[Samba] centos 6.5 sernet-samba 4.1.6 member server winbind idmap fail

Lorenzo Faleschini lorenzo.faleschini at nordestsystems.com
Fri Apr 11 01:48:40 MDT 2014


OK, I was just wondering wrongly :) my domain is clearly screwed.

I hadn't noticed this weird behaviour of Administrator until I started 
to play with a Linux member.

In the Samba logs I see no errors (except CUPS, but I don't bother about that).
I have a Zimbra box that uses the DC for auto-provisioning accounts and 
auth.. perfectly working.
An ownCloud server with LDAP accounts from the DC.. no problems.
Some Windows machines with a couple of GPOs and shares... running.

...I really can't say at what point in time this got broken.

I have to face a complete reprovision and rejoin of all the clients (I hope 
Zimbra and ownCloud will give no problems, as I suppose they'll stick to 
their config files since they're not joined with net join but just use 
LDAP accounts to get auth and info).

Maybe better to start from clean VMs:
- install sernet's packages
- provision the same domain
- set Domain Users with a GID
- import users (and set UID and GID directly from samba-tool create)
- join the fileserver as a member
- test Administrator behaviour and all the other functions

If it's all OK, then I shut down the old DC, change the IP on the new one 
(adapting also the DNS entries and the fileserver's net config) and I should be 
good to go
(rejoining all the Windows boxes).

Am I right with this hard path?


Lorenzo Faleschini
IT Manager @ Nord Est Systems srl
----------------------------------------
m: +39 335 6055225 | skype: falegalizeit
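The clean-VM plan above (provision with RFC2307 attributes, give Domain Users a gidNumber, create users with uidNumber/gidNumber, join the fileserver and check the mapping), written out as an added shell sketch. This is not code from the thread or from the Samba project; the realm, NetBIOS name, base DN, id numbers, user name and the hypothetical REPROVISION_STEP / LDB_CMD switches are assumptions for illustration. The samba-tool options used are the RFC2307 ones the poster refers to (--use-rfc2307 on provision, --uid-number/--gid-number on user create).

```shell
#!/bin/sh
# Added example (not from the thread): the clean-VM reprovision plan as shell.
# Realm, domain, base DN, id numbers and user names are assumptions.
set -eu

REALM="INTERNAL.DOMAIN.TLD"                  # assumed; same realm as the quoted named.conf.update
DOMAIN="INTERNAL"                            # assumed NetBIOS domain name
BASE_DN="DC=internal,DC=domain,DC=tld"       # assumed, derived from REALM
SAM_DB="/var/lib/samba/private/sam.ldb"      # Samba's default sam.ldb location
LDB_CMD="${LDB_CMD:-ldbmodify -H $SAM_DB}"   # hypothetical switch: LDB_CMD=cat gives a dry run

# LDIF that gives an existing group a gidNumber. Provision creates
# Domain Users without one, and winbind cannot map a group that has none.
group_gid_ldif() {  # $1 = group CN, $2 = gidNumber
    printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\nreplace: gidNumber\ngidNumber: %s\n' \
        "$1" "$BASE_DN" "$2"
}

# Apply the LDIF to sam.ldb (step "set Domain Users with a GID").
set_group_gid() {  # $1 = group CN, $2 = gidNumber
    group_gid_ldif "$1" "$2" | $LDB_CMD
}

# Create a user with uidNumber/gidNumber set at creation time (step "import
# users"), using the RFC2307 options of samba-tool user create.
create_unix_user() {  # $1 = name, $2 = uidNumber, $3 = gidNumber
    samba-tool user create "$1" --random-password \
        --uid-number="$2" --gid-number="$3" \
        --unix-home="/home/$1" --login-shell=/bin/bash
}

# On the new DC: provision with RFC2307 attributes enabled, then fix the ids.
provision_dc() {
    samba-tool domain provision --realm="$REALM" --domain="$DOMAIN" \
        --server-role=dc --dns-backend=BIND9_DLZ --use-rfc2307 \
        --adminpass="${ADMIN_PASS:?export ADMIN_PASS first}"
    set_group_gid "Domain Users" 10513      # 10513 is an assumed gidNumber
    create_unix_user lorenzo 10001 10513    # assumed uidNumber and user name
}

# On the file server: join as a member and verify that winbind can resolve
# the new ids before rejoining any Windows client.
join_and_check_member() {
    net ads join -U Administrator
    wbinfo -u
    getent passwd lorenzo
    getent group "Domain Users"
}

# Nothing runs unless explicitly requested (hypothetical REPROVISION_STEP
# variable), so the file can be sourced just for its functions.
case "${REPROVISION_STEP:-}" in
    dc)     provision_dc ;;
    member) join_and_check_member ;;
esac
```

Run it with `REPROVISION_STEP=dc` on the new DC and `REPROVISION_STEP=member` on the file server; `LDB_CMD=cat` prints the LDIF instead of writing it, which is a cheap way to review the gidNumber change before touching sam.ldb.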

On 11/04/2014 09:08, L.P.H. van Belle wrote:
> Hi,
>
>>> I think I'll copy all the membership of Administrator's groups to
>>> another user (OtherAdmin) then I'll deactivate the Administrator
>>> account. Looks like a workaround but if it works I will not complain.
>>>
>> You should not have to do this and I cannot recommend doing it.
> Don't do this!
>
> because of kerberos updates and dns updates..
>
> look :  cat /var/lib/samba/private/named.conf.update
>
> /* this file is auto-generated - do not edit */
> update-policy {
>          grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
> ====>>  grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;	<<<=======
>          grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
>          grant RTD-DC2$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
> };
>
> what do you think will happen if you disable administrator..  ;-)
>
> Louis
>
>
>
>
>> -----Original message-----
>> From: rowlandpenny at googlemail.com
>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Thursday 10 April 2014 22:07
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] centos 6.5 sernet-samba 4.1.6 member
>> server winbind idmap fail
>>
>> On 10/04/14 20:51, Lorenzo Faleschini wrote:
>>> On 10/04/2014 20:24, Rowland Penny wrote:
>>>> Try removing the uidNumber from the Administrator, my Administrator
>>>> does not have a uidNumber and everything just seems to work. Mapping
>>>> Administrator to root in a file read by smb.conf is a much better idea.
>>>> Rowland
>>> Tried this, but no results.
>>> The Administrator user seems to have no privileges.
>>> When I use the Computer Management console as Administrator to manage
>>> shares on the fileserver or DC I cannot even open the "Sessions" or "Open
>>> Files" tab, nor can I set the "Security" tab for a share.
>> My Administrator CAN do all of the above.
>>
>>> When I use the Computer Management console as OtherAdmin (manually
>>> created user added to Domain Admins) I can do everything as expected
>>> and shares work properly.
>>>
>>> I tried also to disable Administrator and re-enable it in ADUC
>>> but no way.
>>> I don't know if there's any problem in having the Administrator user not
>>> working 100%..
>> If Administrator is not working correctly, then you will have problems.
>>
>>> I think I'll copy all the membership of Administrator's groups to
>>> another user (OtherAdmin) then I'll deactivate the Administrator
>>> account. Looks like a workaround but if it works I will not complain.
>>>
>> You should not have to do this and I cannot recommend doing it.
>>
>>> Do you think I should file a bug? Maybe try to reproduce it from a
>>> fresh install?
>> If it is a bug then I think that you are probably the only one suffering
>> from it ;-) I think that your last idea is probably the best, move the
>> relevant dirs etc. (sysvol, private etc.) out of the way and re-provision,
>> add a gidNumber to Domain Users, add a user and add a uidNumber to the
>> new user and then go from there.
>>
>> Rowland
>>
>>>
>>>
>>> Lorenzo Faleschini
>>> IT Manager @ Nord Est Systems srl
>>> ----------------------------------------
>>> m: +39 335 6055225 | skype: falegalizeit
>>>
>>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
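Louis's point in the quoted reply is that the auto-generated BIND9_DLZ update-policy names Administrator as a grantee, so disabling that account silently breaks dynamic DNS updates made with its credentials. The following is an added example, not code from the thread or from Samba: a small check that lists the grantees of such a policy and refuses to disable an account that still appears in it. The sample policy is constructed to match the one quoted above; the file path is Samba's default, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): read the BIND9_DLZ update-policy that
# Samba generates and refuse to disable an account that still holds a grant.
set -eu

NAMED_UPDATE="/var/lib/samba/private/named.conf.update"   # Samba's default path

# Constructed sample with the same shape as the file quoted in the thread.
sample_update_policy() {
    cat <<'EOF'
/* this file is auto-generated - do not edit */
update-policy {
         grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
         grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
         grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
         grant RTD-DC2$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
};
EOF
}

# Print "<grantee> <rule-type>" for every grant line of an update-policy file.
grant_principals() {  # $1 = path to named.conf.update
    awk '$1 == "grant" { sub(/;$/, ""); print $2, $3 }' "$1"
}

# Succeed when the account (sAMAccountName, case-insensitive; a DC's machine
# account is "NAME$") is the grantee of some rule, fail otherwise.
account_has_grant() {  # $1 = path, $2 = account name
    grant_principals "$1" | awk -v acct="$2" '
        { split($1, p, "@"); if (tolower(p[1]) == tolower(acct)) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Guard to run before "samba-tool user disable <name>": fails with a reason
# when the account still holds a dynamic-update grant.
safe_to_disable() {  # $1 = path, $2 = account name
    if account_has_grant "$1" "$2"; then
        echo "refusing: $2 is a grantee in $1; disabling it breaks dynamic DNS updates" >&2
        return 1
    fi
    echo "$2 holds no update grant in $1"
}

# Stand-alone demonstration on the constructed sample: "sh this.sh demo".
# Against a real DC call: safe_to_disable "$NAMED_UPDATE" SomeAccount
if [ "${1:-}" = "demo" ]; then
    tmp="$(mktemp)"
    sample_update_policy > "$tmp"
    grant_principals "$tmp"
    safe_to_disable "$tmp" OtherAdmin
    safe_to_disable "$tmp" Administrator || true
    rm -f "$tmp"
fi
```

The check only tells you that the account is named in the policy; since the file says it is auto-generated, hand-editing it is not the fix, and the right move (as both replies say) is to leave Administrator enabled and repair the domain instead.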