lejeczek
2016-Oct-19 21:28 UTC
[Samba] 3.6.23-25.el6_7 and 4.2.10 and "Domain Admins" are/not Admins?
hi all I have two different Samba versions as PDC and BDC and depending on which one is "domain master" users which are domain admins are not recognized as such. Everything seems normal with 3.6.23-25.el6_7 as "domain master" but when I configure them so 4.2.10 is the master then I login to Win7 fine but Windows tells me that the user is not an Admin and I need to supply credential (wherever it's necessary of course). Both Sambas are config-wise virtually identical, I only swap "domain master = yes" around. User backends are for both Sambas multi-master LDAP so these too should (I believe are) are identical for both servers. What could it be? Gee, some good hint could be a master-headache savior. many! thanks. L.
Gavrilov Aleksey
2016-Oct-20 07:23 UTC
[Samba] 3.6.23-25.el6_7 and 4.2.10 and "Domain Admins" are/not Admins?
hi It can be so help [global] >---admin users = @nt_admins if not then I need 1. root at pdc:~# testparm 2. root at pdc:~# ldapsearch -xLLL -H ldapi:/// -b ou=groups,ou=arkhangelsk,dc=rugion,dc=ru ldap suffix = ou=arkhangelsk,dc=rugion,dc=ru ldap group suffix = ou=groups 3. try log level = 10 max log size = 1000 and go through the authorization in windows pc see the log of communication with the server PC. usually here /var/log/samba/log.ip or /var/log/samba/log.name-pc 4. no harm will see errors in these files too /var/log/samba/log.nmbd /var/log/samba/log.smbd On 20.10.2016 02:28, lejeczek via samba wrote:> hi all > > I have two different Samba versions as PDC and BDC and depending on > which one is "domain master" users which are domain admins are not > recognized as such. > > Everything seems normal with 3.6.23-25.el6_7 as "domain master" but > when I configure them so 4.2.10 is the master then I login to Win7 > fine but Windows tells me that the user is not an Admin and I need to > supply credential (wherever it's necessary of course). > > Both Sambas are config-wise virtually identical, I only swap "domain > master = yes" around. > > User backends are for both Sambas multi-master LDAP so these too > should (I believe are) are identical for both servers. > > What could it be? Gee, some good hint could be a master-headache savior. > > many! thanks. > > L. > >-- Sincerely, Gavrilov Aleksey System Administrator Ltd. "Hearst Shkulev Digital Rugion" tel .: 8 (351) 729-94-90, ext. 345 mob. +7 999 581 7934 gavrilov at info74.ru Chelyabinsk, st. Lesoparkovaya , 6, office 308
lejeczek
2016-Oct-24 11:53 UTC
[Samba] 3.6.23-25.el6_7 and 4.2.10 and "Domain Admins" are/not Admins?
thanks Aleksey before I can try your suggestions I have to solve another problem which has just occur on that 4.2 Samba, now that server (it did crash caused some other hardware problem) fails: $ smblcient -L //serverB -Uthis_dom\\this_user SPNEGO login failed: Indicates the SID structure is not valid. session setup failed: NT_STATUS_INVALID_SID I do not recall there was on OS/samba update, only that crash(cold reboot) and now this problem (and it was ok, not SID problem ever since I set it up). I'm googling but would you, would anybody know what might be the problem? The first server, PDC is ok, no above problem there. $ smblcient -L //serverA -Uthis_dom\\this_user = result OK On the failing server I backed up, remove and let samba recreate /var/lib/samba. Again, for both servers userdb backend is the same multi-master ldap. I have, always had these in smb.conf ldap group suffix = ou=Group ldap user suffix = ou=People ldap machine suffix = ou=Computers ldap idmap suffix = ou=Idmap ldap debug level = 4 ldap debug threshold = 10 regards L. On 20/10/16 08:23, Gavrilov Aleksey via samba wrote:> hi > > It can be so help > > [global] > >---admin users = @nt_admins > > if not then I need > > 1. root at pdc:~# testparm > 2. root at pdc:~# ldapsearch -xLLL -H ldapi:/// -b > ou=groups,ou=arkhangelsk,dc=rugion,dc=ru > > ldap suffix = ou=arkhangelsk,dc=rugion,dc=ru > > ldap group suffix = ou=groups > > 3. try > > log level = 10 > > max log size = 1000 > > and go through the authorization in windows pc > see the log of communication with the server PC. > usually here /var/log/samba/log.ip or > /var/log/samba/log.name-pc > > 4. no harm will see errors in these files too > > /var/log/samba/log.nmbd > > /var/log/samba/log.smbd > > > On 20.10.2016 02:28, lejeczek via samba wrote: >> hi all >> >> I have two different Samba versions as PDC and BDC and >> depending on which one is "domain master" users which are >> domain admins are not recognized as such. >> >> Everything seems normal with 3.6.23-25.el6_7 as "domain >> master" but when I configure them so 4.2.10 is the master >> then I login to Win7 fine but Windows tells me that the >> user is not an Admin and I need to supply credential >> (wherever it's necessary of course). >> >> Both Sambas are config-wise virtually identical, I only >> swap "domain master = yes" around. >> >> User backends are for both Sambas multi-master LDAP so >> these too should (I believe are) are identical for both >> servers. >> >> What could it be? Gee, some good hint could be a >> master-headache savior. >> >> many! thanks. >> >> L. >> >> >
Reasonably Related Threads
- 3.6.23-25.el6_7 and 4.2.10 and "Domain Admins" are/not Admins?
- Replacement pdc samba3 to samba4 nt classic
- Replacement pdc samba3 to samba4 nt classic
- error when samba-tool domain classicupgrade
- samba-3.6.23-30.el6_7.x86_64 - The trust relationship between this workstation and the primary domain failed