Sorin P.
2023-Jan-22 16:27 UTC
[Samba] Delegation of control failure for any built-in Security Principals
Hi Rowland.

The answers to your questions:

- Yes, it works fine with any other normal user (non-built-in users), including the domain administrator user.

A. I'm referring to Debian architecture like that, because that's exactly what's returned by 'uname -m' -> aarch64

B. I prefer to build by myself, in order to disable all the stuff which I know that I do not need for sure: printing support, avahi, dmapi, systemd support, clustering, glusterfs.

Any ideas on how I can dig into this problem further?

Here's my smb.conf:

[global]
        allow dns updates = secure only
        bind interfaces only = Yes
        disable spoolss = Yes
        interfaces = eth0
        ldap server require strong auth = Yes
        netbios name = DC
        ntlm auth = mschapv2-and-ntlmv2-only
        printcap name = /dev/null
        realm = DOMAIN.ORG
        restrict anonymous = 2
        server min protocol = SMB3
        server role = active directory domain controller
        tls cafile = tls/bundle_ca.crt
        tls certfile = tls/dc.crt
        tls enabled = Yes
        tls keyfile = tls/dc.key
        wins server = 10.1.1.4
        wins support = Yes
        workgroup = DOMAIN
        idmap_ldb:use rfc2307 = yes
        comment = "Domain Controller for domain.org"

Thanks.
Sorin

On Sunday, January 22, 2023 at 03:34:10 PM GMT+2, Sorin P. via samba <samba at lists.samba.org> wrote:

Hi team.

I am trying to allocate some rights to users in Active Directory, by using the "Delegation of Control Wizard" from ADUC. The steps I'm following were executed under the domain administrator user and are the following:

1. open ADUC and right click the top level OU (Ex. domain.org)
2. from the pop-up menu, select "Delegate Control..."
3. click next in the first page of the wizard (which is the "Welcome" page)
4. on the next page "Users or Groups", select the "Add" button, and type "SELF" then "Check Names".
5. I'm getting an error window with the following message:

    "Windows cannot process the object with the name "SELF" because of the following error:
    Name translation: Input name found, but not the associated output format."

After the error, I am unable to continue with the wizard to delegate tasks.

The same error appears if I try to select any other built-in security principals like: Everyone or SYSTEM, etc.

The logs show nothing suspicious (with log level 10). The only log entry which I've found and looked strange to me was this one:

    gendb_search_v: CN=Self,CN=WellKnown Security Principals,CN=Configuration,DC=domain,DC=org NULL -> 1

Any ideas on what might be wrong?

The platform I'm using:

  Software:      Samba Version 4.17.4 (built from source)
  OS:            Debian GNU/Linux 11 (bullseye)
  Architecture:  aarch64
  Kernel:        5.15.84-v8+

Thanks a lot.
Sorin
Rowland Penny
2023-Jan-22 16:55 UTC
[Samba] Delegation of control failure for any built-in Security Principals
On 22/01/2023 16:27, Sorin P. via samba wrote:
> Hi Rowland.
> The answers to your questions:
> - Yes, it works fine with any other normal user (non-built-in users), including the domain administrator user.
> A. I'm referring to Debian architecture like that, because that's exactly what's returned by 'uname -m' -> aarch64
> B. I prefer to build by myself, in order to disable all the stuff which I know that I do not need for sure: printing support, avahi, dmapi, systemd support, clustering, glusterfs.

I do not see why you bother, but each to their own.

> Any ideas on how I can dig into this problem further?

Stop trying to use 'SELF'; Samba appears to have nothing to map it to.

> Here's my smb.conf:
> [global]
>         allow dns updates = secure only
>         bind interfaces only = Yes
>         disable spoolss = Yes
>         interfaces = eth0
>         ldap server require strong auth = Yes
>         netbios name = DC
>         ntlm auth = mschapv2-and-ntlmv2-only
>         printcap name = /dev/null
>         realm = DOMAIN.ORG
>         restrict anonymous = 2
>         server min protocol = SMB3
>         server role = active directory domain controller
>         tls cafile = tls/bundle_ca.crt
>         tls certfile = tls/dc.crt
>         tls enabled = Yes
>         tls keyfile = tls/dc.key
>         wins server = 10.1.1.4
>         wins support = Yes
>         workgroup = DOMAIN
>         idmap_ldb:use rfc2307 = yes
>         comment = "Domain Controller for domain.org"

Can I ask why you have set the 'wins server' parameter on something that doesn't use wins? Especially when you have set 'server min protocol' to SMB3.

Rowland
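One way to dig further on the DC itself, as an added example that is not part of this thread: dump the CN=WellKnown Security Principals container with ldbsearch (the command and the sam.ldb path in the comment are assumptions) and check that each well-known name the thread mentions has an entry whose objectSid matches the documented SID (Self S-1-5-10, Everyone S-1-1-0, System S-1-5-18). The LDIF below is a constructed stand-in for real output, with the Self entry deliberately missing its objectSid.

```python
import re

# Documented well-known SIDs for the names the thread mentions.
EXPECTED_SIDS = {"Self": "S-1-5-10", "Everyone": "S-1-1-0", "System": "S-1-5-18"}

# Constructed sample (not real data) of what an assumed command such as
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#     -b 'CN=WellKnown Security Principals,CN=Configuration,DC=domain,DC=org' cn objectSid
# might print; the Self entry deliberately lacks its objectSid.
SAMPLE_LDIF = """\
dn: CN=Everyone,CN=WellKnown Security Principals,CN=Configuration,
 DC=domain,DC=org
cn: Everyone
objectSid: S-1-1-0

dn: CN=Self,CN=WellKnown Security Principals,CN=Configuration,DC=domain,DC=org
cn: Self

dn: CN=System,CN=WellKnown Security Principals,CN=Configuration,DC=domain,DC=org
cn: System
objectSid: S-1-5-18
"""

def parse_ldif(text):
    """One {attribute: value} dict per blank-line separated entry; handles LDIF folding."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry, last = {}, None
        for line in block.splitlines():
            if line.startswith(" ") and last:
                entry[last] += line[1:]          # folded continuation line
            elif ":" in line and not line.startswith("#"):
                last, _, value = line.partition(":")
                entry[last] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def check_wellknown_principals(ldif_text, expected=EXPECTED_SIDS):
    """Return {name: problem} for expected principals that are missing or mis-SIDed."""
    found = {e.get("cn"): e.get("objectSid") for e in parse_ldif(ldif_text)}
    problems = {}
    for name, sid in expected.items():
        if name not in found:
            problems[name] = "entry missing"
        elif found[name] is None:
            problems[name] = "objectSid attribute missing"
        elif found[name] != sid:
            problems[name] = f"objectSid {found[name]}, expected {sid}"
    return problems
```

An empty result means the container holds the expected entries and SIDs, which rules out that part of the directory and points the investigation at name translation itself.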