[Samba] can't log in as domain admin

[Rowland Penny]

On 24/10/15 01:26, Gary Dale wrote:
> I'm running Debian/Jessie (stable) on an AMD64 machine, with Samba 
> Version 4.1.17-Debian. This is the domain controller, DNS server, Time 
> server and File server for the local network.
>
> The problem I'm having is that Windows machines sometimes can't open 
> files for editing. Other files in the same directory don't have that 
> problem.
>
> When I look at the Unix permissions, the files causing problems have a 
> windows user number as the owner while the ones that don't cause 
> problems are owned by nobody. In both cases the Unix permissions are 
> everyone has read-write-execute access to the files. Changing the Unix 
> permission had no impact.
>
> Where I hit the snag however was trying to change the ACLs so that 
> Domain Users should have read/write/execute permissions. I can't log 
> in with the domain administrator account on any of the Windows 
> machines. I get an error message saying user name or password is 
> incorrect.
>
> I've used smb-tool on the DC to change the password so I know it is 
> correct. And Domain Admins are in the local Administrators group on 
> the Windows machines.
>
> Any tips on tracking down the problem?
>

If you are getting files that belong to numbers instead of names, this 
usually means that Unix doesn't know who the users are, do your windows 
users have a uidNumber? Also does 'Domain Users' have a gidNumber?

To test your Administrator password, you could try to obtain a kerberos 
ticket on the Samba4 DC:

kinit Administrator

You should get asked for the password and then the command should return 
without error to the prompt i.e. there should be no output.

Are the windows machines joined to the domain? and are you trying to log 
into the windows machines as DOMAIN\Administrator? local Administrator 
!= domain Administrator.

Rowland