Markus Dellermann
2016-Feb-02 11:26 UTC
[Samba] samba_upgradedns returned an error "Unable to find uid/gid for Domain Admins "
On Tuesday, 2 February 2016, 09:51:03 CET, Rowland penny wrote:
> On 01/02/16 22:24, Markus Dellermann wrote:
> > Hi all,
> >
> > I'm using samba 4.3.4 as "ad", "migrated by classicupgrade" some time ago
> > from an nt4-domain.
> >
> > By trying
> > samba_upgradedns --dns-backend=BIND9_DLZ
> >
> > I get the following error:
> >
> > Traceback (most recent call last):
> >   File "/usr/sbin/samba_upgradedns", line 262, in <module>
> >     paths, lp.configfile, lp)
> >   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 298, in find_provision_key_parameters
> >     raise ProvisioningError("Unable to find uid/gid for Domain Admins rid (%s-%s" % (str(names.domainsid), security.DOMAIN_RID_ADMINISTRATOR))
> > samba.provision.ProvisioningError: ProvisioningError: Unable to find uid/gid for Domain Admins rid (S-1-5-21-855155194-824588496-1214258294-500
> >
> > "Domain Admins" seems to be in "ad"
>
> Domain Admins may be in AD but that is not what is being searched for,
> it is actually searching for Administrator, have you done anything to
> Administrator in AD or idmap.ldb ?
>
> Rowland

Hi Rowland,
ah, ok - thank you for your answer.

There is a local user named "administrator" in /etc/passwd
administrator:x:1039:100::/home/administrator:/bin/bash
There was a username-mapping in /etc/samba/smbusers
#!root = MYDOMAIN\Administrator MYDOMAIN\administrator Administrator administrator
I have changed this two months ago, because that shouldn't be needed.(?)
Domain-Administrators UID in "aduc" is "10000" - is this correct?

In my nt4-domain the domain-administrator was mapped to root and the rid "500"
was assigned to root
Maybe this is missing now?
Do I have to assign this again?

Thank you

Markus
Rowland penny
2016-Feb-02 12:09 UTC
[Samba] samba_upgradedns returned an error "Unable to find uid/gid for Domain Admins "
On 02/02/16 11:26, Markus Dellermann wrote:
> On Tuesday, 2 February 2016, 09:51:03 CET, Rowland penny wrote:
>> On 01/02/16 22:24, Markus Dellermann wrote:
>>> Hi all,
>>>
>>> I'm using samba 4.3.4 as "ad", "migrated by classicupgrade" some time ago
>>> from an nt4-domain.
>>>
>>> By trying
>>> samba_upgradedns --dns-backend=BIND9_DLZ
>>>
>>> I get the following error:
>>>
>>> Traceback (most recent call last):
>>>   File "/usr/sbin/samba_upgradedns", line 262, in <module>
>>>     paths, lp.configfile, lp)
>>>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 298, in find_provision_key_parameters
>>>     raise ProvisioningError("Unable to find uid/gid for Domain Admins rid (%s-%s" % (str(names.domainsid), security.DOMAIN_RID_ADMINISTRATOR))
>>> samba.provision.ProvisioningError: ProvisioningError: Unable to find uid/gid for Domain Admins rid (S-1-5-21-855155194-824588496-1214258294-500
>>>
>>> "Domain Admins" seems to be in "ad"
>> Domain Admins may be in AD but that is not what is being searched for,
>> it is actually searching for Administrator, have you done anything to
>> Administrator in AD or idmap.ldb ?
>>
>> Rowland
> Hi Rowland,
> ah, ok - thank you for your answer.
>
> There is a local user named "administrator" in /etc/passwd
> administrator:x:1039:100::/home/administrator:/bin/bash
> There was a username-mapping in /etc/samba/smbusers
> #!root = MYDOMAIN\Administrator MYDOMAIN\administrator Administrator administrator
> I have changed this two months ago, because that shouldn't be needed.(?)
> Domain-Administrators UID in "aduc" is "10000" - is this correct?
>
> In my nt4-domain the domain-administrator was mapped to root and the rid "500"
> was assigned to root
> Maybe this is missing now?
> Do I have to assign this again?
>
> Thank you
>
> Markus
>

Ok, there are two schools of thought here, you can give Administrator a
uidNumber attribute, but this, as far as Unix is concerned, turns
'Administrator' into just another user, with no more privileges than any
other Unix user.

What I use on a domain member and recommend, is the use of the user
mapping in smb.conf, with this 'Administrator' becomes 'root' and as
such, has all the privileges of 'root'.

However, you are trying to do something on a DC and you shouldn't use
the name mapping, as this should be done for you in idmap.ldb. I suggest
you remove any users that appear in /etc/passwd, such as administrator,
that are also in AD, I would also remove the uidNumber attribute from
'Administrator' in AD.

This should then reset 'Administrator' to '0'

If I run 'getent passwd administrator' on a DC, I get:

SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash

but if I run the same command on a domain member, I get nothing.

Rowland
Markus Dellermann
2016-Feb-02 13:38 UTC
[Samba] samba_upgradedns returned an error "Unable to find uid/gid for Domain Admins "
Hi again,

On Tuesday, 2 February 2016, 12:09:59 CET, Rowland penny wrote:
> On 02/02/16 11:26, Markus Dellermann wrote:
> > On Tuesday, 2 February 2016, 09:51:03 CET, Rowland penny wrote:
> >> On 01/02/16 22:24, Markus Dellermann wrote:
[....]
> Ok, there are two schools of thought here, you can give Administrator a
> uidNumber attribute, but this, as far as Unix is concerned, turns
> 'Administrator' into just another user, with no more privileges than any
> other Unix user.
>
> What I use on a domain member and recommend, is the use of the user
> mapping in smb.conf, with this 'Administrator' becomes 'root' and as
> such, has all the privileges of 'root'.
>

Yes, so it is here alright on my members..

> However, you are trying to do something on a DC and you shouldn't use
> the name mapping, as this should be done for you in idmap.ldb. I suggest
> you remove any users that appear in /etc/passwd, such as administrator,
> that are also in AD, I would also remove the uidNumber attribute from
> 'Administrator' in AD.

OK

>
> This should then reset 'Administrator' to '0'
>

I have inserted 0 there now and it gave "its already assigned..."
I see now, there is the user "root" in ad with uid 0
I changed this, but maybe I should delete root from ad ?
(I think, I should have changed this before classicupgrade)

> If I run 'getent passwd administrator' on a DC, I get:
>
> SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
>

No, nothing, hm....

master:~ # getent passwd administrator
master:~ # getent passwd Administrator
master:~ # pdbedit -Lv administrator
Unix username: Administrator
NT username:
Account Flags: [U ]
User SID: S-1-5-21-855155194-824588496-1214258294-500
Primary Group SID: S-1-5-21-855155194-824588496-1214258294-513
Full Name:
Home Directory: \\samba\home\administrator
HomeDir Drive: H:
Logon Script:
Profile Path: \\samba\profiles\administrator\.msprofile
Domain:
Account desc: Built-in account for administering the computer/domain
Workstations:
Munged dial:
Logon time: Di, 02 Feb 2016 11:38:16 CET
Logoff time: 0
Kickoff time: Do, 14 Sep 30828 04:48:05 CEST
Password last set: Mi, 30 Sep 2015 19:23:24 CEST
Password can change: Mi, 30 Sep 2015 19:23:24 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
master:~ # wbinfo -i administrator
4MA3MA\administrator:*:10000:10004::/home/4MA3MA/administrator:/bin/false

"samba_upgradedns --dns-backend=BIND9_DLZ" still doesn't work

> but if I run the same command on a domain member, I get nothing.
>

Yes!

> Rowland

Markus
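Added example, not part of the thread and not Samba code: a shell check for the two DC conditions discussed above, a local /etc/passwd account that duplicates Administrator and an Administrator entry that does not resolve to uid 0. The function names are this example's own; the sample lines are the ones quoted in the messages, plus a constructed root entry.

```shell
#!/bin/sh
# Added example (not from the thread): the two DC checks Rowland describes,
# run over passwd(5)-format text so it works offline.

# List accounts in passwd file $1 whose name equals $2 ignoring case, i.e.
# local users that duplicate an AD account such as Administrator.
local_name_collisions() {
    awk -F: -v want="$2" 'tolower($1) == tolower(want) { print $1 " uid=" $3 }' "$1"
}

# Print the uid field of one passwd-format line ($1), as printed by
# `getent passwd administrator` or `wbinfo -i administrator`.
passwd_line_uid() {
    printf '%s\n' "$1" | awk -F: 'NF == 7 { print $3 }'
}

# Print findings for a DC; the return status is the number of findings.
# $1 = local passwd file, $2 = passwd-format line for Administrator (may be empty)
dc_admin_findings() {
    n=0
    hits=$(local_name_collisions "$1" administrator)
    if [ -n "$hits" ]; then
        echo "local account duplicates AD Administrator: $hits"
        n=$((n + 1))
    fi
    uid=$(passwd_line_uid "$2")
    if [ -z "$uid" ]; then
        echo "Administrator does not resolve to a passwd entry"
        n=$((n + 1))
    elif [ "$uid" != "0" ]; then
        echo "Administrator maps to uid $uid, expected 0 on a DC (per Rowland's reply)"
        n=$((n + 1))
    fi
    return "$n"
}

# Sample data: the local passwd entry quoted in the thread, plus a
# constructed root line.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
administrator:x:1039:100::/home/administrator:/bin/bash
EOF

# The `wbinfo -i administrator` line from the message above: two findings.
dc_admin_findings "$SAMPLE_PASSWD" '4MA3MA\administrator:*:10000:10004::/home/4MA3MA/administrator:/bin/false' || true
```

On a live DC the first argument would be /etc/passwd and the second the output of `getent passwd administrator`.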
Denis Cardon
2016-Feb-02 19:42 UTC
[Samba] samba_upgradedns returned an error "Unable to find uid/gid for Domain Admins "
Hi Rowland et al.,

> On 02/02/16 11:26, Markus Dellermann wrote:
>> On Tuesday, 2 February 2016, 09:51:03 CET, Rowland penny wrote:
>>> On 01/02/16 22:24, Markus Dellermann wrote:
>>>> Hi all,
>>>>
>>>> I'm using samba 4.3.4 as "ad", "migrated by classicupgrade" some
>>>> time ago
>>>> from an nt4-domain.
>>>>
>>>> By trying
>>>> samba_upgradedns --dns-backend=BIND9_DLZ
>>>>
>>>> I get the following error:
>>>>
>>>> Traceback (most recent call last):
>>>>   File "/usr/sbin/samba_upgradedns", line 262, in <module>
>>>>     paths, lp.configfile, lp)
>>>>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 298, in find_provision_key_parameters
>>>>     raise ProvisioningError("Unable to find uid/gid for Domain Admins rid (%s-%s" % (str(names.domainsid), security.DOMAIN_RID_ADMINISTRATOR))
>>>> samba.provision.ProvisioningError: ProvisioningError: Unable to find uid/gid for Domain Admins rid (S-1-5-21-855155194-824588496-1214258294-500
>>>>
>>>> "Domain Admins" seems to be in "ad"
>>> Domain Admins may be in AD but that is not what is being searched for,
>>> it is actually searching for Administrator, have you done anything to
>>> Administrator in AD or idmap.ldb ?
>>>
>>> Rowland
>> Hi Rowland,
>> ah, ok - thank you for your answer.
>>
>> There is a local user named "administrator" in /etc/passwd
>> administrator:x:1039:100::/home/administrator:/bin/bash
>> There was a username-mapping in /etc/samba/smbusers
>> #!root = MYDOMAIN\Administrator MYDOMAIN\administrator Administrator administrator
>> I have changed this two months ago, because that shouldn't be needed.(?)
>> Domain-Administrators UID in "aduc" is "10000" - is this correct?
>>
>> In my nt4-domain the domain-administrator was mapped to root and the
>> rid "500"
>> was assigned to root
>> Maybe this is missing now?
>> Do I have to assign this again?
>>
>> Thank you
>>
>> Markus
>>
>
> Ok, there are two schools of thought here, you can give Administrator a
> uidNumber attribute, but this, as far as Unix is concerned, turns
> 'Administrator' into just another user, with no more privileges than any
> other Unix user.
>
> What I use on a domain member and recommend, is the use of the user
> mapping in smb.conf, with this 'Administrator' becomes 'root' and as
> such, has all the privileges of 'root'.

To be picky on the terms, I'd say that the Windows equivalent of the root
user would be "Local System". The Administrator account is some kind of a
super sudoer on modern versions of Windows (cf. UAC et al.), and still there
are many things that you cannot do unless going with "Local System".

And concerning domain member user mapping, some security ayatollah might
even say that you should not use "domain admins" accounts for anything other
than AD maintenance, and urge you to use a less privileged account with some
extra local privileges to do domain member maintenance.

Cheers,

Denis

> However, you are trying to do something on a DC and you shouldn't use
> the name mapping, as this should be done for you in idmap.ldb. I suggest
> you remove any users that appear in /etc/passwd, such as administrator,
> that are also in AD, I would also remove the uidNumber attribute from
> 'Administrator' in AD.
>
> This should then reset 'Administrator' to '0'
>
> If I run 'getent passwd administrator' on a DC, I get:
>
> SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
>
> but if I run the same command on a domain member, I get nothing.
>
> Rowland
>
>

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr