[Samba] can't log in as domain admin

Gary Dale garydale at torfree.net
Sat Oct 24 17:13:01 UTC 2015 

On 24/10/15 04:41 AM, Rowland Penny wrote:
> On 24/10/15 01:26, Gary Dale wrote:
>> I'm running Debian/Jessie (stable) on an AMD64 machine, with Samba 
>> Version 4.1.17-Debian. This is the domain controller, DNS server, 
>> Time server and File server for the local network.
>>
>> The problem I'm having is that Windows machines sometimes can't open 
>> files for editing. Other files in the same directory don't have that 
>> problem.
>>
>> When I look at the Unix permissions, the files causing problems have 
>> a windows user number as the owner while the ones that don't cause 
>> problems are owned by nobody. In both cases the Unix permissions are 
>> everyone has read-write-execute access to the files. Changing the 
>> Unix permission had no impact.
>>
>> Where I hit the snag however was trying to change the ACLs so that 
>> Domain Users should have read/write/execute permissions. I can't log 
>> in with the domain administrator account on any of the Windows 
>> machines. I get an error message saying user name or password is 
>> incorrect.
>>
>> I've used smb-tool on the DC to change the password so I know it is 
>> correct. And Domain Admins are in the local Administrators group on 
>> the Windows machines.
>>
>> Any tips on tracking down the problem?
>>
>
> If you are getting files that belong to numbers instead of names, this 
> usually means that Unix doesn't know who the users are, do your 
> windows users have a uidNumber? Also does 'Domain Users' have a 
> gidNumber?
>
> To test your Administrator password, you could try to obtain a 
> kerberos ticket on the Samba4 DC:
>
> kinit Administrator
>
> You should get asked for the password and then the command should 
> return without error to the prompt i.e. there should be no output.
>
> Are the windows machines joined to the domain? and are you trying to 
> log into the windows machines as DOMAIN\Administrator? local 
> Administrator != domain Administrator.
>
> Rowland
>
kinit returns Configuration file does not specify default realm when 
parsing name Administrator

And I hoped I was being clear that I was trying to log in as a Domain 
Admin, not a local one. All the machines are joined to domain and the 
users are logging with domain accounts.

More information about the samba mailing list