L.P.H. van Belle
2015-Mar-30 09:06 UTC
[Samba] Unable to browse system shares of a newly migrated AD DC
I think this won't work since the user connecting isn't known in the AD, since the user connecting is mapped to user nobody.

auth_check_password_send: Checking password for unmapped user []\[]@[]
auth_check_password_send: mapped user is: [CCENTER]\[]@[]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009)
and 'force unknown acl user = true' for service IPC$

cat /etc/passwd | grep nobody
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

and by default "Guest" (nobody) is disabled in the AD.

Greetz,

Louis

> -----Original message-----
> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Monday 30 March 2015 10:49
> To: samba at lists.samba.org
> Subject: Re: [Samba] Unable to browse system shares of a newly migrated AD DC
>
> On 30/03/15 00:01, Andrey Repin wrote:
>> Greetings, Rowland Penny!
>>
>>> [2015/03/30 01:05:38.096168, 3, effective(0, 0), real(0, 0)]
>>>   ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
>>>   auth_check_password_send: Checking password for unmapped user []\[]@[]
>>>   auth_check_password_send: mapped user is: [CCENTER]\[]@[]
>>> [2015/03/30 01:05:38.125440, 2, effective(0, 0), real(0, 0)]
>>>   ../source3/modules/vfs_acl_xattr.c:193(connect_acl_xattr)
>>>   connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service IPC$
>>> [2015/03/30 01:05:38.127532, 3, effective(0, 0), real(0, 0)]
>>>   ../source3/smbd/service.c:856(make_connection_snum)
>>>   127.0.0.1 (ipv4:127.0.0.1:45066) connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009) (pid 882)
>>> [2015/03/30 01:05:38.127627, 3, effective(0, 0), real(0, 0)]
>>>   ../source3/smbd/reply.c:1024(reply_tcon_and_X)
>>>   tconX service=IPC$
>>> [2015/03/30 01:05:38.128477, 3, effective(0, 0), real(0, 0)]
>>>   ../source3/smbd/process.c:1802(process_smb)
>>>   Transaction 3 of length 106 (0 toread)
>>> [2015/03/30 01:05:38.128537, 3, effective(0, 0), real(0, 0)]
>>>   ../source3/smbd/process.c:1405(switch_message)
>>>   switch message SMBntcreateX (pid 882) conn 0xb893b588
>>> [2015/03/29 22:05:38.128622, 3, effective(65534, 3000009), real(65534, 0)]
>>
>> By the way, what is group 3000009 supposed to be? Domain Users? Domain Admins?
>>
>>>   ../source3/smbd/service.c:197(set_current_service)
>>>   chdir (/tmp) failed, reason: Permission denied
>>> [2015/03/29 22:05:38.128674, 3, effective(65534, 3000009), real(65534, 0)]
>>>   ../source3/smbd/error.c:82(error_packet_set)
>>>   NT error packet at ../source3/smbd/process.c(1524) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
>>> [2015/03/29 22:05:38.138398, 3, effective(65534, 3000009), real(65534, 0)]
>>>   ../source3/smbd/process.c:1802(process_smb)
>>>   Transaction 4 of length 118 (0 toread)
>>> [2015/03/29 22:05:38.138453, 3, effective(65534, 3000009), real(65534, 0)]
>>>   ../source3/smbd/process.c:1405(switch_message)
>>>   switch message SMBtrans (pid 882) conn 0xb893b588
>>> [2015/03/29 22:05:38.138494, 3, effective(65534, 3000009), real(65534, 0)]
>>>   ../source3/smbd/service.c:197(set_current_service)
>>>   chdir (/tmp) failed, reason: Permission denied
>>> [2015/03/29 22:05:38.138529, 3, effective(65534, 3000009), real(65534, 0)]
>>>   ../source3/smbd/error.c:82(error_packet_set)
>>>   NT error packet at ../source3/smbd/process.c(1524) cmd=37 (SMBtrans) NT_STATUS_ACCESS_DENIED
>>> [2015/03/29 22:05:38.139702, 3, effective(65534, 3000009), real(65534, 0)]
>>>   ../source3/smbd/process.c:1802(process_smb)
>>>   Transaction 5 of length 39 (0 toread)
>>> [2015/03/29 22:05:38.139771, 3, effective(65534, 3000009), real(65534, 0)]
>>>   ../source3/smbd/process.c:1405(switch_message)
>>>   switch message SMBtdis (pid 882) conn 0xb893b588
>>> [2015/03/30 01:05:38.139897, 3, effective(0, 0), real(0, 0)]
>>>   ../source3/smbd/service.c:1130(close_cnum)
>>>   127.0.0.1 (ipv4:127.0.0.1:45066) closed connection to service IPC$
>>> [2015/03/30 01:05:38.141264, 3, effective(0, 0), real(0, 0)]
>>>   ../source3/smbd/server_exit.c:221(exit_server_common)
>>>   Server exit (failed to receive smb request)
>>
>> --
>> WBR,
>> Andrey Repin, 30.03.2015, <01:54>
>>
>> Sorry for my terrible english...
>>
>
> OK, it would seem that you possibly have a problem with your /tmp directory, it should be readable and writeable by anybody, i.e. on my DC ls -la / shows:
>
> drwxrwxrwt 14 root root 4096 Mar 30 09:17 tmp
>
> As for who '3000009' is, you can find this out by running (on the DC) 'ldbedit -e nano -H /var/lib/samba/private/idmap.ldb' and searching for '3000009'; on my DC this results in this:
>
> dn: CN=S-1-5-32-545
> cn: S-1-5-32-545
> objectClass: sidMap
> objectSid: S-1-5-32-545
> type: ID_TYPE_BOTH
> xidNumber: 3000009
> distinguishedName: CN=S-1-5-32-545
>
> So '3000009' has the SID 'S-1-5-32-545'
> To find out who this is go here:
> http://support.microsoft.com/en-us/kb/243330
>
> This reveals that this is the SID of the 'Users' group
>
> This is probably true for your DC, but I would check your DC, as you can have differences between DCs.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Mar-30 09:26 UTC
[Samba] Unable to browse system shares of a newly migrated AD DC
On 30/03/15 10:06, L.P.H. van Belle wrote:
> I think this won't work since the user connecting isn't known in the AD,
> since the user connecting is mapped to user nobody.
>
> auth_check_password_send: Checking password for unmapped user []\[]@[]
> auth_check_password_send: mapped user is: [CCENTER]\[]@[]
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009)
> and 'force unknown acl user = true' for service IPC$
>
> cat /etc/passwd | grep nobody
> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>
> and by default "Guest" (nobody) is disabled in the AD.
>
> Greetz,
>
> Louis
>
>> [...]

Hi Louis, it works for me.

This appears in log.smbd on my DC when I run the same command:

[2015/03/30 10:15:42.442881, 3] ../source3/smbd/service.c:856(make_connection_snum)
  dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)

3000013 on my DC is SID S-1-1-0, which is 'Everyone'

So the questions are: what are the permissions on /tmp, and is user '3000009' on the DC 'Everyone'?

Rowland
L.P.H. van Belle
2015-Mar-30 09:38 UTC
[Samba] Unable to browse system shares of a newly migrated AD DC
I've never got this to work OK with "Guest" users.

I'll watch the thread... if you manage to get this working.

Greetz,

Louis

> -----Original message-----
> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Monday 30 March 2015 11:26
> To: samba at lists.samba.org
> Subject: Re: [Samba] Unable to browse system shares of a newly migrated AD DC
>
> On 30/03/15 10:06, L.P.H. van Belle wrote:
>> [...]
>
> Hi Louis, it works for me.
>
> This appears in log.smbd on my DC when I run the same command:
>
> [2015/03/30 10:15:42.442881, 3] ../source3/smbd/service.c:856(make_connection_snum)
>   dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
>
> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
>
> So the questions are: what are the permissions on /tmp, and is user '3000009' on the DC 'Everyone'?
>
> Rowland
Rowland Penny
2015-Mar-30 10:11 UTC
[Samba] Unable to browse system shares of a newly migrated AD DC
On 30/03/15 10:38, L.P.H. van Belle wrote:
> I've never got this to work OK with "Guest" users.
>
> I'll watch the thread... if you manage to get this working.
>
> Greetz,
>
> Louis
>
>> [...]

Hi Louis, if I run 'smbclient -L localhost -U%' on the DC, I get this:

root at dc01:~# smbclient -L localhost -U%
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.17-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        testshare       Disk
        IPC$            IPC       IPC Service (Samba 4.1.17-Debian)
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.17-Debian]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP

If I then run virtually the same command on a client (replacing 'localhost' with the DC's name), I get:

rowland at ThinkPad ~ $ smbclient -L dc01 -U%
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.17-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        testshare       Disk
        IPC$            IPC       IPC Service (Samba 4.1.17-Debian)
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.17-Debian]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP

Rowland
Andrey Repin
2015-Mar-30 14:07 UTC
[Samba] Unable to browse system shares of a newly migrated AD DC
Greetings, Rowland Penny!

<Trying to resend, sorry for possible duplicates.>

> On 30/03/15 10:06, L.P.H. van Belle wrote:

Please don't top-post. It makes messages very hard to read.

>> I think this won't work since the user connecting isn't known in the AD,
>> since the user connecting is mapped to user nobody.

I'm doing a simple check (anonymous listing of DC shares) as per instructions.

>> auth_check_password_send: Checking password for unmapped user []\[]@[]
>> auth_check_password_send: mapped user is: [CCENTER]\[]@[]
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009)
>> and 'force unknown acl user = true' for service IPC$
>>
>> cat /etc/passwd | grep nobody
>> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>>
>> and by default "Guest" (nobody) is disabled in the AD.
>>
>> Greetz,
>>
>> Louis
>>
> Hi Louis, it works for me.

> This appears in log.smbd on my DC when I run the same command:

> [2015/03/30 10:15:42.442881, 3] ../source3/smbd/service.c:856(make_connection_snum)
>   dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)

> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'

> So the questions are: what are the permissions on /tmp, and is user '3000009' on the DC 'Everyone'?

Permissions are fine, but the migration did not create the "Users" group in AD. How can I resolve it?

# wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy

# getent group
...
CCENTER\Enterprise Read-Only Domain Controllers:*:3000012:
CCENTER\Domain Admins:*:512:
CCENTER\Domain Users:*:513:
CCENTER\Domain Guests:*:514:
CCENTER\Domain Computers:*:515:
CCENTER\Domain Controllers:*:3000013:
CCENTER\Schema Admins:*:3000006:
CCENTER\Enterprise Admins:*:3000005:
CCENTER\Group Policy Creator Owners:*:3000003:
CCENTER\Read-Only Domain Controllers:*:3000014:
CCENTER\DnsUpdateProxy:*:3000015:

--
With best regards,
Andrey Repin
Monday, March 30, 2015 15:51:58

Sorry for my terrible english...
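The diagnostic that runs through this thread is a three-step lookup: take the uid/gid from the `make_connection_snum` log line, resolve the gid to a SID through the `xidNumber` records in `idmap.ldb` (Rowland's `ldbedit` step), then identify the SID (well-known SID table, or the `getent group` output for domain groups). The script below automates that chain on captured text. It is an added example, not code from the Samba project or from anyone in the thread. It assumes the idmap records were dumped as LDIF (for instance with `ldbsearch -H /var/lib/samba/private/idmap.ldb`); the S-1-5-32-545 record is the one Rowland quoted, while the log line, the second idmap record, its domain SID and the `getent` subset are constructed sample data for the example, and `diagnose_gid` is a name chosen here.

```python
"""Resolve a gid from a Samba log line to a SID and a group name (added example)."""
import re

# Constructed log line, modelled on the make_connection_snum entry in the thread.
SAMPLE_LOG = (
    "127.0.0.1 (ipv4:127.0.0.1:45066) connect to service IPC$ initially as "
    "user NT AUTHORITY\\ANONYMOUS LOGON (uid=65534, gid=3000009) (pid 882)"
)

# Constructed LDIF in the shape ldbsearch prints. Record 1 is the one Rowland
# quoted; record 2 and its domain SID (S-1-5-21-...-516, RID 516 = Domain
# Controllers) are made up for the example.
SAMPLE_IDMAP_LDIF = """\
# record 1
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000009
distinguishedName: CN=S-1-5-32-545

# record 2
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-516
cn: S-1-5-21-1111111111-2222222222-3333333333-516
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-516
type: ID_TYPE_BOTH
xidNumber: 3000013
distinguishedName: CN=S-1-5-21-1111111111-2222222222-3333333333-516
"""

# Constructed subset of the `getent group` lines posted in the thread.
SAMPLE_GETENT = """\
CCENTER\\Domain Users:*:513:
CCENTER\\Domain Controllers:*:3000013:
CCENTER\\Schema Admins:*:3000006:
"""

# Well-known SIDs (the KB 243330 list Rowland links to), only the ones relevant here.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "NT AUTHORITY\\ANONYMOUS LOGON",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
}


def ids_from_log(line):
    """Extract (uid, gid) from a smbd 'connect to service' log line."""
    m = re.search(r"uid=(\d+), gid=(\d+)", line)
    if not m:
        raise ValueError("no uid/gid pair in log line")
    return int(m.group(1)), int(m.group(2))


def parse_idmap_ldif(text):
    """Map xidNumber -> objectSid from LDIF records separated by blank lines.

    Comment lines (# record N, # returned N records) are skipped. LDIF line
    continuations (leading space) are not needed for these short attributes.
    """
    mapping = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for raw in record.splitlines():
            if raw.startswith("#") or ":" not in raw:
                continue
            key, value = raw.split(":", 1)
            attrs[key.strip()] = value.strip()
        if "xidNumber" in attrs and "objectSid" in attrs:
            mapping[int(attrs["xidNumber"])] = attrs["objectSid"]
    return mapping


def parse_getent_group(text):
    """Map gid -> group name from `getent group` output (name:passwd:gid:members)."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            groups[int(parts[2])] = parts[0]
    return groups


def diagnose_gid(gid, idmap, nss_groups):
    """Explain a gid: its SID (if idmap has one), a well-known name, and the NSS view.

    A SID with a well-known name but no NSS group is the situation Andrey hit:
    idmap knows the id, but nothing resolves it to a group name on the DC.
    """
    sid = idmap.get(gid)
    return {
        "gid": gid,
        "sid": sid,
        "well_known_name": WELL_KNOWN_SIDS.get(sid) if sid else None,
        "nss_group": nss_groups.get(gid),
    }


if __name__ == "__main__":
    uid, gid = ids_from_log(SAMPLE_LOG)
    report = diagnose_gid(gid, parse_idmap_ldif(SAMPLE_IDMAP_LDIF), parse_getent_group(SAMPLE_GETENT))
    print(f"uid={uid} gid={gid} -> {report}")
```

On a real DC the three inputs come from `log.smbd`, `ldbsearch -H /var/lib/samba/private/idmap.ldb` and `getent group`; the point of keeping the lookup table separate from the NSS view is that the two can disagree between DCs, which is exactly the caveat Rowland raises about checking each DC rather than assuming 3000009 means the same thing everywhere.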