[Samba] Windows member servers have lost their minds...

Rubin Bennett rbennett at thatitguy.com
Tue Jun 12 15:29:32 GMT 2007

----- Original Message -----
From: Gerald (Jerry) Carter <jerry at samba.org>
Sent: Tue, 6/12/2007 8:22am
To: Rubin Bennett <rbennett at thatitguy.com>
Cc: samba at lists.samba.org
Subject: Re: [Samba] Windows member servers have lost their minds...

Hash: SHA1


>> I'm having a serious problem after a Samba upgrade from 3.0.20 to
>> 3.0.23c.

>You read the release notes regarding the SID changes in
>3.0.23 right ?  The next step is to look at a level 10
>debug log frmo smbd when you are receiving the ACCESS_DENIED

Hi, Jerry-
Thanks for your reply!
I did read the release notes, and the RID/ SID mappings were one of the first things I looked at, along with the output from net groupmap list.
What I'm seeing is that the domain authentication is working just fine, but that I don't have administrative rights on the member servers when I log in as DOMAIN\root.
If I go to the Event log, I can read everything but hte Security log, which errors out with:
Unable to complete the operation on "Security".
A required privilege is not held by the client
If I try to set services to run as the domain adminsitrator, they won't start.  I've unjoined and rejoined the machines to the domain several times, I've removed the machine accounts from the Linux and Samba databases, I've double and triple checked profiles and net groupmap listings etc. etc. etc.  and get no joy.

For a brief moment last night, things appeared to be almost working correctly on one of the servers (i.e. I could shut the server down etc. when logged in as the domain administrator and could get into the Security event log), but this morning, after no changes were made, things weren't happy again.  The SQL server was not running and the file shares were unaccessible from the network.
There are no errors on the Samba box and log level = 10.
On the Windows server, the only error that I can find is a 3210, "Failed to authenticate with \\PDC, a Windows NT or 2000 domain controller for domain DOMAIN.
*head bloody from banging on wall*...

More information about the samba mailing list