27.06.2016 18:45, mathias dufresne:
> Perhaps you don't have yet duplicate objectSid as that's not supposed to be
> possible.
> Rather than scripting something to look for objectSid used twice I would
> start with dbcheck and other tools to verify that your database is
> consistent and identical on all servers.

[root at pdc ~]# samba-tool dbcheck
Checking 3346 objects
Checked 3346 objects (0 errors)

[root at bdc ~]# samba-tool dbcheck
Checking 3346 objects
Checked 3346 objects (0 errors)

[root at dc46 ~]# samba-tool dbcheck
Checking 3346 objects
Checked 3346 objects (0 errors)


[root at pdc ~]# samba-tool ldapcmp ldap://pdc ldap://bdc -Uadministrator --filter=msDS-NcType,serverState,subrefs,whenChanged
Password for [administrator]:
* Comparing [DOMAIN] context...
* Objects to be compared: 3207
* Result for [DOMAIN]: SUCCESS
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1621
* Result for [CONFIGURATION]: SUCCESS
* Comparing [SCHEMA] context...
* Objects to be compared: 1550
* Result for [SCHEMA]: SUCCESS
* Comparing [DNSDOMAIN] context...
* Objects to be compared: 196
* Result for [DNSDOMAIN]: SUCCESS
* Comparing [DNSFOREST] context...
* Objects to be compared: 19
* Result for [DNSFOREST]: SUCCESS

[root at pdc ~]# samba-tool ldapcmp ldap://pdc ldap://dc46 -Uadministrator --filter=msDS-NcType,serverState,subrefs,whenChanged
Password for [administrator]:
* Comparing [DOMAIN] context...
* Objects to be compared: 3207
* Result for [DOMAIN]: SUCCESS
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1621
* Result for [CONFIGURATION]: SUCCESS
* Comparing [SCHEMA] context...
* Objects to be compared: 1550
* Result for [SCHEMA]: SUCCESS
* Comparing [DNSDOMAIN] context...
* Objects to be compared: 196
* Result for [DNSDOMAIN]: SUCCESS
* Comparing [DNSFOREST] context...
* Objects to be compared: 19
* Result for [DNSFOREST]: SUCCESS

>
> 2016-06-27 15:21 GMT+02:00 Zhuchenko Valery <zvn at belkam.com>:
>
>> Hi all!
>>
>> Today, after two years of production, I get this error:
>>
>> samba-tool user create test20160627 testpassword
>>
>> ERROR(ldb): Failed to add user 'test20160627': -
>> ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in
>> CN=test20160627,CN=Users,DC=ad... - ../lib/ldb/ldb_tdb/ldb_index.c:1148:
>> unique index violation on objectSid in CN=test20160627,CN=Users,DC=ad...
>>
>> Help me please, how to find which objectSid is not unique?
>> I have 3 DC's on centos 7, samba 4.1 (I know, old version).
>>
>> Valery
I understand why I get the error about a unique index violation on objectSid:

samba-tool fsmo show
RidAllocationMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,...

The last created object has objectSid S-1-5-21-763247336-2482037999-3416227170-2001 (it is a record for a computer).
The last digits are 2001, and the last assigned RID is 2001:

[root at pdc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb CN="RID Set"
# record 3
dn: CN=RID Set,CN=PDC,OU=Domain Controllers,...
rIDNextRID: 2001
rIDPreviousAllocationPool: 1600-2099
rIDUsedPool: 1
rIDAllocationPool: 2600-3099

https://support.microsoft.com/en-us/kb/305475
RidNextRid: The RID that was assigned to the last security principal that was created on the local domain controller.
RidPreviousAllocationPool: The pool from which RIDs are currently taken
RidAllocationPool: Each domain controller has two pools: the one that they are currently acting on, and the pool that they will use next. It is the next pool

I think the next RID is 2002?
Try to search:
[root at pdc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=AD\,... objectSid
dn: CN=username\0ADEL:a230f645-268d-4ea9-8993-da3ae7032b4a,CN=Deleted Objects,DC=ad,...
objectSid: S-1-5-21-763247336-2482037999-3416227170-2002
It is deleted, but exists.

What can I do to solve my problem? Maybe change rIDNextRID to 2099 on the RID Master?

Valery

28.06.2016 10:00, Zhuchenko Valery:
> [...]
On 28/06/16 12:05, Zhuchenko Valery wrote:
> [...]

The problem is 'RidNextRid' doesn't contain (as you would expect) the next RID, it contains the last RID used.

See here: https://support.microsoft.com/en-us/kb/305475

Where you will find this:

* RidNextRid
  DN Path: CN=Rid Set,Cn=computername,ou=domain controllers,DC=domain,DC=COM
  The RID that was assigned to the last security principal that was created on the local domain controller. RidNextRid is a non-replicated value in Active Directory.
  o Sample Value: 159345 (RID assigned to the last created security principal from the RidPreviousAllocationPool)

Rowland
Hi Valery,

First thank you for this detailed information about your searches. I find them very interesting.

Here I'm thinking of two workarounds. The first one would be to list deleted objects' RIDs, to verify RID=2002 is really the last one used, being sure there is no deleted object with RID=2003 and so on. Then once you get the last RID used, you could change RidNextRid to match this maximum value of used RID.

The second would be a lazy action: change tombstoneLifetime, which is by default 180 days, to only 1 day. Doing that, tomorrow all deleted objects will be deleted and if you are lucky - I can't guarantee that will work - you will be able to reuse these RIDs.

Hoping this helps...

M.

2016-06-28 13:05 GMT+02:00 Zhuchenko Valery <zvn at belkam.com>:
> [...]
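Rowland's point (rIDNextRID holds the last RID handed out, so the next one is rIDNextRID + 1) and Mathias's first workaround (list the deleted objects' RIDs and find the real highest RID in use before touching rIDNextRID) as one added Python check. This is example code written for this thread, not from the Samba project or any of the posters; it parses the LDIF that ldbsearch prints (in practice a search of sam.ldb that includes deleted objects, e.g. with --show-deleted), and the records below are constructed, using the thread's domain SID with made-up DNs.

```python
import re

# Constructed sample in ldbsearch (LDIF) form: the RID Set from the thread plus
# three objects; the two isDeleted records hold RIDs 2002 and 2003.
SAMPLE_LDIF = """\
dn: CN=RID Set,CN=PDC,OU=Domain Controllers,DC=ad,DC=example
rIDNextRID: 2001
rIDPreviousAllocationPool: 1600-2099

dn: CN=PC01,CN=Computers,DC=ad,DC=example
objectSid: S-1-5-21-763247336-2482037999-3416227170-2001

dn: CN=username\\0ADEL:a230f645-268d-4ea9-8993-da3ae7032b4a,CN=Deleted Objects,DC=ad,DC=example
objectSid: S-1-5-21-763247336-2482037999-3416227170-2002
isDeleted: TRUE

dn: CN=olduser\\0ADEL:00000000-0000-0000-0000-000000000003,CN=Deleted Objects,DC=ad,DC=example
objectSid: S-1-5-21-763247336-2482037999-3416227170-2003
isDeleted: TRUE
"""
# Domain SID: the RID is the last sub-authority; well-known SIDs do not match.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def parse_ldif(text):
    """Turn ldbsearch output into one {attribute: [values]} dict per record."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():              # blank line ends a record
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):    # skip '# record N' comments
            attr, _, value = line.partition(": ")
            cur.setdefault(attr, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def rid_of(sid):
    """RID of a domain SID, or None for non-domain SIDs such as S-1-5-32-544."""
    m = SID_RE.match(sid)
    return int(m.group(1)) if m else None


def parse_pool(text):
    """ldbsearch displays a RID pool as 'low-high'."""
    lo, hi = text.split("-")
    return int(lo), int(hi)


def check_rid_set(entries):
    """Compare rIDNextRID (the LAST RID handed out) with the RIDs actually present."""
    rid_set = next(e for e in entries if "rIDNextRID" in e)
    last_rid = int(rid_set["rIDNextRID"][0])
    lo, hi = parse_pool(rid_set["rIDPreviousAllocationPool"][0])
    used = {}                             # rid -> [(dn, is_deleted), ...]
    for e in entries:
        rid = rid_of(e.get("objectSid", [""])[0])
        if rid is not None:
            deleted = e.get("isDeleted", ["FALSE"])[0].upper() == "TRUE"
            used.setdefault(rid, []).append((e["dn"][0], deleted))
    highest = max((r for r in used if lo <= r <= hi), default=lo - 1)
    return {
        "next_rid": last_rid + 1,         # what the DC will try to assign next
        "highest_used": highest,
        "highest_is_deleted": highest in used and all(d for _, d in used[highest]),
        "collision": last_rid + 1 <= highest,   # next create would reuse a RID
        "suggested_rIDNextRID": max(last_rid, highest),
        "duplicate_rids": sorted(r for r, owners in used.items() if len(owners) > 1),
    }
```

On the sample, the check reports that the next RID (2002) is still held by a deleted object and that the highest RID in the current pool is 2003, which is the value rIDNextRID would have to match; it also lists any RID carried by more than one object, the duplicate that dbcheck did not find.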
2016-06-28 14:22 GMT+02:00 valera <valera at zvn.p98.belkam.com>:
> 28.06.2016 15:50, mathias dufresne:
>> Here I'm thinking of two workarounds. The first one would be to list
>> deleted objects RIDs, to verify RID=2002 is really the last one used,
>> being sure there is no deleted object with RID=2003 and so on. Then once
>> you get the last RID used, you could change RidNextRid to match this
>> maximum value of used RID.
> Is it safe to change RidNextRid? Do I correctly understand that RidNextRid
> should be changed on the DC where rIDPreviousAllocationPool contains the
> RID of the last created object?

No idea if it is safe. I just meant that's what I would try : )

About where to change it, not much more idea. I would change it on the DC you tried to add the user on, because this is the DC which refused to use the RID pool it was given, because RidNextRid contains a value too low compared to already given RIDs.
I did search on my FSMO owner for "CN=RID Set" and I receive one answer per DC, each with a different rIDAllocationPool of course.

I believe I read something here about something not replicated (no time to re-read the whole thread carefully enough, sorry). If you change rIDNextRID by hand, just check on the other DCs that your change is replicated, to keep the DB consistent. I expect it is replicated; that would be a simple way for the FSMO RID master to know it has to give more RID pools.

>> The second would be a lazy action: change tombstoneLifetime which is by
>> default 180 days to only 1 day. Doing that tomorrow all deleted objects
>> will be deleted and if you are lucky - I can't guaranty that will work -
>> you will able to reuse these RIDs.
> No, only 1 day is impossible:
> https://technet.microsoft.com/en-us/library/dd392260(v=ws.10).aspx If
> the value is less than 3 days, the tombstone lifetime is 3 days.

1 day is accepted by the Samba DB. I did try : )
I'm not sure if my objects were deleted just 24 hours after the change, or earlier, or later. Anyway 1 or 3 days could be an acceptable delay to auto-solve an unsolvable issue. At least for me it seems acceptable ;)

The point of that change is that you are diving into the unknown when playing with RID pool data; it seems a bit of a dive.

>> Hoping this helps...
> And I...
>
> Valery
I love diving : )

2016-06-28 16:44 GMT+02:00 mathias dufresne <infractory at gmail.com>:
> [...]
> I love diving : )

Ok mathias,

Can you explain this? This I don't get....
Why is this output so different, and I don't mean the difference with NTDOMAIN\.. See the group differences... between an ADDC and a member server..

Samba 4.4.3 ADDC
id someusername
uid=10002(NTDOMAIN\someusername) gid=10000(NTDOMAIN\domain users) groups=10000(NTDOMAIN\domain users),3000053(NTDOMAIN\sng-certificaat-gpo),10005(NTDOMAIN\remote-webmail),3000058(NTDOMAIN\usb-lees-toegang),10003(NTDOMAIN\server-aftermath),10008(NTDOMAIN\servers-www),3000154(NTDOMAIN\remote-xenservers),3000118(NTDOMAIN\cddvd-schrijf-toegang),3000030(NTDOMAIN\remote-toegang-pcs),3000117(NTDOMAIN\cddvd-lees-toegang),3000059(NTDOMAIN\usb-schrijf-toegang),3000148(NTDOMAIN\gitslinux-gebruikers),3000043(NTDOMAIN\afd-itdep),3000173(NTDOMAIN\dnsadmins),3000038(NTDOMAIN\vest-rotterdam),3000039(NTDOMAIN\allen),3000065(NTDOMAIN\vertrouwde-websites),3000040(NTDOMAIN\boven),3000004(NTDOMAIN\group policy creator owners),3000005(NTDOMAIN\denied rodc password replication group),10004(NTDOMAIN\servers-ssh),3000174(NTDOMAIN\lokaleprinter-xerox11hp),3000176(NTDOMAIN\alle-schijftoegang),3000005(NTDOMAIN\denied rodc password replication group),3000173(NTDOMAIN\dnsadmins),3000009(BUILTIN\users)

Samba 4.4.3 Member server.
id someusername
uid=10002(someusername) gid=10000(domain users) groups=10000(domain users),27(sudo),116(lpadmin),10005(remote-webmail),10003(server-aftermath),10008(servers-www),10004(servers-ssh),10009(alle-schijftoegang),2001(BUILTIN\users)

Now if I add this user on the member server to the sudo group... you see: 27(sudo)
Same on the ADDC, nothing.. but the user IS added to the local group sudo. I checked the /etc/group
Very strange imo..

Greetz,

Louis