[Samba] ADS - Not recognizing Domain Admin group membership (from 1 workstation only)

Chris Cooper psiuyo at gmail.com
Sat Dec 1 01:00:59 GMT 2007


I've been running a couple of CentOS 5 and RHEL4/5 servers with Samba for a
while now, and everything has been working great with our Windows 2003 AD.

All of a sudden, though, I'm experiencing something really weird on one of the
RHEL5 boxes.  Whenever I try to connect as a Domain Admin from one
particular Vista client, I get access denied and repeated prompts for a
username/password - this has always worked in the past, and still does using
any Domain Admin account from any other computer (XP or Vista).

Looking at the log I see this when connecting as a Domain Admin from a good
client:
connect to service Reports initially as user XXXXX+yyyyyy (uid=0,
gid=16777220)
and when connecting as the same Domain Admin from the bad Vista client:
connect to service Reports initially as user XXXXX+yyyyyy (uid=16777222,
gid=16777220)

The other share, with a force user=localuser option set produces the
following:
connect to service htdocs initially as user XXXXX+yyyyyy (uid=501,
gid=16777220)
and when connecting as the same Domain Admin from the bad Vista client:
connect to service htdocs initially as user XXXXX+yyyyyy (uid=16777222,
gid=16777220)

So it appears that any connections coming from this one workstation are not
recognised as Domain Admin members.

This particular workstation can connect to any of our other Samba servers
(same version 3.0.26a-SerNet-RedHat or older 3.0.21b-2) with
the exact same share setup and smb.conf, and any Domain Admin logging in
from any other workstation can connect just fine to this server -
there is just something strange between this one server and one workstation.
It started happening about 2 weeks ago, at which point I
attempted to update Samba from 3.0.21b-2 to 3.0.26a; I've rejoined the
domain on both server and workstation as well.

Any help on this would be greatly appreciated.  Thanks!


Here is the relevant smb.conf that works on all other servers for this
client and for all other clients on this server:

server string = Testing Server
workgroup  = TESTING
security = ADS
realm = TESTING.LOCAL
encrypt passwords = yes
winbind separator = +
winbind enum users=yes
winbind enum groups=yes
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = yes
admin users = @"TESTING+Domain Admins"

[htdocs]
   comment = htdocs
   path = /mnt/dbdocs/htdocs
   writeable = yes
   browseable = yes
   valid users = @"TESTING+Domain Admins"
   # localuser is UID=501
   force user = localuser
[reports]
   comment = Reports
   path = /mnt/dbdocs/reports
   writeable = yes
   browseable = yes
   valid users = @"TESTING+Domain Admins"

