[Samba] samba_upgradedns returned an error "Unable to find uid/gid for Domain Admins "
Rowland penny
rpenny at samba.org
Tue Feb 2 12:09:59 UTC 2016
On 02/02/16 11:26, Markus Dellermann wrote:
> On Tuesday, 2 February 2016, 09:51:03 CET, Rowland penny wrote:
>> On 01/02/16 22:24, Markus Dellermann wrote:
>>> Hi at all,
>>>
>>> I am using samba 4.3.4 as "ad", "migrated by classicupgrade" some time ago
>>> from an nt4-domain.
>>>
>>> By trying
>>> samba_upgradedns --dns-backend=BIND9_DLZ
>>>
>>> i get the following error:
>>>
>>> Traceback (most recent call last):
>>> File "/usr/sbin/samba_upgradedns", line 262, in <module>
>>>
>>> paths, lp.configfile, lp)
>>>
>>> File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
>>> line
>>>
>>> 298, in find_provision_key_parameters
>>>
>>> raise ProvisioningError("Unable to find uid/gid for Domain Admins rid
>>> (%s-
>>>
>>> %s" % (str(names.domainsid), security.DOMAIN_RID_ADMINISTRATOR))
>>> samba.provision.ProvisioningError: ProvisioningError: Unable to find
>>> uid/gid for Domain Admins rid
>>> (S-1-5-21-855155194-824588496-1214258294-500
>>>
>>> "Domain Admins" seems to be in "ad"
>> Domain Admins may be in AD but that is not what is being searched for,
>> it is actually searching for Administrator, have you done anything to
>> Administrator in AD or idmap.ldb ?
>>
>> Rowland
> Hi Rowland,
> ah, ok - thank you for your answer.
>
> There is a local user named "administrator" in /etc/passwd
> administrator:x:1039:100::/home/administrator:/bin/bash
> There was a username-mapping in /etc/samba/smbusers
> #!root = MYDOMAIN\Administrator MYDOMAIN\administrator Administrator
> administrator
> I have changed this two months ago, because that shouldn't be needed.(?)
> Domain-Administrators UID in "aduc" is "10000" - is this correct?
>
> In my nt4-domain the domain-administrator was mapped to root and the rid "500"
> was assigned to root
> Maybe this is missing now?
> Do I have to assign this again?
>
> Thank you
>
> Markus
>
Ok, there are two schools of thought here, you can give Administrator a
uidNumber attribute, but this, as far as Unix is concerned, turns
'Administrator' into just another user, with no more privileges than any
other Unix user.
What I use on a domain member and recommend, is the use of the user
mapping in smb.conf, with this 'Administrator' becomes 'root' and as
such, has all the privileges of 'root'.
However, you are trying to do something on a DC and you shouldn't use
the name mapping, as this should be done for you in idmap.ldb. I suggest
you remove any users that appear in /etc/passwd, such as administrator,
that are also in AD, I would also remove the uidNumber attribute from
'Administrator' in AD.
This should then reset 'Administrator' to '0'.
If I run 'getent passwd administrator' on a DC, I get:
SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
but if I run the same command on a domain member, I get nothing.
Rowland
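
The check described in the reply above for a DC (local /etc/passwd accounts and username-map entries that duplicate AD account names), as an added example that is not part of the original thread. The passwd lines, map file and AD account list are constructed samples; it is an assumption that on a real DC the AD names would be collected with a tool such as `samba-tool user list`.

```python
import re

# Constructed sample of /etc/passwd on the DC.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
administrator:x:1039:100::/home/administrator:/bin/bash
markus:x:1000:100::/home/markus:/bin/bash
"""

# Constructed username map file in smb.conf "username map" syntax.
SMBUSERS_SAMPLE = """\
; leftover mapping from the NT4 domain
!root = MYDOMAIN\\Administrator MYDOMAIN\\administrator Administrator administrator
"""

# Constructed AD account names (assumption: collected with `samba-tool user list`).
AD_USERS_SAMPLE = ["Administrator", "Guest", "krbtgt", "markus.d"]


def local_collisions(passwd_text, ad_users):
    """Return (name, uid) for local passwd entries that share a name with an AD account."""
    ad = {u.lower() for u in ad_users}
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue  # comment or malformed entry
        if fields[0].lower() in ad:
            hits.append((fields[0], int(fields[2])))
    return hits


def map_collisions(map_text, ad_users):
    """Return (unix_name, client_name) for active map lines that remap an AD account."""
    ad = {u.lower() for u in ad_users}
    hits = []
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank, commented out, or not a mapping
        unix, _, clients = line.partition("=")
        unix = unix.strip().lstrip("!").strip()  # '!' only means "stop at first match"
        for tok in re.findall(r'"[^"]*"|\S+', clients):
            client = tok.strip('"')
            # Compare on the account part, ignoring a DOMAIN\ prefix.
            if client.rsplit("\\", 1)[-1].lower() in ad:
                hits.append((unix, client))
    return hits
```

Any entry either function returns is a candidate for removal on the DC, where the mapping is expected to come from idmap.ldb instead.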