Hi! My admin has no admin privileges on win7 any more (he can still join clients to domains). I used that config (without the share-part) since 3.4 without that issue - the only "new" thing is smb2

---------------------------
[global]
# NAME SETTINGS
netbios name = PDC
server string = RK PDC
workgroup = RK
# SECURITY SETTINGS
os level = 255
preferred master = yes
domain master = yes
local master = yes
domain logons = yes
security = user
interfaces = 192.168.1.100
announce version = 7
announce as = NT
socket address = 192.168.1.100
remote browse sync = 192.168.2.6
admin users = @"Domain Admins",admin
max protocol = SMB2
kernel oplocks = no
oplocks = no
level2 oplocks = no
# CHANGES FOR USE OF SAMBA4WINS
wins server = 192.168.1.101
bind interfaces only = yes
client ntlmv2 auth = yes
server schannel=true
lanman auth = no
# LDAP SETTINGS
ldap admin dn="cn=Manager,o=rk"
ldap ssl = no
passdb backend = ldapsam:ldap://127.0.0.1/
ldap delete dn = no
ldap user suffix = cn=rkt
ldap group suffix = ou=groups
ldap machine suffix = ou=clients
ldap suffix = o=rk
ldap passwd sync = yes
# LOG SETTINGS
log file = /var/log/samba/samba.log
log level = 1
max log size = 512000
# LOGON Settings
logon home =
logon path =
# DN SETTINGS
wins support = no
dns proxy = no
# USEFUL SCRIPTS
add machine script = /usr/sbin/smbldap-useradd -w "%m"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
check password script = /var/configfiles/passwd.sh
I try to set the importance higher because this is a real problem in daily operations on the clients (software rollouts, backups ...)
Usual request: Debug level 10 log of smbd while doing a domain logon is needed. We need to know whether we have domain admins in the token sent to the client. If you happen to have that reproducible with a working configuration it would be even better, comparing the debug level 10 logs will probably reveal something.
Created attachment 6845
rar of level 10 debug
If you log in locally on the dc as admin, what does "id" say?
The admin user is mapped to root

id admin
uid=0(root) gid=0(root) groups=0(root),1010(box),1011(daten),1012(rkt),1013(kfz),1014(nawacl),1015(edv),1016(jrk),1017(finanz),1018(officeallgemein),2512(Domain Admins),1020(gwesen),1021(gsd),1022(newsadmin),1023(newscontroller)

Unix username: admin
NT username: admin
Account Flags: [UX ]
User SID: S-1-5-21-1229272821-838170752-1644491937-500
Primary Group SID: S-1-5-21-1229272821-838170752-1644491937-513
Full Name: admin
Home Directory: \\192.168.1.100\admin
HomeDir Drive: P:
Logon Script:
Profile Path: \\profile.rk\Profiles\admin
Domain: RK
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 0
Kickoff time: 0
Password last set: Mit, 08 Sep 2010 10:25:53 CEST
Password can change: Mit, 08 Sep 2010 10:25:53 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

# admin, rkt, rk
dn: uid=admin,cn=rkt,o=rk
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: top
objectClass: CourierMailAccount
sambaKickoffTime: 0
sambaLogoffTime: 0
sambaLogonTime: 0
sambaPwdMustChange: 2147483647
sn: Account
uidNumber: 0
cn: admin
givenName: admin
uid: admin
homeDirectory: /home/admin
gidNumber: 0
sambaDomainName: RK
sambaHomeDrive: P:
sambaHomePath: \\192.168.1.100\admin
sambaPrimaryGroupSID: S-1-5-21-1229272821-838170752-1644491937-512
sambaSID: S-1-5-21-1229272821-838170752-1644491937-500
sambaPwdCanChange: 1157207234
loginShell: /bin/bash
mail: manager@rk-lilienfeld.at
mailbox: /home/admin
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
sambaAcctFlags: [UX ]
sambaProfilePath: \\profile.rk\Profiles\admin
sambaPwdLastSet: 1283934353
Any news or hints on that issue? regards Martin
No, sorry. All very busy obviously at this moment.
Hi - it's me again :) Does somebody have the time to look at the issue please, or is the stress level still very high? regards Martin
Hello all, I have had the same problem with 3.6.0 and have postponed my update to version 3.6.0. Having tested 3.6.3, the issue seems to work fine.
If you still see such an issue with 4.13, please file a new bug report with compact information on how to reproduce the problem.