Samba › Samba - General

winbind finds all domain users except Administrator

Classic

List

Threaded

7 messages Options

Samba - General mailing list

winbind finds all domain users except Administrator

Hi,

I have a samba 4.7 DC (Red Hat) and a Solaris 10 Member (also 4.7.0). I
started winbindd and can get all users in my domain via "getent passwd"
except MYDOM\Administrator. I can get it via wbinfo however:

# wbinfo -n "MYDOM\Administrator"

S-1-5-21-.......-500 SID_USER (1)

In the winbind log with log level = 10, when I do getent passwd
"MYDOM\Administrator I always see this:

[2017/11/13 18:27:25.255682, 5]

../source3/winbindd/winbindd_getpwnam.c:136(winbindd_getpwnam_recv)

Could not convert S-1-5-21-.......-500: NT_STATUS_NO_SUCH_USER

I have the idmap configured like this:

idmap config MYDOM : backend = ad

idmap config MYDOM : range = 100 - 60000

idmap config * : backend = tdb

idmap config * : range = 60001 - 61000

I already tried to delete all tdb and ldb but I can't get it working.

This issue seems very much related to this previous thread:
https://lists.samba.org/archive/samba/2015-May/191931.html

So I am suspecting some Solaris-specific problem. Does someone have an idea
what could be the problem?

The counter part to winbindd_getpwnam_recv is winbindd_getpwnam_send,
right? And this is executed on the DC? So do I have to debug there?

Thanks,

Fabian
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Samba - General mailing list

Re: winbind finds all domain users except Administrator

On Mon, 13 Nov 2017 22:34:16 +0100
Fabian Fritz via samba <[hidden email]> wrote:

> Hi,
>
> I have a samba 4.7 DC (Red Hat) and a Solaris 10 Member (also 4.7.0).
> I started winbindd and can get all users in my domain via "getent
> passwd" except MYDOM\Administrator. I can get it via wbinfo however:
>
> # wbinfo -n "MYDOM\Administrator"
>
> S-1-5-21-.......-500 SID_USER (1)
>
> In the winbind log with log level = 10, when I do getent passwd
> "MYDOM\Administrator I always see this:
>
> [2017/11/13 18:27:25.255682, 5]
>
> ../source3/winbindd/winbindd_getpwnam.c:136(winbindd_getpwnam_recv)
>
> Could not convert S-1-5-21-.......-500: NT_STATUS_NO_SUCH_USER
>
> I have the idmap configured like this:
>
>
> idmap config MYDOM : backend = ad
>
> idmap config MYDOM : range = 100 - 60000

This range means you cannot have ANY local Unix users, what happens if
something goes wrong and you need to log in as a local user ??

You also seem to be missing a line:

idmap config MYDOM : schema_mode = rfc2307

None of this has anything to do with your problem, mainly because you
do not have a problem ;-)

You should not be able to log into a Unix domain member as
Administrator, you should map Administrator to 'root' in a user.map and
then log in as root if need be.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Samba - General mailing list

Re: winbind finds all domain users except Administrator

On Mon, 13 Nov 2017 23:15:15 +0100
Fabian Fritz <[hidden email]> wrote:

> I see. I know, the range is a bit odd, but I previously used NIS to
> get the Unix users from another machine. Now I'm updating to AD and
> don't use NIS anymore.Since I want to keep all the file ownerships (I
> use this solaris member as a file server), I had to map the domain
> users to that same range.

OK, hindsight is a wonderful thing, but starting the ID range at 100
isn't a good idea (for the reason I gave), but sometimes you have to.

>
>
> I used the Administrator to login to some Windows machine in the
> domain and was surprised when I got a ACCESS_DENIED when I tried to
> mount a network share there. So this only happens for Administrator?
> So I have to use one of the users in the domain admins group when I
> need to do administrative stuff on my windows machines and also need
> the shares?

If you use a user.map, Administrator becomes 'root' on Unix domain
members and root can do anything on a Unix domain member.

Try reading this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

If you have any questions after reading that, just ask ;-)

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Samba - General mailing list

Re: winbind finds all domain users except Administrator

I tried mapping to root but I still get an ACCESS_DENIED when I try to
mount a share from the domain member.

I'd be very surprised if the samba admin account is the one and only
account that is intentionally denied from accessing shares on a member.

I'm pretty sure this is a bug. I tried this again with two clean installs
(4.7.1) on Linux, one in a VM. Compare this on the DC:

# ./bin/wbinfo -n'MYDOM\administrator'
S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
# ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
0

to this on the Domain member:

# ./bin/wbinfo -n'MYDOM\Administrator'
S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)

# ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"

failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2836217491-369655975-2769631473-500 to uid

With other accounts I don't see that error.

In the log.winbindd (log level = 10) on the member I see this:

[2017/11/14 20:14:36.631151, 1, pid=2654, effective(0, 0), real(0, 0),
class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
out: struct wbint_Sids2UnixIDs
ids : *
ids: struct wbint_TransIDArray
num_ids : 0x00000001 (1)
ids: ARRAY(1)
ids: struct wbint_TransID
type : ID_TYPE_UID (1)
domain_index : 0x00000000 (0)
rid : 0x000001f4 (500)
xid: struct unixid
id : 0xffffffff
(4294967295)
type :
ID_TYPE_NOT_SPECIFIED (0)

So it seems like I get back -1 (0xffffffff) as the uid. Should I file a bug
ticket?

Thanks,
Fabian

2017-11-14 10:35 GMT+01:00 Rowland Penny via samba <[hidden email]>:

> On Mon, 13 Nov 2017 23:15:15 +0100
> Fabian Fritz <[hidden email]> wrote:
>
> > I see. I know, the range is a bit odd, but I previously used NIS to
> > get the Unix users from another machine. Now I'm updating to AD and
> > don't use NIS anymore.Since I want to keep all the file ownerships (I
> > use this solaris member as a file server), I had to map the domain
> > users to that same range.
>
> OK, hindsight is a wonderful thing, but starting the ID range at 100
> isn't a good idea (for the reason I gave), but sometimes you have to.
>
> >
> >
> > I used the Administrator to login to some Windows machine in the
> > domain and was surprised when I got a ACCESS_DENIED when I tried to
> > mount a network share there. So this only happens for Administrator?
> > So I have to use one of the users in the domain admins group when I
> > need to do administrative stuff on my windows machines and also need
> > the shares?
>
> If you use a user.map, Administrator becomes 'root' on Unix domain
> members and root can do anything on a Unix domain member.
>
> Try reading this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> If you have any questions after reading that, just ask ;-)
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Samba - General mailing list

Re: winbind finds all domain users except Administrator

On Tue, 14 Nov 2017 21:36:49 +0100
Fabian Fritz <[hidden email]> wrote:

> I tried mapping to root but I still get an ACCESS_DENIED when I try to
> mount a share from the domain member.
>
> I'd be very surprised if the samba admin account is the one and only
> account that is intentionally denied from accessing shares on a
> member.
>
> I'm pretty sure this is a bug. I tried this again with two clean
> installs (4.7.1) on Linux, one in a VM. Compare this on the DC:
>
> # ./bin/wbinfo -n'MYDOM\administrator'
> S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
> # ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
> 0
>
> to this on the Domain member:
>
> # ./bin/wbinfo -n'MYDOM\Administrator'
> S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
>
> # ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
>
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-2836217491-369655975-2769631473-500 to
> uid
>
> With other accounts I don't see that error.
>
> In the log.winbindd (log level = 10) on the member I see this:
>
> [2017/11/14 20:14:36.631151, 1, pid=2654, effective(0, 0), real(0,
> 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
> wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
> out: struct wbint_Sids2UnixIDs
> ids : *
> ids: struct wbint_TransIDArray
> num_ids : 0x00000001 (1)
> ids: ARRAY(1)
> ids: struct wbint_TransID
> type : ID_TYPE_UID
> (1) domain_index : 0x00000000 (0)
> rid : 0x000001f4
> (500) xid: struct unixid
> id :
> 0xffffffff (4294967295)
> type :
> ID_TYPE_NOT_SPECIFIED (0)
>
>
> So it seems like I get back -1 (0xffffffff) as the uid. Should I file
> a bug ticket?

NO

You do not use Administrator as a normal user on Unix, you wouldn't use
Administrator like this on Windows.

Using wbinfo just shows that winbind can connect to AD, it doesn't show
that the Unix OS knows who the AD users are, you need to use 'getent'
for this.

You are using the winbind 'ad' backend with the range '100-60000'
Does 'Domain Users' have a gidNumber attribute containing a number
inside this range ?
Even if it does, you will not get the Unix OS to recognise
Administrator, because Administrator is mapped to 'root' and the Unix
ID for 'root' is '0' and '0' is outside the '100-60000' range.
I know what your next thought will be, give Administrator a uidNumber
inside the range, well, yes you could, but this would turn
Administrator into a normal user as far as the Unix OS is concerned
and isn't recommended.

Just use another user to mount the share ;-)

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Samba - General mailing list

Re: winbind finds all domain users except Administrator

Okay, right.

Is there anything that the Samba admininistrator account can do that the
users in the group domain admins can't (other than direct configurations on
the samba server)?

Also on a kind of unrelated note: I have several Unix servers that used NIS
up until now to get the users. I would prefer if they could get the
username like right now, without the MYDOM\ prefix. Is it possible to
configure winbind to leave out the domain or strip it? Or could I have them
use LDAP to get the username from my DC without the domain? user map isn't
an option, as then they'd have to have the accounts locally as well and I'd
have to keep track of updates.

Thank you,
Fabian

2017-11-14 22:00 GMT+01:00 Rowland Penny via samba <[hidden email]>:

> On Tue, 14 Nov 2017 21:36:49 +0100
> Fabian Fritz <[hidden email]> wrote:
>
> > I tried mapping to root but I still get an ACCESS_DENIED when I try to
> > mount a share from the domain member.
> >
> > I'd be very surprised if the samba admin account is the one and only
> > account that is intentionally denied from accessing shares on a
> > member.
> >
> > I'm pretty sure this is a bug. I tried this again with two clean
> > installs (4.7.1) on Linux, one in a VM. Compare this on the DC:
> >
> > # ./bin/wbinfo -n'MYDOM\administrator'
> > S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
> > # ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
> > 0
> >
> > to this on the Domain member:
> >
> > # ./bin/wbinfo -n'MYDOM\Administrator'
> > S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
> >
> > # ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
> >
> > failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not convert sid S-1-5-21-2836217491-369655975-2769631473-500 to
> > uid
> >
> > With other accounts I don't see that error.
> >
> > In the log.winbindd (log level = 10) on the member I see this:
> >
> > [2017/11/14 20:14:36.631151, 1, pid=2654, effective(0, 0), real(0,
> > 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
> > wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
> > out: struct wbint_Sids2UnixIDs
> > ids : *
> > ids: struct wbint_TransIDArray
> > num_ids : 0x00000001 (1)
> > ids: ARRAY(1)
> > ids: struct wbint_TransID
> > type : ID_TYPE_UID
> > (1) domain_index : 0x00000000 (0)
> > rid : 0x000001f4
> > (500) xid: struct unixid
> > id :
> > 0xffffffff (4294967295)
> > type :
> > ID_TYPE_NOT_SPECIFIED (0)
> >
> >
> > So it seems like I get back -1 (0xffffffff) as the uid. Should I file
> > a bug ticket?
>
> NO
>
> You do not use Administrator as a normal user on Unix, you wouldn't use
> Administrator like this on Windows.
>
> Using wbinfo just shows that winbind can connect to AD, it doesn't show
> that the Unix OS knows who the AD users are, you need to use 'getent'
> for this.
>
> You are using the winbind 'ad' backend with the range '100-60000'
> Does 'Domain Users' have a gidNumber attribute containing a number
> inside this range ?
> Even if it does, you will not get the Unix OS to recognise
> Administrator, because Administrator is mapped to 'root' and the Unix
> ID for 'root' is '0' and '0' is outside the '100-60000' range.
> I know what your next thought will be, give Administrator a uidNumber
> inside the range, well, yes you could, but this would turn
> Administrator into a normal user as far as the Unix OS is concerned
> and isn't recommended.
>
> Just use another user to mount the share ;-)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Samba - General mailing list

Re: winbind finds all domain users except Administrator

On Tue, 14 Nov 2017 22:27:18 +0100
Fabian Fritz via samba <[hidden email]> wrote:

> Okay, right.
>
> Is there anything that the Samba admininistrator account can do that
> the users in the group domain admins can't (other than direct
> configurations on the samba server)?

Quite a bit, but you can upgrade Domain Admins to do most of what
Administrator can do this with:

net rpc rights grant "DOMAIN\Domain Admins"
PRIVILEGE -UAdministrator

Where 'PRIVILEGE' is one of these:
SeMachineAccountPrivilege Add machines to domain
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeBackupPrivilege Back up files and directories
SeRestorePrivilege Restore files and directories
SeRemoteShutdownPrivilege Force shutdown from a remote system
SePrintOperatorPrivilege Manage printers
SeAddUsersPrivilege Add users and groups to the domain
SeDiskOperatorPrivilege Manage disk shares
SeSecurityPrivilege System security
SeSystemtimePrivilege Set the system clock
SeShutdownPrivilege Shutdown the system
SeDebugPrivilege Debug processes
SeSystemEnvironmentPrivilege Modify system environment
SeSystemProfilePrivilege Profile the system
SeProfileSingleProcessPrivilege Profile one process
SeIncreaseBasePriorityPrivilege Increase base priority
SeLoadDriverPrivilege Load drivers
SeCreatePagefilePrivilege Create page files
SeIncreaseQuotaPrivilege Increase quota
SeChangeNotifyPrivilege Register for change notify
SeUndockPrivilege Undock devices
SeManageVolumePrivilege Manage system volumes
SeImpersonatePrivilege Impersonate users
SeCreateGlobalPrivilege Create global
SeEnableDelegationPrivilege Enable Delegation

>
> Also on a kind of unrelated note: I have several Unix servers that
> used NIS up until now to get the users. I would prefer if they could
> get the username like right now, without the MYDOM\ prefix. Is it
> possible to configure winbind to leave out the domain or strip it? Or
> could I have them use LDAP to get the username from my DC without the
> domain? user map isn't an option, as then they'd have to have the
> accounts locally as well and I'd have to keep track of updates.

That one is very easy on Unix domain members (it doesn't work on DCs).
Add 'winbind use default domain = yes' to smb.conf on the Unix domain
member, then restart Samba.

Rowland

>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba