On Mon, 25 Mar 2024 07:39:21 +0100
Kai via samba <samba at lists.samba.org> wrote:
> Hello everyone,
>
> I have a Samba setup with an AD controller (DC01) and set up a second
> system which should work as file share (filesrv01).
> I was setting it up using this manual:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Somehow, I broke the administrator's account.
No, I doubt if you have.
> After I set up a test
> share, I got RPC server unavailable errors. I started investigating
> and found test commands like this:
> rpcclient -I 10.18.1.4 -U administrator -c srvinfo atr2
Hmm, you appear to be trying to connect to a computer called 'atr2',
yet your DC is called 'DC01' and your Unix domain member is called
'filesrv01'
> Password for [JUE\administrator]:
> Cannot connect to server. ?Error was NT_STATUS_INVALID_SID
>
> Here I got this invalid SID error. The log file shows me:
> [2024/03/24 22:23:53.903483, ?0]
> ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
> ?Unable to convert first SID
> (S-1-5-21-3102633239-3317503863-27722425-500) in user token to a UID.
> ?Conversion was returned as type 0, full token:
> [2024/03/24 22:23:53.903588, ?0]
> ../../libcli/security/security_token.c:51(security_token_debug)
> ?Security token SIDs (14):
> ???SID[ ?0]: S-1-5-21-3102633239-3317503863-27722425-500
'500' is the RID for Administrator, so you do not appear to have broken
it.
> ???SID[ ?1]: S-1-5-21-3102633239-3317503863-27722425-513
> ???SID[ ?2]: S-1-5-21-3102633239-3317503863-27722425-512
> ???SID[ ?3]: S-1-5-21-3102633239-3317503863-27722425-572
> ???SID[ ?4]: S-1-5-21-3102633239-3317503863-27722425-519
> ???SID[ ?5]: S-1-5-21-3102633239-3317503863-27722425-518
> ???SID[ ?6]: S-1-5-21-3102633239-3317503863-27722425-520
> ???SID[ ?7]: S-1-1-0
> ???SID[ ?8]: S-1-5-2
> ???SID[ ?9]: S-1-5-11
> ???SID[ 10]: S-1-5-64-10
> ???SID[ 11]: S-1-5-32-544
> ???SID[ 12]: S-1-5-32-545
> ???SID[ 13]: S-1-5-32-554
> ??Privileges (0x ???????1FFFFF00):
> ???Privilege[ ?0]: SeTakeOwnershipPrivilege
> ???Privilege[ ?1]: SeBackupPrivilege
> ???Privilege[ ?2]: SeRestorePrivilege
> ???Privilege[ ?3]: SeRemoteShutdownPrivilege
> ???Privilege[ ?4]: SeSecurityPrivilege
> ???Privilege[ ?5]: SeSystemtimePrivilege
> ???Privilege[ ?6]: SeShutdownPrivilege
> ???Privilege[ ?7]: SeDebugPrivilege
> ???Privilege[ ?8]: SeSystemEnvironmentPrivilege
> ???Privilege[ ?9]: SeSystemProfilePrivilege
> ???Privilege[ 10]: SeProfileSingleProcessPrivilege
> ???Privilege[ 11]: SeIncreaseBasePriorityPrivilege
> ???Privilege[ 12]: SeLoadDriverPrivilege
> ???Privilege[ 13]: SeCreatePagefilePrivilege
> ???Privilege[ 14]: SeIncreaseQuotaPrivilege
> ???Privilege[ 15]: SeChangeNotifyPrivilege
> ???Privilege[ 16]: SeUndockPrivilege
> ???Privilege[ 17]: SeManageVolumePrivilege
> ???Privilege[ 18]: SeImpersonatePrivilege
> ???Privilege[ 19]: SeCreateGlobalPrivilege
> ???Privilege[ 20]: SeEnableDelegationPrivilege
> ??Rights (0x ????????????403):
> ???Right[ ?0]: SeInteractiveLogonRight
> ???Right[ ?1]: SeNetworkLogonRight
> ???Right[ ?2]: SeRemoteInteractiveLogonRight
>
> It seems as if I've got a problem between Unix and Windows user IDs,
> but I don't know how to check without further destruction.
> Currently my only idea was the command
> net rpc rights grant "SAMDOM\Domain Admins"
SeDiskOperatorPrivilege
> -U "JUE\administrator"
If you entered the command exactly as above, then you have a major
error. The wiki is written from the perspective of a self compiled
version of Samba and uses 'SAMDOM' as an example NetBIOS domain name.
Anywhere you see 'SAMDOM' on the wiki, you are supposed to replace it
with your NetBIOS domain name.
> from the manual which could have caused problems as all other ones
> should only have local effect on the file server.
>
> Could this be? Did I forget some Unix attachment?
>
> I don't know if it's helpful, but this is the smb.conf of the
domain
> controller:
> [global]
> ???????netbios name = DC01
> ???????realm = JUE.BRK
> ???????server role = active directory domain controller
> ???????workgroup = JUE
>
> ???????dns forwarder = 8.8.8.8
>
> ???????idmap_ldb:use rfc2307 = yes
>
> ???????tls enabled ?= yes
> ???????tls keyfile ?= tls/dc01.jue.brk.key
> ???????tls certfile = tls/dc01.jue.brk.crt
> ???????tls cafile ??= tls/rootCA.crt
>
> ???????template shell = /bin/bash
> ???????template homedir = /home/%U
>
> ??idmap config * : ?????????????backend = tdb
> ??idmap config * : ?????????????range ??= 3000-7999
> ??idmap config JUE : backend = ldap
> ??idmap config JUE : range ??= 100000-999999
The 'idmap config' lines do NOTHING on a DC, I suggest you remove them.
> ??template shell = /bin/bash
So good that you have it twice.
> ????????winbind nss info = template
Again, the line above does nothing on a DC.
> ???????include = /etc/samba/shares.conf
You have a fileserver, yet you are adding shares to a DC ?
>
> [sysvol]
> ???????path = /var/lib/samba/sysvol
> ???????read only = No
>
> [netlogon]
> ???????path = /var/lib/samba/sysvol/jue.brk/scripts
> ???????read only = No
>
> Thank you for any hints!
> Kai
Please post the output of 'testparm -s' when ran on your fileserver.
Rowland