On 26/09/14 11:48, Joakim Tjernlund wrote:

...

...

Don't quite follow here. I do have a local root user in passwd/shadow

with

...

...

a local pw as required by any UNIX I know. I also have a AD root account.

Lets get this straight, you have a user called 'root' in /etc/passwd and another user called 'root' in AD, is this correct ???

Yes

Then you need to delete the AD user 'root', unlike the earlier NT4-style samba domain, samba4 AD domains cannot have a user with the same name as a local Unix user. If you want a domain admin user, create one, allow it to use sudo and then use this user to administrate your domain. If something was to go wrong, you will still have the local 'root' account that you can use locally (or by a correctly setup ssh server) to fix the problem. If you think that your users will alter your root passwords, then you need to limit just what your users are capable of. If you do not know how to do this, or cannot find out how to do this, I would suggest that you need find another job.

PS. Why is it so hard to keep me on CC? Some list setting which makes this easy to forget?

Nothing to do with any list setting, you should get the replies if you are a list member, I normally just reply to list, but in this case I 'CC'd' you

Rowland

...

Rowland