[Samba] 3.6.23-25.el6_7 and 4.2.10 and "Domain Admins" are/not Admins?

lejeczek peljasz at yahoo.co.uk
Mon Oct 24 11:53:45 UTC 2016

thanks Aleksey

before I can try your suggestions I have to solve another 
problem which has just occurred on that 4.2 Samba, now that 
server (it did crash caused some other hardware problem) fails:

$ smbclient -L //serverB -Uthis_dom\\this_user

SPNEGO login failed: Indicates the SID structure is not valid.
session setup failed: NT_STATUS_INVALID_SID

I do not recall there was an OS/samba update, only that 
crash (cold reboot) and now this problem (and it was ok, no 
SID problem ever since I set it up). I'm googling but would 
you, would anybody know what might be the problem?
The first server, PDC is ok, no above problem there.

$ smbclient -L //serverA -Uthis_dom\\this_user = result OK

On the failing server I backed up, removed and let samba 
recreate /var/lib/samba.
Again, for both servers userdb backend is the same 
multi-master ldap.

I have, always had these in smb.conf

   ldap group suffix = ou=Group
   ldap user suffix = ou=People
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   ldap debug level = 4
   ldap debug threshold = 10


On 20/10/16 08:23, Gavrilov Aleksey via samba wrote:
> hi
> Maybe this will help
> [global]
>    admin users = @nt_admins
> if not then I need
> 1. root@pdc:~# testparm
> 2. root@pdc:~# ldapsearch -xLLL -H ldapi:/// -b 
> ou=groups,ou=arkhangelsk,dc=rugion,dc=ru
> ldap suffix =  ou=arkhangelsk,dc=rugion,dc=ru
> ldap group suffix = ou=groups
> 3. try
> log level = 10
>    max log size = 1000
> and go through the authorization in windows pc
> see the log of communication with the server PC.
> usually here /var/log/samba/log.ip or 
> /var/log/samba/log.name-pc
> 4. no harm in looking for errors in these files too
> /var/log/samba/log.nmbd
> /var/log/samba/log.smbd
> On 20.10.2016 02:28, lejeczek via samba wrote:
>> hi all
>> I have two different Samba versions as PDC and BDC and 
>> depending on which one is "domain master" users which are 
>> domain admins are not recognized as such.
>> Everything seems normal with 3.6.23-25.el6_7 as "domain 
>> master" but when I configure them so 4.2.10 is the master 
>> then I login to Win7 fine but Windows tells me that the 
>> user is not an Admin and I need to supply credentials 
>> (wherever it's necessary of course).
>> Both Sambas are config-wise virtually identical, I only 
>> swap "domain master = yes" around.
>> User backends are for both Sambas multi-master LDAP so 
>> these too should be (I believe are) identical for both 
>> servers.
>> What could it be? Gee, some good hint could be a 
>> master-headache savior.
>> many! thanks.
>> L.

