Sorin P.
2023-Jan-22 13:31 UTC
[Samba] Delegation of control failure for any built-in Security Principals
Hi team. I am trying to allocate some rights to users in Active Directory, by using the "Delegation of Control Wizard" from ADUC. The steps I'm following were executed under the domain administrator user and are the following: 1. open ADUC and right click the top level OU (Ex. domain.org) 2. from the pop-up menu, select ?Delegate Control?? 3. click next in the first page of the wizard (which is the "Welcome" page) 4. on the next page "Users or Groups", select the ?Add? button, and type ?SELF? then ?Check Names?. 5. I'm getting an error window with the following message: ?? ?"Windows cannot process the object with the name "SELF" because of the following error: ?? ?Name translation: Input name found, but not the associated output format. ?? ? After the error, I am unable to continue with the wizard to delegate tasks.The same error appears if I try to select any other built in security principals like: Everyone or SYSTEM, etc The logs show nothing suspicious (with log level 10). The only log entry which I've found and looked strange to me was this one: ?? ?gendb_search_v: CN=Self,CN=WellKnown Security Principals,CN=Configuration,DC=domain,DC=org NULL -> 1 Any ideas on what might be wrong? The platform I'm using: ? Software:????? Samba Version 4.17.4 (built from source) ? OS:?????????????? Debian GNU/Linux 11 (bullseye) ? Architecture:???? aarch64 ? Kernel:?????????? 5.15.84-v8+ Thanks a lot.Sorin
Rowland Penny
2023-Jan-22 14:46 UTC
[Samba] Delegation of control failure for any built-in Security Principals
On 22/01/2023 13:31, Sorin P. via samba wrote:> Hi team. > > I am trying to allocate some rights to users in Active Directory, by using the "Delegation of Control Wizard" from ADUC. > The steps I'm following were executed under the domain administrator user and are the following: > > 1. open ADUC and right click the top level OU (Ex. domain.org) > 2. from the pop-up menu, select ?Delegate Control?? > 3. click next in the first page of the wizard (which is the "Welcome" page) > 4. on the next page "Users or Groups", select the ?Add? button, and type ?SELF? then ?Check Names?. > 5. I'm getting an error window with the following message: > ?? ?"Windows cannot process the object with the name "SELF" because of the following error: > ?? ?Name translation: Input name found, but not the associated output format.I think that means that the user 'SELF' cannot be mapped, does it work with a domain user ?> > After the error, I am unable to continue with the wizard to delegate tasks.The same error appears if I try to select any other built in security principals like: Everyone or SYSTEM, etc > The logs show nothing suspicious (with log level 10). > The only log entry which I've found and looked strange to me was this one: > ?? ?gendb_search_v: CN=Self,CN=WellKnown Security Principals,CN=Configuration,DC=domain,DC=org NULL -> 1I think that means the same, the DN is valid, but the user is unknown on Linux.> > Any ideas on what might be wrong? > > The platform I'm using: > ? Software:????? Samba Version 4.17.4 (built from source) > ? OS:?????????????? Debian GNU/Linux 11 (bullseye) > ? Architecture:???? aarch64Can I ask why you are: A) referring to aarch64 on Debian, when they call it arm64 ? B) compiling Samba yourself when 4.17.4 is available from bullseye backports ? Nothing to do with your problem, just interested. Rowland
Sorin P.
2023-Jan-22 16:27 UTC
[Samba] Delegation of control failure for any built-in Security Principals
Hi Rowland. The answers to your questions: - Yes, it works fine with any other normal user (non-built in users), including the domain administrator user.A. I'm referring to Debian architecture like that, because that's exactly what's returned by? 'uname -m' -> aarch64B. I prefer to build by myself, in order to disable all the stuff which I know that I do not need for sure: printing support, avahi, dmapi, systemd support, clustering, glusterfs. Any ideas on how I can dig into this problem further?Here's my smb.conf: [global] ??????? allow dns updates = secure only ??????? bind interfaces only = Yes ??????? disable spoolss = Yes ??????? interfaces = eth0 ??????? ldap server require strong auth = Yes ??????? netbios name = DC ??????? ntlm auth = mschapv2-and-ntlmv2-only ??????? printcap name = /dev/null ??????? realm = DOMAIN.ORG ??????? restrict anonymous = 2 ??????? server min protocol = SMB3 ??????? server role = active directory domain controller ??????? tls cafile = tls/bundle_ca.crt ??????? tls certfile = tls/dc.crt ??????? tls enabled = Yes ??????? tls keyfile = tls/dc.key ??????? wins server = 10.1.1.4 ??????? wins support = Yes ??????? workgroup = DOMAIN ??????? idmap_ldb:use rfc2307 = yes ??????? comment = "Domain Controller for domain.org" Thanks.Sorin On Sunday, January 22, 2023 at 03:34:10 PM GMT+2, Sorin P. via samba <samba at lists.samba.org> wrote: Hi team. I am trying to allocate some rights to users in Active Directory, by using the "Delegation of Control Wizard" from ADUC. The steps I'm following were executed under the domain administrator user and are the following: 1. open ADUC and right click the top level OU (Ex. domain.org) 2. from the pop-up menu, select ?Delegate Control?? 3. click next in the first page of the wizard (which is the "Welcome" page) 4. on the next page "Users or Groups", select the ?Add? button, and type ?SELF? then ?Check Names?. 5. I'm getting an error window with the following message: ?? ?"Windows cannot process the object with the name "SELF" because of the following error: ?? ?Name translation: Input name found, but not the associated output format. ?? ? After the error, I am unable to continue with the wizard to delegate tasks.The same error appears if I try to select any other built in security principals like: Everyone or SYSTEM, etc The logs show nothing suspicious (with log level 10). The only log entry which I've found and looked strange to me was this one: ?? ?gendb_search_v: CN=Self,CN=WellKnown Security Principals,CN=Configuration,DC=domain,DC=org NULL -> 1 Any ideas on what might be wrong? The platform I'm using: ? Software:????? Samba Version 4.17.4 (built from source) ? OS:?????????????? Debian GNU/Linux 11 (bullseye) ? Architecture:???? aarch64 ? Kernel:?????????? 5.15.84-v8+ Thanks a lot.Sorin -- To unsubscribe from this list go to the following URL and read the instructions:? https://lists.samba.org/mailman/options/samba