Displaying 20 results from an estimated 2000 matches similar to: "winbind finds all domain users except Administrator"
2017 Nov 14
2
winbind finds all domain users except Administrator
I tried mapping to root but I still get an ACCESS_DENIED when I try to
mount a share from the domain member.
I'd be very surprised if the samba admin account is the one and only
account that is intentionally denied from accessing shares on a member.
I'm pretty sure this is a bug. I tried this again with two clean installs
(4.7.1) on Linux, one in a VM. Compare this on the DC:
#
2017 Nov 14
1
winbind finds all domain users except Administrator
Okay, right.
Is there anything that the Samba administrator account can do that the
users in the group domain admins can't (other than direct configurations on
the samba server)?
Also on a kind of unrelated note: I have several Unix servers that used NIS
up until now to get the users. I would prefer if they could get the
username like right now, without the MYDOM\ prefix. Is it possible to
2017 Nov 14
0
winbind finds all domain users except Administrator
On Tue, 14 Nov 2017 21:36:49 +0100
Fabian Fritz <fabianfuture at web.de> wrote:
> I tried mapping to root but I still get an ACCESS_DENIED when I try to
> mount a share from the domain member.
>
> I'd be very surprised if the samba admin account is the one and only
> account that is intentionally denied from accessing shares on a
> member.
>
> I'm pretty
2014 Oct 20
1
winbind/idmap issue on samba4 member server
Hello list,
I've been stuck for 2 days and I have no clue how to troubleshoot and solve that problem. Any help is really appreciated.
Scenario:
=========
I am using Samba 4.1.12/sernet on DC1 (172.19.100.1) and DC2 (172.19.100.2) with default [netlogon] and [sysvol] share only.
I installed an additional samba4 server with fileserving role which is called MEMBERSRV1 (172.19.100.3), which is
2016 Dec 05
2
Join QNAP to a Samba AD
Hello,
I'm currently stuck with a QNAP NAS appliance (don't buy this!)
I have a Sernet Samba 4.5 as an AD controller and my QNAP has a Samba 4.0.25
(latest update)
All I want is to join the QNAP to the AD, the QNAP will act as the file
server.
The join in the official way is okay but the uid / gid mapping is f*cked.
I tried almost everything, change the idmap,
2018 Apr 06
2
User idmap lost
Back on February 28, 2018, I started a thread "User permissions of
profile/home directory lost" describing a problem occurring with my
wife's user account. Since that time the random problem has persisted so
I turned on some debugging. I have been able to determine that somehow
her account idmap is broken. Here is the entry for my wife's SID as
found in the idmap.ldb file
2016 Dec 06
2
Join QNAP to a Samba AD
Hello,
No, it's an AD classicupgraded from a Samba 3 PDC
Here's a user example from my DC
uid=1116(MYDOM\begr00) gid=513(MYDOM\domain users) groupes=513(MYDOM\domain users),1151(MYDOM\evaluation),1214(MYDOM\procedures),12021(MYDOM\s13cadre),12041(MYDOM\s13-grh),1264(MYDOM\zsbw),1001(MYDOM\s13),3000005(BUILTIN\users)
My first user starts at uid 1001 (1000 was the
2020 Feb 10
3
New DNS-Records not aviable
Hi again.
After some tests (on my operational domain and on a new test domain) I
detected this behavior:
On Samba 4.11.6 sometimes the new DNS records finish on a wrong DNS
zone.
The problem occurs if more than 5 records are created with the same
name in more than one domain zone
for example:
testa1.jupiter.mydom.org
testa2.jupiter.mydom.org
testa3.jupiter.mydom.org
2017 Nov 14
0
winbind finds all domain users except Administrator
On Mon, 13 Nov 2017 23:15:15 +0100
Fabian Fritz <fabianfuture at web.de> wrote:
> I see. I know, the range is a bit odd, but I previously used NIS to
> get the Unix users from another machine. Now I'm updating to AD and
> don't use NIS anymore. Since I want to keep all the file ownerships (I
> use this solaris member as a file server), I had to map the domain
> users
2020 Feb 10
4
New DNS-Records not aviable
Hai Christian,
> Can someone reproduce this?
No, tried, but sorry, works fine for me on my 4.11.6 server.
And what if you try it like this?
samba-tool dns add dc1.zone1.domain.de 0.168.192.in-addr.arpa 157 PTR zone1.domain.de -U Administrator
samba-tool dns add dc1.zone1.domain.de 1.168.192.in-addr.arpa 157 PTR zone2.domain.de -U Administrator
I tested on my production where I have 6
2018 Aug 07
2
Failed to modify SPNs
On Tue, 7 Aug 2018 14:59:56 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 7 Aug 2018 14:55:24 +0200
> Henry Jensen via samba <samba at lists.samba.org> wrote:
>
> > On Tue, 7 Aug 2018 12:51:33 +0100
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > > > > Failed to modify SPNs on
2018 Aug 07
2
Failed to modify SPNs
On Tue, 7 Aug 2018 12:51:33 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
> > > > Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan: acl:
> > > > spn validation failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000]
> > > > account[db1$] hostname[(null)] nbname[mydom] ntds[(null)]
> > > > forest[mydom.lan] domain[mydom.lan]
2017 Aug 21
2
Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
Dear Rowland,
our windows admin assured me that they have set uidNumber and gidNumber in
the range. I have requested screenshots for confirmation.
Now we are one step further: "getent passwd | grep mdecker" now lists the
AD account.
mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false
With "getent passwd mdecker" however, it shows
2018 Aug 07
1
Failed to modify SPNs
On Tue, 7 Aug 2018 16:26:36 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 7 Aug 2018 17:13:02 +0200
> Henry Jensen via samba <samba at lists.samba.org> wrote:
>
> > On Tue, 7 Aug 2018 14:59:56 +0100
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Tue, 7 Aug 2018 14:55:24 +0200
>
2016 Dec 14
1
netbios alias and AD trouble
Hello there
I've got two samba servers srv1 and srv2
smb.conf for srv1:
netbios aliases srv1-alias
smb.conf for srv2:
netbios aliases srv2-alias
DNS is configured all right and resolves the names. Each name has got
its own IP address.
Both servers are AD members, run as expected and can be connected to via
their netbios and netbios alias names.
If, for example, srv1 fails I want to add
2018 Aug 07
2
Failed to modify SPNs
Hello,
I've got some log entries like these on our DCs:
Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan: acl: spn validation failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000] account[db1$]
hostname[(null)] nbname[mydom] ntds[(null)] forest[mydom.lan] domain[mydom.lan]
At first I thought it was about missing SPN entries, but adding these did not resolve the problem:
# samba-tool
2018 Aug 07
2
Failed to modify SPNs
Hi Rowland,
On Tue, 7 Aug 2018 09:46:24 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
> > Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan: acl:
> > spn validation failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000]
> > account[db1$] hostname[(null)] nbname[mydom] ntds[(null)]
> > forest[mydom.lan] domain[mydom.lan]
> >
> > At
2017 Aug 22
2
Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
Thanks Rowland and Louis,
after changing from ad to rid, I get all users listed with "getent passwd",
not just the ones with uidNumber - which is good. But "getent passwd
MYDOM\\mdecker" still does not resolve. In addition, no groups are listed
with "getent group". Looking at winbindd debug, it seems that after trying
getgrsid on the very first group "Exchange
2014 Oct 29
2
domain user mapped to unix/root via smbmap
Hi list,
I am experimenting with two member servers (both samba4). I am using the following configuration:
membersrv:/etc/samba/smb.conf:
==========================
[...]
username map = /etc/samba/smbmap
[...]
membersrv:/etc/samba/smbmap:
=========================
!root = MYDOM\johndoe MYDOM\foo MYDOM\bar MYDOM\Administrator
Administrator
So the domain users from my AD called "John Doe",
2018 Jul 24
2
Unable to map SID of domain admin although mapped in username map
Hello,
Lots of messages in the smbd log file on a Samba file server, which is a member of a Samba AD:
[2018/07/24 10:30:00.822403, 0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)