samba - Mar 2015 - Administrator can no longer connect to member server after removing uidnumber from administrator

Hello list!

Some of you may recall my recent semi-spamming of this wonderful list with
questions about acl problems on a member server. It turns out that I should
not have immediately assigned a UIDnumber to Administrator, nor a GIDNumber
to Domain Admins. :(

I have removed the NIS attributes for Administrator and Domain Admins in
ADUC, and have not been able to login to the member server as Administrator
since. I have done a net cache flush, and restarted this member server.

The sam.ldb and idmap.ldp appear to contain the mappings for the correct SID
(s-1-5-21-<STUFF>-500), but on the member server:

log.winbindd contains:
	Could not convert sid S-1-5-21-<STUFF>-500: NT_STATUS_NONE_MAPPED

And log.winbindd-idmap contains:
	Could not get unix ID for SID S-1-5-21-<STUFF>-500

While I have in log.wb-<DOMAIN>
	NTLM CRAP authentication for user [<DOMAIN>]\[administrator]
returned NT_STATUS_OK (PAM: 0)

Log.smbd shows failures in winbind, NTLMSSP, and SPNEGO of:
NT_STATUS_NO_SUCH_USER.

>From a DC, or the member this works: (samba1 is a Domain Controller)
smbclient -L samba1.<DOMAIN>.<TLD> -Uadministrator

But this does not (fs3 is the Member Server):
smbclient -L fs3.<DOMAIN>.<TLD> -Uadministrator

This does work:
smbclient -L fs3.<DOMAIN>.<TLD> -U<normal user>


Any ideas?

Thanks everyone!


Shane Robinson
Chief Administrative Officer
SimpeQ Care Inc.
t. 604.988.3103 ext. 104
c. 604.506.3311
f. 604.988.3105
Please consider the environment before printing this email.