samba - Feb 2016 - samba_upgradedns returned an error "Unable to find uid/gid for Domain Admins "

Hi again,

Am Dienstag, 2. Februar 2016, 12:09:59 CET schrieb Rowland
penny:
> On 02/02/16 11:26, Markus Dellermann wrote:
> > Am Dienstag, 2. Februar 2016, 09:51:03 CET schrieb Rowland penny:
> >> On 01/02/16 22:24, Markus Dellermann wrote:
[....]
> Ok, there are two schools of thought here, you can give Administrator a
> uidNumber attribute, but this, as far as Unix is concerned, turns
> 'Administrator' into just another user, with no more privileges
than any
> other Unix user.
> 
> What I use on a domain member and recommend, is the use of the user
> mapping in smb.conf, with this 'Administrator' becomes
'root' and as
> such, has all the privileges of 'root'.
> 
Yes, so it is here alright on my members..
> However, you are trying to do something on a DC and you shouldn't use
> the name mapping, as this should be done for you in idmap.ldb. I suggest
> you remove any users that appear in /etc/passwd, such as administrator,
> that are also in AD, I would also remove the uidNumber attribute from
> 'Administrator' in AD.
OK
> 
> This should then reset 'Administrator' to '0'
> 
I have insert 0 there now and it gave "its already assigned...
I see now, there is the user "root" in ad with uid 0
I changed this, but maybe i should delete root from ad ?
(I think, i should have changed this before
classicupgrade)
> If I run 'getent passwd administrator' on a DC, I get:
> 
> SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
> 
No, nothing, hm....
master:~ # getent passwd administrator
master:~ # getent passwd Administrator

master:~ # pdbedit -Lv administrator
Unix username:        Administrator
NT username:          
Account Flags:        [U          ]
User SID:             S-1-5-21-855155194-824588496-1214258294-500
Primary Group SID:    S-1-5-21-855155194-824588496-1214258294-513
Full Name:            
Home Directory:       \\samba\home\administrator
HomeDir Drive:        H:
Logon Script:         
Profile Path:         \\samba\profiles\administrator\.msprofile
Domain:               
Account desc:         Built-in account for administering the computer/domain
Workstations:         
Munged dial:          
Logon time:           Di, 02 Feb 2016 11:38:16 CET
Logoff time:          0
Kickoff time:         Do, 14 Sep 30828 04:48:05 CEST
Password last set:    Mi, 30 Sep 2015 19:23:24 CEST
Password can change:  Mi, 30 Sep 2015 19:23:24 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

master:~ # wbinfo -i administrator
4MA3MA\administrator:*:10000:10004::/home/4MA3MA/administrator:/bin/false


"samba_upgradedns --dns-backend=BIND9_DLZ" still doesnt work
> but if run the same command on a domain member, I get nothing.
> 
Yes!
> Rowland
Markus

On 02/02/16 13:38, Markus Dellermann wrote:
> Hi again,
>
> Am Dienstag, 2. Februar 2016, 12:09:59 CET schrieb Rowland penny:
>> On 02/02/16 11:26, Markus Dellermann wrote:
>>> Am Dienstag, 2. Februar 2016, 09:51:03 CET schrieb Rowland penny:
>>>> On 01/02/16 22:24, Markus Dellermann wrote:
> [....]
>> Ok, there are two schools of thought here, you can give Administrator a
>> uidNumber attribute, but this, as far as Unix is concerned, turns
>> 'Administrator' into just another user, with no more privileges
than any
>> other Unix user.
>>
>> What I use on a domain member and recommend, is the use of the user
>> mapping in smb.conf, with this 'Administrator' becomes
'root' and as
>> such, has all the privileges of 'root'.
>>
> Yes, so it is here alright on my members..
>
>> However, you are trying to do something on a DC and you shouldn't
use
>> the name mapping, as this should be done for you in idmap.ldb. I
suggest
>> you remove any users that appear in /etc/passwd, such as administrator,
>> that are also in AD, I would also remove the uidNumber attribute from
>> 'Administrator' in AD.
> OK
>> This should then reset 'Administrator' to '0'
>>
> I have insert 0 there now and it gave "its already assigned...
No, I said *remove* the uidNumber attribute from Administrator in AD. If 
I run (on a DC) 'ldbedit -e nano -H /usr/local/samba/private/sam.ldb' 
and then search for Administrator, I get this:

dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20151106115615.0Z
uSNCreated: 3545
name: Administrator
objectGUID: fc9d301b-d893-4cc7-8167-8d977c531afb
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130912845750000000
primaryGroupID: 513
objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
adminCount: 1
logonCount: 0
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: 
CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
  om
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com
memberOf: CN=Group Policy Creator 
Owners,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
userAccountControl: 66048
accountExpires: 0
whenChanged: 20151111112600.0Z
uSNChanged: 5899
distinguishedName: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com

If I then run 'ldbedit -e nano -H /usr/local/samba/private/idmap.ldb' 
and search for the SID-RID I obtained above, I get this:

dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
objectClass: sidMap
objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500

The above is what maps 'Administrator' to 'root' on a DC.
> I see now, there is the user "root" in ad with uid 0
> I changed this, but maybe i should delete root from ad ?
No, put root back to being uid 0
> (I think, i should have changed this before classicupgrade)
Again NO.
>> If I run 'getent passwd administrator' on a DC, I get:
>>
>> SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
>>
> No, nothing, hm....
> master:~ # getent passwd administrator
> master:~ # getent passwd Administrator
This is probably because you are messing with Administrator.

Rowland

Hi!
Am Dienstag, 2. Februar 2016, 13:58:59 CET schrieb Rowland
penny:
> On 02/02/16 13:38, Markus Dellermann wrote:
> > Hi again,
> > 
> > Am Dienstag, 2. Februar 2016, 12:09:59 CET schrieb Rowland penny:
> >> On 02/02/16 11:26, Markus Dellermann wrote:
> >>> Am Dienstag, 2. Februar 2016, 09:51:03 CET schrieb Rowland
penny:
> >>>> On 01/02/16 22:24, Markus Dellermann wrote:
> > [....]
> > 
[...]
> > I have insert 0 there now and it gave "its already assigned...
> 
> No, I said *remove* the uidNumber attribute from Administrator in AD. If
Yes you have!
> I run (on a DC) 'ldbedit -e nano -H
/usr/local/samba/private/sam.ldb'
> and then search for Administrator, I get this:
> 
> dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Administrator
> description: Built-in account for administering the computer/domain
> instanceType: 4
> whenCreated: 20151106115615.0Z
> uSNCreated: 3545
> name: Administrator
> objectGUID: fc9d301b-d893-4cc7-8167-8d977c531afb
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 130912845750000000
> primaryGroupID: 513
> objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> adminCount: 1
> logonCount: 0
> sAMAccountName: Administrator
> sAMAccountType: 805306368
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
>   om
> isCriticalSystemObject: TRUE
> memberOf: CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com
> memberOf: CN=Group Policy Creator
> Owners,CN=Users,DC=samdom,DC=example,DC=com
> memberOf: CN=Enterprise Admins,CN=Users,DC=samdom,DC=example,DC=com
> memberOf: CN=Schema Admins,CN=Users,DC=samdom,DC=example,DC=com
> memberOf: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
> userAccountControl: 66048
> accountExpires: 0
> whenChanged: 20151111112600.0Z
> uSNChanged: 5899
> distinguishedName: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
> 
OK!
> If I then run 'ldbedit -e nano -H
/usr/local/samba/private/idmap.ldb'
> and search for the SID-RID I obtained above, I get this:
> 
> dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> objectClass: sidMap
> objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> 
> The above is what maps 'Administrator' to 'root' on a DC.
> 
Argh!

ldbedit -e nano -H  /var/lib/samba/private/idmap.ldb        
no matching records - cannot edit

Something seems to go wrong here.
To be short - i replaced to idmap.ldb from my backup now and it works!
> > I see now, there is the user "root" in ad with uid 0
> > I changed this, but maybe i should delete root from ad ?
> 
> No, put root back to being uid 0
OK
> > (I think, i should have changed this before classicupgrade)
> 
> Again NO.
> 
> >> If I run 'getent passwd administrator' on a DC, I get:
> >> 
> >> SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
> > 
> > No, nothing, hm....
> > master:~ # getent passwd administrator
> > master:~ # getent passwd Administrator
> 
This doesn`t show anything yet...
> This is probably because you are messing with Administrator.
> 
> Rowland
Thank you very much!

Markus