Post 302495564 by stringman on Friday 11th of February 2011 01:35:05 PM
Lost Domain Admin Privileges in Samba

Hello,

I have apparently lost all domain admin privileges in Samba. I have had several problems ever since I installed the 1/31 Solaris patch cluster. I had to roll out one Samba update (146363-01), which denied all logons network access. However, this particular problem seems to have begun about 2 days after the rollback.

I am running Samba 3.0.37 on Solaris 10 5/08.

There are 2 domain admins on our system and we have both lost privileges. I have tried remapping w/out success:

Code:
 
net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins

I am listed as a member of ntadmins in /etc/group. I am also listed in the "root" group, of which ntadmins is also included. Currently I set the groupmap to "root", but that hasn't helped.

When I type pdbedit -Lv stringer I get a User SID of:
S-1-5-21-3716986799-1692006562-677724103-2020

and a Primary Group SID of:
S-1-5-21-3716986799-1692006562-677724103-513

I believe one of my SIDs should end in 512 to be a true admin recognized by Unix? All regular users have Primary Group SIDs ending in 513. Whenever I remap using groupmap, I get a new User SID (4 digit). If I could get my SID to be S-1-5-21-3716986799-1692006562-677724103-512, I think it would be fixed.

I'm at a loss here. My local admin account has expired and I cannot reset it until my domain privileges are reinstituted. Any help would be greatly appreciated. Thanks in advance.

Ken

---------- Post updated 02-11-11 at 12:35 PM ---------- Previous update was 02-10-11 at 01:59 PM ----------

Problem solved. The groupmap command would never work, so I went looking through the .tdb DBs in /var/samba/locks using tdbdump. There was a group_mapping.tdb file (and .ldb) that contained the new and incorrect mappings. There was also a file called group_mapping.tdb.updated dated August 2010, which contained the correct SIDs (S-1-5-21-3716986799-1692006562-677724103-512 and S-1-5-21-3716986799-1692006562-677724103-513). I then moved the group_mapping.tdb and .ldb files to .old and renamed the .updated file to group_mapping.tdb. After rebooting Samba and logging off and back on to XP, everything seems to be working.

There was a small hiccup when I tried to change permissions on a RAID folder, and there will probably be more problems. But at least now I have admin rights as Domain Admins on the workstations.
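
Added example, not part of the original post: a small check that reads group-mapping lines and flags any mapping whose SID does not end in the RID the post expects (512 for Domain Admins, 513 for Domain Users). It assumes `net groupmap list` prints lines of the form `NT group (SID) -> unix group`; the sample lines are constructed, using the domain SID quoted in the post.

```shell
#!/bin/sh
# Added example: flag group mappings whose SID does not end in the RID the
# post expects (512 for Domain Admins, 513 for Domain Users).
# Assumes `net groupmap list` lines look like: NT group (SID) -> unix group

# Constructed samples; domain SID from the post, RID 2021 and the unix group "users" made up.
DOM=S-1-5-21-3716986799-1692006562-677724103
SAMPLE_BAD="Domain Admins ($DOM-2021) -> root
Domain Users ($DOM-513) -> users"
SAMPLE_GOOD="Domain Admins ($DOM-512) -> ntadmins
Domain Users ($DOM-513) -> users"

expected_rid() {
    case "$1" in
        "Domain Admins") echo 512 ;;
        "Domain Users")  echo 513 ;;
    esac
}

# Reads groupmap lines on stdin, prints one finding per known group,
# returns 1 on any mismatch or if Domain Admins is not mapped at all.
check_groupmap() {
    bad=0
    seen_admins=no
    while IFS= read -r line; do
        name=${line%% (S-*}          # text before " (S-..."
        sid=${line#*\(}              # drop through the first "("
        sid=${sid%%\)*}              # drop from ")" onward
        rid=${sid##*-}               # last SID component
        want=$(expected_rid "$name")
        [ -n "$want" ] || continue   # not a group we check
        if [ "$name" = "Domain Admins" ]; then seen_admins=yes; fi
        if [ "$rid" = "$want" ]; then
            echo "OK $name rid=$rid"
        else
            echo "MISMATCH $name rid=$rid expected=$want"
            bad=1
        fi
    done
    if [ "$seen_admins" = no ]; then echo "MISSING Domain Admins"; bad=1; fi
    return "$bad"
}

# Demo on the constructed data; on a live server: net groupmap list | check_groupmap
printf '%s\n' "$SAMPLE_BAD" | check_groupmap || true
```

Running the same check before and after swapping group_mapping.tdb files shows whether the restored database carries the expected mappings.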
 

TDBBACKUP(8)                                                      TDBBACKUP(8)

NAME
       tdbbackup - tool for backing up and for validating the integrity of samba .tdb files

SYNOPSIS
       tdbbackup [-s suffix] [-v] [-h]

DESCRIPTION
       This tool is part of the samba(1) suite.

       tdbbackup is a tool that may be used to back up samba .tdb files. This tool may also be used to verify the integrity of the .tdb files prior to samba startup or during normal operation. If it finds file damage and it finds a prior backup, the backup file will be restored.

OPTIONS
       -h     Get help information.

       -s suffix
              The -s option allows the administrator to specify a file backup extension. This way it is possible to keep a history of tdb backup files by using a new suffix for each backup.

       -v     The -v option will check the database for damage (corrupt data), which if detected causes the backup to be restored.

COMMANDS
       GENERAL INFORMATION

       The tdbbackup utility can safely be run at any time. It was designed so that it can be used at any time to validate the integrity of tdb files, even during Samba operation. Typical usage for the command will be:

              tdbbackup [-s suffix] *.tdb

       Before restarting samba the following command may be run to validate .tdb files:

              tdbbackup -v [-s suffix] *.tdb

       Samba .tdb files are stored in various locations; be sure to back up all .tdb files on the system. Important files include:

       o   secrets.tdb - usual location is in the /usr/local/samba/private directory, or on some systems in /etc/samba.

       o   passdb.tdb - usual location is in the /usr/local/samba/private directory, or on some systems in /etc/samba.

       o   *.tdb located in the /usr/local/samba/var directory or on some systems in the /var/cache or /var/lib/samba directories.

VERSION
       This man page is correct for version 3.0 of the Samba suite.

AUTHOR
       The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

       The tdbbackup man page was written by John H Terpstra.