Oliver
2022-Aug-04 16:54 UTC
[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator
Dear all,

some research later, I did some queries on my PDC and secondary DC. I figured out that the LDAP queries work and the group membership for LDAP is working.

I found an error when running samba-tool on the secondary DC. There is a missing secrets.ldb and sam.ldb. You will find it at the end of this message.

Can you help me to fix this? What did I do wrong?

Regards,

Oliver

General questions, maybe somebody could answer:
- getent does not work on the primary DC
- wbinfo on the primary DC runs with or without the given domain, e.g. "DOMAIN\\USER" & "USER"
- wbinfo on the secondary DC only runs with the given domain, e.g. "DOMAIN\\USER"
- ldbsearch works only against the remote host, the primary DC.
- samba-tool on the primary DC runs only without the given domain, e.g. "USER"

Thanks in advance!

Oliver

Troubleshooting on primary DC DC01:

1) getent

# getent group "Domain Users"
# getent group "DOMAIN\\Domain Users"
# getent passwd "james.bond"
# getent passwd "DOMAIN\\james.bond"

- no output for getent

2) wbinfo

# wbinfo --group-info "Domain Users"
DOMAIN\domain users:x:10000:
# wbinfo --group-info "DOMAIN\\Domain Users"
DOMAIN\domain users:x:10000:

3) ldbsearch

# ldbsearch -H ldap://DC01 -b "CN=Administrator,CN=Users,DC=DOMAIN,DC=local" memberOf primaryGroupID -U Administrator
Password for [DOMAIN\Administrator]:
# record 1
dn: CN=Administrator,CN=Users,DC=DOMAIN,DC=local
primaryGroupID: 513
memberOf: CN=Domain Admins,CN=Users,DC=DOMAIN,DC=local
memberOf: CN=Schema Admins,CN=Users,DC=DOMAIN,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=DOMAIN,DC=local
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=DOMAIN,DC=local
memberOf: CN=Administrators,CN=Builtin,DC=DOMAIN,DC=local

# returned 1 records
# 1 entries
# 0 referrals

# ldbsearch -H ldap://DC01 -b "CN=james.bond,OU=Users,DC=DOMAIN,DC=local" memberOf primaryGroupID -U Administrator
Password for [DOMAIN\Administrator]:
# record 1
dn: CN=james.bond,OU=Users,DC=DOMAIN,DC=local
primaryGroupID: 513
memberOf: CN=sec-admin-home-fileshare-administrator,OU=Gruppen,DC=DOMAIN,DC=local

# returned 1 records
# 1 entries
# 0 referrals

# ldbsearch -H ldap://DC01 -b "CN=sec-admin-home-fileshare-administrator,OU=Gruppen,DC=DOMAIN,DC=local" member memberOf primaryGroupID -U Administrator
# record 1
dn: CN=sec-admin-home-fileshare-administrator,OU=Gruppen,DC=DOMAIN,DC=local
memberOf: CN=sec-file-home-administrator,OU=Gruppen,OU=DOMAIN-OnPrem,DC=DOMAIN,DC=local
member: CN=james.bond,OU=Weitere-Mitglieder,OU=Familie,OU=Mitglieder,OU=Zuhause,DC=DOMAIN,DC=local

# returned 1 records
# 1 entries
# 0 referrals

# ldbsearch -H ldap://DC01 -b "CN=sec-file-home-administrator,OU=Gruppen,DC=DOMAIN,DC=local" member memberOf primaryGroupID -U Administrator
# record 1
dn: CN=sec-file-home-administrator,OU=Gruppen,DC=DOMAIN,DC=local
member: CN=sec-admin-home-fileshare-administrator,OU=Gruppen,DC=DOMAIN,DC=local

# returned 1 records
# 1 entries
# 0 referrals

4) Cache data

ls -ll /usr/local/samba/var/cache/
insgesamt 16
-rw------- 1 root root 12288  4. Aug 15:46 netsamlogon_cache.tdb
drwxr-xr-x 2 root root  4096 25. Feb 16:27 printing

5) tdb backends

ls -ll /usr/local/samba/private/
insgesamt 1012
drwx------ 2 root root   4096  4. Aug 17:07 msg.sock
-rw------- 1 root root  32768  3. Aug 14:27 netlogon_creds_cli.tdb
-rw------- 1 root root 421888  4. Jul 17:11 passdb.tdb
-rw------- 1 root root 577536 30. Jul 10:02 secrets.tdb

6) samba-tool

# samba-tool group listmembers "Domain Users"
svc-linuxreader-ldap
krbtgt
dns-DC01
svc-linuxreader-krb
svc-nextcloud-ldap
james.bond
Administrator
# samba-tool group listmembers "DOMAIN\\Domain Users"
ERROR: Failed to list members of "DOMAIN\Domain Users" group - Unable to find group "DOMAIN\Domain Users"
# samba-tool group listmembers "sec-file-home-administrator"
sec-admin-home-fileshare-administrator
# samba-tool group listmembers "sec-admin-home-fileshare-administrator"
sec-admin-home-fileshare-administrator

Troubleshooting on secondary DC DC02:

1) getent

# getent group "Domain Users"
# getent group "DOMAIN\\Domain Users"
DOMAIN\domain users:x:10000:
# getent passwd "james.bond"
# getent passwd "DOMAIN\\james.bond"
DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash

2) wbinfo

# wbinfo --group-info "Domain Users"
DOMAIN\domain users:x:10000:
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group Domain Users
# wbinfo --group-info "DOMAIN\\Domain Users"
DOMAIN\domain users:x:10000:

3) ldbsearch

# ldbsearch -H ldap://DC01 -b "CN=james.bond,OU=Users,DC=DOMAIN,DC=local" memberOf primaryGroupID -U Administrator
Password for [DOMAIN\Administrator]:
# record 1
dn: CN=james.bond,OU=Users,DC=DOMAIN,DC=local
primaryGroupID: 513
memberOf: CN=sec-admin-home-fileshare-administrator,OU=Gruppen,DC=DOMAIN,DC=local

# returned 1 records
# 1 entries
# 0 referrals

# ldbsearch -H ldap://DC01 -b "CN=sec-admin-home-fileshare-administrator,OU=Gruppen,DC=DOMAIN,DC=local" member memberOf primaryGroupID -U Administrator
# record 1
dn: CN=sec-admin-home-fileshare-administrator,OU=Gruppen,DC=DOMAIN,DC=local
memberOf: CN=sec-file-home-administrator,OU=Gruppen,,DC=DOMAIN,DC=local
member: CN=james.bond,OU=Users,DC=DOMAIN,DC=local

# returned 1 records
# 1 entries
# 0 referrals

# ldbsearch -H ldap://DC01 -b "CN=sec-file-home-administrator,OU=Gruppen,DC=DOMAIN,DC=local" member memberOf primaryGroupID -U Administrator
# record 1
dn: CN=sec-file-home-administrator,OU=Gruppen,DC=DOMAIN,DC=local
member: CN=sec-admin-home-fileshare-administrator,OU=Gruppen,DC=DOMAIN,DC=local

# returned 1 records
# 1 entries
# 0 referrals

4) Cache data

ls -ll /usr/local/samba/var/cache/
insgesamt 20
-rw-r--r-- 1 root root   235  4. Aug 17:18 browse.dat
-rw------- 1 root root 12288 31. Jul 11:21 netsamlogon_cache.tdb
drwxr-xr-x 2 root root  4096  4. Jul 17:11 printing

5) tdb backends

ls -ll /usr/local/samba/private/
insgesamt 1012
drwx------ 2 root root   4096  4. Aug 17:20 msg.sock
-rw------- 1 root root  32768  3. Aug 14:27 netlogon_creds_cli.tdb
-rw------- 1 root root 421888  4. Jul 17:11 passdb.tdb
-rw------- 1 root root 577536 30. Jul 10:02 secrets.tdb

6) samba-tool

# samba-tool group listmembers "Domain Users"
ldb: ltdb: tdb(/usr/local/samba/private/secrets.ldb): tdb_open_ex: could not open file /usr/local/samba/private/secrets.ldb: No such file or directory
ldb: Unable to open tdb '/usr/local/samba/private/secrets.ldb': No such file or directory
ldb: Failed to connect to '/usr/local/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/usr/local/samba/private/secrets.ldb': No such file or directory
ltdb: tdb(/usr/local/samba/private/sam.ldb): tdb_open_ex: could not open file /usr/local/samba/private/sam.ldb: No such file or directory
Unable to open tdb '/usr/local/samba/private/sam.ldb': No such file or directory
Failed to connect to 'tdb:///usr/local/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/usr/local/samba/private/sam.ldb': No such file or directory
ERROR: Failed to list members of "Domain Users" group - (1, "Unable to open tdb '/usr/local/samba/private/sam.ldb': No such file or directory")
  File "/usr/local/samba/lib/python3.9/site-packages/samba/netcmd/group.py", line 527, in run
    samdb = SamDB(url=H, session_info=system_session(),
  File "/usr/local/samba/lib/python3.9/site-packages/samba/samdb.py", line 70, in __init__
    super(SamDB, self).__init__(url=url, lp=lp, modules_dir=modules_dir,
  File "/usr/local/samba/lib/python3.9/site-packages/samba/__init__.py", line 114, in __init__
    self.connect(url, flags, options)
  File "/usr/local/samba/lib/python3.9/site-packages/samba/samdb.py", line 86, in connect
    super(SamDB, self).connect(url=url, flags=flags,
Rowland Penny
2022-Aug-04 18:05 UTC
[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator
On Thu, 2022-08-04 at 18:54 +0200, Oliver via samba wrote:
> Dear all,
>
> some research later, I did some queries on my PDC and secondary DC.

You do not have a PDC and secondary DC, you just have two DCs and one of them holds all the FSMO roles. In all other things, they should be identical.

> I figure out, that the LDAP queries works and the group membership
> for
> LDAP is working.
>
> I found an error, when run samba-tool on the secondary DC. There is
> a
> missing secrets.ldb and sam.ldb .

If you do not have secrets.ldb and sam.ldb on a DC, then you have really big problems. Have you checked if they exist or not?

> You will find it at the end of this message.
>
> Can you help me to fix this?
> What did I wrong?
>
> Regards,
>
> Oliver
>
> General questionsmarks, may somebody could answer:
> - getent not works on Primary DC

Do you have libpam-winbind and libnss-winbind installed? Or if you compiled Samba yourself, did you create the required links?

> - wbinfo on Primary DC run with or without given Domain e.g.
> "DOMAIN\\USER" & "USER"

This is how it is supposed to work.

> - wbinfo on secondarys DC only runs with given Domain e.g.
> "DOMAIN\\USER"

Hmm, that isn't correct.

> - ldbsearch works only to remote host DC.

'ldbsearch' should work on both DCs.

I do hope that '.local' is a replacement for your correct TLD.

I think you need to compare your first DC with your second DC; they should, apart from the hostname, IP address etc., be identical.

I would also do some reading up on AD attributes (for instance, a group will never have a primaryGroupID attribute).

Rowland
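An added check script, not from either poster, that automates the three checks Rowland raises: whether sam.ldb and secrets.ldb exist under the Samba private dir, whether the two DCs' private dirs hold the same set of files, and whether nsswitch.conf routes passwd and group lookups to winbind (the usual cause of getent returning nothing while wbinfo works). The directory and file paths passed in are assumptions taken from Oliver's listings; the second DC's listing would need to be copied or mounted locally for the comparison.

```shell
#!/bin/sh
# Added example (not from either poster): sanity checks for a Samba AD DC,
# covering the two symptoms in this thread: samba-tool failing because
# sam.ldb / secrets.ldb are absent, and getent returning nothing because
# NSS is not wired to winbind. All paths passed as arguments are assumptions.

# Report which of the DC databases samba-tool needs are missing under $1
# (the Samba private dir); return 0 when both are present, 1 otherwise.
check_dc_private_dir() {
    missing=""
    for f in sam.ldb secrets.ldb; do
        [ -s "$1/$f" ] || missing="$missing $f"
    done
    [ -z "$missing" ] && return 0
    echo "missing in $1:$missing"; return 1
}

# Rowland's advice is to compare the two DCs: list files present in only one
# of the two private dirs $1 and $2; return 0 when the file sets match.
compare_private_dirs() {
    ta=$(mktemp); tb=$(mktemp)
    ls -1 "$1" | sort > "$ta"
    ls -1 "$2" | sort > "$tb"
    rc=0
    if comm -3 "$ta" "$tb" | grep -q .; then
        echo "only in $1:"; comm -23 "$ta" "$tb"
        echo "only in $2:"; comm -13 "$ta" "$tb"
        rc=1
    fi
    rm -f "$ta" "$tb"
    return $rc
}

# getent only resolves domain users/groups when the passwd and group lines
# of nsswitch.conf ($1) list winbind; return 0 when both do, else 1.
nsswitch_has_winbind() {
    rc=0
    for db in passwd group; do
        line=$(grep -E "^[[:space:]]*$db:" "$1" | head -n 1 | tr '\t' ' ')
        case " $line " in
            *" winbind "*) ;;
            *) echo "$db line lacks winbind: ${line:-<absent>}"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone usage: sh dc_check.sh /usr/local/samba/private /etc/nsswitch.conf
if [ "$#" -ge 2 ]; then
    check_dc_private_dir "$1"
    nsswitch_has_winbind "$2"
fi
```

Run it on each DC and diff the output; a DC whose private dir lacks sam.ldb or secrets.ldb, or whose nsswitch.conf lacks winbind, is the one to fix before chasing ACL problems.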