[Samba] Solution to a Problem - Adding domain users as local Admins fails
Jeff Gardiner
gardiner at imaging.robarts.ca
Wed Nov 19 15:32:35 GMT 2003
I thought I'd post an observation about a problem I solved so that others
might benefit. I must admit I was struggling with the issue for a couple of
days, and solved it, though I'm not sure exactly what solved it but I'll
share the observations nonetheless, for the benefit of others.
PROBLEM BEHAVIOUR
I was unable to view domain users as the local admin, even if I authenticated
as a domain admin. Why would I do this? I wanted to add a domain user as a
local admin. If I entered my domain admin logon name and password it was
always rejected. An additional side benefit of this problem was that my
local machine could not view domain users, whether I logged into a domain
account or as a local administrator.
i.e.
WINZOMBIE\root
<password>
or
root
<password>
Would result in an error, reject the password or logon name. Therefore I
could not see the domain users.
SOLUTION??
As I said above, I wasn't exactly looking for a solution to this problem when
I solved it, rather I was looking at other issues. I am not 100% sure which
part of my actions fixed the problem but this is what I did:
FIRST
I noticed two things: First, my smbpasswd and my unix password file had
somehow had their permissions changed. /etc/passwd was 444 and
/etc/samba/smbpasswd was 400.
I changed /etc/password back to 644 and /etc/samba/passwd to 600.
SECOND
Second, I noticed some spurious machine entries in both /etc/password and
/etc/samba/smbpasswd that corresponded to machinenames not in use - and there
were entries in /etc/samba/smbpasswd that were not in /etc/passwd. Those
entries cause errors to appear in your log files that look like this:
machine.log build_sam_account: smbpasswd database is corrupt! username
nounixdude$ with uid 40098 is not in unix passwd database!
When we purchase machines, we largely deal with a single vendor. They "try" to
do us a favour when they sell us machines by presenting them configured as
close to our preferred configuration as possible. This includes naming the
machines in a regular way. Sometimes when we join machines to the domain, our
junior admins fail to change the name of the machine to its proper name prior
to joining the domain. This means that every now and again I find entries in
the /etc/samba/smbpasswd that correspond to machine names we no longer
sustain.
Now I'm not sure if changing the permissions caused the fix, but the other
action I took was to prune the /etc/samba/smbpasswd file so that all spurious
entries were gone. I also ridded /etc/samba/smbpasswd of the entries not
contained in /etc/unix.
If my observations help those struggling with the same problem, then so be it.
Cheers
Jeff
--
Jeff Gardiner [ gardiner at nospam.imaging.robarts.ca ]
System Administrator - Imaging Research Laboratories
Robarts Research Institute - London ON, Canada
519.663.5777 x34089
~~~~~~~
Second Law of Blissful Ignorance --
-- Inside every small problem is a large problem struggling to get out.
~~~~~~
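
The two conditions described in the message above (file modes, and smbpasswd entries with no matching Unix account) can be audited with a short script; this is an added example, not part of the original post. The function names and sample files are constructed for illustration, with placeholder hashes; only the name nounixdude$ and uid 40098 come from the log line quoted in the message.

```shell
#!/bin/sh
# Assumed layouts: smbpasswd "name:uid:LM:NT:[flags]:LCT-...:", passwd "name:x:uid:...".

# Print smbpasswd account names that have no entry in the Unix passwd file.
# Usage: smb_orphans SMBPASSWD PASSWD
smb_orphans() {
    awk -F: '
        /^#/ || $1 == "" { next }                  # skip comments and blank lines
        FILENAME == ARGV[1] { unix[$1] = 1; next } # first file: Unix account names
        !($1 in unix) { print $1 }                 # second file: Samba-only names
    ' "$2" "$1"
}

# Succeed only if FILE has exactly the octal permission bits MODE.
# Usage: mode_is FILE MODE
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# Constructed sample data, written to a scratch directory and removed afterwards.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
ws01$:x:40001:400::/dev/null:/bin/false
EOF
    cat > "$d/smbpasswd" <<'EOF'
# constructed sample, placeholder hashes
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
ws01$:40001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-00000000:
nounixdude$:40098:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-00000000:
EOF
    chmod 644 "$d/passwd"; chmod 400 "$d/smbpasswd"
    echo "orphans: $(smb_orphans "$d/smbpasswd" "$d/passwd")"
    mode_is "$d/passwd" 644 || echo "passwd is not mode 644"
    mode_is "$d/smbpasswd" 600 || echo "smbpasswd is not mode 600"
    rm -rf "$d"
}
demo
```

On a live server the same functions take the real paths, for example `smb_orphans /etc/samba/smbpasswd /etc/passwd`, run as root because smbpasswd holds password hashes and should not be readable by other users.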