I have seen mention that the localsid should be the same as the domainsid
when using ldap.
Is that true?

Seen comments that the user SID for the administrator must end with -500.
Is that true?
Mine is not. It will be painful to change, but I can deal with it.

Thanks

John

On Thursday 26 August 2010 02:44:51 pm John McMonagle wrote:
Should have read this first:
http://samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749

Problem is I did it the wrong way on a few production systems.
Odds are this is the second time I did it wrong.

Running Debian Lenny using smbldap.
It mostly works.
Existing members of the domain are working OK.
The first thing that got my attention was that I was not able to join a new XP
workstation to the domain.

Also noticed that the server is not a member of the domain.
net rpc testjoin
[2010/08/26 14:20:26,  0]
rpc_client/cli_pipe.c:get_schannel_session_key_common(2449)
    get_schannel_session_key: could not fetch trust account password for
domain 'ADVOCAP'
[2010/08/26 14:20:26,  0] utils/net_rpc_join.c:net_rpc_join_ok(87)
    net_rpc_join_ok: failed to get schannel session key from server FONDY
for domain ADVOCAP. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'ADVOCAP' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Can not join domain:
   net join -U administrator
Enter administrator's password:
[2010/08/26 14:25:48,  0]
utils/net_rpc_join.c:net_rpc_join_newstyle(349) error setting trust
account password: NT_STATUS_ACCESS_DENIED

tdbdump secrets.tdb
does not show any entry for the server

Looked at one of the old servers' secrets.tdb
and it did not have an entry for that server either.

Any suggestions on the best way to fix this?

John

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
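Added example, not code from this thread, from Samba or from smbldap-tools: a small Python audit that reads LDIF entries such as the two quoted above and checks the points the thread keeps circling back to after a migration. Which entry holds the built-in Administrator RID 500, does every sambaSID and sambaPrimaryGroupSID actually sit under the domain SID, which accounts have Domain Admins (RID 512) as their primary group, and which Samba accounts are mapped to Unix uid 0. The domain SID prefix is an assumption copied from the SIDs in the mail, the sample LDIF is constructed from the two quoted entries trimmed to the attributes the audit reads, and the parser is deliberately minimal; RIDs 500 and 512 are the standard well-known values, not something taken from the thread.

```python
"""Audit Samba/LDAP account entries for SID and RID consistency.
Added example; assumptions are marked in comments."""
import re

# Well-known RIDs in any NT-style domain (standard values, not from the mail).
RID_ADMINISTRATOR = 500
RID_DOMAIN_ADMINS = 512

# Assumed domain SID: the prefix shared by the sambaSID values quoted in the thread.
DOMAIN_SID = "S-1-5-21-3708734655-3086812103-629500990"

# Constructed sample: the two entries from the thread, trimmed to the attributes
# this audit reads. Hashes were already redacted ("xx") in the mail.
SAMPLE_LDIF = """\
dn: uid=administrator,ou=People,dc=advocap,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: administrator
uidNumber: 0
gidNumber: 512
sambaAcctFlags: [UX         ]
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaSID: S-1-5-21-3708734655-3086812103-629500990-20998
userPassword:: xx

dn: uid=root,ou=People,dc=advocap,dc=org
objectClass: top
objectClass: posixAccount
objectClass: sambaSAMAccount
uid: root
uidNumber: 0
gidNumber: 0
sambaAcctFlags: [U          ]
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaSID: S-1-5-21-3708734655-3086812103-629500990-500
"""

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute -> list of values.
    Handles folded continuation lines (leading space). A '::' base64 marker is
    stripped but the value is kept raw; SID attributes are never base64 anyway."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr:        # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        line = raw.rstrip()
        if not line:                                 # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.lstrip(": ").strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain prefix, RID); None if malformed."""
    m = SID_RE.match(sid.strip())
    return (m.group(1), int(m.group(2))) if m else None


def audit(entries, domain_sid):
    """Check every sambaSamAccount entry against the domain SID and well-known RIDs.
    objectClass is compared case-insensitively because LDAP does, and the two
    quoted entries spell it differently (sambaSamAccount vs sambaSAMAccount)."""
    report = {"findings": [], "rid500_holders": [],
              "domain_admins_primary": [], "uid0_accounts": []}
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "sambasamaccount" not in classes:
            continue
        uid = e.get("uid", ["<no uid>"])[0]
        parsed = split_sid(e.get("sambaSID", [""])[0])
        if parsed is None:
            report["findings"].append(f"{uid}: missing or malformed sambaSID")
            continue
        prefix, rid = parsed
        if prefix != domain_sid:
            report["findings"].append(f"{uid}: sambaSID is under {prefix}, not {domain_sid}")
        if rid == RID_ADMINISTRATOR:
            report["rid500_holders"].append(uid)
        elif uid.lower() == "administrator":
            report["findings"].append(
                f"{uid}: named administrator but has RID {rid}, not {RID_ADMINISTRATOR}")
        pg = split_sid(e.get("sambaPrimaryGroupSID", [""])[0])
        if pg is None:
            report["findings"].append(f"{uid}: missing or malformed sambaPrimaryGroupSID")
        else:
            if pg[0] != domain_sid:
                report["findings"].append(f"{uid}: primary group is under {pg[0]}, not {domain_sid}")
            if pg[1] == RID_DOMAIN_ADMINS:
                report["domain_admins_primary"].append(uid)
        if e.get("uidNumber", [""])[0] == "0":       # Samba account that is Unix root
            report["uid0_accounts"].append(uid)
    n = len(report["rid500_holders"])
    if n != 1:
        report["findings"].append(
            f"expected exactly one RID-{RID_ADMINISTRATOR} account, found {n}")
    return report


if __name__ == "__main__":
    result = audit(parse_ldif(SAMPLE_LDIF), DOMAIN_SID)
    print("RID 500 held by:", result["rid500_holders"])
    for finding in result["findings"]:
        print("finding:", finding)
```

Run against the real directory by piping `slapcat` or `ldapsearch -LLL` output into `parse_ldif` instead of the constructed sample. On the sample it reports that the account named administrator carries RID 20998 while the freshly populated root entry holds RID 500, which is exactly the mismatch the thread is trying to sort out; the uid0_accounts list is informational, since a Samba 3 LDAP domain normally maps the domain administrator to uid 0, but seeing two such accounts after a populate run is worth a look.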
