[Samba] Why would "net rpc rights grant" fail ?

Rowland Penny rowlandpenny at googlemail.com
Thu Apr 17 08:36:22 MDT 2014


On 17/04/14 14:50, Koenraad Lelong wrote:
> On 17-04-14 12:07, Rowland Penny wrote:
>> OK, I take it that you have not altered the Administrators group
>> yourself, all you have done is run 'samba-tool domain classicupgrade',
>> is this correct ?
> Yes, that's correct.
>
>>
>> If this is correct, then somehow the group 'nobody' on the old server
>> with the gid of '65533' has got mapped to your Administrators group.
>>
> Shouldn't I (try to) correct the source of the error then? Since it's 
> a virtual test-environment, I can go back and try again with new data.
> How to correct it is of course another matter.

Well, yes you do need to fix the problem at source, but if you remove 
the attributes that I suggested and it then starts to work as it should, 
then you have found your problem and it should point to what you need to 
do to fix it in the source.

>
>> I would suggest that you remove the following from your Administrators
>> group:
>>
>> objectClass: posixGroup
>> gidNumber: 65533
>> msSFU30NisDomain: ace_domain
>>
>> You can do this with ldbedit:
>>
>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
>>
>> Search for
>> 'CN=Administrators,CN=Builtin,DC=ad01,DC=ace-electronics,DC=be' and then
>> just delete them.
>>
>> then run 'samba-tool ntacl sysvolreset'
>>
>> Hopefully, this should reset the ownership of sysvol to what it 
>> should be.
>>
>> Rowland
>
> In another post you said I lack a bunch of groups. So that has to be 
> fixed also. This also suggests that my classicupgrade did not go like 
> it should.
>

If I remember correctly, idmap.ldb only contained 4 records. I think that 
all your problems could have the same source: somewhere in your original 
samba database there is a user called 'root' or 'administrator' with the 
uid of '0' and the gid '65533'.

> As an experiment I'm going to try to modify that guid.
>
On your original samba server you should have a utility 'tdbdump'. This 
does exactly what it says on the tin: use it to dump the contents of 
your samba tdb files, either to screen or redirected into a file, then 
examine this and see if you can find the problem.

Rowland
> Koenraad
>
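
A check that can be run before and after the ldbedit step described above (an added example, not part of the original post): it reads LDIF, such as ldbsearch output, and lists entries under CN=Builtin that carry the POSIX attributes named in the thread. The function names and the sample entries are constructed for illustration, using the DN and values quoted above.

```shell
#!/bin/sh
# Added example: flag Builtin groups in an LDIF dump that carry POSIX
# attributes (objectClass posixGroup, gidNumber, msSFU30NisDomain).

# find_posix_on_builtin (hypothetical name): reads LDIF on stdin and prints
# "<dn><TAB><offending attributes>" for each entry under CN=Builtin.
find_posix_on_builtin() {
    awk '
    function flush_line() {            # process one unfolded attribute line
        if (cur ~ /^dn: /)
            dn = substr(cur, 5)
        else if (cur ~ /^(objectClass: posixGroup$|gidNumber: |msSFU30NisDomain: )/)
            hits = hits (hits == "" ? "" : "; ") cur
        cur = ""
    }
    function flush_record() {          # end of entry: report, then reset
        flush_line()
        if (hits != "" && tolower(dn) ~ /,cn=builtin,/)
            print dn "\t" hits
        dn = ""; hits = ""
    }
    /^#/ { next }                          # ldbsearch "# record N" comments
    /^ / { cur = cur substr($0, 2); next } # LDIF folded continuation line
    /^$/ { flush_record(); next }          # blank line separates entries
         { flush_line(); cur = $0 }
    END  { flush_record() }
    '
}

# Constructed sample input. Record 1 has a folded DN; record 3 is a normal
# POSIX group outside CN=Builtin and must not be reported.
sample_ldif() {
    cat <<'EOF'
# record 1
dn: CN=Administrators,CN=Builtin,DC=ad01,DC=ace-electronics,
 DC=be
objectClass: top
objectClass: group
objectClass: posixGroup
gidNumber: 65533
msSFU30NisDomain: ace_domain

# record 2
dn: CN=Users,CN=Builtin,DC=ad01,DC=ace-electronics,DC=be
objectClass: group

# record 3
dn: CN=staff,CN=Users,DC=ad01,DC=ace-electronics,DC=be
objectClass: posixGroup
gidNumber: 10000
EOF
}

sample_ldif | find_posix_on_builtin
```

To check a live database, pipe the output of `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=group)'` into the function instead of the sample; after the attributes are removed it should print nothing for the Administrators entry.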


