Franta Hanzlík
2019-Mar-26 04:18 UTC
[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed
Hi Tim and Rowland, thanks for Your support!
I was thinking about e.g. Python 2.7.15 compatibility (as newer Samba versions require Python3), but You are right, here in DB can be problem - first Samba AD DC was created by migrating Samba3 NT4 domain to Samba4 AD cca week ago (using 'samba-tool domain classicupgrade ...', according to Samba Wiki):

On Tue, 26 Mar 2019 10:14:02 +1300 Tim Beale <timbeale at catalyst.net.nz> wrote:
> Hi,
>
> That failure is a little odd. It's replicated all the DB objects, but is
> failing trying to commit the transaction. It looks like the error is
> happening trying to get the objectClass for the Administrator user. The
> weird thing is it should have already successfully passed this check
> once when it first received the object.
>
> You could try the following:
>
> 1. If you run 'samba-tool dbcheck' on the DC you're trying to join, does
> it report any problems?

[root at dc1 samba]# samba-tool dbcheck
Checking 701 objects
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:2df6a1a3-2a54-4385-ae71-5d95b1348310,CN=Deleted Objects,DC=zamecek,DC=home - CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:d77e5f7f-cf78-40da-a895-466ea39cf88a,CN=Deleted Objects,DC=zamecek,DC=home - CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:cdc01d0b-5e0f-4503-ac61-5ef9356095de,CN=Deleted Objects,DC=zamecek,DC=home - CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Not fixing old string component
Not fixing nTSecurityDescriptor on CN=Administrator,CN=Users,DC=zamecek,DC=home
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:c17ec05e-f0af-4ef7-83c4-bf1c5e336b13,CN=Deleted Objects,DC=zamecek,DC=home - CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Not fixing old string component
ERROR(<type 'exceptions.TypeError'>): uncaught exception - 'ldb.Dn' object is not iterable
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dbcheck.py", line 157, in run
    controls=controls, attrs=attrs)
  File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line 222, in check_database
    error_count += self.check_object(object.dn, attrs=attrs)
  File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line 2245, in check_object
    for val in obj[attrname]:

[root at dc1 samba]# samba-tool dbcheck --fix
Checking 701 objects
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:2df6a1a3-2a54-4385-ae71-5d95b1348310,CN=Deleted Objects,DC=zamecek,DC=home - CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Change DN to <GUID=3e5b10ad-ad6b-435d-9ca1-51b4ec7e4ee0>;<SID=S-1-5-21-9998-9997-9996-118736>;CN=DC2-LYNX\0ADEL:3e5b10ad-ad6b-435d-9ca1-51b4ec7e4ee0,CN=Deleted Objects,DC=zamecek,DC=home? [y/N/all/none] y
Fixed old DN string on attribute lastKnownParent
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:d77e5f7f-cf78-40da-a895-466ea39cf88a,CN=Deleted Objects,DC=zamecek,DC=home - CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Change DN to <GUID=67c06c38-e2c9-4c7e-b243-0a99f17f15d2>;<SID=S-1-5-21-9998-9997-9996-118731>;CN=DC2-LYNX\0ADEL:67c06c38-e2c9-4c7e-b243-0a99f17f15d2,CN=Deleted Objects,DC=zamecek,DC=home? [y/N/all/none] y
Fixed old DN string on attribute lastKnownParent
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:cdc01d0b-5e0f-4503-ac61-5ef9356095de,CN=Deleted Objects,DC=zamecek,DC=home - CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Change DN to <GUID=149c75f7-7fe5-4171-b4c9-7b904a6499f2>;<SID=S-1-5-21-9998-9997-9996-118734>;CN=DC2-LYNX\0ADEL:149c75f7-7fe5-4171-b4c9-7b904a6499f2,CN=Deleted Objects,DC=zamecek,DC=home? [y/N/all/none] y
Fixed old DN string on attribute lastKnownParent
Fix nTSecurityDescriptor on CN=Administrator,CN=Users,DC=zamecek,DC=home? [y/N/all/none] y
Failed to fix attribute nTSecurityDescriptor : (1, 'operations error at ../source4/dsdb/samdb/ldb_modules/descriptor.c:819')
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:c17ec05e-f0af-4ef7-83c4-bf1c5e336b13,CN=Deleted Objects,DC=zamecek,DC=home - CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Change DN to <GUID=90c946a1-0cdc-42fc-a666-71df394d0ea2>;<SID=S-1-5-21-9998-9997-9996-118735>;CN=DC2-LYNX\0ADEL:90c946a1-0cdc-42fc-a666-71df394d0ea2,CN=Deleted Objects,DC=zamecek,DC=home? [y/N/all/none] y
Fixed old DN string on attribute lastKnownParent
ERROR(<type 'exceptions.TypeError'>): uncaught exception - 'ldb.Dn' object is not iterable
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dbcheck.py", line 157, in run
    controls=controls, attrs=attrs)
  File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line 222, in check_database
    error_count += self.check_object(object.dn, attrs=attrs)
  File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line 2245, in check_object
    for val in obj[attrname]:

and second run show only problem with nTSecurityDescriptor :

[root at dc1 samba]# samba-tool dbcheck
Checking 701 objects
Not fixing nTSecurityDescriptor on CN=Administrator,CN=Users,DC=zamecek,DC=home
ERROR(<type 'exceptions.TypeError'>): uncaught exception - 'ldb.Dn' object is not iterable
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dbcheck.py", line 157, in run
    controls=controls, attrs=attrs)
  File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line 222, in check_database
    error_count += self.check_object(object.dn, attrs=attrs)
  File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line 2245, in check_object
    for val in obj[attrname]:

(similarly ends 'samba-tool dbcheck --cross-ncs')

> 2. Try dumping the object it's failing on, just to see if there's
> anything odd with the objectClass attributes. E.g.
> ldbsearch -H ldap://$SERVER -b
> 'CN=Administrator,CN=Users,DC=zamecek,DC=home'

[root at dc1 samba]# ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC=ZAMECEK,DC=HOME.ldb '(CN=Administrator)'
# record 1
dn: CN=Administrator,CN=Users,DC=zamecek,DC=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: posixAccount
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20190227200715.0Z
uSNCreated: 3626
nTSecurityDescriptor:: [...]
name: Administrator
objectGUID:: oADwF9LfoUapbT5rVUONkg=
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAADicAAA0nAAAMJwAA9AEAAA=
adminCount: 1
accountExpires: 9223372036854775807
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: <GUID=238cd868-9d8d-43e2-9855-f70001c12772>;CN=Person,CN=Schem
 a,CN=Configuration,DC=zamecek,DC=home
isCriticalSystemObject: TRUE
unicodePwd:: [...]
supplementalCredentials:: [...]
pwdLastSet: 131960948110000000
memberOf: <GUID=399b9635-766b-440e-a809-0da8167cb99e>;<SID=S-1-5-21-9998-9997-
 9996-512>;CN=Domain Admins,OU=System_Groups,DC=zamecek,DC=home
memberOf: <GUID=d5fb0b44-67ab-4315-aa52-d4349c055f71>;<SID=S-1-5-21-9998-9997-
 9996-518>;CN=Schema Admins,OU=System_Groups,DC=zamecek,DC=home
memberOf: <GUID=7d21a3e5-30ac-46b0-92f4-d08be381dcf9>;<SID=S-1-5-21-9998-9997-
 9996-519>;CN=Enterprise Admins,OU=System_Groups,DC=zamecek,DC=home
memberOf: <GUID=4525698e-ee4b-44aa-af2a-6c0c96fa0983>;<SID=S-1-5-21-9998-9997-
 9996-520>;CN=Group Policy Creator Owners,OU=System_Groups,DC=zamecek,DC=home
memberOf: <GUID=378c3027-8902-4d85-a053-9207a2583ee7>;<SID=S-1-5-32-544>;CN=Ad
 ministrators,CN=Builtin,DC=zamecek,DC=home
gidNumber: 1103
uidNumber: 0
loginShell: /bin/bash
unixHomeDirectory: /root
lastLogonTimestamp: 131976602069696270
replPropertyMetaData:: [...]
whenChanged: 20190321164326.0Z
uSNChanged: 9904
lastLogon: 131979773829025460
logonCount: 609
distinguishedName: CN=Administrator,CN=Users,DC=zamecek,DC=home

# returned 1 records
# 1 entries
# 0 referrals

Thus it seems as there is any problem with Administrator nTSecurityDescriptor - but what and how correct it?

> 3. Try running the command again with an increased --debuglevel. I'm not
> sure it'll reveal anything more, but might be worth a shot.
>
> Thanks,
> Tim
> [...]
Rowland Penny
2019-Mar-26 09:29 UTC
[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed
On Tue, 26 Mar 2019 05:18:20 +0100 Franta Hanzlík <franta at hanzlici.cz> wrote:
> Hi Tim and Rowland, thanks for Your support!
> I was thinking about e.g. Python 2.7.15 compatibility (as newer Samba
> versions require Python3), but You are right, here in DB can be
> problem
> - first Samba AD DC was created by migrating Samba3 NT4 domain to
> Samba4 AD cca week ago (using 'samba-tool domain classicupgrade ...',
> according to Samba Wiki):
>
> [root at dc1 samba]# samba-tool dbcheck
> Checking 701 objects
> NOTE: old (due to rename or delete) DN string component for
> lastKnownParent in object CN=RID
> Set\0ADEL:2df6a1a3-2a54-4385-ae71-5d95b1348310,CN=Deleted
> Objects,DC=zamecek,DC=home - CN=DC2-LYNX,OU=Domain
> Controllers,DC=zamecek,DC=home Not fixing old string component

You can ignore lines like that, the '\0ADEL' means it is a deleted object and will eventually go away.

> > 2. Try dumping the object it's failing on, just to see if there's
> > anything odd with the objectClass attributes. E.g.
> > ldbsearch -H ldap://$SERVER -b
> > 'CN=Administrator,CN=Users,DC=zamecek,DC=home'
>
> [root at dc1 samba]# ldbsearch
> -H /var/lib/samba/private/sam.ldb.d/DC=ZAMECEK,DC=HOME.ldb
> '(CN=Administrator)'

Do not touch the files found under 'sam.ldb.d', use the 'sam.ldb' file instead, or use the 'ldbsearch' as shown, not that it would work for what you require, it should have been something like this:

ldbsearch -H ldap://dc4 -UAdministrator -b 'CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com' -s base nTSecurityDescriptor

Which (after you enter Administrator's password) should produce something like this:

# record 1
dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
nTSecurityDescriptor: O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWP
 CRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;
 ;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-1
 1d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(O
 A;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1
 -aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(OA
 ;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768
 -00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;A
 U)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77b5b886-944a-11d1
 -aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;
 RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-0
 0aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf
 967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58
 d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32
 -561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;CIIOID;
 RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;
 RU)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-0
 0aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-14
 37-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf
 ;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-902
 0-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;bc0ac240-7
 9a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID
 ;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28
 ;RU)(OA;CIID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-
 00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1
 437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f93
 9;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-85
 4e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6
 d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CII
 D;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e
 2;ED)(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;
 RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPLCLORC;;bf967aba
 -0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff
 4f3ccd8;;PS)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;R
 PWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f8
 0367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-
 11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

> unicodePwd::

I would change Administrator's password, you have given it to the world ;-)

Rowland
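
Added example (not part of the original thread or of Samba): a filter that masks secret attributes such as unicodePwd and supplementalCredentials in ldbsearch LDIF output before it is pasted into a public post. The attribute list is a subset chosen for illustration, and the sample record and its values are constructed.

```python
import re

# Secret attributes to mask. Subset chosen for this example; extend as needed.
SECRET_ATTRS = frozenset(a.lower() for a in (
    "unicodePwd", "supplementalCredentials", "dBCSPwd",
    "ntPwdHistory", "lmPwdHistory",
    "trustAuthIncoming", "trustAuthOutgoing",
))

# Matches "name: value" and "name:: base64value".
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*)(::?) ?(.*)$")


def unfold(ldif):
    """Join folded LDIF lines: a line starting with one space continues the previous one."""
    return re.sub(r"\r?\n ", "", ldif).splitlines()


def naive_redact(ldif):
    """Line-based filter, shown for contrast: it leaves folded continuation lines behind."""
    return "\n".join(
        line for line in ldif.splitlines()
        if line.split(":", 1)[0].lower() not in SECRET_ATTRS
    ) + "\n"


def redact_ldif(ldif):
    """Return (redacted_text, names_of_masked_attributes)."""
    out, masked = [], []
    for line in unfold(ldif):
        m = ATTR_LINE.match(line)
        if m and m.group(1).lower() in SECRET_ATTRS:
            # Keep the attribute name so readers can see it was present.
            out.append("%s%s <REDACTED>" % (m.group(1), m.group(2)))
            masked.append(m.group(1))
        else:
            out.append(line)
    return "\n".join(out) + "\n", masked


# Constructed sample record; the base64 values are placeholders, not real hashes.
SAMPLE = """\
# record 1
dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Administrator
unicodePwd:: Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtUkVBTC1IQVNILUNPTlNUUlVDVEVE
 LVBMQUNFSE9MREVSLVRBSUw=
supplementalCredentials:: Q09OU1RSVUNURUQtQkxPQg==
pwdLastSet: 0
"""

if __name__ == "__main__":
    text, masked = redact_ldif(SAMPLE)
    print(text)
    print("masked:", ", ".join(masked))
```

The unfolding step is what matters: a filter that drops only the line starting with the attribute name leaves the wrapped remainder of the value in the output.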
Franta Hanzlík
2019-Mar-27 02:50 UTC
[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed
On Tue, 26 Mar 2019 09:29:41 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 26 Mar 2019 05:18:20 +0100
> Franta Hanzlík <franta at hanzlici.cz> wrote:
>
> > Hi Tim and Rowland, thanks for Your support!
> > I was thinking about e.g. Python 2.7.15 compatibility (as newer Samba
> > versions require Python3), but You are right, here in DB can be
> > problem
> > - first Samba AD DC was created by migrating Samba3 NT4 domain to
> > Samba4 AD cca week ago (using 'samba-tool domain classicupgrade ...',
> > according to Samba Wiki):
> >
> > [root at dc1 samba]# samba-tool dbcheck
> > Checking 701 objects
> > NOTE: old (due to rename or delete) DN string component for
> > lastKnownParent in object CN=RID
> > Set\0ADEL:2df6a1a3-2a54-4385-ae71-5d95b1348310,CN=Deleted
> > Objects,DC=zamecek,DC=home - CN=DC2-LYNX,OU=Domain
> > Controllers,DC=zamecek,DC=home Not fixing old string component
>
> You can ignore lines like that, the '\0ADEL' means it is a deleted
> object and will eventually go away.
>
> > > 2. Try dumping the object it's failing on, just to see if there's
> > > anything odd with the objectClass attributes. E.g.
> > > ldbsearch -H ldap://$SERVER -b
> > > 'CN=Administrator,CN=Users,DC=zamecek,DC=home'
> >
> > [root at dc1 samba]# ldbsearch
> > -H /var/lib/samba/private/sam.ldb.d/DC=ZAMECEK,DC=HOME.ldb
> > '(CN=Administrator)'
>
> Do not touch the files found under 'sam.ldb.d', use the 'sam.ldb' file
> instead, or use the 'ldbsearch' as shown, not that it would work for
> what you require, it should have been something like this:
>
> ldbsearch -H ldap://dc4 -UAdministrator -b
> 'CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com' -s base
> nTSecurityDescriptor
>
> Which (after you enter Administrator's password) should produce
> something like this:
>
> # record 1
> dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
> nTSecurityDescriptor: O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWP
>  CRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;
>  ;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-1
>  1d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(O
>  A;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1
>  -aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(OA
>  ;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768
>  -00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;A
>  U)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77b5b886-944a-11d1
>  -aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;
>  RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-0
>  0aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf
>  967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58
>  d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32
>  -561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;CIIOID;
>  RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;
>  RU)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-0
>  0aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-14
>  37-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf
>  ;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-902
>  0-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;bc0ac240-7
>  9a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID
>  ;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28
>  ;RU)(OA;CIID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-
>  00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1
>  437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f93
>  9;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-85
>  4e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6
>  d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CII
>  D;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e
>  2;ED)(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;
>  RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPLCLORC;;bf967aba
>  -0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff
>  4f3ccd8;;PS)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;R
>  PWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f8
>  0367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-
>  11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

I'm still confused, there is something I still miss, some joining piece - 'ldbsearch', as You recommended use it, fail with error '-U: unknown option':

[root at dc1 samba]# ldbsearch -H ldap://dc1 -U Administrator -b 'CN=Administrator,CN=Users,DC=zamecek,DC=home' -s base nTSecurityDescriptor
Invalid option -U: unknown option
Usage: ldbsearch <options> <expression> <attrs...>
Usage: [OPTION...]
  -H, --url=URL database URL
  -b, --basedn=DN base DN
...

Should I use ldapsearch instead? All I'm able to get is (pointing to 'sam.ldb'):

[root at dc1 samba]# LDB_MODULES_PATH="/usr/lib64/samba/ldb/" ldbsearch -H /var/lib/samba/private/sam.ldb '(CN=Administrator)' nTSecurityDescriptor
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
# record 1
dn: CN=Administrator,CN=Users,DC=zamecek,DC=home
nTSecurityDescriptor: O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWP
 CRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;
 ;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-1
 1d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(O
 A;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1
 -aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(OA
 ;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768
 -00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;A
 U)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77b5b886-944a-11d1
 -aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;
 RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-0
 0aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf
 967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58
 d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32
 -561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;CIIOID;
 RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;
 RU)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-0
 0aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-14
 37-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf
 ;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-902
 0-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;bc0ac240-7
 9a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID
 ;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28
 ;RU)(OA;CIID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-
 00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1
 437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f93
 9;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-85
 4e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6
 d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CII
 D;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e
 2;ED)(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;
 RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPLCLORC;;bf967aba
 -0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff
 4f3ccd8;;PS)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;R
 PWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f8
 0367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-
 11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

# Referral
ref: ldap://zamecek.home/CN=Configuration,DC=zamecek,DC=home

# Referral
ref: ldap://zamecek.home/DC=DomainDnsZones,DC=zamecek,DC=home

# Referral
ref: ldap://zamecek.home/DC=ForestDnsZones,DC=zamecek,DC=home

# returned 4 records
# 1 entries
# 3 referrals

or:

[root at dc1 samba]# LDB_MODULES_PATH="/usr/lib64/samba/ldb/" ldbsearch -H /var/lib/samba/private/sam.ldb '(CN=Administrator)'
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
# record 1
dn: CN=Administrator,CN=Users,DC=zamecek,DC=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: posixAccount
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20190227200715.0Z
uSNCreated: 3626
name: Administrator
objectGUID: 17f000a0-dfd2-46a1-a96d-3e6b55438d92
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-9998-9997-9996-500
adminCount: 1
accountExpires: 9223372036854775807
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=zamecek,DC=home
isCriticalSystemObject: TRUE
pwdLastSet: 131960948110000000
memberOf: CN=Domain Admins,OU=System_Groups,DC=zamecek,DC=home
memberOf: CN=Schema Admins,OU=System_Groups,DC=zamecek,DC=home
memberOf: CN=Enterprise Admins,OU=System_Groups,DC=zamecek,DC=home
memberOf: CN=Group Policy Creator Owners,OU=System_Groups,DC=zamecek,DC=home
memberOf: CN=Administrators,CN=Builtin,DC=zamecek,DC=home
gidNumber: 1103
uidNumber: 0
loginShell: /bin/bash
unixHomeDirectory: /root
lastLogonTimestamp: 131976602069696270
whenChanged: 20190321164326.0Z
uSNChanged: 9904
lastLogon: 131981261571043650
logonCount: 621
distinguishedName: CN=Administrator,CN=Users,DC=zamecek,DC=home

# Referral
ref: ldap://zamecek.home/CN=Configuration,DC=zamecek,DC=home

# Referral
ref: ldap://zamecek.home/DC=DomainDnsZones,DC=zamecek,DC=home

# Referral
ref: ldap://zamecek.home/DC=ForestDnsZones,DC=zamecek,DC=home

# returned 4 records
# 1 entries
# 3 referrals

Is it usable?

> > unicodePwd::
>
> I would change Administrator's password, you have given it to the
> world ;-)

Thanks, You are right, but it is one-time password and this network is not world-accessible. It seems as other problems I have maybe bigger ;)

Franta
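
Added example (not from the thread or from Samba): one way to compare the nTSecurityDescriptor that ldbsearch returns with a reference descriptor, ACE by ACE, instead of by eye. The parser covers only the O:, G:, D: and S: layout seen in the output above, and both sample descriptors are constructed and shortened.

```python
import re
from collections import Counter

# Layout handled here: O:<owner>G:<group>D:<flags>(ace)...S:<flags>(ace)...
SDDL = re.compile(
    r"^(?:O:(?P<owner>[A-Z]{2}|S-[0-9-]+))?"
    r"(?:G:(?P<group>[A-Z]{2}|S-[0-9-]+))?"
    r"(?:D:(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^()]*\))*))?"
    r"(?:S:(?P<sflags>[A-Z]*)(?P<sacl>(?:\([^()]*\))*))?$"
)


def parse_sddl(value):
    """Split an SDDL string into owner, group, ACL flags and ACE lists."""
    # The value may arrive folded across LDIF lines; these strings carry no
    # meaningful whitespace, so all of it is dropped before parsing.
    sddl = re.sub(r"\s+", "", value)
    m = SDDL.match(sddl)
    if not m:
        raise ValueError("unrecognised SDDL layout")

    def aces(part):
        # Each ACE is "type;flags;rights;object_guid;inherit_guid;trustee".
        return re.findall(r"\(([^()]*)\)", part or "")

    return {
        "owner": m["owner"], "group": m["group"],
        "dacl_flags": m["dflags"] or "", "dacl": aces(m["dacl"]),
        "sacl_flags": m["sflags"] or "", "sacl": aces(m["sacl"]),
    }


def diff_descriptors(reference, actual):
    """Report what differs between two descriptors; an empty dict means no difference.

    ACE order is not compared, only which ACEs are present and how often.
    """
    ref, act = parse_sddl(reference), parse_sddl(actual)
    report = {}
    for field in ("owner", "group", "dacl_flags", "sacl_flags"):
        if ref[field] != act[field]:
            report[field] = (ref[field], act[field])
    for acl in ("dacl", "sacl"):
        missing = list((Counter(ref[acl]) - Counter(act[acl])).elements())
        extra = list((Counter(act[acl]) - Counter(ref[acl])).elements())
        if missing or extra:
            report[acl] = {"missing": missing, "extra": extra}
    return report


# Constructed reference descriptor (shortened ACE list).
REFERENCE = (
    "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;PS)(A;;RC;;;AU)"
    "S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)

# Constructed "actual" value, folded the way ldbsearch prints it: the owner is
# a literal SID (placeholder numbers) and the SY ACE is absent.
ACTUAL = (
    "O:S-1-5-21-1111-2222-3333-500G:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLC\n"
    " LORC;;;PS)(A;;RC;;;AU)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf\n"
    " 967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)

if __name__ == "__main__":
    for key, value in diff_descriptors(REFERENCE, ACTUAL).items():
        print(key, value)
```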