[Samba] Solution to a Problem - Adding domain users as local Admins fails

Jeff Gardiner gardiner at imaging.robarts.ca
Wed Nov 19 15:32:35 GMT 2003


I thought I'd post an observation about a problem I solved so that others 
might benefit.  I must admit I was struggling with the issue for a couple of 
days, and solved it, though I'm not sure exactly what solved it, but I'll 
share the observations nonetheless, for the benefit of others.

PROBLEM BEHAVIOUR

I was unable to view domain users as the local admin, even if I authenticated 
as a domain admin.  Why would I do this?  I wanted to add a domain user as a 
local admin.  If I entered my domain admin logon name and password it was 
always rejected.  An additional side benefit of this problem was that my 
local machine could not view domain users, whether I logged into a domain 
account or as a local administrator.

i.e. 
WINZOMBIE\root
<password>

or
root
<password>

would result in an error, rejecting the password or logon name.  Therefore I 
could not see the domain users.


SOLUTION??
As I said above, I wasn't exactly looking for a solution to this problem when 
I solved it, rather I was looking at other issues.  I am not 100% sure which 
part of my actions fixed the problem but this is what I did:

FIRST
I noticed two things:  First, my smbpasswd and my unix password file had 
somehow had their permissions changed.  /etc/passwd was 444 and 
/etc/samba/smbpasswd was 400.

I changed /etc/passwd back to 644 and /etc/samba/smbpasswd to 600.

SECOND
Second, I noticed some spurious machine entries in both /etc/passwd and 
/etc/samba/smbpasswd that corresponded to machine names not in use - and there 
were entries in /etc/samba/smbpasswd that were not in /etc/passwd.  Those 
entries cause errors to appear in your log files that look like this:

machine.log build_sam_account: smbpasswd database is corrupt!  username 
nounixdude$ with uid 40098 is not in unix passwd database!

When we purchase machines, we largely deal with a single vendor.  They "try" to 
do us a favour when they sell us machines by presenting them configured as 
close to our preferred configuration as possible.  This includes naming the 
machines in a regular way.  Sometimes when we join machines to the domain, our 
junior admins fail to change the name of the machine to its proper name prior 
to joining the domain.  This means that every now and again I find entries in 
the /etc/samba/smbpasswd that correspond to machine names we no longer 
sustain.

Now I'm not sure if changing the permissions caused the fix, but the other 
action I took was to prune the /etc/samba/smbpasswd file so that all spurious 
entries were gone.  I also rid /etc/samba/smbpasswd of the entries not 
contained in /etc/unix.

If my observations help those struggling with the same problem, then so be it.

Cheers
Jeff


-- 
Jeff Gardiner [ gardiner at nospam.imaging.robarts.ca ]
System Administrator - Imaging Research Laboratories
Robarts Research Institute - London ON, Canada
519.663.5777 x34089

       ~~~~~~~
   Second Law of Blissful Ignorance --
-- Inside every small problem is a large problem struggling to get out.
~~~~~~
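As an added example (not part of Jeff's post or of Samba itself), the script below performs the two checks his message describes, read-only: it lists smbpasswd entries that have no matching account in the unix passwd file (the condition behind the "build_sam_account: smbpasswd database is corrupt! ... is not in unix passwd database!" log line), lists entries whose uid disagrees between the two files, and verifies the file modes he settled on (644 for /etc/passwd, 600 for /etc/samba/smbpasswd). The sample files are constructed here: the names ws01$, ws02$, jeff and all uids except nounixdude$/40098 (taken from the log line in the post) are made up, and the hash fields are replaced by X's. Point the functions at the real files to run it against a live system; it reports and does not modify anything.

```shell
#!/bin/sh
# Added example (not from the original post): consistency and permission
# checks for Samba's smbpasswd backend against the unix passwd file.
# Everything here only reads the files; pruning is left to the admin.

# Octal mode of a file (GNU stat first, BSD stat as a fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# smbpasswd usernames with no matching unix account. These are exactly the
# entries that make smbd log
# "build_sam_account: smbpasswd database is corrupt! username X with uid N
#  is not in unix passwd database!"
# Usage: smb_orphans SMBPASSWD PASSWD
smb_orphans() {
    awk -F: '
        FILENAME == ARGV[1] { unix[$1] = $3; next }   # passwd: name -> uid
        /^[[:space:]]*($|#)/ { next }                 # skip blank/comment lines
        !($1 in unix) { print $1 }
    ' "$2" "$1"
}

# smbpasswd entries whose uid (field 2) differs from the passwd uid (field 3).
# Output: name:smb_uid:unix_uid
# Usage: smb_uid_mismatch SMBPASSWD PASSWD
smb_uid_mismatch() {
    awk -F: '
        FILENAME == ARGV[1] { unix[$1] = $3; next }
        /^[[:space:]]*($|#)/ { next }
        ($1 in unix) && unix[$1] != $2 { print $1 ":" $2 ":" unix[$1] }
    ' "$2" "$1"
}

# The modes the post settled on: passwd world-readable (644) so NSS lookups
# work, smbpasswd readable by root only (600) because it holds NT hashes.
# Prints one line per problem and returns non-zero if any was found.
# Usage: check_modes PASSWD SMBPASSWD
check_modes() {
    rc=0
    m=$(file_mode "$1")
    [ "$m" = "644" ] || { echo "$1: mode $m, expected 644"; rc=1; }
    m=$(file_mode "$2")
    [ "$m" = "600" ] || { echo "$2: mode $m, expected 600"; rc=1; }
    return $rc
}

# Constructed sample data (hypothetical names/uids; hash fields are X's;
# nounixdude$ with uid 40098 is the entry quoted in the post's log line).
# Prints the temporary directory holding the two files.
make_sample_files() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jeff:x:1000:1000:Jeff Gardiner:/home/jeff:/bin/bash
ws01$:x:40001:100:machine account:/dev/null:/bin/false
ws02$:x:40002:100:machine account:/dev/null:/bin/false
EOF
    cat > "$d/smbpasswd" <<'EOF'
jeff:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-3FBB0000:
ws01$:40001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-3FBB0001:
ws02$:40009:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-3FBB0002:
nounixdude$:40098:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-3FBB0003:
EOF
    chmod 644 "$d/passwd"
    chmod 600 "$d/smbpasswd"
    echo "$d"
}

# Demo run against the constructed files.
demo_dir=$(make_sample_files)
echo "smbpasswd entries with no unix account:"
smb_orphans "$demo_dir/smbpasswd" "$demo_dir/passwd"
echo "uid mismatches (name:smb_uid:unix_uid):"
smb_uid_mismatch "$demo_dir/smbpasswd" "$demo_dir/passwd"
check_modes "$demo_dir/passwd" "$demo_dir/smbpasswd" && echo "file modes ok"
rm -rf "$demo_dir"
```

On the sample data the orphan check names only nounixdude$, the uid check flags ws02$ (40009 in smbpasswd, 40002 in passwd), and the mode check passes. Running the orphan check before each pruning pass, and the mode check after any tool that rewrites the files, catches both of the conditions the post found by accident.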



