BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
Hello everyone.
I'm trying to fix the sysvol rights, because I see errors in the output of
/usr/bin/samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
- ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/samdom.svmetal.cz/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
    direct_db_access)
  File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

That's nothing new, this was discussed here many times.

Today, I decided to try the script
(https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh)
by Mr. van Belle and I ended up with this error:
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to uid

Confirmed:
wbinfo --sid-to-uid=S-1-5-32-544
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to uid

So I have a problem with the builtin group Administrators; other groups look
good:
wbinfo --sid-to-uid=S-1-5-32-549
15543
wbinfo --sid-to-uid=S-1-5-11
15549

The DB seems to be ok:
samba-tool dbcheck --cross-ncs --fix
Checking 5227 objects
Checked 5227 objects (0 errors)

Is there any way to fix my domain?

I have an AD domain migrated from a Samba 3 NT4 domain (migrated to SerNet Samba 4.2).
It now runs on 2 CentOS 6 DCs with SerNet Samba 4.6.7.
Here is my DC's smb.conf:
# Global parameters
[global]
 workgroup = COMPANY
 realm = samdom.company.cz
 netbios name = DC01
 server role = active directory domain controller
 idmap_ldb:use rfc2307 = yes
 dns forwarder = 192.168.1.34
 allow dns updates = nonsecure
 log level = 1
 load printers = no
 printing = bsd
 printcap name = /dev/null
 disable spoolss = yes

[netlogon]
 path = /var/lib/samba/sysvol/samdom.company.cz/scripts
 read only = No
 acl_xattr:ignore system acls = yes

[sysvol]
 path = /var/lib/samba/sysvol
 read only = No
 acl_xattr:ignore system acls = yes




Yours sincerely
 
Jiří Černý
System administrator
 
+420 775 860 300
[hidden email]
[hidden email]
 
SV metal spol. s r.o.
Divec 99
500 03 Hradec Králové
Czech republic
 
www.svmetal.cz


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
On Mon, 04 Sep 2017 13:53:23 +0200
Jiří Černý via samba <[hidden email]> wrote:

There is probably nothing wrong with your domain; it looks like you
have given some of your Windows AD groups a gidNumber:

S-1-5-32-549 is Server Operators

S-1-5-11 is Authenticated Users

They are both listed as 'ID_TYPE_BOTH' in idmap.ldb.

Can I suggest you go here:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

Check your AD and remove any gidNumber or uidNumber attributes from any
users or groups that appear on that page, except for 'Domain Users'.

Rowland


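The audit Rowland describes, as an added example script that is not from the thread, from the script linked above, or from Samba: it lists every object in sam.ldb that carries a uidNumber or gidNumber and flags the well-known ones (anything in BUILTIN, or a domain RID below 1000), leaving Domain Users alone as the advice allows. It can also show how the DC itself maps a SID in idmap.ldb (xidNumber plus ID_TYPE_UID/GID/BOTH), because with idmap_ldb:use rfc2307 = yes a gidNumber in AD wins over that entry, and a group that must own entries in sysvol needs ID_TYPE_BOTH. The two SDDL strings in the sysvolcheck error differ only in the owner, O:LA (the local Administrator account) as recorded against the expected O:DA (Domain Admins) from the GPO object, which is the owner mismatch Rowland's later remark about Domain Admins owning sysvol entries refers to. Assumed rather than taken from the page: the ldbsearch command, the /var/lib/samba/private paths, and cn as the SID key in idmap.ldb; the LDIF used to exercise the filter is constructed.

```shell
#!/bin/sh
# Added example (not code from the thread or from Samba): audit which objects
# in a Samba AD DC's sam.ldb carry RFC2307 uidNumber/gidNumber attributes
# although they are well-known principals.
#
# Assumptions (adjust for your install): ldbsearch is in PATH and the DC's
# databases live under /var/lib/samba/private.
SAM_LDB=${SAM_LDB:-/var/lib/samba/private/sam.ldb}
IDMAP_LDB=${IDMAP_LDB:-/var/lib/samba/private/idmap.ldb}

# Read LDIF (as printed by ldbsearch) on stdin and print one line per object
# that has a uidNumber or gidNumber AND is a well-known principal: anything
# in the BUILTIN domain (S-1-5-32-*) or a domain object with a RID below
# 1000 (Administrator 500, Domain Admins 512, ...).  Domain Users (RID 513)
# is skipped, since the advice above allows a gidNumber there.
flag_wellknown_idmaps() {
    awk '
    function val()       { return substr($0, index($0, ": ") + 2) }
    function emit(  rid) {
        if (sid != "" && (uid != "" || gid != "")) {
            rid = sid; sub(/.*-/, "", rid)        # last SID component = RID
            if ((sid ~ /^S-1-5-32-/ || rid + 0 < 1000) && rid + 0 != 513)
                printf "%s %s uidNumber=%s gidNumber=%s\n", name, sid, (uid == "" ? "-" : uid), (gid == "" ? "-" : gid)
        }
        name = sid = uid = gid = ""
    }
    /^dn: /             { emit() }             # a new record flushes the previous one
    /^sAMAccountName: / { name = val() }
    /^objectSid: /      { sid = val() }
    /^uidNumber: /      { uid = val() }
    /^gidNumber: /      { gid = val() }
    END                 { emit() }
    '
}

# Query the DC for every object with a Unix ID and pipe it through the filter.
audit_sam_idmaps() {
    ldbsearch -H "$SAM_LDB" '(|(uidNumber=*)(gidNumber=*))' \
        sAMAccountName objectSid uidNumber gidNumber | flag_wellknown_idmaps
}

# Show how the DC itself maps a SID: the xidNumber and its type.  A group that
# must own files in sysvol needs ID_TYPE_BOTH here; a gidNumber set in AD takes
# precedence (idmap_ldb:use rfc2307 = yes) and makes it a group only.
# (cn as the SID key in idmap.ldb is an assumption.)
idmap_entry() {
    ldbsearch -H "$IDMAP_LDB" "(cn=$1)" xidNumber type
}

case "${1:-}" in
    audit) audit_sam_idmaps ;;           # sh sysvol-idmap-audit.sh audit
    idmap) idmap_entry "$2" ;;           # sh sysvol-idmap-audit.sh idmap S-1-5-32-544
esac
```

Anything the audit prints is a candidate for having its uidNumber/gidNumber removed (in ADUC or with ldbedit); after that, net cache flush and a restart of samba-ad-dc, then re-run wbinfo and samba-tool ntacl sysvolcheck.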

Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
Hai,

I had a quick look at this (in the middle of server upgrades)...

Your config looks ok.
This looks also ok.
> wbinfo --sid-to-uid=S-1-5-11
> 15549

Mine shows,
wbinfo --sid-to-uid=S-1-5-11
3000003

Normally on a DC you should see 30000xx, but that's probably from the Samba 3 upgrade.

Did you give these groups uid/gids, or did you use some mappings somewhere for these groups?
And after the upgrade, did you run net cache flush and restart samba-ad-dc?

It should not matter what the uid/gid are if the checks all work out.

So we have to find first why this is not working for you.
wbinfo --sid-to-uid=S-1-5-32-544
3000000 <<< my output.

Compared your setup to mine.

(this one defaults to 0; you need at least 2 in my opinion, I prefer 4)
winbind expand groups = 4

Besides that, almost the same; I use bind9_dlz, you the internal DNS.
But that should not matter.

Start with the net cache flush and restart samba-ad-dc.



Greetz,

Louis



Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
Thank you both, Rowland and Louis.

I'll try to answer you both and give you more info about our domain.

Generally:
In the past, we had a Samba 3.5 NT4 domain on a SLES server (designed ages
before, never upgraded). In 2015 I finally decided to migrate to Samba 4
AD. In those days it was 4.2. samba-tool ntacl sysvolcheck was ok, no
errors. AD worked (and is working) as expected.
This summer, I arranged a Samba+ subscription from SerNet, so we upgraded
to 4.6.X. As I said, everything works, but sysvolcheck throws the errors
that you discussed in the other thread.

The original Samba 3 domain was a combination of Samba and an LDAP backend.
So the domain schema was populated by smbldap-tools. Users/groups were added
by LAM (so smbldap-tools too). UIDs/GIDs were populated from RIDs. The ID map
range was from 500 to 10000, so every group and user in our domain has a
UID/GID the same as its RID. NSS was driven by LDAP (passwd, shadow and
group in nsswitch.conf had the ldap directive).

After the migration (in 2015) I changed this, at least for new users and
groups. I know that's not the best solution, but it worked and I didn't have
to reset all the ACLs on our fileservers.

Rowland:
Yes, you are right. There were UIDs and GIDs set on "system" users and
groups. I removed them all (is removing them in ADUC enough? I never worked
with the ldb tools) except Domain Users and Domain Admins (we use this group
as the owner group on many shares on our fileservers).

Louis:
I think that the "bad" numbers in my domain are legacy from Samba 3 +
LDAP. AD service restarts and net cache flush were executed many times in
the 2 years we have run this domain.

So what's next?
Do you think that I have to rearrange the UIDs and GIDs in our domain to
match the numeric pattern of a cleanly provisioned domain?


Thanks for you time. Have a nice day.


Yours sincerely
 
Jiří Černý
System administrator
 
+420 775 860 300
[hidden email]
[hidden email]
 
SV metal spol. s r.o.
Divec 99
500 03 Hradec Králové
Czech republic
 
www.svmetal.cz



Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
Hai,

I leave the advice about the uid/gid numbering to Rowland; I cannot give good advice on that.

The script was made in such a way that it should not matter which uid/gids are used where.
The script looks them up for you, but it must be error free so we are sure what is set is correct.

If you look in the script, you see the four SIDs.

DC_SERVER_OPERATORS="S-1-5-32-549"
DC_ADMINISTRATORS="S-1-5-32-544"
DC_SYSTEM="S-1-5-18"
DC_AUTHENTICATED_USERS="S-1-5-11"
These must resolve with wbinfo to get the correct uid/gid for sysvol.

These wbinfo --... tests:

For "BUILTIN\Administrators" and "BUILTIN\Server Operators":
--sid-to-uid --uid-to-sid --gid-to-sid --sid-to-name --name-to-sid

For System and Authenticated Users, these must be tested:
--sid-to-uid --uid-to-sid --gid-to-sid --sid-to-name


If one of these fails, you have an error in the setup; these should all resolve on the DC.
wbinfo --sid-to-uid="S-1-5-32-544"

wbinfo --uid-to-sid="the result of the above (uid)" returns the value above (S-1-5-32-544)
wbinfo --gid-to-sid="the result of the first, (uid)=(gid)" returns the value above (S-1-5-32-544)

wbinfo --sid-to-name="S-1-5-32-544" results in the name.
wbinfo --name-to-sid="the result of the above (name)" returns the value above (S-1-5-32-544)


Greetz,

Louis



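Louis's round-trip checklist, as an added example script that is not the thread's script and not Samba code: for each of the four SIDs it runs the wbinfo lookups in the order given above (--name-to-sid only for the two BUILTIN groups, as the post says), compares every answer with the SID it started from, and names the first step that breaks, so the WBC_ERR_DOMAIN_NOT_FOUND case from the first message shows up as a --sid-to-uid failure rather than a scripted ACL change going wrong halfway through. It assumes wbinfo is in PATH and that it is run on the DC, where all four must resolve; the wbinfo output formats it parses ("<name> <type>" and "<sid> <type> (<n>)") are what current wbinfo prints.

```shell
#!/bin/sh
# Added example (not the thread's script and not Samba code): run the wbinfo
# round-trip checks from the post above against the four SIDs the sysvol
# script relies on and report which step breaks.
# Assumption: wbinfo (samba-winbind-clients) is in PATH and this runs on the
# DC, where all four SIDs must resolve.

# Round-trip one SID through winbind.
#   $1 = SID, $2 = "yes" to also check --name-to-sid, which the post applies
#   to the two BUILTIN groups only.
# Prints one OK or FAIL line per problem; returns 0 only if every step agreed.
check_sid() {
    sid=$1 with_name=$2 ok=1
    xid=$(wbinfo --sid-to-uid="$sid") ||
        { printf '%s\n' "FAIL $sid: --sid-to-uid (the WBC_ERR_DOMAIN_NOT_FOUND case)"; return 1; }
    # The same number must map back to the SID as a uid AND as a gid
    # (that is what ID_TYPE_BOTH in idmap.ldb gives you).
    back=$(wbinfo --uid-to-sid="$xid") || back=
    [ "$back" = "$sid" ] || { printf '%s\n' "FAIL $sid: --uid-to-sid $xid gave '$back'"; ok=0; }
    back=$(wbinfo --gid-to-sid="$xid") || back=
    [ "$back" = "$sid" ] || { printf '%s\n' "FAIL $sid: --gid-to-sid $xid gave '$back'"; ok=0; }
    out=$(wbinfo --sid-to-name="$sid") ||
        { printf '%s\n' "FAIL $sid: --sid-to-name"; return 1; }
    name=${out% *}                      # wbinfo prints "<name> <type>": drop the type
    if [ "$with_name" = yes ]; then
        out=$(wbinfo --name-to-sid="$name") || out=
        # wbinfo prints "<sid> <type> (<n>)": compare the first word only
        [ "${out%% *}" = "$sid" ] ||
            { printf '%s\n' "FAIL $sid: --name-to-sid '$name' gave '$out'"; ok=0; }
    fi
    if [ "$ok" = 1 ]; then
        printf '%s\n' "OK   $sid -> $xid ($name)"
        return 0
    fi
    return 1
}

# The four SIDs from the post; returns non-zero if any of them fails a step.
check_sysvol_sids() {
    rc=0
    check_sid S-1-5-32-549 yes || rc=1   # BUILTIN\Server Operators
    check_sid S-1-5-32-544 yes || rc=1   # BUILTIN\Administrators
    check_sid S-1-5-18     no  || rc=1   # NT AUTHORITY\SYSTEM
    check_sid S-1-5-11     no  || rc=1   # NT AUTHORITY\Authenticated Users
    return $rc
}

case "${1:-}" in
    run) check_sysvol_sids ;;            # sh wbinfo-roundtrip.sh run
esac
```

Run it before any script that rewrites sysvol ACLs and stop at the first FAIL: a SID that resolves to a number which does not map back as both uid and gid is exactly the case Rowland points at, and fixing the mapping (not the ACLs) is the job.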

Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
On Tue, 05 Sep 2017 10:24:58 +0200
Jiří Černý via samba <[hidden email]> wrote:

> Thank you both, Rowland and Louis.
>
> I'll try to answer you both and give you more info about our domain.
>
> Generally:
> In the past, we have Samba 3.5 NT4 domain on SLES server (designed
> ages before, never upgraded). In 2015 I finally decided to migrate to
> Samba 4 AD. In those day it was 4.2. samba-tool ntacl sysvolcheck was
> ok, no errors. AD worked (and working) as expected.
> This summer, I managed Samba+ subscription from SerNet, so we upgraded
> to 4.6.X. As I said, everything work, but sysvolcheck throws errors
> that you discussed in other thread.
>
> Original Samba 3 domain was combination of Samba and LDAP backed. So
> domain scheme was populated by smbldap-tools. Users/groups were added
> by LAM (so smbldap-tools too). UIDs/GIDs were populated by RIDs. ID
> map range was from 500 to 10000, so every group and user in our
> domain have UIDs/GIDs same as their RID. NSS was driven by LDAP
> (passwd, shadow and group in nsswitch.conf had ldap directive).

This was perfectly common, nobody thought this would ever be a problem,
mainly because you had to have a user or group in /etc/passwd
or /etc/group mapped to a Samba user or group.
Now with AD, you do not need a user or group in /etc/passwd
or /etc/group, so any user or group that uses the RID as a Unix ID is
probably too low and is denying the use of any local Unix users.

>
> After migration (in 2015) I changed this at least for new users and
> groups. I know, that's not the best solution, but it worked I hadn't
> to reset all ACLs on our fileservers.
>
> Rowland:
> Yes, our are right. There were UIDs and GIDs set on "system" users and
> groups. I removed all (is removing in AUDC enough? I newer worked with
> ldb tools) except Domain Users and Domain Admins (we use this group as
> owner group on many shares on our fileservers).

I hope you are not thinking of using GPOs, 'Domain Admins' needs to own
things in 'sysvol' and cannot if they are a group (the gidNumber makes
them a group).

>
> Louis:
> I thing that the "bad" numbers in my domain are legacy pro Samba 3 +
> LDAP. AD service restart and net cache flush were executed many times
> as we run this domain 2 years.
>
> So what's next?
> Do you think that I have to rearrange UIDs and GIDs in our domain to
> match numeric pattern as in cleanly provisioned domain?

If you can change the Unix IDs, then this is the way to go

Rowland




Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
On Tue, 5 Sep 2017 10:48:52 +0200
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> Hai,
>
> I leave the advice about the uid/gid numbering to Rowland, i can not
> give a good advice on that.
>
> The script was made in such a way that it should not matter what
> uid/gids are where used. The script looks them up for you, but it
> must be error free so we are sure what is set is correct.

Not entirely true (in my opinion): the script should ensure that whilst
the SIDs do resolve, they resolve in a way that allows them to
do what they need to do, which in some cases is a group being a user. The
only way to do this is for the ID to come from idmap.ldb on a DC.

Rowland


Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
To Rowland:

> This was perfectly common, nobody thought this would ever be a
> problem, mainly because you had to have a user or group in /etc/passwd
> or /etc/group mapped to a Samba user or group. Now with AD, you do not
> need a user or group in /etc/passwd or /etc/group, so any user or group
> that uses the RID as a Unix ID is probably too low and is denying the
> use of any local Unix users

Yes, but where is the main problem/failure? We had a working Samba 3 domain
with an LDAP backend, built following the documentation. We migrated to
Samba 4 AD, of course with the assistance of the documentation/wiki.
So there was no failure in the migration process, but it led to an ID
mapping mess which I can't fix.

> I hope you are not thinking of using GPOs, 'Domain Admins' needs to
> own things in 'sysvol' and cannot if they are a group (the gidNumber
> makes them a group)

Of course I am thinking of using GPOs. Windows is OK with it, because it
uses SIDs. I have problems only in Linux, because of the bad ID mapping,
or rather with samba-tool ntacl sysvolcheck, because it expects different
ID numbers than I have.
Domain Admins is a group. The only difference is that in our (migrated)
domain it has objectClass top; posixGroup; group and in a cleanly
provisioned AD it has only top; group.
But in both cases I see a group. So I have to apologize, because I
probably don't understand you.
So if I set a GID, then the ID mapping in Linux makes it a group, but if
it's not set, then Samba does some "magic" and gives Domain Admins an ID so
this "group" can act as a user?

> If you can change the Unix IDs, then this is the way to go

No problem on the Linux side or in ADUC to change it. But it doesn't look
like it will help me. Now I have all BUILTIN groups without a GID and the
cache flushed, but no luck. Even though I removed all the bad GIDs and
checked for possible collisions with UNIX groups, Samba doesn't give me IDs
like 30000, but something different. Look at my sysvol:
getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: 1037
# group: 544
user::rwx
user:10037:rwx
user:15543:r-x
user:15544:rwx
user:15554:r-x
group::rwx
group:544:rwx
group:BUILTIN\134server\040operators:r-x
group:15544:rwx
group:15554:r-x
mask::rwx
other::---
default:user::rwx
default:user:1037:rwx
default:user:15543:r-x
default:user:15544:rwx
default:user:15554:r-x
default:group::---
default:group:544:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:15544:rwx
default:group:15554:r-x
default:mask::rwx
default:other::---

As you can see, there is something with a 15000 + RID pattern. Definitely
from the old LDAP backend. 544 is BUILTIN\Administrators, 1037 is the old
UID of COMPANY\Administrator. Even though I deleted the GIDs and flushed
the cache it doesn't work:
wbinfo -i Administrator
COMPANY\administrator:*:0:513::/home/COMPANY/administrator:/bin/false

I am afraid that our domain has been badly provisioned (upgraded) from the
beginning. Is there any tool/advice on how to manually fix/change IDs in
Samba AD? And some kind of list of the IDs which Samba AD uses in its "ID
magic"?
I believe that it can be fixed by setting the "right" numbers.
Thank you for your help. I really appreciate it.

Jiří

>>> Jiří Černý 5.9.2017 10:24 >>>
Thank you both, Rowland and Louis.

I'll try to answer you both and give you more info about our domain.

Generally:
In the past, we had a Samba 3.5 NT4 domain on a SLES server (designed ages
before, never upgraded). In 2015 I finally decided to migrate to Samba 4
AD. In those days it was 4.2. samba-tool ntacl sysvolcheck was ok, no
errors. AD worked (and is working) as expected.
This summer, I got a Samba+ subscription from SerNet, so we upgraded
to 4.6.X. As I said, everything works, but sysvolcheck throws the errors that
you discussed in another thread.

The original Samba 3 domain was a combination of Samba and an LDAP backend. So
the domain schema was populated by smbldap-tools. Users/groups were added by
LAM (so smbldap-tools too). UIDs/GIDs were populated from RIDs. The ID map
range was from 500 to 10000, so every group and user in our domain had
UIDs/GIDs the same as their RID. NSS was driven by LDAP (passwd, shadow and
group in nsswitch.conf had the ldap directive).

After migration (in 2015) I changed this at least for new users and
groups. I know that's not the best solution, but it worked and I didn't have
to reset all ACLs on our fileservers.

Rowland:
Yes, you are right. There were UIDs and GIDs set on "system" users and
groups. I removed all of them (is removing in ADUC enough? I never worked
with the ldb tools) except Domain Users and Domain Admins (we use this group
as the owner group on many shares on our fileservers).

Louis:
I think that the "bad" numbers in my domain are legacy from Samba 3 +
LDAP. AD service restarts and net cache flush were executed many times as
we have run this domain for 2 years.

So what's next?
Do you think that I have to rearrange UIDs and GIDs in our domain to
match the numeric pattern of a cleanly provisioned domain?


Thanks for your time. Have a nice day.


Yours sincerely
 
Jiří Černý
System administrator
 
+420 775 860 300
[hidden email]
[hidden email]
 
SV metal spol. s r.o.
Divec 99
500 03 Hradec Králové
Czech republic
 
www.svmetal.cz


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
On Tue, 05 Sep 2017 12:22:47 +0200
Jiří Černý via samba <[hidden email]> wrote:

> To Rowland:
>> This was perfectly common, nobody thought this would ever be a
>> problem, mainly because you had to have a user or group in /etc/passwd
>> or /etc/group mapped to a Samba. Now with AD, you do not need a user
>> or group in /etc/passwd or /etc/group, so any user or group that uses
>> the RID as a Unix ID is probably too low and is denying the use of
>> any local Unix users

> Yes, but where is main problem/failure? We had working Samba 3 domain
> with LDAP backend. Made by documentation. We migrated to Samba 4 AD,
> of course with assistance of documentation/wiki.
> So there was no failure in process of migration, but it lead to ID
> mapping mess which I can't fix.

The problem lies way back when the domain was set up. As I said,
everybody thought that using the RID as a Unix ID was an acceptable
thing to do. Hindsight has proven this wasn't such a good idea, a lot
of the RIDs are in the 500 range (including Domain Users). This means
that if you use the winbind 'ad' backend, you need to set the lower
Domain range to '500' to get any of your users known to Unix, this
means you cannot have ANY local Unix users.
 
>
> > I hope you are not thinking of using GPOs, 'Domain Admins' needs to
>> own things is 'sysvol' and cannot if they are a group (the gidNumber
>> makes them a group)

> Of course I am thinking of using GPOs. Windows
> are ok with it, because it uses SIDs. I have problems only in linux,
> because bad ID mapping, respectively samba-tool ntacl sysvolcheck,
> because it's expecting different ID numbers than I have.
> Domain Admins is a group. The only difference is that in our (migrated)
> domain id has objectClass top; posixgroup; group and in cleanly
> provisioned AD it has only top; group.

You do not need 'posixgroup', it is an auxiliary objectclass of group,
you can add any of the rfc2307 attributes without it.
 
> But in both cases I see group. So I have to apologize, because I
> probably don't understand you.
> So if I set GID, then ID mapping in linux makes that as group, but if
> it's not set, than Samba makes some "magic" and give Domain Admins ID
> as this "goup" act as user?

It isn't really magic, idmap on a DC works two ways, the first is when
a user or group first contacts the DC, it is given an xidNumber, this
is stored in idmap.ldb on the DC, it is also set to a 'type'. This can be
'ID_TYPE_UID', 'ID_TYPE_GID' or 'ID_TYPE_BOTH', the latter means that a
group is also a user. The second way is if you give a user a uidNumber
or give a group a gidNumber, this turns off what is in idmap.ldb and
makes the user or group become just a user or group, in the case of
Domain Admins, this stops the group owning anything in 'sysvol'.

>> If you can change the Unix IDs, then this is the way to go
>
> No problem there on the Linux side or in ADUC to change it. But it
> doesn't look like it will help me. Now, I have all BUILTIN groups
> without a GID, cache flushed but no luck. Even if I removed all bad GIDs
> and checked possible collisions with UNIX groups. Samba doesn't give me
> IDs like 30000, but something different. Look at my sysvol:
> getfacl /var/lib/samba/sysvol/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/
> # owner: 1037
> # group: 544
> user::rwx
> user:10037:rwx
> user:15543:r-x
> user:15544:rwx
> user:15554:r-x
> group::rwx
> group:544:rwx
> group:BUILTIN\134server\040operators:r-x
> group:15544:rwx
> group:15554:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:1037:rwx
> default:user:15543:r-x
> default:user:15544:rwx
> default:user:15554:r-x
> default:group::---
> default:group:544:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:15544:rwx
> default:group:15554:r-x
> default:mask::rwx
> default:other::---
>
> As you can see, there is something with 15000 + RID
> pattern. Definitely from old LDAP backend. 544 are
> BUILTIN\Administrators, 1037 is old UID of COMPANY\Administrator. Even
> if I deleted GIDs and flushed cache it doesn't work:
> wbinfo -i Administrator
> COMPANY\administrator:*:0:513::/home/COMPANY/administrator:/bin/false
> I am afraid that our domain was badly provisioned (upgraded) from the
> beginning. Is there any tool/advice on how to manually fix/change IDs
> in Samba AD? And some kind of list of IDs which Samba AD uses in its
> "ID magic"?
> I believe that can be fixed by setting the "right" numbers.
> Thank you for your help. I really appreciate it.
>
> Jiří
>

Try restarting Samba and then run 'getent group Domain\ Admins'

Rowland


Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
Thank you very much for clarifying the ID mapping "magic";)
 
> You do not need 'posixgroup', it is an auxiliary objectclass of
> group, you can add any of the rfc2307 attributes without it.

Well, is there any option to remove it? Because "posixgroup" is on
every group that was migrated from Samba 3.
And I cannot edit this attribute in ADUC (the delete button is greyed out).

> Try restarting Samba and then run 'getent group Domain\ Admins'
getent group Domain\ Admins
COMPANY\domain admins:x:512:

Which is expected, because it has the NIS domain and GID set in ADUC. But
when I look to sysvol, I don't see Domain admins but
BUILTIN\Administrators (Domain Admins are members of this group). So I
am confused by behavior of BUILTIN groups.
I made some investigations about BUILTIN\Administrators.

Production domain (migrated from Samba 3):
wbinfo --sid-to-uid=S-1-5-32-544
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to uid

ldbsearch -H /var/lib/samba/private/idmap.ldb | grep S-1-5-32-544 -A2
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_GID
xidNumber: 15538
distinguishedName: CN=S-1-5-32-544

Testing lab domain (provisioned from scratch):
wbinfo --sid-to-uid=S-1-5-32-544
3000003

ldbsearch -H /usr/local/samba/private/idmap.ldb | grep S-1-5-32-544
-A2
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-32-544

Almost every (except 0, 99 and 100) BUILTIN xidNumber on my migrated
domain starts with 15000. On provisioned domain it starts with 3000000.
Is that the way to fix my errors? Correct idmap.ldb to match a cleanly
provisioned Samba AD? Is it safe to edit this file?


Jiří


Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
On Tue, 05 Sep 2017 14:01:37 +0200
Jiří Černý via samba <[hidden email]> wrote:

> Thank you very much for clarifying the ID mapping "magic";)
>  
>> You do not need 'posixgroup', it is an auxiliary objectclass of
>> group, you can add any of the rfc2307 attributes without it.

> Well, is there any option to remove it? Because "posixgroup" is on
> every group that was migrated from Samba 3.
> And I cannot edit this attribute in ADUC (delete button is grayed).

It is probably 'greyed' out because no Windows tools use it or will add
it. You will probably need to use Unix tools (ldb or ldap) to remove
them, but you can if you so wish ignore them. What you should never do
is to rely on them being there, because they may or may not be there.

>
> > Try restarting Samba and then run 'getent group Domain\ Admins'
> getent group Domain\ Admins
> COMPANY\domain admins:x:512:
>
> Which is expected, because it has set NIS domain and GID in ADUC.

You need to remove the gidNumber from Domain Admins. If you add any
GPOs to 'sysvol' (other than the two default ones), they will be
created in 'sysvol\DOMAIN.LOCAL\Policies\{GUID}'
And the Sddl will be:

O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)

The important bit (as far as the Unix OS is concerned) is 'O:DAG:DA',
which if we expand it becomes 'O:DA G:DA'
O = Owner
G = Group
DA = Domain Admins

So we can see that Domain Admins is both the owner and group of the
directory. If Domain Admins has a gidNumber it is just a group and
'O:DAG:DA' becomes 'O:??G:DA'


> But
> when I look to sysvol, I don't see Domain admins but
> BUILTIN\Administrators (Domain Admins are members of this group). So I
> am confused by behavior of BUILTIN groups.
> I made some investigations about BUILTIN\Administrators.
>
> Production domain (migrated from Samba 3):
> wbinfo --sid-to-uid=S-1-5-32-544
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-32-544 to uid
>
> ldbsearch -H /var/lib/samba/private/idmap.ldb | grep S-1-5-32-544 -A2
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_GID
> xidNumber: 15538
> distinguishedName: CN=S-1-5-32-544

and mine is:

dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544


>
> Testing lab domain (provisioned from scratch):
> wbinfo --sid-to-uid=S-1-5-32-544
> 3000003
>
> ldbsearch -H /usr/local/samba/private/idmap.ldb | grep S-1-5-32-544
> -A2
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_BOTH
> xidNumber: 3000003
> distinguishedName: CN=S-1-5-32-544
>
> Almost every (except 0, 99 and 100) BUILTIN xidNumber on my migrated
> domain starts with 15000. On provisioned domain it starts with
> 3000000. Is that the way to fix my errors? Correct idmap.ldb to match
> cleanly provisioned Samba AD? Is save to edit this file?
>
>

It is perfectly safe to edit, in fact if you add another DC, you have
to edit it on the second DC by overwriting it with the idmap.ldb from
the first.

Let me have a look at the classicupgrade code and get back to you, it
shouldn't create xidNumbers like that. Speaking of which, can you check
in idmap.ldb for the DN 'dn: CN=CONFIG'. What are 'lowerBound' and
'upperBound' set to?

Rowland

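Rowland's reading of the 'O:DAG:DA' prefix can be checked mechanically rather than by eye. What follows is an added, stand-alone Python example written for this thread; it is not Samba's code (samba-tool compares these descriptors with Samba's own security-descriptor bindings). It parses the owner, group and DACL sections of an SDDL string, knows the handful of two-letter SID and access-right aliases that appear in the descriptors quoted here (a subset of the full Windows table, listed in the code), and reports the field in which two descriptors differ. Run on the pair that 'samba-tool ntacl sysvolcheck' printed at the top of this thread, the only difference is the owner: LA (the Administrator account) on disk versus DA (Domain Admins) expected from the GPO object.

```python
import re
from typing import List, NamedTuple, Tuple

# Two-letter SDDL SID aliases seen in the sysvol descriptors in this thread
# (a subset of the full Windows alias table).
SID_ALIASES = {
    "DA": "Domain Admins", "EA": "Enterprise Admins", "DU": "Domain Users",
    "BA": "BUILTIN\\Administrators", "CO": "Creator Owner", "SY": "Local System",
    "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
    "LA": "Local Administrator", "WD": "Everyone",
}
# Two-letter access-right aliases for file objects and their bit masks.
# 0x001f01ff in the thread is FA; 0x001200a9 is FR|FX (generic read+execute).
ACCESS_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}

_SID_RE = re.compile(r"S-\d+(?:-\d+)+")
_ACL_FLAGS_RE = re.compile(r"(?:P|AI|AR)*")   # protected / auto-inherited / inherit-required


class Ace(NamedTuple):
    ace_type: str   # "A" allowed, "D" denied
    flags: str      # e.g. "OICI" = object inherit + container inherit
    rights: int     # access mask, normalised to an int
    trustee: str    # alias such as "DA" or a full SID string


class SecurityDescriptor(NamedTuple):
    owner: str
    group: str
    dacl_flags: str
    dacl: List[Ace]


def _read_sid(sddl: str, pos: int) -> Tuple[str, int]:
    """Read either a full 'S-1-...' SID or a two-letter alias at pos."""
    m = _SID_RE.match(sddl, pos)
    if m:
        return m.group(0), m.end()
    return sddl[pos:pos + 2], pos + 2


def parse_rights(token: str) -> int:
    """'0x001f01ff' -> 0x1F01FF; 'FA' -> 0x1F01FF; 'FRFX' -> OR of both aliases."""
    if token.startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= ACCESS_ALIASES[token[i:i + 2]]
    return mask


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Parse the O:/G:/D: sections of an SDDL string (an S: section is skipped)."""
    owner = group = dacl_flags = ""
    dacl: List[Ace] = []
    pos = 0
    while pos < len(sddl):
        marker = sddl[pos:pos + 2]
        pos += 2
        if marker in ("O:", "G:"):
            sid, pos = _read_sid(sddl, pos)
            if marker == "O:":
                owner = sid
            else:
                group = sid
        elif marker in ("D:", "S:"):
            m = _ACL_FLAGS_RE.match(sddl, pos)
            flags, pos = m.group(0), m.end()
            aces: List[Ace] = []
            while pos < len(sddl) and sddl[pos] == "(":
                end = sddl.index(")", pos)
                # ace = type;flags;rights;object_guid;inherit_object_guid;trustee
                f = sddl[pos + 1:end].split(";")
                aces.append(Ace(f[0], f[1], parse_rights(f[2]), f[5]))
                pos = end + 1
            if marker == "D:":
                dacl_flags, dacl = flags, aces
        else:
            raise ValueError(f"unexpected SDDL section {marker!r} at offset {pos - 2}")
    return SecurityDescriptor(owner, group, dacl_flags, dacl)


def describe(trustee: str) -> str:
    return SID_ALIASES.get(trustee, trustee)


def diff_sddl(actual: str, expected: str) -> List[str]:
    """List the fields in which two descriptors differ (ACE order is ignored)."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    problems = []
    for field in ("owner", "group", "dacl_flags"):
        if getattr(a, field) != getattr(e, field):
            problems.append(f"{field}: got {describe(getattr(a, field))}, "
                            f"expected {describe(getattr(e, field))}")
    if sorted(a.dacl) != sorted(e.dacl):
        problems.append("dacl: ACE lists differ")
    return problems


# The pair reported by 'samba-tool ntacl sysvolcheck' at the top of this thread.
FS_ACL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
GPO_ACL = "O:DA" + FS_ACL[4:]   # identical except for the owner

if __name__ == "__main__":
    for line in diff_sddl(FS_ACL, GPO_ACL):
        print(line)
```

The parser deliberately stops at what sysvolcheck needs: the owner/group aliases and the DACL. Object-specific ACE fields and the SACL are read past but not interpreted.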

Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
Rowland,

Are (one of) these not an option for him to correct this?

      --allocate-uid                                 Get a new UID out of idmap
      --allocate-gid                                 Get a new GID out of idmap
      --set-uid-mapping=UID,SID                      Create or modify uid to sid mapping in idmap
      --set-gid-mapping=GID,SID                      Create or modify gid to sid mapping in idmap
      --remove-uid-mapping=UID,SID                   Remove uid to sid mapping in idmap
      --remove-gid-mapping=GID,SID                   Remove gid to sid mapping in idmap
      --sids-to-unix-ids=Sid-List                    Translate SIDs to Unix IDs
      --unix-ids-to-sids=ID-List (u<num> g<num>)     Translate Unix IDs to SIDs


Greetz,

Louis


Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
On Tue, 5 Sep 2017 14:45:02 +0200
L.P.H. van Belle <[hidden email]> wrote:

> Rowland,
>
> Are (one of) these not an option for him to correct this?
>
>       --allocate-uid                                 Get a new UID out of idmap
>       --allocate-gid                                 Get a new GID out of idmap
>       --set-uid-mapping=UID,SID                      Create or modify uid to sid mapping in idmap
>       --set-gid-mapping=GID,SID                      Create or modify gid to sid mapping in idmap
>       --remove-uid-mapping=UID,SID                   Remove uid to sid mapping in idmap
>       --remove-gid-mapping=GID,SID                   Remove gid to sid mapping in idmap
>       --sids-to-unix-ids=Sid-List                    Translate SIDs to Unix IDs
>       --unix-ids-to-sids=ID-List (u<num> g<num>)     Translate Unix IDs to SIDs
>
>

Don't think so, the problem seems to be that somebody thought it would
be a good idea to mess with idmap.ldb during the classicupgrade.

This from upgrade.py:

    logger.info("Adding groups")
    try:
        # Export groups to samba4 backend
        logger.info("Importing groups")
        for g in grouplist:
            # Ignore uninitialized groups (gid = -1)
            if g.gid != -1:
                add_group_from_mapping_entry(result.samdb, g, logger)
                add_ad_posix_idmap_entry(result.samdb, g.sid, g.gid, "ID_TYPE_GID", logger)
                add_posix_attrs(samdb=result.samdb, sid=g.sid,
                                name=g.nt_name, nisdomain=domainname.lower(),
                                xid_type="ID_TYPE_GID", logger=logger)

There is a similar one for users.

I am beginning to think that it is a BAD idea to upgrade from a PDC to
an AD DC, you would probably be better off creating a new AD domain and
exporting the users & groups to it, that way you can ensure it works as
expected.

Rowland


Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
Well, we are getting somewhere...;)

> It is probably 'greyed' out because no Windows tools use it or will
> add it. You will probably need to use Unix tools (ldb or ldap) to
> remove them, but you can if you so wish ignore them. What you should
> never do is to rely on them being there, because they may or may not be
> there.

Ok, I'll let it be there.

> You need to remove the gidNumber from Domain Admins. If you add any
> GPOs to 'sysvol' (other than the two default ones), they will be
> created in 'sysvol\DOMAIN.LOCAL\Policies\{GUID}'
> And the Sddl will be:
>
> O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)
>
> The important bit (as far as the Unix OS is concerned) is 'O:DAG:DA',
> which if we expand it becomes 'O:DA G:DA'
> O = Owner
> G = Group
> DA = Domain Admins
>
> So we can see that Domain Admins is both the owner and group of the
> directory. If Domain Admins has a gidNumber it is just a group and
> 'O:DAG:DA' becomes 'O:??G:DA'

Deleted. Now I can run samba-tool ntacl sysvolreset and samba-tool ntacl
sysvolcheck without errors. The Domain Admins ID is now:
getent group 'Domain Admins'
SVMETAL\domain admins:x:15655:

> It is perfectly safe to edit, in fact if you add another DC, you have
> to edit it on the second DC by overwriting it with the idmap.ldb from
> the first.
>
> Let me have a look at the classicupgrade code and get back to you, it
> shouldn't create xidNumbers like that. Speaking of which, can you check
> in idmap.ldb for the DN 'dn: CN=CONFIG'. What are 'lowerBound' and
> 'upperBound' set to?

You're right, I remember dumping that file and copying it to the second DC.
What is interesting is that on Samba 4.2 there was no problem with
sysvolcheck/reset: the UIDs/GIDs were exactly the same, I didn't make any
changes to them.

ldbsearch -H /var/lib/samba/private/idmap.ldb | grep "dn: CN=CONFIG" -A6 -B1
# record 8
dn: CN=CONFIG
cn: CONFIG
upperBound: 4000000
lowerBound: 15543
xidNumber: 15655
distinguishedName: CN=CONFIG

Which is very interesting, because it has the same xidNumber as Domain
Admins.

Jiří


On Tue, 05 Sep 2017 14:01:37 +0200
Jiří Černý via samba <samba at lists.samba.org> wrote:

> Thank you very much for clarifying the ID mapping "magic";)
>  
>> You do not need 'posixgroup', it is an auxiliary objectclass of
>> group, you can add any of the rfc2307 attributes without it.
>
> Well, is there any option to remove it? Because "posixgroup" is on
> every group that was migrated from Samba 3.
> And I cannot edit this attribute in ADUC (delete button is grayed).
>
> It is probably 'greyed' out because no Windows tools use it or will
add
> it. You will probably need to use Unix tools (ldb or ldap) to remove
> them, but you can if you so wish ignore them. What you should never
do
> is to rely on them being there, because they may or may not be
there.

>
>
> > Try restarting Samba and then run 'getent group Domain\ Admins'
> getent group Domain\ Admins
> COMPANY\domain admins:x:512:
>
> Which is expected, because it has set NIS domain and GID in ADUC.
>
> You need to remove the gidNumber from Domain Admins. If you add any
> GPOs to 'sysvol' (other than the two default ones), they will be
> created in 'sysvol\DOMAIN.LOCAL\Policies\{GUID}'
> And the Sddl will be:
>
>
O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)
>
> The important bit (as far as the Unix OS is concerned) is
'O:DAG:DA',

> which if we expand it becomes 'O:DA G:DA'
> O = Owner
> G = Group
> DA = Domain Admins
>
> So we can see that Domain Admins is both the owner and group of the
> directory. If Domain Admins has a gidNumber it is just a group and
> 'O:DAG:DA' becomes 'O:??G:DA'
>
>
> But
> when I look to sysvol, I don't see Domain admins but
> BUILTIN\Administrators (Domain Admins are members of this group). So
> I am confused by the behavior of BUILTIN groups.
> I made some investigations about BUILTIN\Administrators.
>
> Production domain (migrated from Samba 3):
> wbinfo --sid-to-uid=S-1-5-32-544
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-32-544 to uid
>
> ldbsearch -H /var/lib/samba/private/idmap.ldb | grep S-1-5-32-544 -A2
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_GID
> xidNumber: 15538
> distinguishedName: CN=S-1-5-32-544
>
> and mine is:
>
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_BOTH
> xidNumber: 3000000
> distinguishedName: CN=S-1-5-32-544
>
>
>
> Testing lab domain (provisioned from scratch):
> wbinfo --sid-to-uid=S-1-5-32-544
> 3000003
>
> ldbsearch -H /usr/local/samba/private/idmap.ldb | grep S-1-5-32-544
> -A2
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_BOTH
> xidNumber: 3000003
> distinguishedName: CN=S-1-5-32-544
>
> Almost every (except 0, 99 and 100) BUILTIN xidNumber on my migrated
> domain starts with 15000. On provisioned domain it starts with
> 3000000. Is that the way to fix my errors? Correct idmap.ldb to match
> cleanly provisioned Samba AD? Is it safe to edit this file?
>
> It is perfectly safe to edit, in fact if you add another DC, you have
> to edit it on the second DC by overwriting it with the idmap.ldb from
> the first.
>
> Let me have a look at the classicupgrade code and get back to you, it
> shouldn't create xidNumbers like that. Speaking of which, can you check
> in idmap.ldb for the DN 'dn: CN=CONFIG'. What are 'lowerBound' and
> 'upperBound' set to ?
> Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

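The owner/group reasoning in Rowland's reply quoted above (the 'O:DAG:DA' prefix, and why a gidNumber on Domain Admins leaves the owner with no uid) and the differing wbinfo results for S-1-5-32-544 can be checked offline with the following script. It is an added example for this page, not Samba's code and not something posted in the thread; the idmap.ldb and sam.ldb dumps are constructed LDIF modelled on the ones quoted, the domain SID S-1-5-21-1111111111-2222222222-3333333333 is made up, and the resolution rule it applies (an AD object carrying gidNumber is mapped as a group only; otherwise the idmap.ldb sidMap record's type decides whether a uid, a gid or both exist) is my reading of how a DC using rfc2307 attributes behaves, stated here as an assumption.

```python
"""Added example: can the owner (O:) and group (G:) of a sysvol SDDL be
mapped to a Unix uid and gid the way a Samba AD DC needs them to be?

Assumption (not Samba code): an AD object with gidNumber is a group-only
mapping; anything else falls back to the idmap.ldb sidMap record, whose
'type' says whether a uid (ID_TYPE_UID/BOTH) or gid (ID_TYPE_GID/BOTH) exists.
"""
import re

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed

# Constructed idmap.ldb dump, shaped like the ldbsearch output in the thread.
IDMAP_LDIF = f"""\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_GID
xidNumber: 15538

dn: CN=S-1-5-32-549
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 15540

dn: CN={DOMAIN_SID}-512
objectSid: {DOMAIN_SID}-512
type: ID_TYPE_BOTH
xidNumber: 15655
"""

# Constructed sam.ldb dump: Domain Admins still carries a migrated gidNumber.
SAM_LDIF = f"""\
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectSid: {DOMAIN_SID}-512
gidNumber: 512
"""

# Expected GPO directory ACL as quoted in the thread (trailing ACE dropped).
SDDL = ("O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)"
        "(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)")

# SDDL two-letter aliases that can appear as owner/group (subset of MS-DTYP).
ALIASES = {"DA": f"{DOMAIN_SID}-512", "EA": f"{DOMAIN_SID}-519",
           "SY": "S-1-5-18", "BA": "S-1-5-32-544", "AU": "S-1-5-11",
           "ED": "S-1-5-9", "CO": "S-1-3-0"}


def parse_ldif(text):
    """Return {objectSid: {attr: value}} from a simple single-valued LDIF dump."""
    records, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():                 # blank line closes a record
            if "objectSid" in current:
                records[current["objectSid"]] = current
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return records


def parse_sddl_owner_group(sddl):
    """Extract O: and G: from an SDDL string, expanding known aliases to SIDs."""
    m = re.match(r"O:([A-Z]{2}|S-1-[\d-]+)G:([A-Z]{2}|S-1-[\d-]+)D:", sddl)
    if not m:
        raise ValueError("no O:/G: prefix in SDDL")
    return tuple(ALIASES.get(x, x) for x in m.groups())


def resolve(sid, idmap, sam):
    """Model sid-to-uid / sid-to-gid for one SID: returns (uid|None, gid|None)."""
    obj = sam.get(sid)
    if obj and "gidNumber" in obj:           # rfc2307 attribute wins: group only
        return None, int(obj["gidNumber"])
    if obj and "uidNumber" in obj:
        return int(obj["uidNumber"]), None
    ent = idmap.get(sid)
    if ent is None:
        return None, None                    # no record at all: unmappable
    xid, t = int(ent["xidNumber"]), ent["type"]
    return (xid if t in ("ID_TYPE_UID", "ID_TYPE_BOTH") else None,
            xid if t in ("ID_TYPE_GID", "ID_TYPE_BOTH") else None)


def audit(sddl, idmap_ldif, sam_ldif):
    """Report whether the ACL's owner maps to a uid and its group to a gid."""
    idmap, sam = parse_ldif(idmap_ldif), parse_ldif(sam_ldif)
    owner, group = parse_sddl_owner_group(sddl)
    owner_uid, _ = resolve(owner, idmap, sam)
    _, group_gid = resolve(group, idmap, sam)
    problems = []
    if owner_uid is None:
        problems.append(f"owner {owner} has no uid mapping (group-only or unmapped)")
    if group_gid is None:
        problems.append(f"group {group} has no gid mapping")
    return {"owner_uid": owner_uid, "group_gid": group_gid, "problems": problems}


if __name__ == "__main__":
    print(audit(SDDL, IDMAP_LDIF, SAM_LDIF))      # Domain Admins with gidNumber
    print(audit(SDDL, IDMAP_LDIF, ""))            # same data, gidNumber removed
    print(audit("O:BAG:BAD:P", IDMAP_LDIF, ""))   # BUILTIN\Administrators as owner
```

Run as-is it shows three cases: Domain Admins carrying a gidNumber (owner has no uid, which is the condition sysvolcheck trips over), the same data once the gidNumber is removed (owner and group both map to 15655, the value getent reports in the thread), and BUILTIN\Administrators as owner with an ID_TYPE_GID record (gid only, no uid, the same shape as the failing wbinfo --sid-to-uid call). On a real DC the check is `wbinfo --sid-to-uid` and `wbinfo --sid-to-gid` against the SID in question; the script only models why one succeeds while the other does not.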
Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
On Tue, 05 Sep 2017 15:07:33 +0200
Jiří Černý via samba <[hidden email]> wrote:

> Well, we are getting somewhere...;)
>
> > It is probably 'greyed' out because no Windows tools use it or will
> > add it. You will probably need to use Unix tools (ldb or ldap) to
> > remove them, but you can if you so wish ignore them. What you should
> > never do is to rely on them being there, because they may or may not
> > be there.
>
> Ok, I'll let it be there.
>
> > You need to remove the gidNumber from Domain Admins. If you add any
> > GPOs to 'sysvol' (other than the two default ones), they will be
> > created in 'sysvol\DOMAIN.LOCAL\Policies\{GUID}'
> > And the Sddl will be:
> >
> > O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)
> >
> > The important bit (as far as the Unix OS is concerned) is 'O:DAG:DA',
> > which if we expand it becomes 'O:DA G:DA'
> > O = Owner
> > G = Group
> > DA = Domain Admins
> >
> > So we can see that Domain Admins is both the owner and group of the
> > directory. If Domain Admins has a gidNumber it is just a group and
> > 'O:DAG:DA' becomes 'O:??G:DA'
>
> Deleted. Now, I can do samba-tool ntacl sysvolreset and samba-tool ntacl
> sysvolcheck without errors. Domain Admins ID is now:
>
> getent group 'Domain Admins'
> SVMETAL\domain admins:x:15655:
>
> > It is perfectly safe to edit, in fact if you add another DC, you have
> > to edit it on the second DC by overwriting it with the idmap.ldb from
> > the first.
> >
> > Let me have a look at the classicupgrade code and get back to you, it
> > shouldn't create xidNumbers like that. Speaking of which, can you check
> > in idmap.ldb for the DN 'dn: CN=CONFIG'. What are 'lowerBound' and
> > 'upperBound' set to ?
>
> You're right, I remember dumping that file and copying it to the second
> DC. Interesting is, that on Samba 4.2 there was no problem with
> sysvolcheck/reset: UIDs/GIDs were absolutely the same, I didn't do any
> changes on them.
>
> ldbsearch -H /var/lib/samba/private/idmap.ldb | grep "dn: CN=CONFIG" -A6 -B1
> # record 8
> dn: CN=CONFIG
> cn: CONFIG
> upperBound: 4000000
> lowerBound: 15543
> xidNumber: 15655
> distinguishedName: CN=CONFIG
>
> Which is very interesting, because it has the same xidNumber as Domain
> Admins.
>

When you provision a new domain, it is set to 3000000, but, seemingly, when
you run the classicupgrade it gets set to a lower number (I have never
actually run a classicupgrade) based on what is in your old domain.

Not sure what to suggest here, do you feel up to sending me (offlist) a
copy of your idmap.ldb ?

Rowland


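What the CN=CONFIG record that Rowland asks about actually does, and why he insists that idmap.ldb be copied to every additional DC, can be seen in this small model. It is an added example and not Samba's code or anything from the thread: my understanding, stated here as an assumption, is that a SID with no sidMap record receives CONFIG's current xidNumber, which is then incremented, and that allocation must stay inside lowerBound..upperBound. The migrated CONFIG values (15543 / 4000000 / 15655) are the ones quoted above, the provision default lower bound of 3000000 follows Rowland's remark, and the domain SID is constructed.

```python
"""Added example (not Samba code): a model of idmap.ldb's CN=CONFIG allocator.

Assumption: a SID without a sidMap record gets CONFIG.xidNumber, which is
then incremented; allocation must stay within [lowerBound, upperBound].
"""


class IdmapLdb:
    """In-memory stand-in for idmap.ldb: CONFIG record plus sidMap records."""

    def __init__(self, lower_bound, upper_bound, next_xid):
        if not lower_bound <= next_xid <= upper_bound:
            raise ValueError("CONFIG xidNumber outside lowerBound..upperBound")
        self.lower_bound = lower_bound
        self.upper_bound = upper_bound
        self.next_xid = next_xid          # CONFIG xidNumber: next id to hand out
        self.sidmap = {}                  # objectSid -> (type, xidNumber)

    def lookup_or_allocate(self, sid, id_type="ID_TYPE_BOTH"):
        """Return the xid for sid, allocating from CONFIG if it is unmapped."""
        if sid in self.sidmap:
            return self.sidmap[sid][1]
        if self.next_xid > self.upper_bound:
            raise RuntimeError("idmap range exhausted: raise upperBound")
        xid = self.next_xid
        self.sidmap[sid] = (id_type, xid)
        self.next_xid += 1                # CONFIG record moves on
        return xid

    def clone(self):
        """What 'copy idmap.ldb to the new DC' achieves: identical state."""
        other = IdmapLdb(self.lower_bound, self.upper_bound, self.next_xid)
        other.sidmap = dict(self.sidmap)
        return other


def allocations(db, sids):
    """Map each SID through the allocator, in the order given."""
    return {sid: db.lookup_or_allocate(sid) for sid in sids}


def divergence(first, second, sids):
    """SIDs that resolve to different xids on two DCs (sorted)."""
    a, b = allocations(first, sids), allocations(second, sids)
    return sorted(s for s in sids if a[s] != b[s])


# Migrated domain's CONFIG record as quoted in the thread.
MIGRATED = dict(lower_bound=15543, upper_bound=4000000, next_xid=15655)
# Fresh provision: 3000000 per the thread; upperBound assumed as in MIGRATED.
PROVISIONED = dict(lower_bound=3000000, upper_bound=4000000, next_xid=3000000)

BUILTIN_ADMINS = "S-1-5-32-544"
DOMAIN_ADMINS = "S-1-5-21-1111111111-2222222222-3333333333-512"   # constructed

if __name__ == "__main__":
    dc1 = IdmapLdb(**MIGRATED)
    print(allocations(dc1, [DOMAIN_ADMINS, BUILTIN_ADMINS]))
    # Second DC joined without copying idmap.ldb: same SIDs, other order, other ids.
    dc2 = IdmapLdb(**MIGRATED)
    print(divergence(dc1, dc2, [BUILTIN_ADMINS, DOMAIN_ADMINS]))
    # Second DC seeded by copying idmap.ldb from the first: no divergence.
    print(divergence(dc1, dc1.clone(), [BUILTIN_ADMINS, DOMAIN_ADMINS]))
    print(allocations(IdmapLdb(**PROVISIONED), [BUILTIN_ADMINS]))
```

The divergence check is the operationally important part: two DCs that allocate independently give the same SID different xidNumbers, so the uid/gid ownership of sysvol files on one DC does not match the other, and ACL checks that pass on one fail on the other. Seeding the second DC with a copy of the first DC's idmap.ldb, as Rowland describes, removes that.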
Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
> When you provision a new domain, it is set 3000000, but, seemingly,
> when you run the classicupgrade it gets set to a lower number (never
> actually run a classicupgrade) based on what is in your old domain.
>
> Not sure what to suggest here, do you feel up to sending me (offlist)
> a copy of your idmap.ldb ?
>
> Rowland

Thank you again, Rowland, for your time.
I think that the different ID ranges in my domain are OK, at least we will
survive it. Is it desired behavior, as I assume, that getent group
cannot list Domain Admins (and other groups) without setting a UNIX GID?
GPO processing is now OK, at least there are no errors from sysvolcheck
and sysvolreset.
So there is one thing I'd like to solve. The problem with
BUILTIN\Administrators, which is the motive I started this discussion.
Probably there are problems also with other BUILTIN groups, except
BUILTIN\Server Operators, which is mapped right.

wbinfo --sid-to-uid="S-1-5-32-544"
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to uid

So I cannot use samba-check-set-sysvol.sh for example.

I'm sending you idmap.ldb for inspection.



It is interesting that in my lab domain (provisioned from scratch) a
UNIX GID was set on Domain Computers and Domain Controllers. I didn't have
any reason to set this manually...



Jiří

Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
On Wed, 06 Sep 2017 10:24:08 +0200
Jiří Černý via samba <[hidden email]> wrote:

> Thank you again, Rowland, for your time.
> I think that different ID ranges in my domain is ok, at least we will
> survive it. Is it desired behavior, as I assume, that getent group
> cannot list Domain Admins (and other groups) without setting UNIX GID?
> GPO processing is now ok, at least there is no errors of sysvolcheck
> and sysvolreset.
> So there is one thing I'd like to solve. Problem with
> BUILTIN\Administrators, which is motive I started this discussion.
> Probably there are problems also with other BUILTIN groups except
> BUILTIN\Server Operators, which is mapped right.
>
> wbinfo --sid-to-uid="S-1-5-32-544"
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-32-544 to uid

I feel this all has something to do with the classicupgrade, the
command works for me, does 'wbinfo --sid-to-gid="S-1-5-32-544"' work ?

>
> So I cannot use samba-check-set-sysvol.sh for example.
>
> I'm sending you idmap.ldb for inspection.

I haven't received it yet, but will examine and comment on it when I do.

>
>
>
> Interesting is, that in my lab domain (provisioned from scratch) was
> set UNIX GID on Domain Computers and Controllers. I didn't have the
> reason to set this manually...

Yes, but is this set on the computers object in sam.ldb as a gidNumber
or in idmap.ldb as a xidNumber ?
A gidNumber can be used on any Unix machine in the domain, a xidNumber
will only be used on the DC.

Rowland


Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
> I feel this all has something to do with the classicupgrade, the
> command works for me, does 'wbinfo --sid-to-gid="S-1-5-32-544"' work ?

Yes. Take a look:

wbinfo --sid-to-gid="S-1-5-32-544"
15538

wbinfo --gid-info=15538
BUILTIN\administrators:x:15538:

> I haven't received it yet, but will examine and comment on it when I do.

I sent it to <rpenny at samba.org>, so I hope that antispam filters do
their job not so hard;)

> Yes, but is this set on the computers object in sam.ldb as a gidNumber
> or in idmap.ldb as a xidNumber ?

I mean in ADUC, I didn't inspect the databases. I set NIS domain and GIDs
in the UNIX Attributes tab of ADUC.
So it was definitely gidNumber. Stored probably in sam.ldb.

Is it enough to just set NIS domain to <none> in ADUC to "clear" GID at
groups/users which shouldn't have it?

> A gidNumber can be used on any Unix machine in the domain, a xidNumber
> will only be used on the DC.

Finally I got it. Forgive me, sometimes it takes quite a long time until
my brain assembles all the information together:D


Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
On Wed, 06 Sep 2017 11:24:17 +0200
Jiří Černý via samba <[hidden email]> wrote:

> > I feel this all has something to do with the classicupgrade, the
> > command works for me, does 'wbinfo --sid-to-gid="S-1-5-32-544"'
> > work ?
>
> Yes. Take a look:
> wbinfo --sid-to-gid="S-1-5-32-544"
> 15538
> wbinfo --gid-info=15538
> BUILTIN\administrators:x:15538:
>
> > I haven't received it yet, but will examine and comment on it when
> > I do.
>
> I sent it to <rpenny at samba.org>, so I hope that antispam filters do
> their job not so hard;)
>
> > Yes, but is this set on the computers object in sam.ldb as a
> > gidNumber or in idmap.ldb as a xidNumber ?
>
> I mean in ADUC, I didn't inspect the databases. I set NIS domain and
> GIDs in the UNIX Attributes tab of ADUC.
> So it was definitely gidNumber. Stored probably in sam.ldb.

If you don't have any Unix machine (other than the Samba AD DC) you do
not need any uidNumber or gidNumber attributes in AD.

>
> Is it enough to just set NIS domain to <none> in ADUC to "clear" GID at
> groups/users which shouldn't have it?

No, sorry that will not work.

>> A gidNumber can be used on any Unix machine in the domain, a
>> xidNumber will only be used on the DC.

> Finally I got it. Forgive me, sometimes it takes quite a long time until
> my brain assembles all the information together:D
>

No problem

Rowland


Re: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Samba - General mailing list
> On Wed, 06 Sep 2017 11:24:17 +0200
> Jiří Černý via samba <samba at lists.samba.org> wrote:
>
> > > I feel this all has something to do with the classicupgrade, the
> > > command works for me, does 'wbinfo --sid-to-gid="S-1-5-32-544"'
> > > work ?
> >
> > Yes. Take a look:
> > wbinfo --sid-to-gid="S-1-5-32-544"
> > 15538
> > wbinfo --gid-info=15538
> > BUILTIN\administrators:x:15538:
> >
> > > I haven't received it yet, but will examine and comment on it when
> > > I do.
> >
> > I sent it to <rpenny at samba.org>, so I hope that antispam filters
> > do their job not so hard;)
> >
> > > Yes, but is this set on the computers object in sam.ldb as a
> > > gidNumber or in idmap.ldb as a xidNumber ?
> >
> > I mean in ADUC, I didn't inspect the databases. I set NIS domain and
> > GIDs in the UNIX Attributes tab of ADUC.
> > So it was definitely gidNumber. Stored probably in sam.ldb.
>
> If you don't have any Unix machine (other than the Samba AD DC) you do
> not need any uidNumber or gidNumber attributes in AD.

We have 5 Linux fileservers, so we really need this function. Also we use
LDAP login to our intranet (Plone), whose plugin uses UIDs/GIDs.
I personally use a Fedora laptop and desktop joined to the domain by
realmd and sssd, which work well. In the past I did some work on a
'CentOS Linux desktop' project, so there is a chance that we will need
UNIX attributes at least for user accounts and the Domain Users group as
primary group. But we don't need to set numeric IDs for other "default"
domain groups like BUILTIN and Domain\xxxxx.

> > Is it enough to just set NIS domain to <none> in ADUC to "clear" GID
> > at groups/users which shouldn't have it?
>
> No, sorry that will not work.

Probably yes, or maybe we don't understand each other.
I tested it in the lab domain (Samba 4.7rc4) by ldbsearch in sam.ldb. If
I set NIS domain and GID (in ADUC), then msSFU30NisDomain: and
gidNumber: attributes appear.
When I set NIS domain to <none>, both attributes disappear.

> > > A gidNumber can be used on any Unix machine in the domain, a
> > > xidNumber will only be used on the DC.
> >
> > Finally I got it. Forgive me, sometimes it takes quite a long time
> > until my brain assembles all the information together:D
>
> No problem
>
> Rowland

Can I make a proposal?
Is it possible to edit the wiki page about Classic upgrade?
At least add some warning about the possibility of problems with ID map
ranges migrated from ancient Samba 3.X+LDAP systems?

And second. Is it possible to change the Classic upgrade scripts to have
an option of not copying GIDs to "default" groups?
I think it should be enough that the migration script copies members of
those groups but skips copying GIDs. Not for us, it will be difficult to
fix our domain (but I believe that the amazing guys here will help me to
fix that goddamn BUILTIN Admins;)), but for other people who will
migrate an S3 NT4 domain to S4 AD.