[Samba] samba-tool group removemembers, not working

Mark Foley mfoley at ohprs.org
Thu May 30 04:43:14 UTC 2019


> Hi Mark, can I ask just what you are trying to achieve ?

Well, it's rather simple. I want to remove a domain member from the domain. Normally, I do that
with ADUC, no problem. But for some reason I was having trouble with ADUC (since resolved,
magically), so I thought I'd try the same thing using samba-tool. That's it really.

You wrote further:

> I hope you can see that trying to remove a computer from Domain Computers will not work because
> the 'backlinks' do not exist. 

Fine, I can live with that. But then how do you actually remove a member computer from the
domain? Is ADUC the only way to do it?

As to Louis' ldap request, yes, 'kinit Administrator' did the trick on that one. The output he
requested is posted below:

GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for Administrator at HPRS.LOCAL will expire in 35991 secs
gensec_update_send: gssapi_krb5[0x55f94bc71330]: subreq: 0x55f94bc74270
gensec_update_send: spnego[0x55f94bc71ea0]: subreq: 0x55f94bc72be0
gensec_update_done: gssapi_krb5[0x55f94bc71330]: NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x55f94bc74270/../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)]
 state[struct gensec_gssapi_update_state (0x55f94bc74400)] timer[(nil)]
finish[../source4/auth/gensec/gensec_gssapi.c:1064]
gensec_update_done: spnego[0x55f94bc71ea0]: NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x55f94bc72be0/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)]  state[struct
gensec_spnego_update_state (0x55f94bc72d70)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
gensec_update_send: gssapi_krb5[0x55f94bc71330]: subreq: 0x55f94bc789f0
gensec_update_send: spnego[0x55f94bc71ea0]: subreq: 0x55f94bc782b0
gensec_update_done: gssapi_krb5[0x55f94bc71330]: NT_STATUS_OK
tevent_req[0x55f94bc789f0/../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)]
 state[struct gensec_gssapi_update_state (0x55f94bc78b80)] timer[(nil)]
finish[../source4/auth/gensec/gensec_gssapi.c:1071]
gensec_update_done: spnego[0x55f94bc71ea0]: NT_STATUS_OK
tevent_req[0x55f94bc782b0/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)]  state[struct
gensec_spnego_update_state (0x55f94bc78440)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
dn: CN=MARKA,CN=Computers,DC=hprs,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: MARKA
instanceType: 4
whenCreated: 20190528190119.0Z
uSNCreated: 32525
name: MARKA
objectGUID: e3c5785e-91fc-4ac3-9988-10c007aaf458
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
pwdLastSet: 132035436798100230
primaryGroupID: 515
objectSid: S-1-5-21-1052267278-1962196458-4119365663-1194
accountExpires: 9223372036854775807
sAMAccountName: MARKA$
sAMAccountType: 805306369
dNSHostName: MARKA.hprs.local
servicePrincipalName: HOST/MARKA.hprs.local
servicePrincipalName: RestrictedKrbHost/MARKA.hprs.local
servicePrincipalName: HOST/MARKA
servicePrincipalName: RestrictedKrbHost/MARKA
servicePrincipalName: TERMSRV/marka.hprs.local
servicePrincipalName: TERMSRV/MARKA
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=hprs,DC=local
isCriticalSystemObject: FALSE
lastLogonTimestamp: 132035436804393040
operatingSystem: Windows 7 Professional
operatingSystemServicePack: Service Pack 1
operatingSystemVersion: 6.1 (7601)
msDS-SupportedEncryptionTypes: 28
whenChanged: 20190528210924.0Z
uSNChanged: 32534
lastLogon: 132036636151975610
logonCount: 15
distinguishedName: CN=MARKA,CN=Computers,DC=hprs,DC=local

On Tue, 28 May 2019 21:05:40 Rowland penny <rpenny at samba.org> wrote:
>
> On 28/05/2019 20:31, Mark Foley via samba wrote:
> > Denis if all you say is true, "misleading" is wildly understated.  You say I can test with
> > different groups other than "Domain Computer".  I'm not sure where I would even begin since,
> > well, this *is* a Domain Computer.  I've included my list of groups (samba-tool group list)
> > below.  Do you have a suggestion where a domain member computer might really be? I've done a
> > listmembers of each of these groups and the only one in which I find MARKA is "Domain
> > Computers".
> >
> Hi Mark, can I ask just what you are trying to achieve ?
>
> When you join a computer to the domain a computer object is created in 
> cn=Computers,dc=whatever,dc=yourdomain,dc=is
>
> If you examine an object for a computer you will find that there is this:
>
> primaryGroupID: 515
>
> The '515' is the RID for 'Domain Computers'.
>
> What you will not find is the attribute 'memberof' pointing to 'Domain 
> Computers'.
>
> If you remember that a computer is a special user and that normal users 
> are members of  'Domain Users' and you cannot remove a user from 'Domain 
> Users'.
>
> When you remove a user from a normal group, what you actually do is to 
> delete the user's 'member' attribute from the group's object, this 
> automatically removes the 'memberof' attribute from the user's object, 
> these types of links are referred to as 'backlinks'. I hope you can see 
> that trying to remove a computer from Domain Computers will not work 
> because the 'backlinks' do not exist.
>
> Rowland
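The distinction Rowland describes between primary-group membership and linked 'member'/'memberof' membership, as an added example that is not part of the original thread. The computer values are copied from the record posted above; the group entry, its DN and the helper names are constructed for illustration.

```python
# Values copied from the MARKA record posted in the thread.
COMPUTER_LDIF = """\
dn: CN=MARKA,CN=Computers,DC=hprs,DC=local
objectSid: S-1-5-21-1052267278-1962196458-4119365663-1194
primaryGroupID: 515
sAMAccountName: MARKA$
"""

# Constructed: a 'Domain Computers' group object carrying no 'member' value
# for MARKA, which is the situation described in the quoted reply.
GROUP_LDIF = """\
dn: CN=Domain Computers,CN=Users,DC=hprs,DC=local
objectSid: S-1-5-21-1052267278-1962196458-4119365663-515
sAMAccountName: Domain Computers
"""

def parse_ldif_entry(text):
    """Parse one simple (unfolded, non-base64) LDIF entry into {attr: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def primary_group_sid(account):
    """Domain SID (the account SID without its last RID) plus primaryGroupID."""
    domain_sid = account["objectsid"][0].rsplit("-", 1)[0]
    return f"{domain_sid}-{account['primarygroupid'][0]}"

def membership(account, group):
    """Return 'primary', 'linked' or None for this account/group pair."""
    if primary_group_sid(account) == group["objectsid"][0]:
        return "primary"  # implied by primaryGroupID; no member/memberof link exists
    if account["dn"][0] in group.get("member", []):
        return "linked"   # explicit 'member' value, with a 'memberof' backlink
    return None

def removable_via_member_attribute(account, group):
    """Only a linked membership has a 'member' value that can be deleted."""
    return membership(account, group) == "linked"

if __name__ == "__main__":
    acct, grp = parse_ldif_entry(COMPUTER_LDIF), parse_ldif_entry(GROUP_LDIF)
    print(primary_group_sid(acct), membership(acct, grp),
          removable_via_member_attribute(acct, grp))
```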