Hi,
I have a samba 4.7 DC (Red Hat) and a Solaris 10 Member (also 4.7.0). I started winbindd and can get all users in my domain via "getent passwd" except MYDOM\Administrator. I can get it via wbinfo however:

# wbinfo -n "MYDOM\Administrator"
S-1-5-21-.......-500 SID_USER (1)

In the winbind log with log level = 10, when I do getent passwd "MYDOM\Administrator" I always see this:

[2017/11/13 18:27:25.255682, 5] ../source3/winbindd/winbindd_getpwnam.c:136(winbindd_getpwnam_recv)
Could not convert S-1-5-21-.......-500: NT_STATUS_NO_SUCH_USER

I have the idmap configured like this:

idmap config MYDOM : backend = ad
idmap config MYDOM : range = 100 - 60000
idmap config * : backend = tdb
idmap config * : range = 60001 - 61000

I already tried to delete all tdb and ldb but I can't get it working. This issue seems very much related to this previous thread: https://lists.samba.org/archive/samba/2015-May/191931.html So I am suspecting some Solaris-specific problem.

Does someone have an idea what could be the problem? The counterpart to winbindd_getpwnam_recv is winbindd_getpwnam_send, right? And this is executed on the DC? So do I have to debug there?

Thanks,
Fabian

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Mon, 13 Nov 2017 22:34:16 +0100
Fabian Fritz via samba <[hidden email]> wrote:

> Hi,
>
> I have a samba 4.7 DC (Red Hat) and a Solaris 10 Member (also 4.7.0).
> I started winbindd and can get all users in my domain via "getent
> passwd" except MYDOM\Administrator. I can get it via wbinfo however:
>
> # wbinfo -n "MYDOM\Administrator"
> S-1-5-21-.......-500 SID_USER (1)
>
> In the winbind log with log level = 10, when I do getent passwd
> "MYDOM\Administrator" I always see this:
>
> [2017/11/13 18:27:25.255682, 5]
> ../source3/winbindd/winbindd_getpwnam.c:136(winbindd_getpwnam_recv)
> Could not convert S-1-5-21-.......-500: NT_STATUS_NO_SUCH_USER
>
> I have the idmap configured like this:
>
> idmap config MYDOM : backend = ad
> idmap config MYDOM : range = 100 - 60000

This range means you cannot have ANY local Unix users, what happens if something goes wrong and you need to log in as a local user ??

You also seem to be missing a line:

idmap config MYDOM : schema_mode = rfc2307

None of this has anything to do with your problem, mainly because you do not have a problem ;-)

You should not be able to log into a Unix domain member as Administrator, you should map Administrator to 'root' in a user.map and then log in as root if need be.

Rowland
On Mon, 13 Nov 2017 23:15:15 +0100
Fabian Fritz <[hidden email]> wrote:

> I see. I know, the range is a bit odd, but I previously used NIS to
> get the Unix users from another machine. Now I'm updating to AD and
> don't use NIS anymore. Since I want to keep all the file ownerships (I
> use this solaris member as a file server), I had to map the domain
> users to that same range.

OK, hindsight is a wonderful thing, but starting the ID range at 100 isn't a good idea (for the reason I gave), but sometimes you have to.

> I used the Administrator to login to some Windows machine in the
> domain and was surprised when I got a ACCESS_DENIED when I tried to
> mount a network share there.

So this only happens for Administrator?

> So I have to use one of the users in the domain admins group when I
> need to do administrative stuff on my windows machines and also need
> the shares?

If you use a user.map, Administrator becomes 'root' on Unix domain members and root can do anything on a Unix domain member.

Try reading this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

If you have any questions after reading that, just ask ;-)

Rowland
I tried mapping to root but I still get an ACCESS_DENIED when I try to mount a share from the domain member.

I'd be very surprised if the samba admin account is the one and only account that is intentionally denied from accessing shares on a member.

I'm pretty sure this is a bug. I tried this again with two clean installs (4.7.1) on Linux, one in a VM. Compare this on the DC:

# ./bin/wbinfo -n'MYDOM\administrator'
S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
# ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
0

to this on the Domain member:

# ./bin/wbinfo -n'MYDOM\Administrator'
S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)

# ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2836217491-369655975-2769631473-500 to uid

With other accounts I don't see that error.

In the log.winbindd (log level = 10) on the member I see this:

[2017/11/14 20:14:36.631151, 1, pid=2654, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
     wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
        out: struct wbint_Sids2UnixIDs
            ids                      : *
                ids: struct wbint_TransIDArray
                    num_ids                  : 0x00000001 (1)
                    ids: ARRAY(1)
                        ids: struct wbint_TransID
                            type                     : ID_TYPE_UID (1)
                            domain_index             : 0x00000000 (0)
                            rid                      : 0x000001f4 (500)
                            xid: struct unixid
                                id                       : 0xffffffff (4294967295)
                                type                     : ID_TYPE_NOT_SPECIFIED (0)

So it seems like I get back -1 (0xffffffff) as the uid. Should I file a bug ticket?

Thanks,
Fabian

2017-11-14 10:35 GMT+01:00 Rowland Penny via samba <[hidden email]>:
> On Mon, 13 Nov 2017 23:15:15 +0100
> Fabian Fritz <[hidden email]> wrote:
>
> > I see. I know, the range is a bit odd, but I previously used NIS to
> > get the Unix users from another machine. Now I'm updating to AD and
> > don't use NIS anymore. Since I want to keep all the file ownerships (I
> > use this solaris member as a file server), I had to map the domain
> > users to that same range.
>
> OK, hindsight is a wonderful thing, but starting the ID range at 100
> isn't a good idea (for the reason I gave), but sometimes you have to.
>
> > I used the Administrator to login to some Windows machine in the
> > domain and was surprised when I got a ACCESS_DENIED when I tried to
> > mount a network share there.
>
> So this only happens for Administrator?
>
> > So I have to use one of the users in the domain admins group when I
> > need to do administrative stuff on my windows machines and also need
> > the shares?
>
> If you use a user.map, Administrator becomes 'root' on Unix domain
> members and root can do anything on a Unix domain member.
>
> Try reading this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> If you have any questions after reading that, just ask ;-)
>
> Rowland
On Tue, 14 Nov 2017 21:36:49 +0100
Fabian Fritz <[hidden email]> wrote:

> I tried mapping to root but I still get an ACCESS_DENIED when I try to
> mount a share from the domain member.
>
> I'd be very surprised if the samba admin account is the one and only
> account that is intentionally denied from accessing shares on a
> member.
>
> I'm pretty sure this is a bug. I tried this again with two clean
> installs (4.7.1) on Linux, one in a VM. Compare this on the DC:
>
> # ./bin/wbinfo -n'MYDOM\administrator'
> S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
> # ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
> 0
>
> to this on the Domain member:
>
> # ./bin/wbinfo -n'MYDOM\Administrator'
> S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
>
> # ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-2836217491-369655975-2769631473-500 to
> uid
>
> With other accounts I don't see that error.
>
> In the log.winbindd (log level = 10) on the member I see this:
>
> [2017/11/14 20:14:36.631151, 1, pid=2654, effective(0, 0), real(0,
> 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
>      wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
>         out: struct wbint_Sids2UnixIDs
>             ids                      : *
>                 ids: struct wbint_TransIDArray
>                     num_ids                  : 0x00000001 (1)
>                     ids: ARRAY(1)
>                         ids: struct wbint_TransID
>                             type                     : ID_TYPE_UID (1)
>                             domain_index             : 0x00000000 (0)
>                             rid                      : 0x000001f4 (500)
>                             xid: struct unixid
>                                 id                       : 0xffffffff (4294967295)
>                                 type                     : ID_TYPE_NOT_SPECIFIED (0)
>
> So it seems like I get back -1 (0xffffffff) as the uid. Should I file
> a bug ticket?

NO

You do not use Administrator as a normal user on Unix, you wouldn't use Administrator like this on Windows.

Using wbinfo just shows that winbind can connect to AD, it doesn't show that the Unix OS knows who the AD users are, you need to use 'getent' for this.

You are using the winbind 'ad' backend with the range '100-60000'
Does 'Domain Users' have a gidNumber attribute containing a number inside this range ?
Even if it does, you will not get the Unix OS to recognise Administrator, because Administrator is mapped to 'root' and the Unix ID for 'root' is '0' and '0' is outside the '100-60000' range.
I know what your next thought will be, give Administrator a uidNumber inside the range, well, yes you could, but this would turn Administrator into a normal user as far as the Unix OS is concerned and isn't recommended.

Just use another user to mount the share ;-)

Rowland
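To make the range argument in Rowland's replies concrete, here is an added Python check (my own example, not Samba code) that parses the idmap lines quoted in this thread and reports whether a given Unix ID, such as root's 0, can be handed out by the MYDOM range, and whether local accounts or a second idmap range would collide with it. The smb.conf fragment and the local accounts fed to it are constructed for the example.

```python
import re

# Constructed smb.conf fragment carrying the idmap lines quoted in this thread.
SMB_CONF = """
[global]
   idmap config MYDOM : backend = ad
   idmap config MYDOM : range = 100 - 60000
   idmap config * : backend = tdb
   idmap config * : range = 60001 - 61000
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (lo, hi)}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in re.split(r"\s*-\s*", val))
            entry["range"] = (lo, hi)
        else:
            entry[key] = val
    return domains

def in_domain_range(domains, dom, uid):
    """True if the idmap range configured for dom can hand out this Unix ID.
    root is uid 0, so with 'range = 100 - 60000' it can never come from AD."""
    lo, hi = domains[dom]["range"]
    return lo <= uid <= hi

def check_ranges(domains, local_accounts):
    """Flag overlapping idmap ranges and local accounts that sit inside a domain range."""
    problems = []
    items = list(domains.items())
    for i, (d1, e1) in enumerate(items):
        lo1, hi1 = e1["range"]
        for d2, e2 in items[i + 1:]:
            lo2, hi2 = e2["range"]
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"ranges of '{d1}' and '{d2}' overlap")
        if d1 != "*":  # '*' covers non-AD SIDs; /etc/passwd users must stay clear of domain ranges
            for name, uid in local_accounts.items():
                if lo1 <= uid <= hi1:
                    problems.append(f"local '{name}' (uid {uid}) collides with the '{d1}' range")
    return problems
```

Running check_ranges against a constructed local account at uid 1001 shows the collision Rowland warns about, while root (uid 0) is reported as unmappable by the MYDOM range.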
Okay, right.
Is there anything that the Samba administrator account can do that the users in the group domain admins can't (other than direct configurations on the samba server)?

Also on a kind of unrelated note: I have several Unix servers that used NIS up until now to get the users. I would prefer if they could get the username like right now, without the MYDOM\ prefix. Is it possible to configure winbind to leave out the domain or strip it? Or could I have them use LDAP to get the username from my DC without the domain? user map isn't an option, as then they'd have to have the accounts locally as well and I'd have to keep track of updates.

Thank you,
Fabian

2017-11-14 22:00 GMT+01:00 Rowland Penny via samba <[hidden email]>:
> On Tue, 14 Nov 2017 21:36:49 +0100
> Fabian Fritz <[hidden email]> wrote:
>
> > I tried mapping to root but I still get an ACCESS_DENIED when I try to
> > mount a share from the domain member.
> >
> > I'd be very surprised if the samba admin account is the one and only
> > account that is intentionally denied from accessing shares on a
> > member.
> >
> > I'm pretty sure this is a bug. I tried this again with two clean
> > installs (4.7.1) on Linux, one in a VM. Compare this on the DC:
> >
> > # ./bin/wbinfo -n'MYDOM\administrator'
> > S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
> > # ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
> > 0
> >
> > to this on the Domain member:
> >
> > # ./bin/wbinfo -n'MYDOM\Administrator'
> > S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
> >
> > # ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
> > failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not convert sid S-1-5-21-2836217491-369655975-2769631473-500 to
> > uid
> >
> > With other accounts I don't see that error.
> >
> > In the log.winbindd (log level = 10) on the member I see this:
> >
> > [2017/11/14 20:14:36.631151, 1, pid=2654, effective(0, 0), real(0,
> > 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
> >      wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
> >         out: struct wbint_Sids2UnixIDs
> >             ids                      : *
> >                 ids: struct wbint_TransIDArray
> >                     num_ids                  : 0x00000001 (1)
> >                     ids: ARRAY(1)
> >                         ids: struct wbint_TransID
> >                             type                     : ID_TYPE_UID (1)
> >                             domain_index             : 0x00000000 (0)
> >                             rid                      : 0x000001f4 (500)
> >                             xid: struct unixid
> >                                 id                       : 0xffffffff (4294967295)
> >                                 type                     : ID_TYPE_NOT_SPECIFIED (0)
> >
> > So it seems like I get back -1 (0xffffffff) as the uid. Should I file
> > a bug ticket?
>
> NO
>
> You do not use Administrator as a normal user on Unix, you wouldn't use
> Administrator like this on Windows.
>
> Using wbinfo just shows that winbind can connect to AD, it doesn't show
> that the Unix OS knows who the AD users are, you need to use 'getent'
> for this.
>
> You are using the winbind 'ad' backend with the range '100-60000'
> Does 'Domain Users' have a gidNumber attribute containing a number
> inside this range ?
> Even if it does, you will not get the Unix OS to recognise
> Administrator, because Administrator is mapped to 'root' and the Unix
> ID for 'root' is '0' and '0' is outside the '100-60000' range.
> I know what your next thought will be, give Administrator a uidNumber
> inside the range, well, yes you could, but this would turn
> Administrator into a normal user as far as the Unix OS is concerned
> and isn't recommended.
>
> Just use another user to mount the share ;-)
>
> Rowland
On Tue, 14 Nov 2017 22:27:18 +0100
Fabian Fritz via samba <[hidden email]> wrote:

> Okay, right.
>
> Is there anything that the Samba administrator account can do that
> the users in the group domain admins can't (other than direct
> configurations on the samba server)?

Quite a bit, but you can upgrade Domain Admins to do most of what Administrator can do with this:

net rpc rights grant "DOMAIN\Domain Admins" PRIVILEGE -UAdministrator

Where 'PRIVILEGE' is one of these:

SeMachineAccountPrivilege         Add machines to domain
SeTakeOwnershipPrivilege          Take ownership of files or other objects
SeBackupPrivilege                 Back up files and directories
SeRestorePrivilege                Restore files and directories
SeRemoteShutdownPrivilege         Force shutdown from a remote system
SePrintOperatorPrivilege          Manage printers
SeAddUsersPrivilege               Add users and groups to the domain
SeDiskOperatorPrivilege           Manage disk shares
SeSecurityPrivilege               System security
SeSystemtimePrivilege             Set the system clock
SeShutdownPrivilege               Shutdown the system
SeDebugPrivilege                  Debug processes
SeSystemEnvironmentPrivilege      Modify system environment
SeSystemProfilePrivilege          Profile the system
SeProfileSingleProcessPrivilege   Profile one process
SeIncreaseBasePriorityPrivilege   Increase base priority
SeLoadDriverPrivilege             Load drivers
SeCreatePagefilePrivilege         Create page files
SeIncreaseQuotaPrivilege          Increase quota
SeChangeNotifyPrivilege           Register for change notify
SeUndockPrivilege                 Undock devices
SeManageVolumePrivilege           Manage system volumes
SeImpersonatePrivilege            Impersonate users
SeCreateGlobalPrivilege           Create global
SeEnableDelegationPrivilege       Enable Delegation

> Also on a kind of unrelated note: I have several Unix servers that
> used NIS up until now to get the users. I would prefer if they could
> get the username like right now, without the MYDOM\ prefix. Is it
> possible to configure winbind to leave out the domain or strip it? Or
> could I have them use LDAP to get the username from my DC without the
> domain? user map isn't an option, as then they'd have to have the
> accounts locally as well and I'd have to keep track of updates.

That one is very easy on Unix domain members (it doesn't work on DCs). Add 'winbind use default domain = yes' to smb.conf on the Unix domain member, then restart Samba.

Rowland