samba - Oct 2016 - 3.6.23-25.el6_7 and 4.2.10 and "Domain Admins" are/not Admins?

hi all

I have two different Samba versions as PDC and BDC and 
depending on which one is "domain master" users which are 
domain admins are not recognized as such.

Everything seems normal with 3.6.23-25.el6_7 as "domain 
master" but when I configure them so 4.2.10 is the master 
then I login to Win7 fine but Windows tells me that the user 
is not an Admin and I need to supply credential (wherever 
it's necessary of course).

Both Sambas are config-wise virtually identical, I only swap 
"domain master = yes" around.

User backends are for both Sambas multi-master LDAP so these 
too should (I believe are) are identical for both servers.

What could it be? Gee, some good hint could be a 
master-headache savior.

many! thanks.

L.

hi

It can be so help

[global]
 >---admin users                    = @nt_admins

if not then I need

1. root at pdc:~# testparm
2. root at pdc:~# ldapsearch -xLLL -H ldapi:/// -b 
ou=groups,ou=arkhangelsk,dc=rugion,dc=ru

ldap suffix =  ou=arkhangelsk,dc=rugion,dc=ru

ldap group suffix = ou=groups

3. try

log level = 10

    max log size = 1000

and go through the authorization in windows pc
see the log of communication with the server PC.
usually here /var/log/samba/log.ip or /var/log/samba/log.name-pc

4. no harm will see errors in these files too

/var/log/samba/log.nmbd

/var/log/samba/log.smbd


On 20.10.2016 02:28, lejeczek via samba wrote:
> hi all
>
> I have two different Samba versions as PDC and BDC and depending on 
> which one is "domain master" users which are domain admins are
not
> recognized as such.
>
> Everything seems normal with 3.6.23-25.el6_7 as "domain master"
but
> when I configure them so 4.2.10 is the master then I login to Win7 
> fine but Windows tells me that the user is not an Admin and I need to 
> supply credential (wherever it's necessary of course).
>
> Both Sambas are config-wise virtually identical, I only swap "domain 
> master = yes" around.
>
> User backends are for both Sambas multi-master LDAP so these too 
> should (I believe are) are identical for both servers.
>
> What could it be? Gee, some good hint could be a master-headache savior.
>
> many! thanks.
>
> L.
>
>
-- 

Sincerely, Gavrilov Aleksey
System Administrator
Ltd. "Hearst Shkulev Digital Rugion"
tel .: 8 (351) 729-94-90, ext. 345
mob. +7 999 581 7934
gavrilov at info74.ru
Chelyabinsk, st. Lesoparkovaya , 6, office 308

thanks Aleksey

before I can try your suggestions I have to solve another 
problem which has just occur on that 4.2 Samba, now that 
server (it did crash caused some other hardware problem) fails:

$ smblcient -L //serverB -Uthis_dom\\this_user

SPNEGO login failed: Indicates the SID structure is not valid.
session setup failed: NT_STATUS_INVALID_SID

I do not recall there was on OS/samba update, only that 
crash(cold reboot) and now this problem (and it was ok, not 
SID problem ever since I set it up). I'm googling but would 
you, would anybody know what might be the problem?
The first server, PDC is ok, no above problem there.

$ smblcient -L //serverA -Uthis_dom\\this_user = result OK

On the failing server I backed up, remove and let samba 
recreate /var/lib/samba.
Again, for both servers userdb backend is the same 
multi-master ldap.

I have, always had these in smb.conf


   ldap group suffix = ou=Group
   ldap user suffix = ou=People
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   ldap debug level = 4
   ldap debug threshold = 10

regards
L.


On 20/10/16 08:23, Gavrilov Aleksey via samba wrote:
> hi
>
> It can be so help
>
> [global]
> >---admin users                    = @nt_admins
>
> if not then I need
>
> 1. root at pdc:~# testparm
> 2. root at pdc:~# ldapsearch -xLLL -H ldapi:/// -b 
> ou=groups,ou=arkhangelsk,dc=rugion,dc=ru
>
> ldap suffix =  ou=arkhangelsk,dc=rugion,dc=ru
>
> ldap group suffix = ou=groups
>
> 3. try
>
> log level = 10
>
>    max log size = 1000
>
> and go through the authorization in windows pc
> see the log of communication with the server PC.
> usually here /var/log/samba/log.ip or 
> /var/log/samba/log.name-pc
>
> 4. no harm will see errors in these files too
>
> /var/log/samba/log.nmbd
>
> /var/log/samba/log.smbd
>
>
> On 20.10.2016 02:28, lejeczek via samba wrote:
>> hi all
>>
>> I have two different Samba versions as PDC and BDC and 
>> depending on which one is "domain master" users which are 
>> domain admins are not recognized as such.
>>
>> Everything seems normal with 3.6.23-25.el6_7 as "domain 
>> master" but when I configure them so 4.2.10 is the master 
>> then I login to Win7 fine but Windows tells me that the 
>> user is not an Admin and I need to supply credential 
>> (wherever it's necessary of course).
>>
>> Both Sambas are config-wise virtually identical, I only 
>> swap "domain master = yes" around.
>>
>> User backends are for both Sambas multi-master LDAP so 
>> these too should (I believe are) are identical for both 
>> servers.
>>
>> What could it be? Gee, some good hint could be a 
>> master-headache savior.
>>
>> many! thanks.
>>
>> L.
>>
>>
>