[Samba] W7 client cannot adjust file permissions via ADUC

Rowland Penny rowlandpenny at googlemail.com
Fri Jan 30 11:58:07 MST 2015

On 30/01/15 18:28, Bob of Donelson Trophy wrote:
> After restoring the member server and re-running the improved
> "4-setup-samba4-MEMBER-wheezy.sh" script I am still having the same
> issue. W7 client still not allowed to access the member server.
> Administrator still has a uidNumber:
>   getent passwd Administrator
> administrator:*:50001:50006::/home/samba/DTS***M/users/administrator:/bin/bash
> I have added a couple is test admin users (must have done it wrong.)
> Joined them to the 'Domain Admins' group and they cannot access the
> member server either.
>   wbinfo -u output is:
> adminrob
> administrator
> dns-dtdc02
> dns-dtdc01
> adminnew
> krbtgt
> guest
>   wbinfo -g output is:
> allowed rodc password replication group
> enterprise read-only domain controllers
> denied rodc password replication group
> read-only domain controllers
> group policy creator owners
> ras and ias servers
> domain controllers
> enterprise admins
> domain computers
> cert publishers
> dnsupdateproxy
> domain admins
> domain guests
> schema admins
> domain users
> dnsadmins
> How do I remove the uidNumber from the domainAdministrator and
> re-associate domainAdminstrator to root '0'?

OK, lets check if Administrator has a 'uidNumber', run this on your 
first DC:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb -b "DC=example,DC=com" 
-s sub '(&(objectclass=user)(cn=Administrator))'

this should display all the information about the Administrator user, if 
there is a 'uidNumber' attribute, delete the entire line,same goes for a 
'gidNumber' attribute, save and close nano.

You should not have any rfc2307 attributes related to Administrator now, 
so go to your member server, login as a normal user and run this:

sudo net cache flush


getent passwd administrator


More information about the samba mailing list