Andrey Repin
2015-Mar-30 14:07 UTC
[Samba] Unable to browse system shares of a newly migrated AD DC
Greetings, Rowland Penny!

<Trying to resend, sorry for possible duplicates.>

>> On 30/03/15 10:06, L.P.H. van Belle wrote:
> Please don't top-post. It makes messages very hard to read.

>> I think this won't work since the user connecting isn't known in the AD,
>> since the user connecting is mapped to user nobody.

I'm doing a simple check (anonymous listing of DC shares) as per instructions.

>> auth_check_password_send: Checking password for unmapped user []\[]@[]
>> auth_check_password_send: mapped user is: [CCENTER]\[]@[]
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009)
>> and 'force unknown acl user = true' for service IPC$
>>
>> cat /etc/passwd | grep nobody
>> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>>
>> and by default "Guest" (nobody) is disabled in the AD.
>>
>> Greetz,
>>
>> Louis
>>
> Hi Louis, It works for me
> This appears in log.smbd on my DC when I run the same command:
> [2015/03/30 10:15:42.442881, 3] ../source3/smbd/service.c:856(make_connection_snum)
> dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
> So the questions are, what are the permissions on /tmp and is user '3000009' on the DC 'Everyone'

Permissions are fine, but migration did not create "Users" group in AD.
How can I resolve it?

# wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy

# getent group
...
CCENTER\Enterprise Read-Only Domain Controllers:*:3000012:
CCENTER\Domain Admins:*:512:
CCENTER\Domain Users:*:513:
CCENTER\Domain Guests:*:514:
CCENTER\Domain Computers:*:515:
CCENTER\Domain Controllers:*:3000013:
CCENTER\Schema Admins:*:3000006:
CCENTER\Enterprise Admins:*:3000005:
CCENTER\Group Policy Creator Owners:*:3000003:
CCENTER\Read-Only Domain Controllers:*:3000014:
CCENTER\DnsUpdateProxy:*:3000015:

-- 
With best regards,
Andrey Repin
Monday, March 30, 2015 15:51:58

Sorry for my terrible English...
Rowland Penny
2015-Mar-30 15:09 UTC
[Samba] Unable to browse system shares of a newly migrated AD DC
On 30/03/15 15:07, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
> <Trying to resend, sorry for possible duplicates.>
>
>>> On 30/03/15 10:06, L.P.H. van Belle wrote:
>> Please don't top-post. It makes messages very hard to read.
>
>>>> I think this won't work since the user connecting isn't known in the AD,
>>>> since the user connecting is mapped to user nobody.
>
> I'm doing a simple check (anonymous listing of DC shares) as per instructions.
>
>>>> auth_check_password_send: Checking password for unmapped user []\[]@[]
>>>> auth_check_password_send: mapped user is: [CCENTER]\[]@[]
>>>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>>> connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009)
>>>> and 'force unknown acl user = true' for service IPC$
>>>>
>>>> cat /etc/passwd | grep nobody
>>>> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>>>>
>>>> and by default "Guest" (nobody) is disabled in the AD.
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>> Hi Louis, It works for me
>>> This appears in log.smbd on my DC when I run the same command:
>>> [2015/03/30 10:15:42.442881, 3] ../source3/smbd/service.c:856(make_connection_snum)
>>> dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
>>> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
>>> So the questions are, what are the permissions on /tmp and is user '3000009' on the DC 'Everyone'
>
> Permissions are fine, but migration did not create "Users" group in AD.
> How can I resolve it?
>
> # wbinfo -g
> Enterprise Read-Only Domain Controllers
> Domain Admins
> Domain Users
> Domain Guests
> Domain Computers
> Domain Controllers
> Schema Admins
> Enterprise Admins
> Group Policy Creator Owners
> Read-Only Domain Controllers
> DnsUpdateProxy
>
> # getent group
> ...
> CCENTER\Enterprise Read-Only Domain Controllers:*:3000012:
> CCENTER\Domain Admins:*:512:
> CCENTER\Domain Users:*:513:
> CCENTER\Domain Guests:*:514:
> CCENTER\Domain Computers:*:515:
> CCENTER\Domain Controllers:*:3000013:
> CCENTER\Schema Admins:*:3000006:
> CCENTER\Enterprise Admins:*:3000005:
> CCENTER\Group Policy Creator Owners:*:3000003:
> CCENTER\Read-Only Domain Controllers:*:3000014:
> CCENTER\DnsUpdateProxy:*:3000015:
>

I would be very very surprised if it hasn't been created, 'wbinfo -g' will not show it though, try this:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(&(objectclass=group)(cn=users))'

and the same command will show who '3000009' is:

ldbedit -e nano -H /var/lib/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000009))'

If you haven't got 'ldbedit', install ldb-tools.

When you run the second command, what does the line that starts 'cn:' show ?

Rowland
Andrey Repin
2015-Mar-30 20:50 UTC
[Samba] Unable to browse system shares of a newly migrated AD DC
Greetings, Rowland Penny!

>>> Hi Louis, It works for me
>>> This appears in log.smbd on my DC when I run the same command:
>>> [2015/03/30 10:15:42.442881, 3] ../source3/smbd/service.c:856(make_connection_snum)
>>> dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
>>> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
>>> So the questions are, what are the permissions on /tmp and is user '3000009' on the DC 'Everyone'

>> Permissions are fine, but migration did not create "Users" group in AD.
>> How can I resolve it?

> I would be very very surprised if it hasn't been created, 'wbinfo -g'
> will not show it though, try this:

> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(&(objectclass=group)(cn=users))'

# editing 1 records
# record 1
dn: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
cn: Users
description: Users are prevented from making accidental or intentional system-
 wide changes and can run most applications
member: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
instanceType: 4
whenCreated: 20150329223248.0Z
uSNCreated: 3563
name: Users
objectGUID: 509b16e2-e317-4c9b-937c-e3480a498961
objectSid: S-1-5-32-545
sAMAccountName: Users
sAMAccountType: 536870912
systemFlags: -1946157056
groupType: -2147483643
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ads,DC=ccenter,DC=lan
isCriticalSystemObject: TRUE
gidNumber: 30002
whenChanged: 20150329223254.0Z
objectClass: top
objectClass: posixGroup
objectClass: group
msSFU30NisDomain: ccenter
uSNChanged: 3798
distinguishedName: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan

> and the same command will show who '3000009' is:

> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000009))'

> If you haven't got 'ldbedit', install ldb-tools

That is one handy tool, I may say!

> When you run the second command, what does the line that starts 'cn:' show ?

Nothing useful, unfortunately.

# ldbedit -e cat -H /var/lib/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000009))'
# editing 1 records
# record 1
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid: S-1-1-0
type: ID_TYPE_BOTH
xidNumber: 3000009
distinguishedName: CN=S-1-1-0
# 0 adds  0 modifies  0 deletes

I suppose the group mapping is screwed somehow. Maybe I've copied the wrong tdb from the PDC?

-- 
With best regards,
Andrey Repin
Monday, March 30, 2015 23:44:13

Sorry for my terrible English...
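The two ldbedit queries Rowland gave, plus the cross-check of the gid seen in log.smbd against getent output, can be reproduced offline over the records pasted in this thread. The Python below is an added example, not code from the thread or from the Samba project: it parses ldbsearch/ldbedit-style LDIF (including the folded continuation line in the description above), reverses an xidNumber to its SID the way the idmap.ldb filter does, names well-known SIDs, and ties a gid to the getent group listing. The LDIF and getent samples are constructed from the thread's records, with one extra idmap entry (S-1-5-32-545 -> 3000016) made up for illustration; the attribute names (objectSid, xidNumber, type, gidNumber) are the ones Samba really uses in sam.ldb and idmap.ldb.

```python
"""Resolve a gid from log.smbd to a SID and a name, offline, from LDIF dumps.

Added example for the Samba list thread above; not Samba project code.
"""

# Standard well-known SIDs (subset). These are fixed Windows/Samba values.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
}

# Constructed sample of idmap.ldb output. Record 1 is the one from the thread;
# record 2 is made up to show a BUILTIN SID resolving.
IDMAP_LDIF = """\
# record 1
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid: S-1-1-0
type: ID_TYPE_BOTH
xidNumber: 3000009
distinguishedName: CN=S-1-1-0

# record 2 (constructed, not from the thread)
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000016
distinguishedName: CN=S-1-5-32-545
"""

# Constructed sample of the CN=Users record from sam.ldb, trimmed, keeping the
# folded description line (a leading space marks an LDIF continuation).
SAM_LDIF = """\
# record 1
dn: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
cn: Users
description: Users are prevented from making accidental or intentional system-
 wide changes and can run most applications
member: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
objectSid: S-1-5-32-545
sAMAccountName: Users
gidNumber: 30002
objectClass: top
objectClass: posixGroup
objectClass: group
"""

# Constructed sample: a few 'getent group' lines as shown in the thread.
GETENT_GROUP = """\
CCENTER\\Domain Admins:*:512:
CCENTER\\Domain Users:*:513:
CCENTER\\Domain Controllers:*:3000013:
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts.

    Skips '#' comment lines, unfolds continuation lines, splits records on
    blank lines. Multi-valued attributes (member, objectClass) become lists.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:   # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    records, current = [], {}
    for line in logical:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def xid_to_sid(idmap_records, xid):
    """Reverse lookup, equivalent to '(&(objectClass=sidMap)(xidNumber=N))'."""
    for rec in idmap_records:
        if "sidMap" in rec.get("objectClass", []) and rec.get("xidNumber") == [str(xid)]:
            return rec["objectSid"][0]
    return None


def find_group(sam_records, cn):
    """Case-insensitive cn match, like '(&(objectclass=group)(cn=users))'."""
    for rec in sam_records:
        if "group" in rec.get("objectClass", []) and rec.get("cn", [""])[0].lower() == cn.lower():
            return rec
    return None


def parse_getent_group(text):
    """'name:passwd:gid:members' -> {gid: name}; rsplit keeps 'DOM\\name' intact."""
    groups = {}
    for line in text.splitlines():
        parts = line.rsplit(":", 3)
        if len(parts) == 4 and parts[2].isdigit():
            groups[int(parts[2])] = parts[0]
    return groups


def explain_gid(gid, idmap_text=IDMAP_LDIF, getent_text=GETENT_GROUP):
    """Tie a gid to its idmap SID, a well-known name, and its NSS group name."""
    sid = xid_to_sid(parse_ldif(idmap_text), gid)
    return {
        "gid": gid,
        "sid": sid,
        "well_known_name": WELL_KNOWN_SIDS.get(sid) if sid else None,
        "nss_name": parse_getent_group(getent_text).get(gid),
    }


if __name__ == "__main__":
    print(explain_gid(3000009))   # the thread's gid: S-1-1-0, Everyone, no NSS entry
    print(explain_gid(512))       # RFC2307 gidNumber: not in idmap.ldb, visible via NSS
    users = find_group(parse_ldif(SAM_LDIF), "users")
    print(users["objectSid"][0], WELL_KNOWN_SIDS[users["objectSid"][0]], users["description"][0])
```

Run on the thread's own data this reproduces Rowland's reading: gid 3000009 is S-1-1-0 (Everyone), a well-known SID that neither wbinfo -g nor getent group will ever list, while CN=Users does exist under CN=Builtin with objectSid S-1-5-32-545 and an RFC2307 gidNumber of 30002. The same parser works on any ldbsearch output, so it is a quick way to audit which xidNumbers an idmap.ldb has allocated before trusting a copied tdb.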