[Samba] Root user shows up as "administrator"

Rowland penny rpenny at samba.org
Tue Feb 16 15:54:16 UTC 2021

On 16/02/2021 15:23, Matthias Kühne | Ellerhold AG wrote:
> Hello,
> I thought I needed "security = USER" in order to SSH into my DC with my
> AD-user credentials.
> I've removed the uidNumber from "Administrator" and the gidNumber from
> "Domain Admins".
> SSH works, but the problem still exists:
> desktop $ ssh matthias.kuehne@DC-2
> matthias.kuehne@DC-2's password:
> DOMAIN\matthias.kuehne@DC-2:~ $ sudo -i
> [sudo] password for DOMAIN\matthias.kuehne:

Try running 'net cache flush'; it should look like this:

rowland@devstation:~$ ssh rowland@dc4
SAMDOM\rowland@dc4:~$ sudo -i
[sudo] password for SAMDOM\rowland:
root@dc4:~#

> DOMAIN\administrator@DC-2:~ # whoami
> DOMAIN\administrator

root@dc4:~# whoami

> DOMAIN\administrator@DC-2:~ # id
> uid=0(DOMAIN\administrator) gid=0(root) groups=0(root)

root@dc4:~# id
uid=0(root) gid=0(root) groups=0(root)

> Should be "root" I guess? I could accept this state if it weren't for
> saltstack frantically wanting to chown a lot of files back to "root". The
> chown works (exits 0) but the check after fails because the files / dirs
> are still owned by "DOMAIN\administrator".
> Plus there is now another crontab for "DOMAIN\administrator" that's
> different from the root crontab.

Once you do get 'root', delete Administrator's crontab.

> Seems like I'm missing the "username map" but afaik this only works on
> domain members and not on DCs?

Yes, you only use the username map on a Unix domain member; the mapping
on a DC is done in idmap.ldb (or at least it is stored there).

> Funny enough... this only happens on the DC-2, not on the Primary DC
> (DC-1) nor on the DC-3...

net cache flush 😁


> I've demoted the DC on DC-2, deleted all *.ldb and *.tdb files in
> /var/lib/samba/ and rejoined it into the domain - still the same
> behavior!
> Next, I've demoted the DC-2 again, purged all samba packages incl. apt
> autoremove --purge. I deleted all DC-2 objects in LDAP (the user and the
> computer). After that I reinstalled from scratch.
> The error still happens, although it took some time until it presented
> itself.
> Thanks for your help!
> Any other lines in my smb.conf I should purge? I've tried to minimize
> them while also trying to keep every functionality I want...
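
The two things worth checking on a DC that shows the symptom above are what NSS hands back for uid 0 (that is what `whoami`, `id` and saltstack's ownership check all go through) and which SIDs idmap.ldb has bound to xidNumber 0. The script below is an added example, not Samba project code and not posted by Rowland or Matthias; it parses constructed sample output shaped like `getent passwd` and `ldbsearch` LDIF so it runs offline, and the `/var/lib/samba/private/idmap.ldb` path in the comments is the Debian/Ubuntu package location, assumed rather than taken from the thread.

```shell
#!/bin/sh
# Added example for the thread above; not Samba project code and not posted by
# Rowland or Matthias. It checks the two symptoms discussed: uid 0 resolving
# to a domain account name instead of "root", and a SID bound to xidNumber 0
# in idmap.ldb. The functions read their input on stdin so they can be run
# against constructed samples offline; the live commands are shown at the end.

# Print the account name NSS reports for uid 0 from passwd-style lines
# (the output of `getent passwd 0`, or a full `getent passwd` dump).
uid0_name() {
    awk -F: '$3 == "0" { print $1; exit }'
}

# Succeed only if uid 0 resolves to "root"; fail if a domain name won.
uid0_is_root() {
    name=$(uid0_name)
    [ "$name" = "root" ]
}

# From LDIF on stdin (ldbsearch output of idmap.ldb), print every objectSid
# whose record carries "xidNumber: 0". Records are blank-line separated, so
# awk's paragraph mode (RS="") hands us one record at a time.
sids_at_xid0() {
    awk -v RS= '
    {
        sid = ""; xid = ""
        n = split($0, line, "\n")
        for (i = 1; i <= n; i++) {
            if (line[i] ~ /^objectSid: /) sid = substr(line[i], 12)
            if (line[i] ~ /^xidNumber: /) xid = substr(line[i], 12)
        }
        if (xid == "0" && sid != "") print sid
    }'
}

# Constructed sample input (not captured from a real DC): the first passwd
# line is what the broken DC in the thread returned for uid 0, the second is root.
SAMPLE_PASSWD='DOMAIN\administrator:*:0:0::/home/DOMAIN/administrator:/bin/bash
root:x:0:0:root:/root:/bin/bash'

# Constructed idmap.ldb extract in ldbsearch's LDIF form; the domain SID is
# made up. RID 500 is the built-in Administrator account.
SAMPLE_IDMAP='# record 1
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-500
cn: S-1-5-21-1111111111-2222222222-3333333333-500
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-500
type: ID_TYPE_BOTH
xidNumber: 0
distinguishedName: CN=S-1-5-21-1111111111-2222222222-3333333333-500

# record 2
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544'

# Demo on the samples. On a real DC feed the functions with:
#   getent passwd 0 | uid0_name
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidNumber=0)' objectSid xidNumber | sids_at_xid0
# (idmap.ldb path as installed by the Debian/Ubuntu packages; adjust to your build.)
printf 'uid 0 resolves to: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | uid0_name)"
if printf '%s\n' "$SAMPLE_PASSWD" | uid0_is_root; then
    echo 'uid 0 is root: OK'
else
    echo 'uid 0 is NOT root: run "net cache flush" and re-check'
fi
printf 'SIDs bound to xidNumber 0:\n'
printf '%s\n' "$SAMPLE_IDMAP" | sids_at_xid0
```

Run the two live commands as root on the affected DC before and after `net cache flush`: if `uid0_name` flips from `DOMAIN\administrator` to `root` the stale entry was in the gencache, which matches Rowland's diagnosis; if a SID other than the one you expect shows up under xidNumber 0, that mapping lives in idmap.ldb itself and will survive a cache flush.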
