L.P.H. van Belle
2016-Dec-02 10:35 UTC
[Samba] workaround needed for Security Principals, and SID's mapping bug.
Editing the xml results in the same error (which is logical).

The exact event from Windows.

Eventlog info:
Source : Group Policy Scheduled Tasks.
ID : 4098
USER : SYSTEM

Error code : Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security IDs was done.' This error was suppressed.

So I'll wait until this bug is fixed.

I tried to read the code but that's way more difficult than what I can program. :-((

I'll put this on hold for now, and do it the ugly way,
a bit annoying for my users but it is what it is.

Thanks for all the support.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle via samba
> Sent: Friday 2 December 2016 11:01
> To: samba at lists.samba.org
> Subject: Re: [Samba] workaround needed for Security Principals, and SID's mapping bug.
>
> > Have you tried editing the runAs tag in the corresponding xml file
> > SchedTask.xml or similar in the sysvol policy folder?
> Hmm, no, not yet, I'll go test now.
> I'll report the result later.
>
> And yes, I can create a local one also, that's how I detected the sid/rid/id
> mapping problems.
> But I can't go create 100 tasks locally, that's why I have GPO.
>
> Greet,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Achim Gottinger via samba
> > Sent: Friday 2 December 2016 10:54
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] workaround needed for Security Principals, and SID's mapping bug.
> >
> > On 02.12.2016 at 09:34, L.P.H. van Belle via samba wrote:
> > > Exact, and at this point, I'm at also.
> > >
> > > Here, typing the username results in the Windows event and errors out.
> > > Did a lot of research and I'm 100% this is a missing mapping.
> > > Typing does not work, I don't know if this is a Windows thing or a Samba thing.
> > > But I found several reports where a Windows 7+ with Server 2008 also errors if you type the username.
> > >
> > > And thank you for having a look..
> > > you too Rowland.
> > >
> > > Which version samba are you guys running atm?
> > >
> > > > -----Original message-----
> > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Achim Gottinger via samba
> > > > Sent: Friday 2 December 2016 3:05
> > > > To: samba at lists.samba.org
> > > > Subject: Re: [Samba] workaround needed for Security Principals, and SID's mapping bug.
> > > >
> > > > On 02.12.2016 at 02:08, Achim Gottinger via samba wrote:
> > > > > On 02.12.2016 at 01:47, Achim Gottinger via samba wrote:
> > > > > > On 01.12.2016 at 13:35, L.P.H. van Belle via samba wrote:
> > > > > > > Hai Rowland,
> > > > > > >
> > > > > > > This happens when I'm creating a "Scheduled task",
> > > > > > > this task needs NT AUTHORITY\System but you need to select the account,
> > > > > > > when you select the account a sid/rid mapping is done and this fails.
> > > > > > > Resulting in the Windows event id and error code.
> > > > > > > While searching for that I found that I can't type the username.
> > > > > > > You must select it.
> > > > > > >
> > > > > > > To
> > > > > Tried this and it behaves the same way here. The builtin\SYSTEM
> > > > > account shows up as DOMAINNAME\SYSTEM.
> > > > >
> > > > > But to run as the local SYSTEM account I think you must pick the
> > > > > Server as search base and then choose the system account. Here this
> > > > > leads to a fault and exit of the GPO management editor.
> > > > >
> > > > Here I can type in the username. If that does not work for you, you can
> > > > edit the SchedTask.xml (or similar) file in the GPO folder directly.
> > > >
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions: https://lists.samba.org/mailman/options/samba
> > I tested against a server running Debian wheezy with SerNet's Samba
> > package version 4.2.
> > Using Windows 7 as a client I can edit the username field.
> > Have you tried editing the runAs tag in the corresponding xml file
> > SchedTask.xml or similar in the sysvol policy folder?
> > On a sidenote, if I create a task directly (not via GPO) I can select the
> > local system account and the builtin\system account. Both show up as
> > nt-authority\system (localized).
Achim Gottinger
2016-Dec-02 14:36 UTC
[Samba] workaround needed for Security Principals, and SID's mapping bug.
On 02.12.2016 at 11:35, L.P.H. van Belle via samba wrote:
> Editing the xml results in the same error (which is logical).
>
> The exact event from Windows.
>
> Eventlog info:
> Source : Group Policy Scheduled Tasks.
> ID : 4098
> USER : SYSTEM
>
> Error code : Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security IDs was done.' This error was suppressed.
>
> So I'll wait until this bug is fixed.
>
> I tried to read the code but that's way more difficult than what I can program. :-((
>
> I'll put this on hold for now, and do it the ugly way,
> a bit annoying for my users but it is what it is.
>
> Thanks for all the support.
>
> Greetz,
>
> Louis
>
What did you use as runAs?

Found this similar issue
http://www.rozmazat.cz/articles/2015/05/07/no-mapping-between-account-names-and-security-ids-was-done.html
Achim Gottinger
2016-Dec-02 14:42 UTC
[Samba] workaround needed for Security Principals, and SID's mapping bug.
Another page with your issue:
http://trentent.blogspot.de/2014/10/group-policy-preferences-scheduled-task.html
This seems to be a Windows bug.

On 02.12.2016 at 11:35, L.P.H. van Belle via samba wrote:
> Editing the xml results in the same error (which is logical).
>
> The exact event from Windows.
>
> Eventlog info:
> Source : Group Policy Scheduled Tasks.
> ID : 4098
> USER : SYSTEM
>
> Error code : Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security IDs was done.' This error was suppressed.
>
> So I'll wait until this bug is fixed.
>
> I tried to read the code but that's way more difficult than what I can program. :-((
>
> I'll put this on hold for now, and do it the ugly way,
> a bit annoying for my users but it is what it is.
>
> Thanks for all the support.
>
> Greetz,
>
> Louis
L.P.H. van Belle
2016-Dec-02 16:02 UTC
[Samba] workaround needed for Security Principals, and SID's mapping bug.
I tried both and more.

Tried :
BUILTIN\SYSTEM
NT AUTORITY\SYSTEM
.\SYSTEM
SYSTEM

This policy must run as "computer", not user.
So I've set :
Run whether user is logged on or not.
(x) do not store password.

But for now, I'm leaving it.
I'll think it over this weekend.
Maybe I'll create a new system-like user for it.

Many thanks for thinking with me.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Achim Gottinger via samba
> Sent: Friday 2 December 2016 15:36
> To: samba at lists.samba.org
> Subject: Re: [Samba] workaround needed for Security Principals, and SID's mapping bug.
>
> What did you use as runAs?
>
> Found this similar issue
> http://www.rozmazat.cz/articles/2015/05/07/no-mapping-between-account-names-and-security-ids-was-done.html
L.P.H. van Belle
2016-Dec-02 16:10 UTC
[Samba] workaround needed for Security Principals, and SID's mapping bug.
No, I believe that guy is wrong.

MS-DTYP
https://msdn.microsoft.com/en-us/library/cc980032.aspx

NT AUTHORITY\SYSTEM S-1-5-18
NT AUTHORITY\authenticated users S-1-5-11
Etc etc.

Monday I'll have a look again.

Have a nice weekend everybody.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Achim Gottinger via samba
> Sent: Friday 2 December 2016 15:42
> To: samba at lists.samba.org
> Subject: Re: [Samba] workaround needed for Security Principals, and SID's mapping bug.
>
> Another page with your issue:
> http://trentent.blogspot.de/2014/10/group-policy-preferences-scheduled-task.html
> This seems to be a Windows bug.
Rowland Penny
2016-Dec-02 16:27 UTC
[Samba] workaround needed for Security Principals, and SID's mapping bug.
On Fri, 2 Dec 2016 17:10:06 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> No, I believe that guy is wrong.
>
> MS-DTYP
> https://msdn.microsoft.com/en-us/library/cc980032.aspx
>
> NT AUTHORITY\SYSTEM S-1-5-18
> NT AUTHORITY\authenticated users S-1-5-11
> Etc etc.
>
> Monday I'll have a look again.
>
> Have a nice weekend everybody.
>
> Greetz,
>
> Louis
>
There may be something in what the guy is saying. He is saying that 'SYSTEM' was being treated as a group, and if you check in idmap.ldb, 'S-1-5-18' is 'ID_TYPE_BOTH'. I wonder if changing this to 'ID_TYPE_UID' would have any effect?

Rowland
Hai,

Does anyone know more if this is addressed, or point me to the bug report?
There should be one, but I can't find it.

I'm finding the following again, tested with samba 4.4.5, now samba 4.5.3.
These reports go back to the year 2013. I searched in my mail samba folder for S-1-5-18.

The problem.
I create a "computer" Scheduled task.
Now this task MUST run as : SYSTEM (S-1-5-18)

After typing "SYSTEM" in "Change user/group" (at security options) in the task,
it changes to : NTDOM\SYSTEM
With user : NTDOM\SYSTEM

Resulting in :
http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
This exact event.
And the ScheduledTask is not applied to the computer, not even created on the computer.

Now when I change it to : NT Authority\SYSTEM
It creates the needed task, but it does not run; the error:
http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
again.

Now when I change it to : SYSTEM
It does not create the needed task, and it does not run; the error:
http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
again.

I also tested this on several computers outside the domain.
That works fine with user "NT Authority\SYSTEM".

Reproducible steps:
Create a scheduled task in GPO. User or computer, that does not matter.
At security context, set (try to set) user SYSTEM.

Do read: https://technet.microsoft.com/en-us/library/dd851678(v=ws.11).aspx
And see here, Security options :
Computer Configuration: by default the task is run in the security context of the SYSTEM account.

And in case of a Samba AD DC, this will never work since SYSTEM isn't correctly mapped.

On both DCs:
wbinfo -G 3000002
wbinfo -s S-1-5-18
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-18

I'm open to any suggestion EXCEPT changing the user in the scheduled task.

This is my complete smb.conf of my samba 4.5.3 (on Debian Jessie).
Maybe I missed something here.

[global]
workgroup = NTDOM
realm = INTERNAL.DOMAIN.TLD
netbios name = DC1
server role = active directory domain controller
server services = -dns
interfaces = 192.168.0.1 127.0.0.1
bind interfaces only = yes
time server = yes
idmap_ldb:use rfc2307 = yes

## map id's outside the domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999
winbind nss info = rfc2307
winbind expand groups = 4
template shell = /bin/bash
template homedir = /home/users/%U

## disable printing completely and no error log messages.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# disable usershare creating, when set empty no error log messages.
usershare path =

# Add and Update TLS Key
tls enabled = yes
tls keyfile = /etc/ssl/local/private/xxxxx.key.pem
tls certfile = /etc/ssl/local/certs/xxxxx.cert.pem
tls cafile = /etc/ssl/certs/xxxxx-ca.pem

[sysvol]
path = /home/samba/sysvol
read only = No
acl_xattr:ignore system acls = yes

[netlogon]
path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
read only = No
acl_xattr:ignore system acls = yes

Greetz,

Louis
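The thread turns on which spelling of the SYSTEM principal ends up in the GPP scheduled-task XML (the runAs value Achim suggests editing in SchedTask.xml) and on which names the MS-DTYP well-known SID table actually defines (the cc980032 page Louis cites). The script below is an added example, not code from the Samba project or from anyone in the thread: it reads a ScheduledTasks.xml document, classifies every runAs against the MS-DTYP table, and flags the DOMAIN\SYSTEM, BUILTIN\SYSTEM and .\SYSTEM forms that the thread reports being rewritten to and failing with 0x80070534. The element and attribute layout (a ScheduledTasks root, Task/TaskV2 children, Properties with a runAs attribute), the SYSVOL path in the comment, and the sample XML are all assumptions made for this example; the SID values themselves are the published MS-DTYP ones.

```python
"""Audit the runAs principals in a Group Policy Preferences ScheduledTasks.xml.

Added example, not code from the Samba project or from anyone in the thread.
Assumptions: the GPP file layout (<ScheduledTasks> containing <Task>/<TaskV2>
elements whose <Properties> carry a runAs attribute) and the SYSVOL path
mentioned in main() come from the author's reading of the format, not from
the page.  The SID values are the published MS-DTYP well-known SIDs.
"""
import xml.etree.ElementTree as ET

# From the MS-DTYP well-known SID table (the msdn cc980032 page cited in the
# thread); only the principals a machine scheduled task is likely to run as.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
}
# Reverse table, compared case-insensitively as Windows name lookups are.
WELL_KNOWN_NAMES = {name.upper(): sid for sid, name in WELL_KNOWN_SIDS.items()}

# Bare names that exist only under the NT AUTHORITY authority.  Prefixed with
# the domain, BUILTIN or "." they ask the DC to resolve a name it does not
# own; NTDOM\SYSTEM is the form the thread reports failing with 0x80070534.
NT_AUTHORITY_ONLY = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

TASK_ELEMENTS = {"Task", "TaskV2", "ImmediateTask", "ImmediateTaskV2"}


def classify_run_as(run_as, domain_netbios):
    """Return (verdict, sid) for one runAs value.

    well-known           -> spelled as MS-DTYP defines it; resolvable without a DC
    unqualified-builtin  -> "SYSTEM" with no authority; the thread reports the
                            editor rewriting this to DOMAIN\\SYSTEM
    misqualified-builtin -> DOMAIN\\SYSTEM, BUILTIN\\SYSTEM, .\\SYSTEM: needs fixing
    domain-account       -> a principal the DC is expected to resolve
    unknown              -> anything else
    """
    value = run_as.strip()
    authority, sep, name = value.rpartition("\\")
    if not sep:
        authority, name = "", value
    if value.upper() in WELL_KNOWN_NAMES:
        return "well-known", WELL_KNOWN_NAMES[value.upper()]
    if name.upper() in NT_AUTHORITY_ONLY:
        return ("misqualified-builtin" if sep else "unqualified-builtin"), None
    if authority.upper() == domain_netbios.upper():
        return "domain-account", None
    return "unknown", None


def audit_scheduled_tasks_xml(xml_text, domain_netbios):
    """Parse a ScheduledTasks.xml document and classify every task's runAs."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag not in TASK_ELEMENTS:
            continue
        props = elem.find("Properties")
        run_as = props.get("runAs") if props is not None else None
        if run_as is None:  # delete actions and user-context tasks carry no runAs
            continue
        verdict, sid = classify_run_as(run_as, domain_netbios)
        findings.append({"task": elem.get("name", "?"), "runAs": run_as,
                         "verdict": verdict, "sid": sid})
    return findings


def needs_attention(findings):
    """Findings an admin should fix before the GPO is applied to computers."""
    return [f for f in findings if f["verdict"] not in ("well-known", "domain-account")]


# Constructed sample, modelled on the thread: one task written as MS-DTYP
# spells it, one rewritten by the editor to NTDOM\SYSTEM, one real service
# account, and one delete action with no runAs at all.
SAMPLE_XML = """<ScheduledTasks>
  <Task name="inventory-ok">
    <Properties action="C" name="inventory-ok" runAs="NT AUTHORITY\\SYSTEM"/>
  </Task>
  <Task name="inventory-rewritten">
    <Properties action="C" name="inventory-rewritten" runAs="NTDOM\\SYSTEM"/>
  </Task>
  <TaskV2 name="backup-svc">
    <Properties action="C" name="backup-svc" runAs="NTDOM\\svc-backup"/>
  </TaskV2>
  <Task name="cleanup-delete">
    <Properties action="D" name="cleanup-delete"/>
  </Task>
</ScheduledTasks>
"""

if __name__ == "__main__":
    # Against a real domain you would read the file from SYSVOL, e.g.
    # <sysvol>/<realm>/Policies/<GUID>/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml
    # (path assumed for this example, not taken from the thread).
    flagged = {f["task"] for f in needs_attention(audit_scheduled_tasks_xml(SAMPLE_XML, "NTDOM"))}
    for f in audit_scheduled_tasks_xml(SAMPLE_XML, "NTDOM"):
        mark = "FIX " if f["task"] in flagged else "ok  "
        print(f"{mark}{f['task']:<22} runAs={f['runAs']:<28} {f['verdict']} {f['sid'] or ''}")
```

The check is a spelling audit only: a "well-known" verdict says the name is the one MS-DTYP defines for S-1-5-18, not that the DC's idmap resolves that SID. Whether it does is what the `wbinfo -s S-1-5-18` call in the message above tests, and Rowland's idmap.ldb observation (S-1-5-18 stored as ID_TYPE_BOTH) is a separate question from how the task's runAs is written.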