[Samba] centos 6.5 sernet-samba 4.1.6 member server winbind idmap fail

L.P.H. van Belle belle at bazuin.nl
Fri Apr 11 01:08:07 MDT 2014


Hi,

>> I think I'll copy all the membership of Administrator's groups to 
>> another user (OtherAdmin) then I'll deactivate the Administrator 
>> account. Looks like a workaround but if it works I will not complain.
>>
>You should not have to do this and I cannot recommend doing it.

Don't do this!

Because of Kerberos updates and DNS updates.

Look: cat /var/lib/samba/private/named.conf.update

/* this file is auto-generated - do not edit */
update-policy {
        grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
====>>  grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;	<<< =======
        grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
        grant RTD-DC2$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
};

What do you think will happen if you disable Administrator? ;-)

Louis




>-----Original message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Thursday 10 April 2014 22:07
>To: samba at lists.samba.org
>Subject: Re: [Samba] centos 6.5 sernet-samba 4.1.6 member server winbind idmap fail
>
>On 10/04/14 20:51, Lorenzo Faleschini wrote:
>> On 10/04/2014 20:24, Rowland Penny wrote:
>>>
>>> Try removing the uidNumber from the Administrator, my Administrator
>>> does not have a uidNumber and everything just seems to work. Mapping
>>> Administrator to root in a file read by smb.conf is a much better idea.
>>>
>>> Rowland
>>
>> Tried this, but no results.
>> The Administrator user seems to have no privileges.
>> When I use the Computer Management console as Administrator to manage
>> shares on fileserver or dc I cannot even open the "sessions" or "open
>> files" tab, nor can I set the "Security" tab for a share.
>
>My Administrator CAN do all of the above.
>
>> When I use the Computer Management console as OtherAdmin (manually 
>> created user added to Domain Admins) I can do everything as expected 
>> and shares work properly.
>>
>> I tried also to disable Administrator and reenable in ADUC but no way.
>>
>> I don't know if there's any problem in having Administrator user not 
>> working 100%..
>
>If Administrator is not working correctly, then you will have problems.
>
>> I think I'll copy all the membership of Administrator's groups to 
>> another user (OtherAdmin) then I'll deactivate the Administrator 
>> account. Looks like a workaround but if it works I will not complain.
>>
>You should not have to do this and I cannot recommend doing it.
>
>> do you think I should file a bug? maybe try to reproduce it from a 
>> fresh install?
>
>If it is a bug then I think that you are probably the only one suffering
>from it ;-) I think that your last idea is probably the best, move the
>relevant dirs etc (sysvol, private etc) out of the way and re-provision,
>add a gidNumber to Domain Users, add a user and add a uidNumber to the
>new user and then go from there.
>
>Rowland
>
>>
>>
>>
>> Lorenzo Faleschini
>> IT Manager @ Nord Est Systems srl
>> ----------------------------------------
>> m: +39 335 6055225 | skype: falegalizeit
>>
>>
>
>
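
As an added example (not part of the original message and not Samba's own code): a short Python check that lists which user accounts the DNS update policy names, so the dependency pointed out in the reply above is visible before an account is disabled. The sample text is constructed to mirror the file quoted in the message; the function names are hypothetical, and it assumes every grant uses the identity/ruletype/name/types layout seen there.

```python
import re

# Constructed sample mirroring the named.conf.update quoted in the message.
SAMPLE = """\
/* this file is auto-generated - do not edit */
update-policy {
        grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
        grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
        grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
        grant RTD-DC2$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
};
"""

def parse_grants(text):
    """Return one dict per 'grant' statement in an update-policy block."""
    # Drop /* ... */, // and # comments so they cannot be read as grants.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    grants = []
    for stmt in re.findall(r"\bgrant\s+([^;]+);", text):
        fields = stmt.split()
        if len(fields) < 3:
            continue  # not the identity/ruletype/name layout assumed here
        grants.append({"identity": fields[0], "ruletype": fields[1],
                       "name": fields[2], "types": fields[3:]})
    return grants

def classify(identity):
    """'machine' for host$@REALM, 'user' for name@REALM, 'realm' otherwise."""
    principal, sep, _realm = identity.partition("@")
    if not sep:
        return "realm"
    return "machine" if principal.endswith("$") else "user"

def grants_for_account(text, account):
    """Grants whose user principal matches the account (case-insensitive)."""
    return [g for g in parse_grants(text)
            if classify(g["identity"]) == "user"
            and g["identity"].partition("@")[0].lower() == account.lower()]

if __name__ == "__main__":
    # On a DC, read /var/lib/samba/private/named.conf.update instead of SAMPLE.
    for g in grants_for_account(SAMPLE, "Administrator"):
        print(f"{g['identity']} may update {g['name']} "
              f"({' '.join(g['types'])}) via {g['ruletype']}")
```
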


