[Samba] Samba 4 AD share: Access denied
Rowland Penny
rowlandpenny at googlemail.com
Wed Aug 6 13:48:58 MDT 2014
On 06/08/14 20:09, Ryan Ashley wrote:
> Alright, here are the results. I gave the domain admin UID 10001, and
> it shows up. I gave the domain users group a GID, and it shows also.
>
> root@dc01:~# ldbsearch --url=/var/lib/samba/private/sam.ldb sAMAccountName=reachfp
> # record 1
> dn: CN=reachfp,CN=Users,DC=truevine,DC=lan
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> description: Built-in account for administering the computer/domain
> instanceType: 4
> whenCreated: 20140619182759.0Z
> uSNCreated: 3545
> objectGUID: 95f14a06-9370-40ef-8587-546afd171bb6
> userAccountControl: 512
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 130476760790000000
> primaryGroupID: 513
> objectSid: S-1-5-21-1282933182-1339137838-203774845-500
> adminCount: 1
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=truevine,DC=lan
> isCriticalSystemObject: TRUE
> memberOf: CN=Administrators,CN=Builtin,DC=truevine,DC=lan
> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=truevine,DC=lan
> memberOf: CN=Enterprise Admins,CN=Users,DC=truevine,DC=lan
> memberOf: CN=Schema Admins,CN=Users,DC=truevine,DC=lan
> memberOf: CN=Domain Admins,CN=Users,DC=truevine,DC=lan
> userPrincipalName: reachfp@truevine.lan
> givenName: Reach
> sAMAccountName: reachfp
> cn: reachfp
> name: reachfp
> sn: Technology FP
> displayName: Reach Technology FP
> uid: 10001
> whenChanged: 20140806175855.0Z
> uSNChanged: 114720
> distinguishedName: CN=reachfp,CN=Users,DC=truevine,DC=lan
>
> # Referral
> ref: ldap://truevine.lan/CN=Configuration,DC=truevine,DC=lan
>
> # Referral
> ref: ldap://truevine.lan/DC=DomainDnsZones,DC=truevine,DC=lan
>
> # Referral
> ref: ldap://truevine.lan/DC=ForestDnsZones,DC=truevine,DC=lan
>
> # returned 4 records
> # 1 entries
> # 3 referrals
> root@dc01:~# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=Domain\ Users
> # record 1
> dn: CN=Domain Users,CN=Users,DC=truevine,DC=lan
> objectClass: top
> objectClass: group
> cn: Domain Users
> description: All domain users
> instanceType: 4
> whenCreated: 20140619182759.0Z
> uSNCreated: 3541
> name: Domain Users
> objectGUID: 84560291-87be-4664-8a4d-08f44a84accf
> objectSid: S-1-5-21-1282933182-1339137838-203774845-513
> sAMAccountName: Domain Users
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=truevine,DC=lan
> isCriticalSystemObject: TRUE
> memberOf: CN=Users,CN=Builtin,DC=truevine,DC=lan
> gidNumber: 10003
> whenChanged: 20140806180212.0Z
> uSNChanged: 114735
> distinguishedName: CN=Domain Users,CN=Users,DC=truevine,DC=lan
>
> # Referral
> ref: ldap://truevine.lan/CN=Configuration,DC=truevine,DC=lan
>
> # Referral
> ref: ldap://truevine.lan/DC=DomainDnsZones,DC=truevine,DC=lan
>
> # Referral
> ref: ldap://truevine.lan/DC=ForestDnsZones,DC=truevine,DC=lan
>
> # returned 4 records
> # 1 entries
> # 3 referrals
>
> Once I have the groups working, I'll be handing out a unique UID to
> each user account, starting with the built-in ones.
>
> On 08/06/2014 02:33 PM, Rowland Penny wrote:
>> On 06/08/14 19:20, Ryan Ashley wrote:
>>> Alright, I already gave every group a gIDNumber using the "advanced
>>> features" option via the "Attribute Editor". Each group has a unique
>>> ID. There are 16 built-in groups (domain admins, domain users, etc)
>>> and five I have. My last group ended with 10021. The first group was
>>> 10001. I then stopped S4 on my print-server, deleted
>>> "group_mapping.tdb", "winbind_cache.tdb", and "winbind_idmap.tdb",
>>> rebooted the server, and (S4 starts automatically) changed group
>>> ownership of a directory to "domain admins". When listing the
>>> directory with "ls -lAn", it showed 70012, not 10001. So they all
>>> have gIDNumber set now, but it isn't pulling through. What could
>>> cause that?
>>
>> OK, can you post the results of these two commands (run on the S4
>> server):
>>
>> ldbsearch --url=/usr/local/samba/private/sam.ldb sAMAccountName=<username>
>>
>> ldbsearch --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users
>>
>> Replace <username> with a valid domain user, you may also have to
>> change the path to sam.ldb, you may also have to install ldb-tools,
>> but as I think that as you compiled samba yourself, they will be
>> installed in /usr/local/samba/bin
>>
>> Rowland
>>
>>>
>>> On 08/06/2014 01:58 PM, Rowland Penny wrote:
>>>> On 06/08/14 18:50, Ryan Ashley wrote:
>>>>> Sorry Rowland! I accidentally sent this to you the first go
>>>>> around. My bad.
>>>>>
>>>>> I am actually surprised that a few others in the IT field know how
>>>>> to toy with carbs and such. My hobby is antique tractors and road
>>>>> vehicles. I love how easy it is to work on them. I wouldn't touch
>>>>> my 2013 F-150 with a ten-foot pole though. Too many computers and
>>>>> such. Also, the engine is covered in plastic guards, but I digress.
>>>>>
>>>>> What information have I not answered fully? If I did not
>>>>> understand what was asked, I asked about it. Like when "ute" was
>>>>> posted. I have posted my configs each time they are asked for.
>>>>> Nothing has been edited. I asked about NIS and you gave me the
>>>>> link at MS I read a while back. It says install the NIS stuff. S4
>>>>> says NIS is installed. Now I am confused. I very obviously cannot
>>>>> install NIS stuff from 2008 R2 into a Linux system with S4, and S4
>>>>> says it is running NIS according to the test on the wiki page I
>>>>> linked below. Do you understand my confusion now?
>>>>>
>>>>> To add to that, MS says that once the NIS stuff is on the server
>>>>> (again, S4 says it is), I will see the UNIX tab on my ADUC tool.
>>>>> This is why I have been very hesitant to use the advanced feature
>>>>> and attempt to add ID's. If the tool isn't detecting NIS and I
>>>>> force this stuff, will something break? If I can get a guarantee
>>>>> that nothing will break if I force ID's via the advanced options,
>>>>> I'll do it right now. My thought process is different however. It
>>>>> goes something like "I need to get NIS working on the S4 server,
>>>>> then the regular tab will show up, and I am golden. Since it is
>>>>> not showing up, I probably shouldn't attempt to force ID's through
>>>>> the advanced option". Am I wrong here?
>>>>>
>>>>> As for questions, I asked two or three times if I needed that line
>>>>> in my member server configurations, and I was just now told that I
>>>>> should only have it on DC's. This is fine, but we all miss or
>>>>> forget to answer once in a while, so if I forgot something, kindly
>>>>> remind me and I will be happy to answer it. Oh, and what about my
>>>>> question for the line that sets a range of 500-40000?
>>>>>
>>>>> I'm not aggravated with anybody, but I need this fixed. I am a
>>>>> VERY BUSY person and I may forget things. Do not take it
>>>>> personally, please. I love the S4 project and it has worked fine
>>>>> up until now. I believe my issue here is that I must assign an ID
>>>>> to each group and each user for file shares to work correctly
>>>>> under Linux. My other clients share files from Linux-based NAS
>>>>> devices and that is PROBABLY the key difference. Now I know I can
>>>>> add these ID numbers without the UNIX tab, but is it safe to do that
>>>>>
>>>>> On 08/06/2014 04:29 AM, Rowland Penny wrote:
>>>>>> On 06/08/14 05:24, Ryan Ashley wrote:
>>>>>>> Plenty of replies since this afternoon! I will try to answer
>>>>>>> your questions in order, as well as ask questions.
>>>>>>>
>>>>>>> "All provisioning with RFC2307 does is add the ypServ30.ldif, it
>>>>>>> does not do anything else, it is up to you to use it. "
>>>>>>>
>>>>>>> Alright, how? Remember, all my domains are golden except this. I
>>>>>>> have never had to use ldif files or assign ID numbers because
>>>>>>> they always just worked.
>>>>>>>
>>>>>>
>>>>>> By adding whatever RFC2307 attributes that you will need, these
>>>>>> are usually uidNumber, gidNumber, loginShell and
>>>>>> unixHomeDirectory. How you add them is up to you, you can use
>>>>>> samba-tool, ADUC or even write your own scripts around ldb-tools
>>>>>> etc.
>>>>>>
>>>>>> I think that in the past you must have been using the winbind rid
>>>>>> backend, only problem with this is that (at the moment) you get
>>>>>> different id numbers on the server from any client.
>>>>>>
>>>>>>> "This is a known windows problem, search Google (other search
>>>>>>> providers are available) for a solution."
>>>>>>>
>>>>>>> I have been searching, and I have tried loads of results, to no
>>>>>>> avail. Some said install libnss-ldapd, which I still don't know
>>>>>>> what it does, others said to do various config entries, also to
>>>>>>> no avail, so I am back here. I have reverted my changes since
>>>>>>> nothing worked.
>>>>>>
>>>>>> You cannot have searched very hard, the search term 'no unix
>>>>>> attributes tab' turns up about 1,910,000 results and the top one is:
>>>>>>
>>>>>> http://support.microsoft.com/kb/921913
>>>>>>
>>>>>>>
>>>>>>> "I'd guess you don't have a UNIX tab because the Samba AD schema
>>>>>>> doesn't have it. I'm not sure why that would be, since I don't
>>>>>>> use any of the UNIX AD extensions myself."
>>>>>>
>>>>>> That was a very wrong statement, even if you do not provision
>>>>>> with rfc2307, you still get the rfc2307 attributes and
>>>>>> objectclasses in AD and it is not the reason you haven't got the tab
>>>>>>
>>>>>>>
>>>>>>> I never have either, it always JUST WORKED. This is not
>>>>>>> frustration with the help, it is frustration in that it just
>>>>>>> refuses to work for no good reason. That's why I am attempting
>>>>>>> to ditch Windows, because things just don't work and nobody
>>>>>>> knows why. I actually feel that Rowland and Steve have been
>>>>>>> great, and have made me SERIOUSLY question the highly incomplete
>>>>>>> guides on the wiki. I mean nowhere does it mention the line that
>>>>>>> creates the keytab for Kerberos in any guides. Nowhere does it
>>>>>>> mention the ID's or anything else they have talked with me
>>>>>>> about. I honestly believe the ID numbers will solve the issue,
>>>>>>> but I cannot do that yet.
>>>>>>>
>>>>>>> "You do not need to provision with rfc2307 nor do you need a
>>>>>>> UNIX tab to allocate uidNumbers. You already have what you need.
>>>>>>> Please try it."
>>>>>>>
>>>>>>> Alright, how? Again, and this is what I keep repeating, I have
>>>>>>> NEVER had to do this before. Up to this very point in time, S4
>>>>>>> has been rock-solid. None of my other domains use the Kerberos
>>>>>>> keytab. None of them use uID's or gID's. They all just work.
>>>>>>> You're telling me I have the tools to do this, but it is like me
>>>>>>> telling you to adjust your main jet to 1.5 turns out. Unless
>>>>>>> you're into antiques like I am, you haven't a clue what I mean
>>>>>>> or how to do it. I am not trying to be rude, I just literally do
>>>>>>> not have a clue how to do this.
>>>>>>>
>>>>>>
>>>>>> er, I actually do know what you are talking about when it comes
>>>>>> to the main jet, this would be the initial setting on the
>>>>>> carburettor and you would adjust the high speed running from
>>>>>> there, what do you set the slow run jet to ?
>>>>>>
>>>>>> Just how did you setup samba prior to having these problems, did
>>>>>> you set it up as a PDC or a standalone or what ?
>>>>>>
>>>>>> You also seem very reticent about answering questions, you never
>>>>>> seem to quite answer them fully, sometimes not at all.
>>>>>>
>>>>>>> "You have to activate advanced features in ADUC and edit the
>>>>>>> attributes from the attribute editor tab."
>>>>>>>
>>>>>>> Yes, I did that and saw it in there, but chose not to edit that
>>>>>>> way for one reason. According to many posts I read on search
>>>>>>> results from Google, the UNIX tab shows up once the system
>>>>>>> detects NIS. I believe NIS is off for some reason, but I did the
>>>>>>> check at the link below and it returned one result, indicating
>>>>>>> that NIS is supposedly enabled. It would be better to simply
>>>>>>> show me a yes or no, but I guess that isn't an option.
>>>>>>>
>>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan
>>>>>>>
>>>>>>> Referenced from:
>>>>>>> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>>>>>>>
>>>>>>> Ricky:
>>>>>>> I have NOT pulled any packages from any repos. I cloned the
>>>>>>> official repo, configured and built. It turns out that by
>>>>>>> default it builds 4.2.0-pre<xyz> instead of 4-1-stable. In an
>>>>>>> attempt to rule out a 4.2 bug, I uninstalled (make uninstall)
>>>>>>> 4.2 and configured and built 4.1, then installed it. I
>>>>>>> completely removed any leftover files and directories by hand,
>>>>>>> with the exception of my configuration file. Here's the info you
>>>>>>> requested.
>>>>>>>
>>>>>>> root@fs01:~# getent passwd | grep reachfp
>>>>>>> reachfp:*:70010:70002:reachfp:/home/TRUEVINE/reachfp:/bin/false
>>>>>>> root@fs01:~# getent passwd | grep cynthiaj
>>>>>>> cynthiaj:*:70016:70002:Cynthia Jones:/home/TRUEVINE/cynthiaj:/bin/false
>>>>>>> root@fs01:~# getent passwd | grep daquanm
>>>>>>> daquanm:*:70002:70002:DaQuan Major:/home/TRUEVINE/daquanm:/bin/false
>>>>>>> root@fs01:~# getent passwd | grep reach_support
>>>>>>> reach_support:*:70015:70002:Reach Support:/home/TRUEVINE/reach_support:/bin/false
>>>>>>>
>>>>>>
>>>>>> All of those numbers are coming from the 'builtin' range
>>>>>> (70001-80000) and shouldn't be and wouldn't be if you gave your
>>>>>> users and groups uidNumber's & gidNumber's
>>>>>>
>>>>>> If you do not want to do this, change this line:
>>>>>>
>>>>>> idmap config TRUEVINE:backend = ad
>>>>>>
>>>>>> To this:
>>>>>>
>>>>>> idmap config TRUEVINE:backend = rid
>>>>>>
>>>>>> Remove these:
>>>>>>
>>>>>> idmap config TRUEVINE:schema_mode = rfc2307
>>>>>> idmap_ldb:use rfc2307 = yes # this shouldn't be on the fileserver anyway, it's for the AD server
>>>>>> auth methods = winbind
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>> =====================
>>>>>>> FS01 Configuration File:
>>>>>>> =====================
>>>>>>> [global]
>>>>>>> netbios name = FS01
>>>>>>> workgroup = TRUEVINE
>>>>>>> security = ADS
>>>>>>> realm = TRUEVINE.LAN
>>>>>>> encrypt passwords = yes
>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>> kerberos method = secrets and keytab
>>>>>>>
>>>>>>> idmap config *:backend = tdb
>>>>>>> idmap config *:range = 70001-80000
>>>>>>> idmap config TRUEVINE:backend = ad
>>>>>>> idmap config TRUEVINE:schema_mode = rfc2307
>>>>>>> idmap config TRUEVINE:range = 500-40000
>>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>>>
>>>>>>> winbind nss info = rfc2307
>>>>>>> winbind trusted domains only = no
>>>>>>> winbind use default domain = yes
>>>>>>> winbind enum users = yes
>>>>>>> winbind enum groups = yes
>>>>>>>
>>>>>>> vfs objects = acl_xattr
>>>>>>> map acl inherit = yes
>>>>>>> store dos attributes = yes
>>>>>>> auth methods = winbind
>>>>>>> log level = 3
>>>>>>>
>>>>>>> [install$]
>>>>>>> path = /home/shared/install
>>>>>>> comment = "Software installation files"
>>>>>>> read only = no
>>>>>>> guest ok = no
>>>>>>>
>>>>>>> [staff$]
>>>>>>> path = /home/shared/staff
>>>>>>> comment = "Staff file share"
>>>>>>> read only = no
>>>>>>> guest ok = no
>>>>>>>
>>>>>>> [fbc$]
>>>>>>> path = /home/shared/fbc
>>>>>>> comment = "Family Bible College file share"
>>>>>>> read only = no
>>>>>>> guest ok = no
>>>>>>>
>>>>>>>
>>>>>>> One thing I am unclear on is whether or not I need
>>>>>>> "idmap_ldb:use rfc2307 = yes" in member server configs or ONLY
>>>>>>> AD DC configs. Also, what does "idmap config TRUEVINE:range =
>>>>>>> 500-40000" specify? I was trying to set AD users to 70001-80000
>>>>>>> for their ID's, but maybe I misunderstand things. Thanks for
>>>>>>> your help and input. I'm not frustrated with you guys, just the
>>>>>>> fact that ONE server is acting up and I am having to do all
>>>>>>> kinds of things I have never had to do before just to share
>>>>>>> files. It isn't a bad frustration however, I enjoy building
>>>>>>> projects from source and using Linux in general. If this was
>>>>>>> Windows I'd have found an alternative by now.
>>>>>>>
>>>>>>> On 8/5/2014 11:57 PM, Ricky Nance wrote:
>>>>>>>> So IF I read the 70+ previous mails correctly, it looks like you have
>>>>>>>> tried both packages and samba source, if this is the case you could
>>>>>>>> have some seriously screwed up library files, causing various issues
>>>>>>>> (such as binaries just crashing at certain points). With that said,
>>>>>>>> there is a fair chance that your libnss_winbind.so (or so.2) is
>>>>>>>> mismatched from your current winbind causing exactly this issue.
>>>>>>>>
>>>>>>>> Is there any chance you can give us a current recap of your
>>>>>>>> issue/setup? Include current configs (if you need to mask something,
>>>>>>>> make that clear). Also please provide the output of getent passwd |
>>>>>>>> grep ADUSER (replace ADUSER with an actual user) and which setup
>>>>>>>> (package or source, and which package you are using) you currently
>>>>>>>> have (as well as what you have tried there too).
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Ricky
>>>>>>>>
>>>>>>>> On Tue, Aug 5, 2014 at 3:18 PM, Davor Vusir
>>>>>>>> <davortvusir at gmail.com> wrote:
>>>>>>>>> 2014-08-05 20:32 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>>>>>>>> Well, again, no issues until now. I never did the Kerberos keytab
>>>>>>>>>> thing before, and everything works. Never did the NIS thing before,
>>>>>>>>>> and everything works. Now I am learning these things should be done
>>>>>>>>>> and I have been told what to do and have done them as well as
>>>>>>>>>> documented them in our technical reference. However, I am now at the
>>>>>>>>>> point where I cannot set ID's due to not having the UNIX tab in
>>>>>>>>>> ADUC. I did provision with "--use-rfc2307" and it is in all of my S4
>>>>>>>>>> configuration files, but no luck yet. What do I need to check to get
>>>>>>>>>> that tab to appear? If assigning an ID fixes this, I will HAPPILY do
>>>>>>>>>> it on all of our domains as we go out for maintenance.
>>>>>>>>>>
>>>>>>>>> You have to activate advanced features in ADUC and edit the
>>>>>>>>> attributes from the attribute editor tab.
>>>>>>>>>
>>>>>>>>> It's a pity we couldn't help you sort this out. I think it's quite
>>>>>>>>> strange that it doesn't work at this particular server as you say
>>>>>>>>> that this is the standard way of yours to configure Samba. Why it
>>>>>>>>> doesn't work, I really don't know. One thing that springs to mind
>>>>>>>>> is, and I don't have knowledge enough to back it up, when using the
>>>>>>>>> TDB backend you're not guaranteed consistent id mapping through the
>>>>>>>>> server park. I have found nothing that states that winbind populates
>>>>>>>>> the tdb-databases in a certain order (a-z, ascending SID numbering
>>>>>>>>> or other mechanism). Which of course might give you different
>>>>>>>>> uidnumbers (from the *:range) for different accounts. Please correct
>>>>>>>>> me if I'm wrong. Is there a way to check this?
>>>>>>>>>
>>>>>>>>> But I do think that Rowland and Steve are right to 'push' for
>>>>>>>>> populating and using uid- and gidnumbers. uid- and gidnumbers with
>>>>>>>>> an interpreter like winbind, sssd or other is a/the bridge between
>>>>>>>>> Linux and windows. And it's a low-cost activation and maintenance. I
>>>>>>>>> think you should consider their advice and rethink your setup.
>>>>>>>>>
>>>>>>>>> Well, I'm out of ideas except that I have noticed that the
>>>>>>>>> activation of vfs module acl_xattr in the global section of smb.conf
>>>>>>>>> does not always/ever work on a mounted volume created from LVM. You
>>>>>>>>> might need to/have to put it in the share section.
>>>>>>>>>
>>>>>>>>> If you find out what caused this, please let us know.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Davor
>>>>>>>>>
>>>>>>>>>> On 08/05/2014 02:16 PM, steve wrote:
>>>>>>>>>>> On Tue, 2014-08-05 at 13:17 -0400, Ryan Ashley wrote:
>>>>>>>>>>>> The way that sounds, the "file server" guide is incomplete,
>>>>>>>>>>>> because nowhere does it mention any of what you're telling me. I
>>>>>>>>>>>> also have little trouble finding good documentation on every
>>>>>>>>>>>> Linux product I use. S4 is the one big exception, but with the
>>>>>>>>>>>> guides, it eliminates some of that need. I do not buy the whole
>>>>>>>>>>>> argument of using Windows for documentation, because 90% of
>>>>>>>>>>>> their documentation is rambling crud. When you get an error and
>>>>>>>>>>>> have an ID, the docs don't have the ID you want, you are hosed.
>>>>>>>>>>> Unless you know what you're doing, the time it takes to get up on
>>>>>>>>>>> user-land Linux compared with enterprise or microsoft
>>>>>>>>>>> out-of-the-box-or-just-call-the-engineer is false economy.
>>>>>>>>>>>> Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2
>>>>>>>>>>>> with the latest updates. The stable repos have an OLD version of
>>>>>>>>>>>> S4, and I do not mind building it myself anyway.
>>>>>>>>>>> Debian doesn't install samba unless you tell it?
>>>>>>>>>>>> Finally, you have told me I need this and that, but no direction
>>>>>>>>>>>> is noted.
>>>>>>>>>>> http://bit.ly/1s8LTZc
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> To unsubscribe from this list go to the following URL and
>>>>>>>>>> read the
>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>
>>>>>>
>>>>>
>>>> Too late, I already replied ;-)
>>>>
>>>> Rowland
>>>>
>>>
>>
>
OK, I would suggest that you rename reachfp back to Administrator. The
attribute for the user's ID is uidNumber, not uid. Do not give
Administrator a uidNumber; please remove the 'uid'. If you want a user
named reachfp, create a new one.
Rowland
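
The checks discussed in this thread, as an added example (not code from the original posts or from the Samba project): a Python audit that parses `ldbsearch` output and flags entries whose RFC2307 ID attributes do not fit a member server using `idmap config TRUEVINE:backend = ad`. The function names and the `exampleuser` record are hypothetical; the range 500-40000 is assumed from the smb.conf quoted above.

```python
DOMAIN_RANGE = (500, 40000)  # 'idmap config TRUEVINE:range' from the quoted smb.conf
ADMIN_RID = "500"            # well-known RID of the built-in Administrator

# Constructed sample: the first two records are trimmed from the output quoted in
# the thread; 'exampleuser' and its SID and uidNumber are made up for illustration.
SAMPLE = """\
# record 1
dn: CN=reachfp,CN=Users,DC=truevine,DC=lan
objectClass: user
objectSid: S-1-5-21-1282933182-1339137838-203774845-500
uid: 10001

dn: CN=Domain Users,CN=Users,DC=truevine,DC=lan
objectClass: group
objectSid: S-1-5-21-1282933182-1339137838-203774845-513
gidNumber: 10003

dn: CN=exampleuser,CN=Users,DC=truevine,DC=lan
objectClass: user
objectSid: S-1-5-21-1282933182-1339137838-203774845-1105
uidNumber: 70010

# Referral
ref: ldap://truevine.lan/CN=Configuration,DC=truevine,DC=lan
"""


def parse_records(text):
    """Return one dict (attribute -> list of values) per entry; referrals are skipped."""
    records, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():                     # a blank line ends a block
            if "dn" in current:
                records.append(current)
            current, last = {}, None
        elif line.startswith("#"):               # '# record N', '# Referral', counters
            continue
        elif line.startswith(" ") and last:      # folded LDIF continuation line
            current[last][-1] += line[1:]
        else:
            last, _, value = line.partition(":")
            # base64 values ('attr:: ...') are kept encoded; not needed for this audit
            current.setdefault(last, []).append(value.lstrip(":").strip())
    return records


def audit(record, id_range=DOMAIN_RANGE):
    """Return a list of findings for one user or group entry."""
    findings, (lo, hi) = [], id_range
    is_group = "group" in record.get("objectClass", [])
    attr = "gidNumber" if is_group else "uidNumber"
    rid = record.get("objectSid", [""])[0].rsplit("-", 1)[-1]
    # 'uid' normally holds a login name; a number there suggests the wrong attribute
    if not is_group and any(v.isdigit() for v in record.get("uid", [])):
        findings.append("numeric 'uid' set; the ID attribute is uidNumber")
    values = record.get(attr, [])
    if not is_group and rid == ADMIN_RID:        # advice in the thread: no uidNumber here
        return findings + (["RID 500 account has a uidNumber"] if values else [])
    if not values:
        findings.append(f"{attr} not set")
    for v in values:
        if not v.isdigit() or not lo <= int(v) <= hi:
            findings.append(f"{attr} {v} outside idmap range {lo}-{hi}")
    return findings


def audit_text(text):
    """Map each entry's dn to its findings, omitting clean entries."""
    results = ((r["dn"][0], audit(r)) for r in parse_records(text))
    return {dn: found for dn, found in results if found}
```

Calling `audit_text()` on the saved output of the `ldbsearch` commands from the thread gives one list of findings per problem entry.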