[Samba] Rights issue on GPO

mj lists at merit.unu.edu
Mon Jun 20 20:17:57 UTC 2016


> OK, I take it that 3000009 points to CN=S-1-5-11 and it is just
> CN=S-1-5-18 that is wrong by pointing at proxmox$ (which incidentally,
> is one of your computers)
> Try backing up idmap.ldb, then open idmap.ldb in ldbedit, find and
> delete the stanza that holds CN=S-1-5-18, it will look like this:
> dn: CN=S-1-5-18
> cn: S-1-5-18
> objectClass: sidMap
> objectSid: S-1-5-18
> type: ID_TYPE_BOTH
> xidNumber: 3000002   # NOTE: your number will be different!
> distinguishedName: CN=S-1-5-18
> Just delete it and then close & save your editor, run 'net cache flush'
> and then let Samba recreate the record.

So, I did that, and output is still the same...?

I re-checked idmap.ldb on dc4, and a new entry was generated for 
CN=S-1-5-18, but not with the expected xidNumber 3000300 (like on 
dc2/dc3) but 3000306.

Then i searched idmap.ldb on dc4 for xidNumber 3000300, and it already 
exists for a record:

> # record 295
> dn: CN=S-1-5-21-90123450-981238634-861235949-133256
> cn: S-1-5-21-90123450-981238634-861235949-133256
> objectClass: sidMap
> objectSid: S-1-5-21-90123450-981238634-861235949-133256
> type: ID_TYPE_BOTH
> xidNumber: 3000300
> distinguishedName: CN=S-1-5-21-90123450-981238634-861235949-133256

My guess is that this is the proxmox test machine we saw in the getfacl 
output on ./sysvol.

Should I simply delete that record as well..? (or am I being far too 
optimistic now?)


More information about the samba mailing list