Hai,

Does anyone know more if this is addressed, or point me to the bug report? There should be one, but I can't find it.

I'm finding the following again, tested with samba 4.4.5, now samba 4.5.3. These reports go back to the year 2013.
I searched in my mail samba folder for S-1-5-18.

The problem.

I create a "computer" Scheduled task.
Now this task MUST run as: SYSTEM (S-1-5-18)
After typing "SYSTEM" in the "Change user/group" (at security options) in the task, it changes to: NTDOM\SYSTEM

With user: NTDOM\SYSTEM
Resulting in:
http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
This exact event. And the ScheduledTask is not applied to the computer, not even created on the computer.

Now when I change it to: NT Authority\SYSTEM
It creates the needed task, but it does not run; the error:
http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
again.

Now when I change it to: SYSTEM
It does not create the needed task, and it does not run; the error:
http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
again.

I also tested this on several computers outside the domain.
That works fine with user "NT Authority\SYSTEM".

Reproducible steps:
create a scheduled task in GPO. User or computer, that does not matter.
At security context set (try to set) user SYSTEM.

Do read:
https://technet.microsoft.com/en-us/library/dd851678(v=ws.11).aspx
And see here, Security options:
Computer Configuration, by default the task is run in the security context of the SYSTEM account.

And in case of a samba AD DC, this will never work since SYSTEM isn't correctly mapped.

On both DCs:
wbinfo -G 3000002

wbinfo -s S-1-5-18
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-18

I'm open for any suggestion EXCEPT changing the user in the scheduled task.
This is my complete smb.conf of my samba 4.5.3 (on debian Jessie).
Maybe I missed something here.

[global]
workgroup = NTDOM
realm = INTERNAL.DOMAIN.TLD
netbios name = DC1

server role = active directory domain controller
server services = -dns

interfaces = 192.168.0.1 127.0.0.1
bind interfaces only = yes
time server = yes

idmap_ldb:use rfc2307 = yes

## map id's outside to domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999

winbind nss info = rfc2307
winbind expand groups = 4
template shell = /bin/bash
template homedir = /home/users/%U

## disable printing completely and no error log messages.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# disable usershares creating, when set empty no error log messages.
usershare path =

# Add and Update TLS Key
tls enabled = yes
tls keyfile = /etc/ssl/local/private/xxxxx.key.pem
tls certfile = /etc/ssl/local/certs/xxxxx.cert.pem
tls cafile = /etc/ssl/certs/xxxxx-ca.pem

[sysvol]
path = /home/samba/sysvol
read only = No
acl_xattr:ignore system acls = yes

[netlogon]
path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
read only = No
acl_xattr:ignore system acls = yes

Greetz,

Louis
On Tue, 24 Jan 2017 15:02:14 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> Does anyone know more if this is addressed, or point me to the bug
> report? There should be one, but I can't find it.
>
> I'm finding the following again, tested with samba 4.4.5, now samba
> 4.5.3. These reports go back to the year 2013.
> I searched in my mail samba folder for S-1-5-18
>
> [...]
>
> And in case of a samba AD DC, this will never work since SYSTEM isn't
> correctly mapped.
>
>
> On both DCs:
> wbinfo -G 3000002
>
> wbinfo -s S-1-5-18
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-18

Well yes, but:

root at member1:~# wbinfo -S S-1-5-18
3000015
root at member1:~# wbinfo -U 3000015
S-1-5-18

So winbind knows who SYSTEM is

> I'm open for any suggestion EXCEPT changing the user in the scheduled
> task.
>
> This is my complete smb.conf of my samba 4.5.3 (on debian Jessie)
> Maybe I missed something here.
>
>
> [global]
> workgroup = NTDOM
> realm = INTERNAL.DOMAIN.TLD
> netbios name = DC1
>
> server role = active directory domain controller
> server services = -dns
>
> interfaces = 192.168.0.1 127.0.0.1
> bind interfaces only = yes
> time server = yes
>
> idmap_ldb:use rfc2307 = yes
>
> ## map id's outside to domain to tdb files.
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999

How many times have I got to tell people that 'idmap config' lines have
no place in a DC smb.conf ?

see:

https://bugzilla.samba.org/show_bug.cgi?id=12155

and:

https://bugzilla.samba.org/show_bug.cgi?id=12410

The lines DO NOTHING on a DC, so why add them ????

Rowland
Arg, you're totally right Rowland. How stupid that I missed that id mapping; removed it from my DC2, forgot DC1. Too many phone calls in between... So I removed it now.

But nope, samba still gives me NTDOM\system back.

I go test some more..

Gr.

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Tuesday 24 January 2017 20:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] Security Principals, and SID's mapping bug
>
> On Tue, 24 Jan 2017 15:02:14 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> [...]
>
> Rowland
While searching through the windows GPO editor for the users, it's now as follows (after the smb.conf correction).

TEST 1 (windows 7, a domain member, but local search)
Creating a task locally on the computer, searched SYSTEM, gives back:
WIN7: NT AUTHORITY\SYSTEM

TEST 2 (Samba AD)
Selected a WIN7 PC and searched for system: BUILDIN\SYSTEM
Selected the samba AD and searched for system: NTDOM\SYSTEM

The EXACT same steps on my windows 2008R2 server.

TEST 3 (Windows 2008R2 server)
I'm getting: NT AUTHORITY\System

Anyhow, samba is consistent in giving back some WRONG user/group info.

An overview; I have compared the output of 2 DCs and 1 member. All done on samba 4.5.3.
wbinfo -u -g etc. all work fine.

wbinfo --all-domains
BUILTIN
NTDOM

DC 1 and DC 2 are exactly the same with the output.

wbinfo --gid-info=3000001
BUILTIN\server operators:x:3000001:
wbinfo --gid-info=3000002
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000002
wbinfo --uid-to-sid=3000001
S-1-5-32-549
wbinfo --uid-to-sid=3000002
S-1-5-18
wbinfo --gid-to-sid=3000001
S-1-5-32-549
wbinfo --gid-to-sid=3000002
S-1-5-18
wbinfo --sid-to-uid=S-1-5-32-549
3000001
wbinfo --sid-to-uid=S-1-5-18
3000002
wbinfo --sid-to-gid=S-1-5-32-549
3000001
wbinfo --sid-to-gid=S-1-5-18
3000002
wbinfo --sid-to-name=S-1-5-32-549
BUILTIN\Server Operators 4
wbinfo --sid-to-name=S-1-5-18
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-18
wbinfo --sid-to-fullname=S-1-5-32-549
BUILTIN\Server Operators 4
wbinfo --sid-to-fullname=S-1-5-18
failed to call wbcGetDisplayName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-18
wbinfo --name-to-sid=BUILTIN\Server Operators
S-1-5-32-549 SID_ALIAS (4)
wbinfo --name-to-sid=NTDOM\Server Operators
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name NTDOM\Server Operators
wbinfo --name-to-sid=BUILDIN\SYSTEM
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name BUILDIN\SYSTEM
wbinfo --name-to-sid=NTDOM\SYSTEM
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name NTDOM\SYSTEM
wbinfo --lookup-sids=S-1-5-32-549
S-1-5-32-549 -> <none>\Server Operators 4
wbinfo --lookup-sids=S-1-5-18
wbcLookupSids failed: WBC_ERR_INVALID_SID
Could not lookup SIDs S-1-5-18

The member, and yes I know not all info should be here, just for comparison. But watch what happens with: S-1-5-18.

wbinfo --gid-info=3000001
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000001
wbinfo --gid-info=3000002
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000002
wbinfo --uid-to-sid=3000001
failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert uid 3000001 to sid
wbinfo --uid-to-sid=3000002
failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert uid 3000002 to sid
wbinfo --gid-to-sid=3000001
failed to call wbcGidToSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert gid 3000001 to sid
wbinfo --gid-to-sid=3000002
failed to call wbcGidToSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert gid 3000002 to sid
wbinfo --sid-to-uid=S-1-5-32-549
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-549 to uid
wbinfo --sid-to-uid=S-1-5-18
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-18 to uid
wbinfo --sid-to-gid=S-1-5-32-549
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-549 to gid
wbinfo --sid-to-gid=S-1-5-18
2000
wbinfo --sid-to-name=S-1-5-32-549
BUILTIN\Server Operators 4
wbinfo --sid-to-name=S-1-5-18
NT AUTHORITY\SYSTEM 5
wbinfo --sid-to-fullname=S-1-5-32-549
BUILTIN\Server Operators 4
wbinfo --sid-to-fullname=S-1-5-18
NT AUTHORITY\SYSTEM 5
wbinfo --name-to-sid=BUILTIN\Server Operators
S-1-5-32-549 SID_ALIAS (4)
wbinfo --name-to-sid=NTDOM\Server Operators
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name NTDOM\Server Operators
wbinfo --name-to-sid=BUILDIN\SYSTEM
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name BUILDIN\SYSTEM
wbinfo --name-to-sid=NTDOM\SYSTEM
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name NTDOM\SYSTEM
wbinfo --lookup-sids=S-1-5-32-549
S-1-5-32-549 -> <none>\Server Operators 4
wbinfo --lookup-sids=S-1-5-18
wbcLookupSids failed: WBC_ERR_INVALID_SID
Could not lookup SIDs S-1-5-18

To me this confirms this bug. Why would the member server give back:
wbinfo --sid-to-name=S-1-5-18
NT AUTHORITY\SYSTEM 5

But the DC, which really needs it:
wbinfo --sid-to-name=S-1-5-18
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-18

Can someone explain this difference?
And can someone confirm this problem still exists on their system and gives the same results as mine, so I'm sure it's not something from an older samba.

My setup runs as of 4.1.x and is upgraded multiple times, something like:
to 4.2.3 (and some others)
to 4.2.10 => 4.3.x
to 4.3.x => 4.4.3
to 4.4.5 => 4.5.3

Greetz,

Louis
Cool, thanks, that was my next question. I go test that now, report back in a few mins; if it works that would really help me out here.

And when you look here:
https://technet.microsoft.com/en-us/library/cc778824(v=ws.10).aspx
look at the example SID S-1-5-32-544

This SID has four components:
• A revision level (1)
• An identifier authority value (5, NT Authority)
• A domain identifier (32, Builtin)
• A relative identifier (544, Administrators)

And here you have the "NT Authority" and "Builtin" in one line. ;-)

Greetz,

Louis

> -----Original message-----
> From: Rowland Penny [mailto:rpenny at samba.org]
> Sent: Wednesday 25 January 2017 11:53
> To: L.P.H. van Belle
> Subject: Re: [Samba] Security Principals, and SID's mapping bug
>
> On Tue, 24 Jan 2017 15:02:14 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> >
> > wbinfo -s S-1-5-18
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-18
> >
>
> Hi Louis, I got the same result on a Unix domain member, but after a
> bit of thinking and testing, I now get:
>
> root at devstation:~# wbinfo --sid-to-name=S-1-5-18
> NT AUTHORITY\SYSTEM 5
>
> How did I do this ?
>
> Easy, first create a system group on the Unix machine:
>
> root at devstation:~# addgroup --system system
> Adding group `system' (GID 125) ...
> Done.
>
> Then add a line to the user map:
>
> !system = SYSTEM system
>
> Restart Samba
>
> Now I don't know if this will work with your GPOs, but it is worth
> trying (you may have to alter the Unix 'system' groups permissions)
>
> Rowland
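The SID decomposition Louis quotes above, and the sid-to-name results compared across the DCs and the member earlier in the thread, can be checked without a winbind at hand. The following is an added example, not code from the thread or from Samba: it parses a string SID into the four components (revision, identifier authority, domain sub-authorities, RID), converts it to and from the binary form stored in an AD objectSid, and returns the fixed names of the well-known SIDs the thread tests with (S-1-5-18, S-1-5-32-544, S-1-5-32-549). The function names and the sample inputs are this example's own; the well-known names come from the SID specification, which is why they should not depend on any domain lookup.

```python
"""Parse, encode and name Windows security identifiers (SIDs).
Added example; not part of the mailing-list thread or of Samba."""
import re
import struct

# Identifier authorities (the second number in S-1-5-...), per the SID spec.
AUTHORITIES = {0: "NULL", 1: "WORLD", 2: "LOCAL", 3: "CREATOR", 5: "NT AUTHORITY"}

# Well-known SIDs used in the thread. Their names are fixed by the spec, so a
# sid-to-name lookup should answer them without consulting any domain.
WELL_KNOWN = {
    "S-1-5-18": ("NT AUTHORITY", "SYSTEM"),
    "S-1-5-32-544": ("BUILTIN", "Administrators"),
    "S-1-5-32-549": ("BUILTIN", "Server Operators"),
}

# Sample inputs constructed for this example: the SIDs tested in the thread
# plus the two name strings that winbind rejected as "domain not found".
SAMPLE_INPUTS = ["S-1-5-18", "S-1-5-32-549", "S-1-5-32-544",
                 "NTDOM\\SYSTEM", "BUILDIN\\SYSTEM"]

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(sid):
    """Return (revision, identifier_authority, [sub_authorities]); raise ValueError otherwise."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a string SID: %r" % (sid,))
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-") if s]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if authority >= 1 << 48:
        raise ValueError("identifier authority exceeds 48 bits")
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    if any(s >= 1 << 32 for s in subs):
        raise ValueError("sub-authority exceeds 32 bits")
    return revision, authority, subs


def is_valid_sid(text):
    """True for a well-formed string SID, False for names such as NTDOM\\SYSTEM."""
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def describe(sid):
    """Split a SID the way the TechNet page quoted in the thread does:
    revision, identifier authority, domain identifier (all but the last
    sub-authority) and relative identifier (the last sub-authority)."""
    revision, authority, subs = parse_sid(sid)
    domain = None
    if len(subs) > 1:
        domain = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs[:-1]))
    return {
        "revision": revision,
        "authority": authority,
        "authority_name": AUTHORITIES.get(authority, "unknown"),
        "domain": domain,            # None for S-1-5-18: no domain part at all
        "rid": subs[-1] if subs else None,
    }


def sid_to_bytes(sid):
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes big-endian), then each sub-authority as
    a little-endian uint32. This is the form AD stores in objectSid."""
    revision, authority, subs = parse_sid(sid)
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for s in subs:
        out += struct.pack("<I", s)
    return out


def bytes_to_sid(data):
    """Inverse of sid_to_bytes, with length checks so truncated input is rejected."""
    if len(data) < 8:
        raise ValueError("binary SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("binary SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_to_name(sid):
    """Name a well-known SID as (domain, name); None means 'not well known,
    a real lookup would have to ask the SID's domain'."""
    parse_sid(sid)
    return WELL_KNOWN.get(sid)


if __name__ == "__main__":
    for text in SAMPLE_INPUTS:
        if not is_valid_sid(text):
            print("%-14s not a SID (a name, not an identifier)" % text)
            continue
        print("%-14s %s -> %s" % (text, describe(text), sid_to_name(text)))
```

Running the block prints, for each constructed input, whether it is a SID at all and how it decomposes. Two points worth noticing against the thread: S-1-5-18 has a single sub-authority, so it has no domain identifier for a lookup to locate, whereas S-1-5-32-549 sits under the BUILTIN domain S-1-5-32; and the strings winbind refused (NTDOM\SYSTEM, BUILDIN\SYSTEM) are names, not SIDs, so a name-to-sid call has to resolve them through a name map or domain before any SID arithmetic applies.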