Achim Gottinger
2016-Dec-02 00:47 UTC
[Samba] workaround needed for Security Principals, and SID's mapping bug.
On 01.12.2016 at 13:35, L.P.H. van Belle via samba wrote:
> Hai Rowland,
>
> This happens when I'm creating a "Scheduled task",
> this task needs NT AUTHORITY\System but you need to select the account,
> when you select the account a sid/rid mapping is done and this fails.
> Resulting in the windows event id and error code.
> While searching for that I found that I can't type the username.
> You must select it.
>
> To reproduce.
>
> Create a GPO:
> Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks.
> Right click in the blank pane and select New > Scheduled Task (Windows Vista and later).
>
> Tab General, click on Change user or Group.
> Now go through step 1-5.
>
> I found some related bugs to NT Authority\system mismatch.
> https://bugzilla.samba.org/show_bug.cgi?id=11677
> https://bugzilla.samba.org/show_bug.cgi?id=11997
> all are: sid s-1-5-18 SID: S-1-5-19 related.
> There are more.
>
> I went through.
> https://technet.microsoft.com/en-us/library/dn617202(v=ws.11).aspx
> https://technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx
> https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx
>
> And I also did see that a patch was done, but I can't find/see
> if this is the correct fix. (found here: https://attachments.samba.org/attachment.cgi?id=11781 )
>
> I was waiting for 4.5.2 to update my environment and hoping this is fixed.
> It is still expected at 7 dec.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
>> Sent: Thursday, 1 December 2016 12:05
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] workaround needed for Security Principals, and SID's mapping bug.
>>
>> On Thu, 1 Dec 2016 11:10:04 +0100
>> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>>
>>> Hai,
>>>
>>> Does anyone know if this Security Principals, and SID's mapping bug
>>> is resolved or if there is any patch.
>>>
>>> Rowland? Achim? Any samba dev?
>>>
>>> I really need it.
>>>
>>> I'm at samba 4.4.5
>>>
>>> I can't find if it's fixed in 4.4.7 or 4.5.1
>>>
>>> To check if you are affected with this, follow these steps.
>>>
>>> 1. Under "When running the task, use the following user account:", click "Change User or Group..."
>>>
>>> 2. Click "Locations"
>>>
>>> 3. Expand the [domain FQDN] and select the "Builtin" container, then click OK
>>>
>>> 4. In the box labelled "Enter the object name to select:" type "system", then click OK
>>>
>>> 5. You should see "NT AUTHORITY\System" in the box
>>>
>>> If you are affected with this bug, you will see: DOMAIN\system
>>>
>>> And not NT AUTHORITY\System or builtin\system
>>>
>>> Due to the fact that I can't type the username, I need a solution.
>>>
>>> Typing the username will result in:
>>>
>>> Windows (7) event id 4098 error code 0x80041316
>>>
>>> I need a way so step 1-5 does result in: NT AUTHORITY\System
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>> For the stupid amongst us i.e. me ;-)
>>
>> What bug are you referring to ?
>> What are the steps before '1.' ?
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba

Hello Louis,

I'd check the mappings for the SIDs in idmap.ldb:

Are you sure you hit a mapping issue here? These only occur once you hit the filesystem on the Linux side.

achim~
Achim Gottinger
2016-Dec-02 01:08 UTC
[Samba] workaround needed for Security Principals, and SID's mapping bug.
On 02.12.2016 at 01:47, Achim Gottinger via samba wrote:
>
> On 01.12.2016 at 13:35, L.P.H. van Belle via samba wrote:
>> Hai Rowland,
>>
>> This happens when I'm creating a "Scheduled task",
>> this task needs NT AUTHORITY\System but you need to select the account,
>> when you select the account a sid/rid mapping is done and this fails.
>> Resulting in the windows event id and error code.
>> While searching for that I found that I can't type the username.
>> You must select it.
>>
>> To

Tried this and it behaves the same way here. The builtin\SYSTEM account shows up as DOMAINNAME\SYSTEM.

But to run as the local SYSTEM account I think you must pick the Server as search base and then choose the system account. Here this leads to a fault and exit of the GPO management editor.
Achim Gottinger
2016-Dec-02 02:04 UTC
[Samba] workaround needed for Security Principals, and SID's mapping bug.
On 02.12.2016 at 02:08, Achim Gottinger via samba wrote:
>
> On 02.12.2016 at 01:47, Achim Gottinger via samba wrote:
>>
>> On 01.12.2016 at 13:35, L.P.H. van Belle via samba wrote:
>>> Hai Rowland,
>>>
>>> This happens when I'm creating a "Scheduled task",
>>> this task needs NT AUTHORITY\System but you need to select the account,
>>> when you select the account a sid/rid mapping is done and this fails.
>>> Resulting in the windows event id and error code.
>>> While searching for that I found that I can't type the username.
>>> You must select it.
>>>
>>> To
> Tried this and it behaves the same way here. The builtin\SYSTEM
> account shows up as DOMAINNAME\SYSTEM.
>
> But to run as the local SYSTEM account I think you must pick the
> Server as search base and then choose the system account. Here this
> leads to a fault and exit of the GPO management editor.
>

Here I can type in the username. If that does not work for you, you can edit the SchedTask.xml (or similar) file in the GPO folder directly.
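
Added example, not part of the thread and not Samba code: a check for the symptom discussed above, where a task's account is stored as DOMAIN\system instead of NT AUTHORITY\System, with an optional in-place correction. It assumes the GPO file is a Group Policy Preferences ScheduledTasks.xml that holds the account in the `runAs` attribute and the `UserId` element; the sample XML, the EXAMPLE domain and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

EXPECTED = "NT AUTHORITY\\System"

# Constructed sample in the layout assumed for a Group Policy Preferences
# ScheduledTasks.xml; EXAMPLE is a placeholder domain name.
SAMPLE = r"""<ScheduledTasks>
  <TaskV2 name="nightly-cleanup">
    <Properties action="C" name="nightly-cleanup" runAs="EXAMPLE\system" logonType="S4U">
      <Task version="1.2"><Principals><Principal id="Author">
        <UserId>EXAMPLE\system</UserId>
      </Principal></Principals></Task>
    </Properties>
  </TaskV2>
  <TaskV2 name="inventory">
    <Properties action="C" name="inventory" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2"><Principals><Principal id="Author">
        <UserId>NT AUTHORITY\System</UserId>
      </Principal></Principals></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

def is_misresolved(account):
    """SYSTEM was picked, but the authority part is not NT AUTHORITY."""
    authority, _, name = account.strip().rpartition("\\")
    return name.lower() == "system" and authority.upper() != "NT AUTHORITY"

def check_tasks(xml_text, fix=False):
    """Return (findings, xml); with fix=True the flagged values are rewritten."""
    root = ET.fromstring(xml_text)
    findings = []
    for task in root:
        for el in task.iter():
            local = el.tag.rsplit("}", 1)[-1]  # ignore any XML namespace
            if local == "Properties" and is_misresolved(el.get("runAs", "")):
                findings.append((task.get("name"), "runAs", el.get("runAs")))
                if fix:
                    el.set("runAs", EXPECTED)
            elif local == "UserId" and is_misresolved(el.text or ""):
                findings.append((task.get("name"), "UserId", el.text.strip()))
                if fix:
                    el.text = EXPECTED
    return findings, ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    found, fixed = check_tasks(SAMPLE, fix=True)
    for name, field, value in found:
        print(f"{name}: {field} = {value!r}, expected {EXPECTED!r}")
    print("remaining after fix:", check_tasks(fixed)[0])
```
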
L.P.H. van Belle
2016-Dec-02 08:34 UTC
[Samba] workaround needed for Security Principals, and SID's mapping bug.
Exact, and at this point, I'm at also. Here, typing the username results in the windows event and errors out.

Did a lot of research and I'm 100% this is a missing mapping. Typing does not work, I don't know if this is a windows thing or a samba thing. But I found several reports where in a windows 7+ with Server 2008 also errors if you type the username.

And thank you for having a look.. you too Rowland.

Which version samba are you guys running atm?

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Achim Gottinger via samba
> Sent: Friday, 2 December 2016 3:05
> To: samba at lists.samba.org
> Subject: Re: [Samba] workaround needed for Security Principals, and SID's mapping bug.
>
> On 02.12.2016 at 02:08, Achim Gottinger via samba wrote:
> >
> > On 02.12.2016 at 01:47, Achim Gottinger via samba wrote:
> >>
> >> On 01.12.2016 at 13:35, L.P.H. van Belle via samba wrote:
> >>> Hai Rowland,
> >>>
> >>> This happens when I'm creating a "Scheduled task",
> >>> this task needs NT AUTHORITY\System but you need to select the account,
> >>> when you select the account a sid/rid mapping is done and this fails.
> >>> Resulting in the windows event id and error code.
> >>> While searching for that I found that I can't type the username.
> >>> You must select it.
> >>>
> >>> To
> > Tried this and it behaves the same way here. The builtin\SYSTEM
> > account shows up as DOMAINNAME\SYSTEM.
> >
> > But to run as the local SYSTEM account I think you must pick the
> > Server as search base and then choose the system account. Here this
> > leads to a fault and exit of the GPO management editor.
> >
> Here I can type in the username. If that does not work for you, you can
> edit the SchedTask.xml (or similar) file in the GPO folder directly.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba