Markus Dellermann
2016-Feb-02 13:38 UTC
[Samba] samba_upgradedns returned an error "Unable to find uid/gid for Domain Admins "
Hi again, Am Dienstag, 2. Februar 2016, 12:09:59 CET schrieb Rowland penny:> On 02/02/16 11:26, Markus Dellermann wrote: > > Am Dienstag, 2. Februar 2016, 09:51:03 CET schrieb Rowland penny: > >> On 01/02/16 22:24, Markus Dellermann wrote:[....]> Ok, there are two schools of thought here, you can give Administrator a > uidNumber attribute, but this, as far as Unix is concerned, turns > 'Administrator' into just another user, with no more privileges than any > other Unix user. > > What I use on a domain member and recommend, is the use of the user > mapping in smb.conf, with this 'Administrator' becomes 'root' and as > such, has all the privileges of 'root'. >Yes, so it is here alright on my members..> However, you are trying to do something on a DC and you shouldn't use > the name mapping, as this should be done for you in idmap.ldb. I suggest > you remove any users that appear in /etc/passwd, such as administrator, > that are also in AD, I would also remove the uidNumber attribute from > 'Administrator' in AD.OK> > This should then reset 'Administrator' to '0' >I have insert 0 there now and it gave "its already assigned... I see now, there is the user "root" in ad with uid 0 I changed this, but maybe i should delete root from ad ? (I think, i should have changed this before classicupgrade)> If I run 'getent passwd administrator' on a DC, I get: > > SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash >No, nothing, hm.... master:~ # getent passwd administrator master:~ # getent passwd Administrator master:~ # pdbedit -Lv administrator Unix username: Administrator NT username: Account Flags: [U ] User SID: S-1-5-21-855155194-824588496-1214258294-500 Primary Group SID: S-1-5-21-855155194-824588496-1214258294-513 Full Name: Home Directory: \\samba\home\administrator HomeDir Drive: H: Logon Script: Profile Path: \\samba\profiles\administrator\.msprofile Domain: Account desc: Built-in account for administering the computer/domain Workstations: Munged dial: Logon time: Di, 02 Feb 2016 11:38:16 CET Logoff time: 0 Kickoff time: Do, 14 Sep 30828 04:48:05 CEST Password last set: Mi, 30 Sep 2015 19:23:24 CEST Password can change: Mi, 30 Sep 2015 19:23:24 CEST Password must change: never Last bad password : 0 Bad password count : 0 Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF master:~ # wbinfo -i administrator 4MA3MA\administrator:*:10000:10004::/home/4MA3MA/administrator:/bin/false "samba_upgradedns --dns-backend=BIND9_DLZ" still doesnt work> but if run the same command on a domain member, I get nothing. >Yes!> RowlandMarkus
Rowland penny
2016-Feb-02 13:58 UTC
[Samba] samba_upgradedns returned an error "Unable to find uid/gid for Domain Admins "
On 02/02/16 13:38, Markus Dellermann wrote:> Hi again, > > Am Dienstag, 2. Februar 2016, 12:09:59 CET schrieb Rowland penny: >> On 02/02/16 11:26, Markus Dellermann wrote: >>> Am Dienstag, 2. Februar 2016, 09:51:03 CET schrieb Rowland penny: >>>> On 01/02/16 22:24, Markus Dellermann wrote: > [....] >> Ok, there are two schools of thought here, you can give Administrator a >> uidNumber attribute, but this, as far as Unix is concerned, turns >> 'Administrator' into just another user, with no more privileges than any >> other Unix user. >> >> What I use on a domain member and recommend, is the use of the user >> mapping in smb.conf, with this 'Administrator' becomes 'root' and as >> such, has all the privileges of 'root'. >> > Yes, so it is here alright on my members.. > >> However, you are trying to do something on a DC and you shouldn't use >> the name mapping, as this should be done for you in idmap.ldb. I suggest >> you remove any users that appear in /etc/passwd, such as administrator, >> that are also in AD, I would also remove the uidNumber attribute from >> 'Administrator' in AD. > OK >> This should then reset 'Administrator' to '0' >> > I have insert 0 there now and it gave "its already assigned...No, I said *remove* the uidNumber attribute from Administrator in AD. If I run (on a DC) 'ldbedit -e nano -H /usr/local/samba/private/sam.ldb' and then search for Administrator, I get this: dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Administrator description: Built-in account for administering the computer/domain instanceType: 4 whenCreated: 20151106115615.0Z uSNCreated: 3545 name: Administrator objectGUID: fc9d301b-d893-4cc7-8167-8d977c531afb badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 pwdLastSet: 130912845750000000 primaryGroupID: 513 objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500 adminCount: 1 logonCount: 0 sAMAccountName: Administrator sAMAccountType: 805306368 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c om isCriticalSystemObject: TRUE memberOf: CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com memberOf: CN=Group Policy Creator Owners,CN=Users,DC=samdom,DC=example,DC=com memberOf: CN=Enterprise Admins,CN=Users,DC=samdom,DC=example,DC=com memberOf: CN=Schema Admins,CN=Users,DC=samdom,DC=example,DC=com memberOf: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com userAccountControl: 66048 accountExpires: 0 whenChanged: 20151111112600.0Z uSNChanged: 5899 distinguishedName: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com If I then run 'ldbedit -e nano -H /usr/local/samba/private/idmap.ldb' and search for the SID-RID I obtained above, I get this: dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500 cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500 objectClass: sidMap objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500 type: ID_TYPE_UID xidNumber: 0 distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500 The above is what maps 'Administrator' to 'root' on a DC.> I see now, there is the user "root" in ad with uid 0 > I changed this, but maybe i should delete root from ad ?No, put root back to being uid 0> (I think, i should have changed this before classicupgrade)Again NO.>> If I run 'getent passwd administrator' on a DC, I get: >> >> SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash >> > No, nothing, hm.... > master:~ # getent passwd administrator > master:~ # getent passwd AdministratorThis is probably because you are messing with Administrator. Rowland
Markus Dellermann
2016-Feb-02 15:52 UTC
[Samba] samba_upgradedns returned an error "Unable to find uid/gid for Domain Admins " -solved
Hi! Am Dienstag, 2. Februar 2016, 13:58:59 CET schrieb Rowland penny:> On 02/02/16 13:38, Markus Dellermann wrote: > > Hi again, > > > > Am Dienstag, 2. Februar 2016, 12:09:59 CET schrieb Rowland penny: > >> On 02/02/16 11:26, Markus Dellermann wrote: > >>> Am Dienstag, 2. Februar 2016, 09:51:03 CET schrieb Rowland penny: > >>>> On 01/02/16 22:24, Markus Dellermann wrote: > > [....] > >[...]> > I have insert 0 there now and it gave "its already assigned... > > No, I said *remove* the uidNumber attribute from Administrator in AD. IfYes you have!> I run (on a DC) 'ldbedit -e nano -H /usr/local/samba/private/sam.ldb' > and then search for Administrator, I get this: > > dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: user > cn: Administrator > description: Built-in account for administering the computer/domain > instanceType: 4 > whenCreated: 20151106115615.0Z > uSNCreated: 3545 > name: Administrator > objectGUID: fc9d301b-d893-4cc7-8167-8d977c531afb > badPwdCount: 0 > codePage: 0 > countryCode: 0 > badPasswordTime: 0 > lastLogoff: 0 > lastLogon: 0 > pwdLastSet: 130912845750000000 > primaryGroupID: 513 > objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500 > adminCount: 1 > logonCount: 0 > sAMAccountName: Administrator > sAMAccountType: 805306368 > objectCategory: > CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c > om > isCriticalSystemObject: TRUE > memberOf: CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com > memberOf: CN=Group Policy Creator > Owners,CN=Users,DC=samdom,DC=example,DC=com > memberOf: CN=Enterprise Admins,CN=Users,DC=samdom,DC=example,DC=com > memberOf: CN=Schema Admins,CN=Users,DC=samdom,DC=example,DC=com > memberOf: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com > userAccountControl: 66048 > accountExpires: 0 > whenChanged: 20151111112600.0Z > uSNChanged: 5899 > distinguishedName: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com >OK!> If I then run 'ldbedit -e nano -H /usr/local/samba/private/idmap.ldb' > and search for the SID-RID I obtained above, I get this: > > dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500 > cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500 > objectClass: sidMap > objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500 > type: ID_TYPE_UID > xidNumber: 0 > distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500 > > The above is what maps 'Administrator' to 'root' on a DC. >Argh! ldbedit -e nano -H /var/lib/samba/private/idmap.ldb no matching records - cannot edit Something seems to go wrong here. To be short - i replaced to idmap.ldb from my backup now and it works!> > I see now, there is the user "root" in ad with uid 0 > > I changed this, but maybe i should delete root from ad ? > > No, put root back to being uid 0OK> > (I think, i should have changed this before classicupgrade) > > Again NO. > > >> If I run 'getent passwd administrator' on a DC, I get: > >> > >> SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash > > > > No, nothing, hm.... > > master:~ # getent passwd administrator > > master:~ # getent passwd Administrator >This doesn`t show anything yet...> This is probably because you are messing with Administrator. > > RowlandThank you very much! Markus
Possibly Parallel Threads
- samba_upgradedns returned an error "Unable to find uid/gid for Domain Admins "
- samba_upgradedns returned an error "Unable to find uid/gid for Domain Admins "
- samba_upgradedns returned an error "Unable to find uid/gid for Domain Admins "
- winbind causing huge timeouts/delays since 4.8
- idmap & migration to rfc2307