Nicolas Boissé
2024-May-16 14:00 UTC
[Samba] administrator account unknown on a DC member
Hello

On a DC member, I can see all AD users with "getent passwd" command,
except the Administrator account.

The administrator account has a UIDnumber (3002).

my smb.conf :

...
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOM:backend = ad
idmap config DOM:schema_mode = rfc2307
idmap config DOM:range = 10000-999999
idmap config DOM:unix_nss_info = yes
...

Any idea of what's wrong with it ?
On Thu, 16 May 2024 16:00:43 +0200 Nicolas Boissé via samba <samba at lists.samba.org> wrote:

> Hello
>
> On a DC member, I can see all AD users with "getent passwd" command,
> except the Administrator account.
>
> The administrator account has a UIDnumber (3002).
>
> my smb.conf :
>
> ...
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config DOM:backend = ad
> idmap config DOM:schema_mode = rfc2307
> idmap config DOM:range = 10000-999999
> idmap config DOM:unix_nss_info = yes
> ...
>
> Any idea of what's wrong with it ?
>

You are using the 'ad' idmap backend and have given Administrator a UidNumber attribute containing the number '3002'. This normally makes Administrator a normal user, not an administrative user, but, in your case, '3002' is in the default '*' range and beneath the 'DOM' range start '10000', so it will be ignored.

To put it another way, if you could get it wrong, you got it wrong in the right way ;-)

I suggest you remove the uidNumber (and any other RFC2307 attributes) you added to Administrator, you do not use Administrator on Linux, you use root.

Rowland
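The range rule described in the reply above, as an added example that is not part of the thread and not Samba's own code: it parses the `idmap config` lines quoted in the post and reports whether a uidNumber stored in AD falls inside the 'ad' backend's range for that domain. The names `parse_idmap` and `check_uid` and the returned strings are assumptions made for the illustration.

```python
import re

# Constructed sample: the idmap lines quoted in the thread above.
SAMPLE_SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOM:backend = ad
idmap config DOM:schema_mode = rfc2307
idmap config DOM:range = 10000-999999
idmap config DOM:unix_nss_info = yes
"""

# Accepts both spellings seen in the thread: "DOM:range" and "* : range".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf_text):
    """Return {domain: {option: value}}; 'range' becomes an (int, int) tuple."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue  # comments and non-idmap lines do not match
        domain, option, value = m.groups()
        option = option.lower()
        if option == "range":
            low, high = value.split("-")
            value = (int(low), int(high))
        domains.setdefault(domain.upper(), {})[option] = value
    return domains


def check_uid(domains, domain, uid_number):
    """Hypothetical helper: classify a uidNumber stored in AD for `domain`."""
    cfg = domains.get(domain.upper(), {})
    if cfg.get("backend") != "ad" or "range" not in cfg:
        return "not-applicable"
    low, high = cfg["range"]
    if low <= uid_number <= high:
        return "mapped"
    # Outside the domain's range: the ad backend ignores the attribute.
    for name, other in domains.items():
        if name != domain.upper() and "range" in other:
            olow, ohigh = other["range"]
            if olow <= uid_number <= ohigh:
                return f"ignored: inside '{name}' range {olow}-{ohigh}"
    return "ignored: outside every configured range"


if __name__ == "__main__":
    print(check_uid(parse_idmap(SAMPLE_SMB_CONF), "DOM", 3002))
```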