Sorin P.
2023-Jan-22 17:15 UTC
[Samba] Delegation of control failure for any built-in Security Principals
Hi Rowland.

What else can I use instead of "SELF" then?
I'm trying to allow AD users to self-write the sshPublicKeys attribute, which I've already added to the schema.

Additionally, the same error appears when choosing "Everyone" instead of "SELF". Not that I want to select "Everyone", but I expected to be able to select it and not get an error.

The "wins server" entry is a leftover from some copy-pasted configuration block found on the Internet, when I was trying to solve some old problem which I no longer remember. I'll just remove it.

Thank you.

On Sunday, January 22, 2023 at 06:56:13 PM GMT+2, Rowland Penny via samba <samba at lists.samba.org> wrote:

On 22/01/2023 16:27, Sorin P. via samba wrote:
> Hi Rowland.
> The answers to your questions:
> - Yes, it works fine with any other normal user (non-built-in users), including the domain administrator user.
> A. I'm referring to the Debian architecture like that, because that's exactly what's returned by 'uname -m' -> aarch64
> B. I prefer to build it myself, in order to disable all the stuff which I know that I do not need for sure: printing support, avahi, dmapi, systemd support, clustering, glusterfs.

I do not see why you bother, but each to their own.

> Any ideas on how I can dig into this problem further?

Stop trying to use 'SELF', Samba appears to have nothing to map it to.

> Here's my smb.conf:
> [global]
>         allow dns updates = secure only
>         bind interfaces only = Yes
>         disable spoolss = Yes
>         interfaces = eth0
>         ldap server require strong auth = Yes
>         netbios name = DC
>         ntlm auth = mschapv2-and-ntlmv2-only
>         printcap name = /dev/null
>         realm = DOMAIN.ORG
>         restrict anonymous = 2
>         server min protocol = SMB3
>         server role = active directory domain controller
>         tls cafile = tls/bundle_ca.crt
>         tls certfile = tls/dc.crt
>         tls enabled = Yes
>         tls keyfile = tls/dc.key
>         wins server = 10.1.1.4
>         wins support = Yes
>         workgroup = DOMAIN
>         idmap_ldb:use rfc2307 = yes
>         comment = "Domain Controller for domain.org"

Can I ask why you have set the 'wins server' parameter on something that doesn't use WINS? Especially when you have set 'server min protocol' to SMB3.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2023-Jan-22 17:31 UTC
[Samba] Delegation of control failure for any built-in Security Principals
On 22/01/2023 17:15, Sorin P. wrote:
> Hi Rowland.
>
> What else can I use instead of "SELF" then?
> I'm trying to allow AD users to self-write the sshPublicKeys attribute,
> which I've already added to the schema.

You do realise that, properly set up, SSH will work with Kerberos, without keys or passwords.

> Additionally, the same error appears when choosing "Everyone" instead of
> "SELF".

These well-known SIDs do not have anything to map them to.

If you must use keys, then surely the attribute is part of the user's AD object and as such should be owned by the user, who should have write permission.

As I said (in a roundabout way), I use Kerberos instead of keys.

Rowland
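The delegation the thread is about, written out as SDDL for `samba-tool dsacl set`. This is an added example, not code from either poster or from Samba itself. In SDDL the well-known SID S-1-5-10 (Principal Self, what the Windows GUI shows as SELF) is abbreviated PS, and a write-property ACE restricted to one attribute needs that attribute's schemaIDGUID, which ldbsearch prints base64-encoded in AD's mixed-endian byte order. The attribute GUID, the DN and the ldbsearch output line below are constructed for illustration; the PS alias, the WP right and the schemaIDGUID of the user class are fixed AD values.

```python
"""Build the SDDL that lets each AD user write its own sshPublicKeys
attribute, for use with `samba-tool dsacl set`.

Added example, not from the thread or from Samba. Assumptions, labelled:
  - the attribute's schemaIDGUID is read from the schema partition with
    ldbsearch, which prints binary attributes base64-encoded (`attr:: ...`);
  - the sample GUID and DNs are constructed, not a real schema extension.
"""
import base64
import shlex
import uuid

# Fixed AD/SDDL values (not assumptions).
PRINCIPAL_SELF = "PS"  # SDDL alias for S-1-5-10, "Principal Self"
USER_CLASS_GUID = "bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of class 'user'


def guid_from_ldb_b64(value: str) -> str:
    """Convert a base64 schemaIDGUID as printed by ldbsearch into string form.

    AD stores GUIDs with the first three fields little-endian, which is
    exactly what uuid.UUID(bytes_le=...) expects.
    """
    raw = base64.b64decode(value)
    if len(raw) != 16:
        raise ValueError(f"expected 16 GUID bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def guid_to_ldb_b64(guid: str) -> str:
    """Inverse: string GUID -> base64 of the stored bytes (e.g. for an ldbsearch filter)."""
    return base64.b64encode(uuid.UUID(guid).bytes_le).decode("ascii")


def self_write_ace(attr_guid: str, inherit_to_users: bool = False) -> str:
    """One SDDL object ACE granting Principal Self write-property (WP) on
    a single attribute.

    On one object:          (OA;;WP;<attr-guid>;;PS)
    On a container or the domain root, inherited by every 'user' object
    beneath it and applying to nothing else: (OA;CIIO;WP;<attr-guid>;<user-class-guid>;PS)
    """
    attr_guid = str(uuid.UUID(attr_guid))  # normalise and validate
    if inherit_to_users:
        return f"(OA;CIIO;WP;{attr_guid};{USER_CLASS_GUID};{PRINCIPAL_SELF})"
    return f"(OA;;WP;{attr_guid};;{PRINCIPAL_SELF})"


def samba_tool_dsacl_cmd(objectdn: str, sddl: str) -> list[str]:
    """argv for `samba-tool dsacl set`, which adds the given ACE(s) to the
    object's existing DACL."""
    return ["samba-tool", "dsacl", "set", f"--objectdn={objectdn}", f"--sddl={sddl}"]


if __name__ == "__main__":
    # Constructed sample of what
    #   ldbsearch -H /var/lib/samba/private/sam.ldb \
    #     -b CN=Schema,CN=Configuration,DC=domain,DC=org \
    #     '(lDAPDisplayName=sshPublicKeys)' schemaIDGUID
    # would print if the attribute had this (made-up) GUID.
    sample_ldb_line = "schemaIDGUID:: eFY0EjQSeFaavN7wEjRWeA=="
    attr_guid = guid_from_ldb_b64(sample_ldb_line.split(":: ", 1)[1])
    ace = self_write_ace(attr_guid, inherit_to_users=True)
    print(shlex.join(samba_tool_dsacl_cmd("DC=domain,DC=org", ace)))
```

After running the printed command, `samba-tool dsacl get --objectdn=DC=domain,DC=org` should show the new ACE in the DACL; a user can then test with an ldbmodify of their own sshPublicKeys over LDAPS, and writing the same attribute on another user's object should still be refused.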