[Samba] Administrator can no longer connect to member server after removing uidnumber from administrator

Shane Robinson srobinson at simpeq.ca
Fri Mar 6 12:17:35 MST 2015


Hello list!

Some of you may recall my recent semi-spamming of this wonderful list with
questions about acl problems on a member server. It turns out that I should
not have immediately assigned a UIDnumber to Administrator, nor a GIDNumber
to Domain Admins. :(

I have removed the NIS attributes for Administrator and Domain Admins in
ADUC, and have not been able to log in to the member server as Administrator
since. I have done a net cache flush, and restarted this member server.

The sam.ldb and idmap.ldp appear to contain the mappings for the correct SID
(s-1-5-21-<STUFF>-500), but on the member server:

log.winbindd contains:
	Could not convert sid S-1-5-21-<STUFF>-500: NT_STATUS_NONE_MAPPED

And log.winbindd-idmap contains:
	Could not get unix ID for SID S-1-5-21-<STUFF>-500

While I have in log.wb-<DOMAIN>
	NTLM CRAP authentication for user [<DOMAIN>]\[administrator] returned NT_STATUS_OK (PAM: 0)

Log.smbd shows failures in winbind, NTLMSSP, and SPNEGO of:
NT_STATUS_NO_SUCH_USER.


From a DC, or the member this works: (samba1 is a Domain Controller)
smbclient -L samba1.<DOMAIN>.<TLD> -Uadministrator

But this does not (fs3 is the Member Server):
smbclient -L fs3.<DOMAIN>.<TLD> -Uadministrator

This does work:
smbclient -L fs3.<DOMAIN>.<TLD> -U<normal user>


Any ideas?

Thanks everyone!


Shane Robinson
Chief Administrative Officer
SimpeQ Care Inc.
t. 604.988.3103 ext. 104
c. 604.506.3311
f. 604.988.3105
Please consider the environment before printing this email.




