[Samba] samba_upgradedns returned an error "Unable to find uid/gid for Domain Admins "
rpenny at samba.org
Tue Feb 2 13:58:59 UTC 2016
On 02/02/16 13:38, Markus Dellermann wrote:
> Hi again,
> On Tuesday, 2 February 2016, 12:09:59 CET, Rowland penny wrote:
>> On 02/02/16 11:26, Markus Dellermann wrote:
>>> On Tuesday, 2 February 2016, 09:51:03 CET, Rowland penny wrote:
>>>> On 01/02/16 22:24, Markus Dellermann wrote:
>> Ok, there are two schools of thought here, you can give Administrator a
>> uidNumber attribute, but this, as far as Unix is concerned, turns
>> 'Administrator' into just another user, with no more privileges than any
>> other Unix user.
>> What I use on a domain member and recommend, is the use of the user
>> mapping in smb.conf, with this 'Administrator' becomes 'root' and as
>> such, has all the privileges of 'root'.
> Yes, so it is here alright on my members..
>> However, you are trying to do something on a DC and you shouldn't use
>> the name mapping, as this should be done for you in idmap.ldb. I suggest
>> you remove any users that appear in /etc/passwd, such as administrator,
>> that are also in AD, I would also remove the uidNumber attribute from
>> 'Administrator' in AD.
>> This should then reset 'Administrator' to '0'
> I have inserted 0 there now and it gave "its already assigned...
No, I said *remove* the uidNumber attribute from Administrator in AD. If
I run (on a DC) 'ldbedit -e nano -H /usr/local/samba/private/sam.ldb'
and then search for Administrator, I get this:
description: Built-in account for administering the computer/domain
memberOf: CN=Group Policy Creator
memberOf: CN=Enterprise Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
If I then run 'ldbedit -e nano -H /usr/local/samba/private/idmap.ldb'
and search for the SID-RID I obtained above, I get this:
The above is what maps 'Administrator' to 'root' on a DC.
> I see now, there is the user "root" in AD with uid 0
> I changed this, but maybe I should delete root from AD?
No, put root back to being uid 0
> (I think I should have changed this before classicupgrade)
>> If I run 'getent passwd administrator' on a DC, I get:
> No, nothing, hm....
> master:~ # getent passwd administrator
> master:~ # getent passwd Administrator
This is probably because you are messing with Administrator.
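
Added example, not part of the original message or of Samba's own code: a small check for the two DC conditions the reply asks to be cleaned up, namely a uidNumber attribute on Administrator in AD and accounts that exist both in /etc/passwd and in AD. The function names, the sample LDIF and passwd data, and the exemption for local uid 0 are assumptions made for illustration.

```python
# Constructed sample data: an AD export in plain LDIF and an /etc/passwd excerpt.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Administrator
uidNumber: 10000

dn: CN=root,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: root
uidNumber: 0
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
administrator:x:1000:1000::/home/administrator:/bin/bash
"""

def parse_ldif(text):
    """Return {lowercased sAMAccountName: {attr: [values]}} from simple LDIF."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:  # skips comment lines and anything without 'attr: value'
                attrs.setdefault(key, []).append(value)
        name = attrs.get("sAMAccountName", [None])[0]
        if name:
            entries[name.lower()] = attrs
    return entries

def parse_passwd(text):
    """Return {lowercased login: uid} from passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0].lower()] = int(fields[2])
    return users

def audit(ldif_text, passwd_text):
    ad, local = parse_ldif(ldif_text), parse_passwd(passwd_text)
    findings = []
    if "uidNumber" in ad.get("administrator", {}):
        findings.append("Administrator has uidNumber in AD: remove the attribute")
    for name in sorted(set(ad) & set(local)):
        if local[name] != 0:  # assumption: the local root account (uid 0) stays
            findings.append(f"{name} is in both /etc/passwd and AD: remove the local entry")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_LDIF, SAMPLE_PASSWD)))
```

On a real DC the LDIF would come from a query against sam.ldb (for example with ldbsearch); the parser assumes plain, unwrapped `attr: value` lines.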