L.P.H. van Belle
2016-Dec-20 13:18 UTC
[Samba] Unable to convert first SID ( user DOMAIN\Administrator )
Hai,

! This problem came and is gone again, but it's an interesting thing, that's why I'm putting it on the samba list.
I added the time in the message to make it more clear what was done when.

Upgraded samba from 4.4.5-3 to 4.5.3 yesterday.

Time : 10:15 in the morning.
Environment:
DC1 : debian Jessie samba 4.5.3
DC2 : debian Jessie samba 4.5.3
MEMBERs : in general samba 4.5.3 ( few 4.4.5-3 , 4.2.10, 3.6.6 )

Today I rebooted my management PC (Win7 64-bit) and logged in as DOMAIN\Administrator.
This works fine, GPO is applied correctly, until I needed to edit my GPO.

Starting GPO editing gives the message: RPC server is not available.

Now I'm unable to browse to \\dc1.domain.tld with Explorer, but I can browse to \\dc2.domain.tld.

DC1 is the DC with the FSMO roles.
I can't edit GPO through both servers atm; sometimes I'm able to connect to dc2, not every attempt.

I noticed the following in the logs. ( DC1 )

    [2016/12/20 11:14:04.328604, 0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
      Unable to convert first SID (S-1-5-21-2934682428-1234567789-696969692-500) in user token to a UID. Conversion was returned as type 0, full token:
    [2016/12/20 11:14:04.328687, 0] ../libcli/security/security_token.c:63(security_token_debug)
      Security token SIDs (14):
        SID[ 0]: S-1-5-21-2934682428-1234567789-696969692-500
        SID[ 1]: S-1-5-21-2934682428-1234567789-696969692-513
        SID[ 2]: S-1-5-21-2934682428-1234567789-696969692-520
        SID[ 3]: S-1-5-21-2934682428-1234567789-696969692-572
        SID[ 4]: S-1-5-21-2934682428-1234567789-696969692-519
        SID[ 5]: S-1-5-21-2934682428-1234567789-696969692-518
        SID[ 6]: S-1-5-21-2934682428-1234567789-696969692-512
        SID[ 7]: S-1-5-21-2934682428-1234567789-696969692-1399
        SID[ 8]: S-1-1-0
        SID[ 9]: S-1-5-2
        SID[ 10]: S-1-5-11
        SID[ 11]: S-1-5-32-544
        SID[ 12]: S-1-5-32-545
        SID[ 13]: S-1-5-32-554
      Privileges (0x 1FFFFFF0):
        Privilege[ 0]: SeMachineAccountPrivilege
        Privilege[ 1]: SeTakeOwnershipPrivilege
        Privilege[ 2]: SeBackupPrivilege
        Privilege[ 3]: SeRestorePrivilege
        Privilege[ 4]: SeRemoteShutdownPrivilege
        Privilege[ 5]: SePrintOperatorPrivilege
        Privilege[ 6]: SeAddUsersPrivilege
        Privilege[ 7]: SeDiskOperatorPrivilege
        Privilege[ 8]: SeSecurityPrivilege
        Privilege[ 9]: SeSystemtimePrivilege
        Privilege[ 10]: SeShutdownPrivilege
        Privilege[ 11]: SeDebugPrivilege
        Privilege[ 12]: SeSystemEnvironmentPrivilege
        Privilege[ 13]: SeSystemProfilePrivilege
        Privilege[ 14]: SeProfileSingleProcessPrivilege
        Privilege[ 15]: SeIncreaseBasePriorityPrivilege
        Privilege[ 16]: SeLoadDriverPrivilege
        Privilege[ 17]: SeCreatePagefilePrivilege
        Privilege[ 18]: SeIncreaseQuotaPrivilege
        Privilege[ 19]: SeChangeNotifyPrivilege
        Privilege[ 20]: SeUndockPrivilege
        Privilege[ 21]: SeManageVolumePrivilege
        Privilege[ 22]: SeImpersonatePrivilege
        Privilege[ 23]: SeCreateGlobalPrivilege
        Privilege[ 24]: SeEnableDelegationPrivilege
      Rights (0x 403):
        Right[ 0]: SeInteractiveLogonRight
        Right[ 1]: SeNetworkLogonRight
        Right[ 2]: SeRemoteInteractiveLogonRight

Few tests.
Time : 10:45 in the morning. ( yeah I have more to do.. )

    wbinfo --sid-aliases S-1-5-21-2934682428-1234567789-696969692-500

reports nothing

    wbinfo --user-sids S-1-5-21-2934682428-1234567789-696969692-500
    S-1-5-21-2934682428-1234567789-696969692-500
    S-1-5-21-2934682428-1234567789-696969692-513
    S-1-5-21-2934682428-1234567789-696969692-520
    S-1-5-21-2934682428-1234567789-696969692-1399
    S-1-5-21-2934682428-1234567789-696969692-519
    S-1-5-21-2934682428-1234567789-696969692-512
    S-1-5-21-2934682428-1234567789-696969692-518
    S-1-5-21-2934682428-1234567789-696969692-572
    S-1-5-32-545
    S-1-5-32-544

Time : 13:00 in the midday.

    wbinfo --user-sidinfo S-1-5-21-2934682428-1234567789-696969692-500
    NTDOM\administrator:*:0:10000::/home/users/administrator:/bin/bash

    wbinfo -s S-1-5-21-2934682428-1234567789-696969692-500
    NTDOM\Administrator 1

    wbinfo -S S-1-5-21-2934682428-1234567789-696969692-500
    0

And DC2 logs (* I cleared them all after the upgrade yesterday) 4.4.5 => 4.5.3
The only log message, and it looks ok.
log.smbd

    [2016/12/20 08:00:45.047802, 0] ../source3/smbd/smbd_cleanupd.c:172(smbd_cleanupd_process_exited)
      smbd_cleanupd_process_exited: got 0 cleanup events, expected at least 1

Time : 13:15 in the midday.
Both database replications tested are without errors.

    samba-tool ldapcmp --filter='whenChanged' ldap://dc1.internal.domain.tld ldap://dc2.internal.domain.tld
    samba-tool drs showrepl

Time : 13:20 in the midday.
After I noticed the log messages I ran:
samba-tool dbcheck --cross-ncs --fix and that fixed 936 errors out of 910 objects :-/ ?

! The problem still exists after the fix.

The smb.conf of both DCs is the same except the IP and hostnames.

    [global]
        workgroup = NTDOM
        realm = INTERNAL.REALM

        # By default the netbios name is the system hostname.
        netbios name = DC1

        server role = active directory domain controller
        server services = -dns

        interfaces = 192.168.0.1 127.0.0.1
        bind interfaces only = yes
        time server = yes

        ## Dont forget to set the idmap_ldb on ALL DC's if you use it
        idmap_ldb:use rfc2307 = yes

        ## Keep this off!!
        ## This is only used for modify-ing the AD Schema and only done on the DC with the FSMO Roles.
        sdb:schema update allowed = no

        winbind nss info = rfc2307
        winbind expand groups = 4

        template shell = /bin/bash
        template homedir = /home/users/%U

        # disable printing completely, no error messages in the logs.
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

        # disable usershares creating, when set empty, no error messages in the logs.
        usershare path

        # Add and Update TLS Key
        tls enabled = yes
        tls keyfile = /etc/ssl/local/private/dc1.key.pem
        tls certfile = /etc/ssl/local/certs/dc1.cert.pem
        tls cafile = /etc/ssl/certs/company-ca.pem

        # log level = 10
        # debug timestamp = yes

    [sysvol]
        path = /home/samba/sysvol
        read only = No
        acl_xattr:ignore system acls = yes

    [netlogon]
        path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
        read only = No
        acl_xattr:ignore system acls = yes

I'm only wondering why my Domain Administrator account gives these messages.
I can log in with my “extra” domain admin account and everything works fine.
Besides that, everything else checked so far works fine.

So I'm a bit puzzled here. What happened to the Administrator account, and why only on DC1?

Time : 14:00
Anyone? Any tips?

P.S. time 14:15
Now I did check for a last time, and suddenly everything is working again.
And I didn't touch the samba servers, only logged in with the “domain\Administrator” again.
Very strange.

Or Rowland, tell me what I forgot :-)) ;-)

Greetz,

Louis
L.P.H. van Belle
2016-Dec-20 13:37 UTC
[Samba] Unable to convert first SID ( user DOMAIN\Administrator )
Ok, I found it.
https://bugzilla.samba.org/show_bug.cgi?id=12410
Now I can relate to this.

Yesterday I was having the old idmap config ... in the smb.conf.
Today at around 8:30 I cleaned up my smb.conf to match the 4.5.x defaults on both DCs.
I rebooted the servers after the change, but the problem was still there.

The problem is probably fixed after running:

    net cache flush

At around 14:10 it only took a few min after that I noticed that it worked.

Sorry for the noise.

Greetz,

Louis
Rowland Penny
2016-Dec-20 13:43 UTC
[Samba] Unable to convert first SID ( user DOMAIN\Administrator )
On Tue, 20 Dec 2016 14:18:38 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Or Rowland, tell me what I forgot :-)) ;-)

net cache flush ???

It looks like something got refreshed and so now everything is working correctly.

Could be something similar to this bug:

https://bugzilla.samba.org/show_bug.cgi?id=12410

Rowland
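
An added example, not part of the original thread and not Samba code: a small Python parser for the `security_token_to_unix_token` failure quoted in the first message. It groups the events per SID and records the first and last time each was seen, so the failure window can be compared with the time of a config change or a `net cache flush`. The sample log is constructed (abridged from the post, plus one invented later event), and `split_records` and `conversion_failures` are hypothetical helper names.

```python
import re

# Samba's idmap id_type enum; 0 means the lookup returned no usable mapping type.
ID_TYPES = {0: "ID_TYPE_NOT_SPECIFIED", 1: "ID_TYPE_UID",
            2: "ID_TYPE_GID", 3: "ID_TYPE_BOTH"}
# Well-known domain RIDs worth calling out when they fail to map.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}

HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*\d+[^\]]*\]\s+\S+\((\w+)\)")
FAIL = re.compile(
    r"Unable to convert first SID \((S-[\d-]+)\) in user token to a UID\."
    r"\s*Conversion was returned as type (\d+)")
TOKEN_SID = re.compile(r"SID\[\s*\d+\]:\s*(S-[\d-]+)")

# Constructed sample: the first record pair is abridged from the log in the post;
# the second failure and its timestamp are invented for illustration.
SAMPLE_LOG = """\
[2016/12/20 11:14:04.328604,  0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2934682428-1234567789-696969692-500) in user token to a UID.  Conversion was returned as type 0, full token:
[2016/12/20 11:14:04.328687,  0] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (14):
    SID[  0]: S-1-5-21-2934682428-1234567789-696969692-500
    SID[  1]: S-1-5-21-2934682428-1234567789-696969692-513
    SID[ 11]: S-1-5-32-544
[2016/12/20 13:58:10.000001,  0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2934682428-1234567789-696969692-500) in user token to a UID.  Conversion was returned as type 0, full token:
"""


def split_records(text):
    """Yield (timestamp, function, body) for each Samba debug record."""
    ts, func, body = None, None, []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            if ts is not None:
                yield ts, func, " ".join(body)
            ts, func, body = m.group(1), m.group(2), []
        elif ts is not None:
            body.append(line.strip())
    if ts is not None:
        yield ts, func, " ".join(body)


def conversion_failures(text):
    """Group 'Unable to convert first SID' events by SID, with first/last time."""
    result, pending = {}, None
    for ts, func, body in split_records(text):
        m = FAIL.search(body)
        if m:
            sid, rid = m.group(1), int(m.group(1).rsplit("-", 1)[1])
            entry = result.setdefault(sid, {
                "account": WELL_KNOWN_RIDS.get(rid, "rid-%d" % rid),
                "id_type": ID_TYPES.get(int(m.group(2)), "unknown"),
                "count": 0, "first": ts, "last": ts, "token_sids": []})
            entry["count"] += 1
            entry["last"] = ts
            pending = entry
        elif func == "security_token_debug" and pending is not None:
            # The token dump that follows a failure lists every SID in the token.
            pending["token_sids"] = TOKEN_SID.findall(body)
            pending = None
        else:
            pending = None
    return result


if __name__ == "__main__":
    for sid, e in conversion_failures(SAMPLE_LOG).items():
        print(sid, e["account"], e["id_type"], e["count"], e["first"], e["last"])
```
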