Bug 8430 - no more admin priviliges on win7
Summary: no more admin priviliges on win7
Status: NEW
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.6.0
Hardware: x64 Linux
: P3 major
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
Depends on:
Reported: 2011-08-31 06:44 UTC by Martin Hochreiter
Modified: 2012-02-24 07:37 UTC (History)
0 users

See Also:

rar of level 10 debug (151.61 KB, application/x-rar)
2011-09-01 06:56 UTC, Martin Hochreiter
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Martin Hochreiter 2011-08-31 06:44:14 UTC

my admin has no admin priviliges on win7 any more 
(he can still join clients to domains).

I used that config (without the share-part) since 3.4 without
that issue - the only "new" thing is smb2



   netbios name = PDC
   server string = RK PDC
   workgroup = RK

   os level = 255
   preferred master = yes
   domain master = yes
   local master = yes
   domain logons = yes
   security = user
   interfaces =
   announce version = 7
   announce as = NT
   socket address =
   remote browse sync =
   admin users = @"Domain Admins",admin
   max protocol = SMB2
   kernel oplocks = no
   oplocks = no
   level2 oplocks = no

   wins server =
   bind interfaces only = yes
   client ntlmv2 auth = yes
   server schannel=true
   lanman auth = no

   ldap admin dn="cn=Manager,o=rk"
   ldap ssl = no
   passdb backend = ldapsam:ldap://
   ldap delete dn = no
   ldap user suffix = cn=rkt
   ldap group suffix = ou=groups
   ldap machine suffix = ou=clients
   ldap suffix = o=rk
   ldap passwd sync = yes

   log file = /var/log/samba/samba.log
   log level = 1
   max log size = 512000

# LOGON Settings
   logon home =
   logon path =

   wins support = no
   dns proxy = no

add machine script = /usr/sbin/smbldap-useradd -w "%m"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
check password script = /var/configfiles/passwd.sh
Comment 1 Martin Hochreiter 2011-09-01 06:32:26 UTC
I try to set the importance higher because this is a real problem in daily operations on the clients (software rollouts, backups ...)
Comment 2 Volker Lendecke 2011-09-01 06:35:43 UTC
Usual request: Debug level 10 log of smbd while doing a domain logon is needed. We need to know whether we have domain admins in the token sent to the client. If you happen to have that reproducable with a working configuration it would be even better, comparing the debug level 10 logs will probably reveal something.
Comment 3 Martin Hochreiter 2011-09-01 06:56:28 UTC
Created attachment 6845 [details]
rar of level 10 debug
Comment 4 Volker Lendecke 2011-09-01 07:22:00 UTC
If you log in locally on the dc as admin, what does "id" say?
Comment 5 Martin Hochreiter 2011-09-01 07:48:08 UTC
The admin user is mapped to root

 id admin
uid=0(root) gid=0(root) groups=0(root),1010(box),1011(daten),1012(rkt),1013(kfz),1014(nawacl),1015(edv),1016(jrk),1017(finanz),1018(officeallgemein),2512(Domain Admins),1020(gwesen),1021(gsd),1022(newsadmin),1023(newscontroller)

Unix username:        admin
NT username:          admin
Account Flags:        [UX         ]
User SID:             S-1-5-21-1229272821-838170752-1644491937-500
Primary Group SID:    S-1-5-21-1229272821-838170752-1644491937-513
Full Name:            admin
Home Directory:       \\\admin
HomeDir Drive:        P:
Logon Script:         
Profile Path:         \\profile.rk\Profiles\admin
Domain:               RK
Account desc:         
Munged dial:          
Logon time:           0
Logoff time:          0
Kickoff time:         0
Password last set:    Mit, 08 Sep 2010 10:25:53 CEST
Password can change:  Mit, 08 Sep 2010 10:25:53 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0

# admin, rkt, rk
dn: uid=admin,cn=rkt,o=rk
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: top
objectClass: CourierMailAccount
sambaKickoffTime: 0
sambaLogoffTime: 0
sambaLogonTime: 0
sambaPwdMustChange: 2147483647
sn: Account
uidNumber: 0
cn: admin
givenName: admin
uid: admin
homeDirectory: /home/admin
gidNumber: 0
sambaDomainName: RK
sambaHomeDrive: P:
sambaHomePath: \\\admin
sambaPrimaryGroupSID: S-1-5-21-1229272821-838170752-1644491937-512
sambaSID: S-1-5-21-1229272821-838170752-1644491937-500
sambaPwdCanChange: 1157207234
loginShell: /bin/bash
mail: manager@rk-lilienfeld.at
mailbox: /home/admin
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
sambaAcctFlags: [UX         ]
sambaProfilePath: \\profile.rk\Profiles\admin
sambaPwdLastSet: 1283934353
Comment 6 Martin Hochreiter 2011-09-08 14:12:54 UTC
Any news or hints on that issue?


Comment 7 Volker Lendecke 2011-09-08 16:41:07 UTC
No, sorry. All very busy obviously at this moment.
Comment 8 Martin Hochreiter 2011-10-13 07:21:47 UTC
Hi - its me again :)

Has somebody the time to look at the issue please or is the stress level still very high?

Comment 9 Torsten 2012-02-24 07:37:40 UTC
Hello all,

I have had the same problem with 3.6.0 and have post-phoned my update to version 3.6.0

Having tested 3.6.3 the issue seems to work fine.