Bug 8430 - no more admin priviliges on win7
Summary: no more admin priviliges on win7
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.6.0
Hardware: x64 Linux
: P3 major
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
Depends on:
Reported: 2011-08-31 06:44 UTC by Martin Hochreiter (mail address dead)
Modified: 2020-12-19 17:27 UTC (History)
0 users

See Also:

rar of level 10 debug (151.61 KB, application/x-rar)
2011-09-01 06:56 UTC, Martin Hochreiter (mail address dead)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Martin Hochreiter (mail address dead) 2011-08-31 06:44:14 UTC

my admin has no admin priviliges on win7 any more 
(he can still join clients to domains).

I used that config (without the share-part) since 3.4 without
that issue - the only "new" thing is smb2



   netbios name = PDC
   server string = RK PDC
   workgroup = RK

   os level = 255
   preferred master = yes
   domain master = yes
   local master = yes
   domain logons = yes
   security = user
   interfaces =
   announce version = 7
   announce as = NT
   socket address =
   remote browse sync =
   admin users = @"Domain Admins",admin
   max protocol = SMB2
   kernel oplocks = no
   oplocks = no
   level2 oplocks = no

   wins server =
   bind interfaces only = yes
   client ntlmv2 auth = yes
   server schannel=true
   lanman auth = no

   ldap admin dn="cn=Manager,o=rk"
   ldap ssl = no
   passdb backend = ldapsam:ldap://
   ldap delete dn = no
   ldap user suffix = cn=rkt
   ldap group suffix = ou=groups
   ldap machine suffix = ou=clients
   ldap suffix = o=rk
   ldap passwd sync = yes

   log file = /var/log/samba/samba.log
   log level = 1
   max log size = 512000

# LOGON Settings
   logon home =
   logon path =

   wins support = no
   dns proxy = no

add machine script = /usr/sbin/smbldap-useradd -w "%m"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
check password script = /var/configfiles/passwd.sh
Comment 1 Martin Hochreiter (mail address dead) 2011-09-01 06:32:26 UTC
I try to set the importance higher because this is a real problem in daily operations on the clients (software rollouts, backups ...)
Comment 2 Volker Lendecke 2011-09-01 06:35:43 UTC
Usual request: Debug level 10 log of smbd while doing a domain logon is needed. We need to know whether we have domain admins in the token sent to the client. If you happen to have that reproducable with a working configuration it would be even better, comparing the debug level 10 logs will probably reveal something.
Comment 3 Martin Hochreiter (mail address dead) 2011-09-01 06:56:28 UTC
Created attachment 6845 [details]
rar of level 10 debug
Comment 4 Volker Lendecke 2011-09-01 07:22:00 UTC
If you log in locally on the dc as admin, what does "id" say?
Comment 5 Martin Hochreiter (mail address dead) 2011-09-01 07:48:08 UTC
The admin user is mapped to root

 id admin
uid=0(root) gid=0(root) groups=0(root),1010(box),1011(daten),1012(rkt),1013(kfz),1014(nawacl),1015(edv),1016(jrk),1017(finanz),1018(officeallgemein),2512(Domain Admins),1020(gwesen),1021(gsd),1022(newsadmin),1023(newscontroller)

Unix username:        admin
NT username:          admin
Account Flags:        [UX         ]
User SID:             S-1-5-21-1229272821-838170752-1644491937-500
Primary Group SID:    S-1-5-21-1229272821-838170752-1644491937-513
Full Name:            admin
Home Directory:       \\\admin
HomeDir Drive:        P:
Logon Script:         
Profile Path:         \\profile.rk\Profiles\admin
Domain:               RK
Account desc:         
Munged dial:          
Logon time:           0
Logoff time:          0
Kickoff time:         0
Password last set:    Mit, 08 Sep 2010 10:25:53 CEST
Password can change:  Mit, 08 Sep 2010 10:25:53 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0

# admin, rkt, rk
dn: uid=admin,cn=rkt,o=rk
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: top
objectClass: CourierMailAccount
sambaKickoffTime: 0
sambaLogoffTime: 0
sambaLogonTime: 0
sambaPwdMustChange: 2147483647
sn: Account
uidNumber: 0
cn: admin
givenName: admin
uid: admin
homeDirectory: /home/admin
gidNumber: 0
sambaDomainName: RK
sambaHomeDrive: P:
sambaHomePath: \\\admin
sambaPrimaryGroupSID: S-1-5-21-1229272821-838170752-1644491937-512
sambaSID: S-1-5-21-1229272821-838170752-1644491937-500
sambaPwdCanChange: 1157207234
loginShell: /bin/bash
mail: manager@rk-lilienfeld.at
mailbox: /home/admin
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
sambaAcctFlags: [UX         ]
sambaProfilePath: \\profile.rk\Profiles\admin
sambaPwdLastSet: 1283934353
Comment 6 Martin Hochreiter (mail address dead) 2011-09-08 14:12:54 UTC
Any news or hints on that issue?


Comment 7 Volker Lendecke 2011-09-08 16:41:07 UTC
No, sorry. All very busy obviously at this moment.
Comment 8 Martin Hochreiter (mail address dead) 2011-10-13 07:21:47 UTC
Hi - its me again :)

Has somebody the time to look at the issue please or is the stress level still very high?

Comment 9 Torsten 2012-02-24 07:37:40 UTC
Hello all,

I have had the same problem with 3.6.0 and have post-phoned my update to version 3.6.0

Having tested 3.6.3 the issue seems to work fine.
Comment 10 Björn Jacke 2020-12-19 17:27:09 UTC
if you still see such an issue with 4.13, please file a new bug report with compact information how to reproduce the problem.