[Samba] samba_upgradedns returned an error "Unable to find uid/gid for Domain Admins "

Rowland penny rpenny at samba.org
Tue Feb 2 13:58:59 UTC 2016


On 02/02/16 13:38, Markus Dellermann wrote:
> Hi again,
>
> Am Dienstag, 2. Februar 2016, 12:09:59 CET schrieb Rowland penny:
>> On 02/02/16 11:26, Markus Dellermann wrote:
>>> Am Dienstag, 2. Februar 2016, 09:51:03 CET schrieb Rowland penny:
>>>> On 01/02/16 22:24, Markus Dellermann wrote:
> [....]
>> Ok, there are two schools of thought here, you can give Administrator a
>> uidNumber attribute, but this, as far as Unix is concerned, turns
>> 'Administrator' into just another user, with no more privileges than any
>> other Unix user.
>>
>> What I use on a domain member and recommend, is the use of the user
>> mapping in smb.conf, with this 'Administrator' becomes 'root' and as
>> such, has all the privileges of 'root'.
>>
> Yes, so it is here alright on my members..
>
>> However, you are trying to do something on a DC and you shouldn't use
>> the name mapping, as this should be done for you in idmap.ldb. I suggest
>> you remove any users that appear in /etc/passwd, such as administrator,
>> that are also in AD, I would also remove the uidNumber attribute from
>> 'Administrator' in AD.
> OK
>> This should then reset 'Administrator' to '0'
>>
> I have inserted 0 there now and it gave "it's already assigned..."

No, I said *remove* the uidNumber attribute from Administrator in AD. If 
I run (on a DC) 'ldbedit -e nano -H /usr/local/samba/private/sam.ldb' 
and then search for Administrator, I get this:

dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20151106115615.0Z
uSNCreated: 3545
name: Administrator
objectGUID: fc9d301b-d893-4cc7-8167-8d977c531afb
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130912845750000000
primaryGroupID: 513
objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
adminCount: 1
logonCount: 0
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
userAccountControl: 66048
accountExpires: 0
whenChanged: 20151111112600.0Z
uSNChanged: 5899
distinguishedName: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com

If I then run 'ldbedit -e nano -H /usr/local/samba/private/idmap.ldb' 
and search for the SID-RID I obtained above, I get this:

dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
objectClass: sidMap
objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500

The above is what maps 'Administrator' to 'root' on a DC.

> I see now, there is the user "root" in AD with uid 0.
> I changed this, but maybe I should delete root from AD?

No, put root back to being uid 0

> (I think I should have changed this before classicupgrade)

Again NO.

>> If I run 'getent passwd administrator' on a DC, I get:
>>
>> SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
>>
> No, nothing, hm....
> master:~ # getent passwd administrator
> master:~ # getent passwd Administrator

This is probably because you are messing with Administrator.

Rowland
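The check Rowland walks through by hand above (look up Administrator's SID in sam.ldb, confirm there is no uidNumber on the object, then confirm idmap.ldb maps that SID to xidNumber 0 of type ID_TYPE_UID) as a script. This is an added example, not code from the thread or from the Samba project. The LDIF blocks embedded below are constructed sample output standing in for what `ldbsearch` returns; the SID is made up, and the database paths follow the /usr/local/samba/private layout used in the thread. Only `sam_query` and `idmap_query` need a real DC; everything else runs offline on the sample data.

```shell
#!/bin/sh
# Added example: verify that the built-in Administrator on a Samba AD DC is
# mapped to root (uid 0) through idmap.ldb and has no uidNumber in sam.ldb.

# Constructed sample output of:
#   ldbsearch -H /usr/local/samba/private/sam.ldb \
#       '(sAMAccountName=Administrator)' objectSid uidNumber
# Healthy DC: objectSid present, no uidNumber attribute.
SAM_LDIF_OK='dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-500
'
# Same query on a DC where someone hand-assigned a uidNumber (the mistake
# discussed in the thread); the SID value is constructed.
SAM_LDIF_BAD='dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-500
uidNumber: 10000
'
# Constructed sample output of:
#   ldbsearch -H /usr/local/samba/private/idmap.ldb \
#       '(objectSid=S-1-5-21-1111111111-2222222222-3333333333-500)' xidNumber type
IDMAP_LDIF='dn: CN=S-1-5-21-1111111111-2222222222-3333333333-500
xidNumber: 0
type: ID_TYPE_UID
'

# Print the value of the first occurrence of attribute $1 in LDIF read from stdin.
ldif_attr() {
    awk -v attr="$1" 'index($0, attr ": ") == 1 { print substr($0, length(attr) + 3); exit }'
}

# Live queries for a real DC (run as root on the DC); paths assumed from the thread.
sam_query() {
    ldbsearch -H /usr/local/samba/private/sam.ldb \
        '(sAMAccountName=Administrator)' objectSid uidNumber
}
idmap_query() {
    ldbsearch -H /usr/local/samba/private/idmap.ldb "(objectSid=$1)" xidNumber type
}

# Decide whether Administrator is mapped to root the way a DC expects.
#   $1 = LDIF for the Administrator object from sam.ldb
#   $2 = LDIF for its SID from idmap.ldb
# Prints a one-line verdict; returns 0 when the mapping is sane, 1 otherwise.
check_admin_mapping() {
    sam="$1"; idmap="$2"
    sid=$(printf '%s' "$sam" | ldif_attr objectSid)
    uidnum=$(printf '%s' "$sam" | ldif_attr uidNumber)
    xid=$(printf '%s' "$idmap" | ldif_attr xidNumber)
    idtype=$(printf '%s' "$idmap" | ldif_attr type)

    # The built-in Administrator always has RID 500.
    case "$sid" in
        *-500) ;;
        *) echo "object is not the built-in Administrator (RID is not 500): $sid"; return 1 ;;
    esac
    # A uidNumber on the AD object turns Administrator into an ordinary Unix user.
    if [ -n "$uidnum" ]; then
        echo "uidNumber $uidnum is set on Administrator: remove it, idmap.ldb must do the mapping"
        return 1
    fi
    # idmap.ldb must hand the SID to uid 0, which is what makes Administrator root.
    if [ "$idtype" != "ID_TYPE_UID" ] || [ "$xid" != "0" ]; then
        echo "idmap.ldb maps $sid to ${idtype:-<none>} ${xid:-<none>}, expected ID_TYPE_UID 0"
        return 1
    fi
    echo "Administrator ($sid) -> uid 0 via idmap.ldb: OK"
    return 0
}

# Offline demonstration on the constructed samples.
check_admin_mapping "$SAM_LDIF_OK" "$IDMAP_LDIF"
check_admin_mapping "$SAM_LDIF_BAD" "$IDMAP_LDIF" || true
```

On a real DC, replace the sample strings with `sam=$(sam_query)` and `idmap=$(idmap_query "$(printf '%s' "$sam" | ldif_attr objectSid)")` and pass those to `check_admin_mapping`; the verdict then tells you which of the two databases needs fixing before `getent passwd administrator` will return the `SAMDOM\administrator:*:0:...` line quoted above.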
