> > If you run getent passwd administrator on a DC, you should get
> > something like this:
> > root at dc1:~# getent passwd administrator
> > SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash

On my DC getent passwd administrator shows nothing. :(

Is it necessary to map the root user to ADDC as well?

> There is however a gotcha, on any domain
> joined windows machine there are two 'Administrators'. One is the local
> Administrator and will not be mapped to 'root' and the other is
> 'Domain\Administrator', this is the one that is mapped to the Unix user
> 'root'. So, if you logged in as just 'Administrator', this is very
> likely to be your problem.

No, I logged in with user ADDC\administrator

On Tue, May 30, 2017 at 5:38 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Tue, 30 May 2017 17:19:04 -0300
> Elias Pereira <empbilly at gmail.com> wrote:
>
> > > Simple answer:
> > > Administrator, No
> > > Domain Admins, Yes
> >
> > Ok. It was already that way.
> >
> > root at fileserver:/etc/samba# getent group
> > ...
> > domain admins:x:10004:
> > domain users:x:10000:
> > dap:x:10003:
> > dti:x:10001:
> >
> > For some reason it is not working with the administrator user, so I
> > put my user as domain admin and included him as a member of unix and
> > now I can access the security tab.
> >
> > http://i.imgur.com/tNBj8dal.png
> >
> > root at fileserver:/etc/samba# getent passwd elias.pereira
> > elias.pereira:*:10001:10000:Elias Pereira:/home/elias.pereira:/bin/sh
> > root at fileserver:/etc/samba# getent passwd administrator
> > root at fileserver:/etc/samba# getent passwd ADDC\administrator
> >
> > In the *getent passwd administrator* nothing appears. According to
> > your explanation, it should contain the value "0" !?
> >
> > What permissions should that user.map file have?
> >
> > root at fileserver:/etc/samba# getfacl user.map
> > # file: user.map
> > # owner: root
> > # group: root
> > user::rw-
> > group::r--
> > other::r--
> >
>
> Bit more explaining ;-)
>
> If you run getent passwd administrator on a DC, you should get
> something like this:
>
> root at dc1:~# getent passwd administrator
> SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
>
> But on a Unix domain member, you will get this:
>
> rowland at devstation:~$ getent passwd administrator
> rowland at devstation:~$
>
> Yes, nothing ;-)
>
> This is because Administrator is 'mapped' to root and the OS doesn't
> know who Administrator is, but you should be able to do things from
> windows as Administrator. There is however a gotcha, on any domain
> joined windows machine there are two 'Administrators'. One is the local
> Administrator and will not be mapped to 'root' and the other is
> 'Domain\Administrator', this is the one that is mapped to the Unix user
> 'root'. So, if you logged in as just 'Administrator', this is very
> likely to be your problem.
>
> getfacl against my user.map returns the same results as yours and
> everything works for me.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
Elias Pereira
On Tue, 30 May 2017 17:53:19 -0300
Elias Pereira <empbilly at gmail.com> wrote:

> > > If you run getent passwd administrator on a DC, you should get
> > > something like this:
> > > root at dc1:~# getent passwd administrator
> > > SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
>
> On my DC getent passwd administrator shows nothing. :(
>
> Is it necessary to map the root user to ADDC as well?
>
> > There is however a gotcha, on any domain
> > joined windows machine there are two 'Administrators'. One is the
> > local Administrator and will not be mapped to 'root' and the other
> > is 'Domain\Administrator', this is the one that is mapped to the
> > Unix user 'root'. So, if you logged in as just 'Administrator', this
> > is very likely to be your problem.
>
> No, I logged in with user ADDC\administrator
>

I think both of these may be caused by the same thing.

On a DC, Administrator is mapped in idmap.ldb, if you open this with
ldbedit and search for 500 (Administrator's RID), you should find
something like this:

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
cn: S-1-5-21-1768301897-3342589593-1064908849-500
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500

As you can see, the SID-500 is mapped to the xidNumber '0' and as we
all know, this is the ID number for root.

I suggest you check in idmap.ldb on the DC that you have something like
the above. Also check that the Administrator object in AD doesn't have a
uidNumber attribute, it shouldn't have and probably doesn't, but check
anyway.

To get 'getent' to show users on the DC, you need to have
libnss_winbind set up just like on a domain member.

Rowland
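The two checks discussed in this thread, the getent passwd line on a DC showing uid 0 for Administrator, and the idmap.ldb record that maps the domain SID ending in -500 to xidNumber 0, can be scripted so the result does not depend on eyeballing ldbedit output. The script below is an added example, not code from the thread or from the Samba project. It assumes ldbsearch is on PATH and that idmap.ldb lives in Samba's private directory (the IDMAP_LDB path is an assumption; override it for your install), and it takes the Administrator SID as an argument for the live check rather than guessing it. The sample passwd line and LDIF record are constructed from the values quoted in the thread so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): sanity-check the
# Administrator -> root mapping on a Samba AD DC.
# Assumption: idmap.ldb is in Samba's private directory; adjust IDMAP_LDB
# (Debian packages use /var/lib/samba/private, for instance).
IDMAP_LDB="${IDMAP_LDB:-/usr/local/samba/private/idmap.ldb}"

# Print the uid (3rd colon-separated field) of a passwd(5) line.
# Prints nothing for an empty line, which is what getent returns on a
# domain member where Administrator is mapped to root via user.map.
passwd_uid() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $3 }'
}

# Given an LDIF record from idmap.ldb (as printed by ldbsearch), print "ok"
# when it is a sidMap entry for a RID-500 SID of type ID_TYPE_UID mapped to
# xidNumber 0; otherwise print a one-line reason.
check_sid500_record() {
    printf '%s\n' "$1" | awk '
        /^objectClass: sidMap$/        { cls = 1 }
        /^objectSid: S-1-5-21-.*-500$/ { sid = 1 }
        /^type: ID_TYPE_UID$/          { typ = 1 }
        /^xidNumber: /                 { xid = $2; seen = 1 }
        END {
            if (!cls || !sid) { print "not a sidMap record for a RID-500 SID"; exit }
            if (!typ)         { print "type is not ID_TYPE_UID"; exit }
            if (!seen)        { print "no xidNumber"; exit }
            if (xid != 0)     { print "xidNumber is " xid ", expected 0"; exit }
            print "ok"
        }'
}

# Live check on a DC. $1 is the Administrator SID (S-1-5-21-<domain>-500);
# wbinfo -n 'DOMAIN\administrator' prints it. Exact-match on objectSid, then
# validate the record exactly as the offline check does.
check_dc_idmap() {
    rec=$(ldbsearch -H "$IDMAP_LDB" "(objectSid=$1)")
    check_sid500_record "$rec"
}

# Live check on a DC: with libnss_winbind set up, getent should resolve
# administrator to uid 0.
check_dc_getent() {
    uid=$(passwd_uid "$(getent passwd administrator)")
    [ "$uid" = "0" ] && echo "ok" || echo "getent uid is '${uid:-<none>}', expected 0"
}

# Constructed sample data, built from the values quoted in the thread.
SAMPLE_PASSWD='SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash'
SAMPLE_LDIF='dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
cn: S-1-5-21-1768301897-3342589593-1064908849-500
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500'

# Offline self-check on the constructed data; pass --live <Administrator SID>
# to run the real checks on a DC.
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    echo "idmap.ldb: $(check_dc_idmap "$2")"
    echo "getent:    $(check_dc_getent)"
else
    echo "sample passwd uid: $(passwd_uid "$SAMPLE_PASSWD")"
    echo "sample idmap.ldb record: $(check_sid500_record "$SAMPLE_LDIF")"
fi
```

On a domain member the getent check is expected to print nothing for administrator, as Rowland explains, so only run check_dc_getent on the DC; the idmap.ldb check reports the actual xidNumber when it is not 0, which is the case to look for when a security tab or ACL operation is refused for Administrator.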
Rowland,

I checked and got the entry for root in idmap.ldb

> To get 'getent' to show users on the DC, you need to have
> libnss_winbind set up just like on a domain member.

Okay. I installed the libnss-winbind package, configured the links to
the lib, and now getent passwd administrator works.

Now, when running testparm, this error occurs:

idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

Do I need an entry "idmap config *: range = 3000-7999" in the smb.conf of
the AD DC?

On Tue, May 30, 2017 at 6:20 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Tue, 30 May 2017 17:53:19 -0300
> Elias Pereira <empbilly at gmail.com> wrote:
>
> > > > If you run getent passwd administrator on a DC, you should get
> > > > something like this:
> > > > root at dc1:~# getent passwd administrator
> > > > SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
> >
> > On my DC getent passwd administrator shows nothing. :(
> >
> > Is it necessary to map the root user to ADDC as well?
> >
> > > There is however a gotcha, on any domain
> > > joined windows machine there are two 'Administrators'. One is the
> > > local Administrator and will not be mapped to 'root' and the other
> > > is 'Domain\Administrator', this is the one that is mapped to the
> > > Unix user 'root'. So, if you logged in as just 'Administrator', this
> > > is very likely to be your problem.
> >
> > No, I logged in with user ADDC\administrator
> >
>
> I think both of these may be caused by the same thing.
>
> On a DC, Administrator is mapped in idmap.ldb, if you open this with
> ldbedit and search for 500 (Administrator's RID), you should find
> something like this:
>
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
> cn: S-1-5-21-1768301897-3342589593-1064908849-500
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500
>
> As you can see, the SID-500 is mapped to the xidNumber '0' and as we
> all know, this is the ID number for root.
>
> I suggest you check in idmap.ldb on the DC that you have something like
> the above. Also check that the Administrator object in AD doesn't have a
> uidNumber attribute, it shouldn't have and probably doesn't, but check
> anyway.
>
> To get 'getent' to show users on the DC, you need to have
> libnss_winbind set up just like on a domain member.
>
> Rowland
>

--
Elias Pereira