Andrey Repin
2015-Mar-30 20:50 UTC
[Samba] Unable to browse system shares of a newly migrated AD DC
Greetings, Rowland Penny!

>>> Hi Louis, It works for me
>>> This appears in log.smbd on my DC when I run the same command:
>>> [2015/03/30 10:15:42.442881, 3]
>>> ../source3/smbd/service.c:856(make_connection_snum)
>>> dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT
>>> AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
>>> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
>>> So the questions are, what are the permissions on /tmp and is user
>>> '3000009' on the DC 'Everyone'

>> Permissions are fine, but migration did not create "Users" group in AD.
>> How can I resolve it?

> I would be very very surprised if it hasn't been created, 'wbinfo -g'
> will not show it though, try this:

> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
> '(&(objectclass=group)(cn=users))'

# editing 1 records
# record 1
dn: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
cn: Users
description: Users are prevented from making accidental or intentional system-
 wide changes and can run most applications
member: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
instanceType: 4
whenCreated: 20150329223248.0Z
uSNCreated: 3563
name: Users
objectGUID: 509b16e2-e317-4c9b-937c-e3480a498961
objectSid: S-1-5-32-545
sAMAccountName: Users
sAMAccountType: 536870912
systemFlags: -1946157056
groupType: -2147483643
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ads,DC=ccenter,DC=lan
isCriticalSystemObject: TRUE
gidNumber: 30002
whenChanged: 20150329223254.0Z
objectClass: top
objectClass: posixGroup
objectClass: group
msSFU30NisDomain: ccenter
uSNChanged: 3798
distinguishedName: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan

> and the same command will show who '3000009' is:

> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
> '(&(objectClass=sidMap)(xidNumber=3000009))'

> If you haven't got 'ldbedit', install ldb-tools

That is one handy tool, I may say!

> When you run the second command, what does the line that starts 'cn:' show ?

Nothing useful, unfortunately.

# ldbedit -e cat -H /var/lib/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000009))'
# editing 1 records
# record 1
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid: S-1-1-0
type: ID_TYPE_BOTH
xidNumber: 3000009
distinguishedName: CN=S-1-1-0

# 0 adds  0 modifies  0 deletes

I suppose the group mapping is screwed somehow.
Maybe I've copied the wrong tdb from the PDC?

--
With best regards,
Andrey Repin
Monday, March 30, 2015 23:44:13

Sorry for my terrible English...
Rowland Penny
2015-Mar-30 21:16 UTC
[Samba] Unable to browse system shares of a newly migrated AD DC
On 30/03/15 21:50, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>>> Hi Louis, It works for me
>>>> This appears in log.smbd on my DC when I run the same command:
>>>> [2015/03/30 10:15:42.442881, 3]
>>>> ../source3/smbd/service.c:856(make_connection_snum)
>>>> dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT
>>>> AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
>>>> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
>>>> So the questions are, what are the permissions on /tmp and is user
>>>> '3000009' on the DC 'Everyone'
>>> Permissions are fine, but migration did not create "Users" group in AD.
>>> How can I resolve it?
>> I would be very very surprised if it hasn't been created, 'wbinfo -g'
>> will not show it though, try this:
>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
>> '(&(objectclass=group)(cn=users))'
> # editing 1 records
> # record 1
> dn: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
> cn: Users
> description: Users are prevented from making accidental or intentional system-
>  wide changes and can run most applications
> member: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
> member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
> member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
> instanceType: 4
> whenCreated: 20150329223248.0Z
> uSNCreated: 3563
> name: Users
> objectGUID: 509b16e2-e317-4c9b-937c-e3480a498961
> objectSid: S-1-5-32-545
> sAMAccountName: Users
> sAMAccountType: 536870912
> systemFlags: -1946157056
> groupType: -2147483643
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ads,DC=ccenter,DC=lan
> isCriticalSystemObject: TRUE
> gidNumber: 30002
> whenChanged: 20150329223254.0Z
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> msSFU30NisDomain: ccenter
> uSNChanged: 3798
> distinguishedName: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
>
>> and the same command will show who '3000009' is:
>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>> '(&(objectClass=sidMap)(xidNumber=3000009))'
>> If you haven't got 'ldbedit', install ldb-tools
> That is one handy tool, I may say!
>
>> When you run the second command, what does the line that starts 'cn:' show ?
> Nothing useful, unfortunately.

Yes it does :-)

It shows that your '3000009', like my '3000013', is the group 'Everyone'.

>
> # ldbedit -e cat -H /var/lib/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000009))'
> # editing 1 records
> # record 1
> dn: CN=S-1-1-0
> cn: S-1-1-0
> objectClass: sidMap
> objectSid: S-1-1-0
> type: ID_TYPE_BOTH
> xidNumber: 3000009
> distinguishedName: CN=S-1-1-0
>
> # 0 adds  0 modifies  0 deletes
>
> I suppose the group mapping is screwed somehow.
> Maybe I've copied the wrong tdb from the PDC?
>

Now as we have confirmed that your windows DC is running the same
command as mine and mine works, we need to look at what is different
between your DC and mine. This would seem to be that samba cannot write
to the /tmp directory, so I will ask again (but in a slightly different
way), what does 'ls -la / | grep tmp' show ??

Mine shows this:

root@dc01:~# ls -la / | grep tmp
drwxrwxrwt  8 root root  4096 Mar 30 22:09 tmp

Which shows that any user or group can read, write or enter the /tmp
directory.

Rowland
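The two lookups the thread does by hand (unix id -> objectSid in idmap.ldb, then SID -> group in sam.ldb, plus the /tmp mode check) can be scripted against ldbsearch output. The following is an added example for this archive page, not code from the Samba project or from either poster. The LDIF strings are constructed to mirror the records quoted in the thread, the well-known-SID table is a fixed subset I chose, and on a real DC the LDIF would come from something like `ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidNumber=3000009)'` and `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSid=S-1-5-32-545)'` (ldb-tools package).

```python
"""Resolve a unix id from log.smbd (e.g. gid=3000013) to a SID and a name.

Added example for this thread, not Samba code. The LDIF samples below are
constructed from the records quoted in the thread; substitute ldbsearch output
from your own idmap.ldb / sam.ldb to use it for real.
"""
import stat

# Constructed sample: the idmap.ldb record for xidNumber 3000009 from the thread.
IDMAP_LDIF = """\
# record 1
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid: S-1-1-0
type: ID_TYPE_BOTH
xidNumber: 3000009
distinguishedName: CN=S-1-1-0

# returned 1 records
"""

# Constructed sample: the Builtin\Users record from sam.ldb, abridged. The
# description is folded the way LDIF folds long values (continuation line
# starts with one space), which a naive line-by-line reader would split.
SAM_LDIF = """\
# record 1
dn: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
cn: Users
description: Users are prevented from making accidental or intentional system-
 wide changes and can run most applications
member: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
objectSid: S-1-5-32-545
sAMAccountName: Users
gidNumber: 30002
objectClass: top
objectClass: posixGroup
objectClass: group

"""

# Well-known SIDs seen in the thread; these never appear in sam.ldb as groups,
# so they must be named from a table. Deliberately a small subset, not complete.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
}


def parse_ldif(text):
    """Parse ldbsearch/ldbedit LDIF into a list of {attr: [values]} records.

    Handles '#' comment lines, blank-line record separators and folded values
    (continuation lines beginning with a space). Base64 ':: ' values are kept
    as-is, which is fine for the attributes used here.
    """
    records, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]      # unfold onto previous value
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        records.append(current)
    return records


def xid_to_sid(idmap_ldif, xid):
    """Return the objectSid that idmap.ldb maps a unix id to, or None."""
    for rec in parse_ldif(idmap_ldif):
        if rec.get("xidNumber") == [str(xid)] and "sidMap" in rec.get("objectClass", []):
            return rec["objectSid"][0]
    return None


def describe_sid(sid, sam_ldif=""):
    """Name a SID: well-known table first, then sAMAccountName from sam.ldb output."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    for rec in parse_ldif(sam_ldif):
        if rec.get("objectSid") == [sid]:
            return rec.get("sAMAccountName", rec.get("cn", ["?"]))[0]
    return "unknown SID"


def tmp_mode_ok(mode):
    """The /tmp check from the thread on a st_mode: a directory that is
    world-writable and world-searchable with the sticky bit (drwxrwxrwt)."""
    required = stat.S_IWOTH | stat.S_IXOTH | stat.S_ISVTX
    return stat.S_ISDIR(mode) and (mode & required) == required


if __name__ == "__main__":
    import os
    sid = xid_to_sid(IDMAP_LDIF, 3000009)
    print("3000009 ->", sid, "=", describe_sid(sid, SAM_LDIF))
    print("S-1-5-32-545 =", describe_sid("S-1-5-32-545", SAM_LDIF))
    print("/tmp mode ok:", tmp_mode_ok(os.stat("/tmp").st_mode))
```

Feeding it the thread's records gives 3000009 -> S-1-1-0 = Everyone and S-1-5-32-545 = Users, which is the conclusion Rowland draws above; the unfolding in parse_ldif matters because ldbsearch wraps long attribute values such as the group description.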
Andrey Repin
2015-Mar-30 23:27 UTC
[Samba] Unable to browse system shares of a newly migrated AD DC
Greetings, Rowland Penny!

>>>>> Hi Louis, It works for me
>>>>> This appears in log.smbd on my DC when I run the same command:
>>>>> [2015/03/30 10:15:42.442881, 3]
>>>>> ../source3/smbd/service.c:856(make_connection_snum)
>>>>> dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT
>>>>> AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
>>>>> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
>>>>> So the questions are, what are the permissions on /tmp and is user
>>>>> '3000009' on the DC 'Everyone'
>>>> Permissions are fine, but migration did not create "Users" group in AD.
>>>> How can I resolve it?
>>> I would be very very surprised if it hasn't been created, 'wbinfo -g'
>>> will not show it though, try this:
>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
>>> '(&(objectclass=group)(cn=users))'
>> # editing 1 records
>> # record 1
>> dn: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
>> cn: Users
>> description: Users are prevented from making accidental or intentional system-
>>  wide changes and can run most applications
>> member: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>> member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
>> member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
>> instanceType: 4
>> whenCreated: 20150329223248.0Z
>> uSNCreated: 3563
>> name: Users
>> objectGUID: 509b16e2-e317-4c9b-937c-e3480a498961
>> objectSid: S-1-5-32-545
>> sAMAccountName: Users
>> sAMAccountType: 536870912
>> systemFlags: -1946157056
>> groupType: -2147483643
>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ads,DC=ccenter,DC=lan
>> isCriticalSystemObject: TRUE
>> gidNumber: 30002
>> whenChanged: 20150329223254.0Z
>> objectClass: top
>> objectClass: posixGroup
>> objectClass: group
>> msSFU30NisDomain: ccenter
>> uSNChanged: 3798
>> distinguishedName: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
>>
>>> and the same command will show who '3000009' is:
>>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>>> '(&(objectClass=sidMap)(xidNumber=3000009))'
>>> If you haven't got 'ldbedit', install ldb-tools
>> That is one handy tool, I may say!
>>
>>> When you run the second command, what does the line that starts 'cn:' show ?
>> Nothing useful, unfortunately.

> Yes it does :-)

> It shows that your '3000009', like my '3000013', is the group 'Everyone'.

>>
>> # ldbedit -e cat -H /var/lib/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000009))'
>> # editing 1 records
>> # record 1
>> dn: CN=S-1-1-0
>> cn: S-1-1-0
>> objectClass: sidMap
>> objectSid: S-1-1-0
>> type: ID_TYPE_BOTH
>> xidNumber: 3000009
>> distinguishedName: CN=S-1-1-0
>>
>> # 0 adds  0 modifies  0 deletes
>>
>> I suppose the group mapping is screwed somehow.
>> Maybe I've copied the wrong tdb from the PDC?
>>

> Now as we have confirmed that your windows DC is running the same
> command as mine and mine works, we need to look at what is different
> between your DC and mine. This would seem to be that samba cannot write
> to the /tmp directory, so I will ask again (but in a slightly different
> way), what does 'ls -la / | grep tmp' show ??

> Mine shows this:

> root@dc01:~# ls -la / | grep tmp
> drwxrwxrwt  8 root root  4096 Mar 30 22:09 tmp

> Which shows that any user or group can read, write or enter the /tmp
> directory.

Mine shows the same. I intended to include it, but it got lost in the resend somehow.

# ls -ld /tmp
drwxrwxrwt 2 root root 4096 Mar 30 23:47 /tmp
# ls -lnd /tmp
drwxrwxrwt 2 0 0 4096 Mar 30 23:47 /tmp

That's why I'm puzzled to no end.
Any logs I can enable to get better info?

--
With best regards,
Andrey Repin
Tuesday, March 31, 2015 00:51:30

Sorry for my terrible English...