Hi,

> OK, I take it that 3000009 points to CN=S-1-5-11 and it is just
> CN=S-1-5-18 that is wrong by pointing at proxmox$ (which incidentally,
> is one of your computers)
> Try backing up idmap.ldb, then open idmap.ldb in ldbedit, find and
> delete the stanza that holds CN=S-1-5-18, it will look like this:
>
> dn: CN=S-1-5-18
> cn: S-1-5-18
> objectClass: sidMap
> objectSid: S-1-5-18
> type: ID_TYPE_BOTH
> xidNumber: 3000002 # NOTE: your number will be different!
> distinguishedName: CN=S-1-5-18
>
> Just delete it and then close & save your editor, run 'net cache flush'
> and then let Samba recreate the record.

So, I did that, and output is still the same...?

I re-checked idmap.ldb on dc4, and a new entry was generated for CN=S-1-5-18, but not with the expected xidNumber 3000300 (like on dc2/dc3) but 3000306.

Then I searched idmap.ldb on dc4 for xidNumber 3000300, and it already exists for a record:

> # record 295
> dn: CN=S-1-5-21-90123450-981238634-861235949-133256
> cn: S-1-5-21-90123450-981238634-861235949-133256
> objectClass: sidMap
> objectSid: S-1-5-21-90123450-981238634-861235949-133256
> type: ID_TYPE_BOTH
> xidNumber: 3000300
> distinguishedName: CN=S-1-5-21-90123450-981238634-861235949-133256

My guess is that this is the proxmox test machine we saw in the getfacl output on ./sysvol.

Should I simply delete that record as well..? (or am I being far too optimistic now?)

MJ

On 20/06/16 21:17, mj wrote:
> Hi,
>
>> OK, I take it that 3000009 points to CN=S-1-5-11 and it is just
>> CN=S-1-5-18 that is wrong by pointing at proxmox$ (which incidentally,
>> is one of your computers)
>> Try backing up idmap.ldb, then open idmap.ldb in ldbedit, find and
>> delete the stanza that holds CN=S-1-5-18, it will look like this:
>>
>> dn: CN=S-1-5-18
>> cn: S-1-5-18
>> objectClass: sidMap
>> objectSid: S-1-5-18
>> type: ID_TYPE_BOTH
>> xidNumber: 3000002 # NOTE: your number will be different!
>> distinguishedName: CN=S-1-5-18
>>
>> Just delete it and then close & save your editor, run 'net cache flush'
>> and then let Samba recreate the record.
>
> So, I did that, and output is still the same...?
>
> I re-checked idmap.ldb on dc4, and a new entry was generated for
> CN=S-1-5-18, but not with the expected xidNumber 3000300 (like on
> dc2/dc3) but 3000306.
>
> Then I searched idmap.ldb on dc4 for xidNumber 3000300, and it already
> exists for a record:
>
>> # record 295
>> dn: CN=S-1-5-21-90123450-981238634-861235949-133256
>> cn: S-1-5-21-90123450-981238634-861235949-133256
>> objectClass: sidMap
>> objectSid: S-1-5-21-90123450-981238634-861235949-133256
>> type: ID_TYPE_BOTH
>> xidNumber: 3000300
>> distinguishedName: CN=S-1-5-21-90123450-981238634-861235949-133256
>
> My guess is that this is the proxmox test machine we saw in the
> getfacl output on ./sysvol.
>
> Should I simply delete that record as well..? (or am I being far too
> optimistic now?)
>
> MJ
>

You could, but what does getfacl now show for sysvol?
You could also try running sysvolreset on sysvol.

Rowland

On 06/20/2016 10:32 PM, Rowland penny wrote:
>
> You could, but what does getfacl now show for sysvol?
> You could also try running sysvolreset on sysvol.

same output, including proxmox....
and I already tried that, output still the same with proxmox...

MJ
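
The comparison done by hand in this thread (which xidNumber each DC holds for a given SID, and which SID each DC holds for a given xidNumber) can be scripted. The following is an added example, not part of any poster's message and not Samba code; it assumes each DC's idmap.ldb has been dumped to text in the stanza layout quoted above, and the function names and the `dc2`/`dc4` sample dumps are constructed here from the values reported in the thread.

```python
import re
from collections import defaultdict

def parse_idmap(ldif_text):
    """Return {objectSid: xidNumber} for every sidMap stanza in a text dump."""
    mapping = {}
    for stanza in re.split(r"\n\s*\n", ldif_text.strip()):
        attrs = {}
        for line in stanza.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip "# record N" comments and stray lines
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.split("#", 1)[0].strip()  # drop inline notes
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def compare_idmaps(dumps):
    """dumps maps DC name -> dump text. Returns (sid_mismatches, xid_conflicts)."""
    by_sid, by_xid = defaultdict(dict), defaultdict(dict)
    for dc, text in dumps.items():
        for sid, xid in parse_idmap(text).items():
            by_sid[sid][dc] = xid
            by_xid[xid][dc] = sid
    # Same SID, different xidNumber on different DCs.
    sid_mismatches = {s: m for s, m in by_sid.items() if len(set(m.values())) > 1}
    # Same xidNumber, different SID on different DCs.
    xid_conflicts = {x: m for x, m in by_xid.items() if len(set(m.values())) > 1}
    return sid_mismatches, xid_conflicts

def stanza(sid, xid):
    """Build one stanza in the layout quoted in the thread (constructed sample)."""
    return (f"dn: CN={sid}\ncn: {sid}\nobjectClass: sidMap\nobjectSid: {sid}\n"
            f"type: ID_TYPE_BOTH\nxidNumber: {xid}\ndistinguishedName: CN={sid}\n")

# Constructed sample dumps using the values reported in the thread.
MACHINE_SID = "S-1-5-21-90123450-981238634-861235949-133256"
SAMPLE_DUMPS = {
    "dc2": stanza("S-1-5-18", 3000300),
    "dc4": "# record 295\n" + stanza(MACHINE_SID, 3000300) + "\n"
           + stanza("S-1-5-18", 3000306),
}

if __name__ == "__main__":
    mismatches, conflicts = compare_idmaps(SAMPLE_DUMPS)
    for sid, per_dc in mismatches.items():
        print(f"SID {sid} has different xidNumbers: {per_dc}")
    for xid, per_dc in conflicts.items():
        print(f"xidNumber {xid} maps to different SIDs: {per_dc}")
```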