[Samba] Restoring domain Administrator
Larry McElderry
larry at ptcoupling.com
Wed May 4 17:05:43 GMT 2005
OK I did this before seeing the little note in the docs that said don't do this.
Using samba 3.0.14a with ldap auth. Terpstra textbook setup from chapter 9 By Example.
nsswitch passwd and group = files ldap
I deleted the root user from the ldap directory and tried to re-add using
smbldap-useradd -u 0 root -P
It complained that uid already existed. Must've gotten that from passwd file, so I tried
smbldap-useradd root -P
Then used GQ to change the uid number to 0 and group id to 512.
Problem is when samba tries to auth root, it searches ldap for a gid 0 rather than 512. Gid 0 is not in ldap. Why is it looking for gid 0?
LOG EXTRACT:
May 4 12:02:07 suzy slapd[1410]: conn=12423 op=4 SRCH base="ou=Groups,dc=ptcoupling,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=root)(gidNumber=0)))"
What does it take to restore domain admin?
Here is the output from smbclient -L larry -Uroot:
INFO: Current debug levels:
all: True/5
tdb: False/0
printdrivers: False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli: False/0
passdb: False/0
sam: False/0
auth: False/0
winbind: False/0
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
doing parameter syslog = 0
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter smb ports = 139 445
doing parameter name resolve order = wins bcast hosts
doing parameter time server = Yes
doing parameter printcap cache time = 750
doing parameter printcap name = cups
doing parameter show add printer wizard = No
doing parameter add user script = /etc/samba/smbldap/smbldap-useradd -m '%u'
doing parameter add group script = /etc/samba/smbldap/smbldap-groupadd -p '%g'
doing parameter add user to group script = /etc/samba/smbldap/smbldap-groupmod -m '%u' '%g'
doing parameter delete user from group script = /etc/samba/smbldap/smbldap-groupmod -x '%u' '%g'
doing parameter add machine script = /etc/samba/smbldap/smbldap-useradd -w '%u'
doing parameter logon script = /etc/samba/netlogon.bat
doing parameter logon path =
doing parameter logon home =
doing parameter wins support = Yes
doing parameter wins server = 172.21.1.30
doing parameter map acl inherit = yes
doing parameter ldap admin dn = cn=Manager,dc=ptcoupling,dc=com
doing parameter ldap delete dn = Yes
doing parameter ldap group suffix = ou=Groups
doing parameter ldap idmap suffix = ou=Idmap
doing parameter ldap machine suffix = ou=People
doing parameter ldap passwd sync = Yes
doing parameter ldap suffix = dc=ptcoupling,dc=com
doing parameter ldapsam:trusted = yes
doing parameter ldap ssl = no
doing parameter ldap user suffix = ou=People
doing parameter idmap backend = ldap:ldap://localhost
doing parameter idmap uid = 10000-20000
doing parameter idmap gid = 10000-20000
doing parameter admin users = @"Domain Admins", larry
doing parameter force unknown acl user = no
doing parameter ea support = Yes
doing parameter cups options = raw
doing parameter lpq command = /usr/bin/lpq -P'%p'
doing parameter lprm command = /usr/bin/lprm -P'%p' %j
doing parameter lppause command = lp -i '%p-%j' -H hold
doing parameter lpresume command = lp -i '%p-%j' -H resume
doing parameter queuepause command = /usr/bin/disable '%p'
doing parameter queueresume command = /usr/bin/enable '%p'
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
added interface ip=172.21.1.30 bcast=172.21.255.255 nmask=255.255.0.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Netbios name list:-
my_netbios_names[0]="ACCT.SERVE"
Client started (version 3.0.14a-SerNet-SuSE).
Opening cache file at /var/lib/samba/gencache.tdb
name larry#20 found.
Connecting to 172.21.2.2 at port 445
socket option SO_KEEPALIVE = 0
socket option SO_REUSEADDR = 0
socket option SO_BROADCAST = 0
socket option TCP_NODELAY = 1
socket option IPTOS_LOWDELAY = 0
socket option IPTOS_THROUGHPUT = 0
socket option SO_SNDBUF = 16384
socket option SO_RCVBUF = 87380
socket option SO_SNDLOWAT = 1
socket option SO_RCVLOWAT = 1
socket option SO_SNDTIMEO = 0
socket option SO_RCVTIMEO = 0
session request ok
size=85
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=55297
smb_tid=0
smb_pid=16317
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]= 8 (0x8)
smb_vwv[ 1]= 2563 (0xA03)
smb_vwv[ 2]= 256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]= 17 (0x11)
smb_vwv[ 5]= 0 (0x0)
smb_vwv[ 6]= 256 (0x100)
smb_vwv[ 7]= 0 (0x0)
smb_vwv[ 8]= 0 (0x0)
smb_vwv[ 9]=64768 (0xFD00)
smb_vwv[10]= 227 (0xE3)
smb_vwv[11]=45184 (0xB080)
smb_vwv[12]=60713 (0xED29)
smb_vwv[13]=51670 (0xC9D6)
smb_vwv[14]=50512 (0xC550)
smb_vwv[15]=11265 (0x2C01)
smb_vwv[16]= 1 (0x1)
smb_bcc=16
size=85
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=55297
smb_tid=0
smb_pid=16317
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]= 8 (0x8)
smb_vwv[ 1]= 2563 (0xA03)
smb_vwv[ 2]= 256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]= 17 (0x11)
smb_vwv[ 5]= 0 (0x0)
smb_vwv[ 6]= 256 (0x100)
smb_vwv[ 7]= 0 (0x0)
smb_vwv[ 8]= 0 (0x0)
smb_vwv[ 9]=64768 (0xFD00)
smb_vwv[10]= 227 (0xE3)
smb_vwv[11]=45184 (0xB080)
smb_vwv[12]=60713 (0xED29)
smb_vwv[13]=51670 (0xC9D6)
smb_vwv[14]=50512 (0xC550)
smb_vwv[15]=11265 (0x2C01)
smb_vwv[16]= 1 (0x1)
smb_bcc=16
Serverzone is 18000
Doing spnego session setup (blob length=16)
server didn't supply a full spnego negprot
size=240
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=16317
smb_uid=2048
smb_mid=2
smt_wct=4
smb_vwv[ 0]= 255 (0xFF)
smb_vwv[ 1]= 240 (0xF0)
smb_vwv[ 2]= 0 (0x0)
smb_vwv[ 3]= 123 (0x7B)
smb_bcc=197
size=240
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=16317
smb_uid=2048
smb_mid=2
smt_wct=4
smb_vwv[ 0]= 255 (0xFF)
smb_vwv[ 1]= 240 (0xF0)
smb_vwv[ 2]= 0 (0x0)
smb_vwv[ 3]= 123 (0x7B)
smb_bcc=197
Got challenge flags:
Got NTLMSSP neg_flags=0x60890215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_CHAL_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP challenge set by NTLM2
challenge is:
[000] 76 DF F3 B6 AE 24 69 26 v....$i&
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
size=35
smb_com=0x73
smb_rcls=1
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=16317
smb_uid=2048
smb_mid=3
smt_wct=0
smb_bcc=0
size=35
smb_com=0x73
smb_rcls=1
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=16317
smb_uid=2048
smb_mid=3
smt_wct=0
smb_bcc=0
SPNEGO login failed: Undetermined error
session setup failed: NT_STATUS_UNSUCCESSFUL
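
Added example (not part of the original post, and not Samba or nss_ldap code): a small Python model of the "passwd = files ldap" lookup order from the post, showing how a root entry in the local passwd file answers first and hides the uid 0 / gid 512 entry re-created in LDAP. It assumes the gidNumber in the logged search filter is the primary gid of whichever passwd entry the system lookup returns; the passwd lines and LDAP entries are constructed, and the function names are hypothetical.

```python
# Constructed /etc/passwd content: root is present locally with gid 0.
PASSWD_FILE = """\
root:x:0:0:root:/root:/bin/bash
larry:x:1000:100:Larry:/home/larry:/bin/bash
"""

# Constructed posixAccount entries, shaped like the re-created LDAP root.
LDAP_PEOPLE = [
    {"uid": "root", "uidNumber": 0, "gidNumber": 512},
    {"uid": "alice", "uidNumber": 1001, "gidNumber": 513},
]

def lookup_files(name):
    """Resolve a name from the passwd-format text above."""
    for line in PASSWD_FILE.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == name:
            return {"uid": f[0], "uidNumber": int(f[2]),
                    "gidNumber": int(f[3]), "source": "files"}
    return None

def lookup_ldap(name):
    """Resolve a name from the constructed LDAP entries."""
    for e in LDAP_PEOPLE:
        if e["uid"] == name:
            return dict(e, source="ldap")
    return None

SOURCES = {"files": lookup_files, "ldap": lookup_ldap}

def getpwnam(name, order):
    """NSS default behaviour: the first listed source that knows the name wins."""
    for src in order.split():
        entry = SOURCES[src](name)
        if entry is not None:
            return entry
    return None

def group_filter(entry):
    """Build a group search filter in the form seen in the slapd log line."""
    return ("(&(objectClass=posixGroup)(|(memberUid=%s)(gidNumber=%d)))"
            % (entry["uid"], entry["gidNumber"]))

def shadowed(order):
    """LDAP accounts answered by an earlier source with different uid/gid."""
    out = []
    for e in LDAP_PEOPLE:
        seen = getpwnam(e["uid"], order)
        ids = (seen["uidNumber"], seen["gidNumber"])
        if seen["source"] != "ldap" and ids != (e["uidNumber"], e["gidNumber"]):
            out.append((e["uid"], seen["gidNumber"], e["gidNumber"]))
    return out
```

On a real host, `getent passwd root` and `id root` show which source answers; `shadowed()` here is the same comparison run over every LDAP account.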