[Samba] Rights issue on GPO

mj lists at merit.unu.edu
Mon Jun 20 20:17:57 UTC 2016


Hi,

> OK, I take it that 3000009 points to CN=S-1-5-11 and it is just
> CN=S-1-5-18 that is wrong by pointing at proxmox$ (which incidentally,
> is one of your computers)
> Try backing up idmap.ldb, then open idmap.ldb in ldbedit, find and
> delete the stanza that holds CN=S-1-5-18, it will look like this:
>
> dn: CN=S-1-5-18
> cn: S-1-5-18
> objectClass: sidMap
> objectSid: S-1-5-18
> type: ID_TYPE_BOTH
> xidNumber: 3000002   # NOTE: your number will be different!
> distinguishedName: CN=S-1-5-18
>
> Just delete it and then close & save your editor, run 'net cache flush'
> and then let Samba recreate the record.

So, I did that, and output is still the same...?

I re-checked idmap.ldb on dc4, and a new entry was generated for 
CN=S-1-5-18, but not with the expected xidNumber 3000300 (like on 
dc2/dc3) but 3000306.

Then I searched idmap.ldb on dc4 for xidNumber 3000300, and it already 
exists for a record:

> # record 295
> dn: CN=S-1-5-21-90123450-981238634-861235949-133256
> cn: S-1-5-21-90123450-981238634-861235949-133256
> objectClass: sidMap
> objectSid: S-1-5-21-90123450-981238634-861235949-133256
> type: ID_TYPE_BOTH
> xidNumber: 3000300
> distinguishedName: CN=S-1-5-21-90123450-981238634-861235949-133256

My guess is that this is the proxmox test machine we saw in the getfacl 
output on ./sysvol.

Should I simply delete that record as well..? (or am I being far too 
optimistic now?)

MJ
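
Added example, not part of the original message or of Samba: a small Python check that compares the SID-to-xidNumber mappings in two text dumps of idmap.ldb and, for each mismatch, names the SID that already holds the expected xidNumber. The dumps are constructed from the records quoted above; the function names and the assumption that each dump is in the LDIF-style format shown in this thread are mine.

```python
import re

# Constructed sample dumps, built only from the records and numbers quoted in the message.
DC2_DUMP = """\
dn: CN=S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000300
"""
DC4_DUMP = """\
# record 1
dn: CN=S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000306

# record 295
dn: CN=S-1-5-21-90123450-981238634-861235949-133256
objectClass: sidMap
objectSid: S-1-5-21-90123450-981238634-861235949-133256
type: ID_TYPE_BOTH
xidNumber: 3000300
"""

def parse_idmap(text):
    """Return {objectSid: xidNumber} for every sidMap stanza in the dump."""
    mapping = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in stanza.splitlines():
            line = line.split("#", 1)[0].strip()  # drop '# record N' lines and trailing notes
            if ":" in line:
                key, value = line.split(":", 1)
                attrs[key.strip()] = value.strip()
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def compare(reference, suspect):
    """List SIDs whose xidNumber differs, and who holds the expected xidNumber on the suspect DC."""
    owners = {xid: sid for sid, xid in suspect.items()}
    return [{"sid": sid, "expected": want, "actual": suspect[sid],
             "expected_xid_held_by": owners.get(want)}
            for sid, want in sorted(reference.items())
            if sid in suspect and suspect[sid] != want]

if __name__ == "__main__":
    for finding in compare(parse_idmap(DC2_DUMP), parse_idmap(DC4_DUMP)):
        print(finding)
```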


