Denis Cardon
2017-Sep-18 12:55 UTC
[Samba] samba 4 ad member - idmap = ad for machine accounts
Hi Rowland,

>> File server config looks exactly like this, except more shares, all
>> with same simple config. I know that "use default domain" isn't
>> necessary, but it's not the issue for me right now.
...
> 'SYSTEM' is a Windows group and is meaningless to Unix, it should be
> mapped to a Unix ID only on a Samba AD DC and there it is an
> 'xidNumber' not a 'uidNumber' or 'gidNumber'. Running 'wbinfo -S
> S-1-5-18' (the SID for 'SYSTEM' is S-1-5-8-18) on a UNIX domain member,
> returns:
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-18 to uid
>
> However "wbinfo -Y S-1-5-18" returns:
> 2005 (note your ID may be different)
>
> As I said, you could use the kerberos machine account instead, but are
> these scripts being run on the fileserver, Samba DC or windows
> machines ? if the latter, then you shouldn't need Unix IDs.
>
>> 2) I'm using some machine autostart scripts, for various tasks, which
>> work again as SYSTEM, so if they have to get anything from a network
>> share, they need to have read/write permission. What I'm doing is,
>> for example, as autostart run a batch script, that would check
>> \\fileserver\public\test-file.txt if %COMPUTERNAME% exists in this
>> file. if not - run some robocopy script, then >> %COMPUTERNAME% to
>> the end of the file.
>> or even something simple like this:
>> "if exist \\server\share\%computername%.txt (exit)
>> else robocopy some-files
>> echo . > \\server\share\%computername%.txt
>> exit"
>
> That looks like a Windows script (not that I am an expert on Windows
> script languages) so I presume that it is run on a Windows machine and
> 'SYSTEM' should be available on it via its name or SID.
>
>> 3) Some windows applications that I use also run as SYSTEM account
>> and they have built-in backup utilities, and if I want to backup
>> straight to a network share - again - machine account needs direct
>> write access to share.
>
> Hmm, I think I am beginning to understand your problem, you are
> confusing 'SYSTEM' with the computer's account in AD.
>
> 'SYSTEM' does not exist in AD, so you cannot give it a uidNumber or
> gidNumber attribute.
>
> I think you need to find another way to do what you are doing now.

Kacper's way of doing things is completely correct (at least from an
authentication point of view). The SYSTEM account on Windows uses the
machine account for authentication. So for example, using psexec [1],
you can try (on an elevated command prompt):

psexec -s -i cmd.exe

Check that you are local system:

whoami

then you connect to a share (sysvol is a good choice here since
"domain computers" has access):

net use F: \\domain.lan\sysvol

Then on your DC you can check which account has been used for the
connection:

smbstatus

You'll see that the SYSTEM account uses the Kerberos machine account for
authentication.

Cheers,

Denis

[1] https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

>> I do know that machine accounts are "normal" accounts, and I tried
>> simply adding them to windows ACL, but it just didn't work. I had to
>> go with "idmap = rid", and it did just fine, so the issue must be
>> with idmap backend - ad not supplying valid uid for winbind, right?
>
> You should be able to add a uidNumber to a computer, but to make it
> work as a user on Unix, you will have to give the Domain Computers
> group a gidNumber.
>
> Rowland

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
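Denis's psexec / net use / smbstatus check, as an added example that is not part of the thread: a small Python helper that parses the session table of smbstatus output and lists the sessions authenticated with a computer account (a HOST$ name), which is the name a connection made by SYSTEM shows up under on the DC. The smbstatus text is a constructed sample in the layout of Samba 4.x output, not a capture from anyone's DC.

```python
import re

# Constructed sample in the layout of the Samba 4.x "smbstatus" session
# table; it is not a capture from the poster's DC. pid 1234 is a session
# opened by a process running as SYSTEM on the Windows host PC050.
SMBSTATUS_SAMPLE = """\
Samba version 4.6.10
PID     Username     Group        Machine                                   Protocol Version  Encryption  Signing
----------------------------------------------------------------------------------------------------------------
1234    SAMDOM\\pc050$ SAMDOM\\domain computers 192.168.3.50 (ipv4:192.168.3.50:49700) SMB3_11  -  partial(AES-128-CMAC)
1235    SAMDOM\\alice SAMDOM\\domain users 192.168.3.77 (ipv4:192.168.3.77:51020) SMB3_11  -  partial(AES-128-CMAC)

Service      pid     Machine       Connected at                     Encryption   Signing
----------------------------------------------------------------------------------------
sysvol       1234    192.168.3.50  Mon Sep 18 14:55:04 2017 CEST   -            -
"""

# One session row: pid, DOMAIN\user, group (may contain spaces), client
# address, then the "(ipv4:addr:port)" tuple; the remaining columns are ignored.
SESSION_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<group>.+?)\s+(?P<addr>\S+)\s+\((?P<sock>ipv[46]:[^)]+)\)"
)

def parse_sessions(text):
    """Rows of the session table (the first table, up to the blank line)."""
    sessions, in_table = [], False
    for line in text.splitlines():
        if line.startswith("PID"):
            in_table = True            # header of the session table
            continue
        if in_table:
            if not line.strip():
                break                  # blank line separates the share table
            m = SESSION_RE.match(line)
            if m:
                sessions.append(m.groupdict())
    return sessions

def is_machine_account(username):
    """AD computer accounts are named HOST$; that is the name SYSTEM logs in with."""
    return username.rsplit("\\", 1)[-1].endswith("$")

def machine_sessions(text):
    """Sessions authenticated with a computer account's Kerberos credentials."""
    return [s for s in parse_sessions(text) if is_machine_account(s["user"])]

if __name__ == "__main__":
    for s in machine_sessions(SMBSTATUS_SAMPLE):
        print(f"pid {s['pid']}: {s['user']} from {s['addr']} (machine account)")
```

Feed it the real output of `smbstatus` on the DC or member to see which client addresses are connecting with machine credentials rather than a user's.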
Rowland Penny
2017-Sep-18 13:43 UTC
[Samba] samba 4 ad member - idmap = ad for machine accounts
On Mon, 18 Sep 2017 14:55:04 +0200
Denis Cardon <dcardon at tranquil.it> wrote:

> Hi Rowland,
>
> [...]
>
> Kacper's way of doing things is completely correct (at least from an
> authentication point of view). The SYSTEM account on Windows uses the
> machine account for authentication. So for example, using psexec [1],
> you can try (on an elevated command prompt):
>
> psexec -s -i cmd.exe
>
> Check that you are local system
>
> whoami
>
> then you connect to a share (sysvol is a good choice here since
> "domain computers" has access)
>
> net use F: \\domain.lan\sysvol
>
> Then on your DC you can check which account has been used for the
> connection:
>
> smbstatus
>
> You'll see that the SYSTEM account uses the Kerberos machine account for
> authentication.
>

Thanks

Yes that works, but it shows that you don't need the computers to have
uidNumber attributes, which is what I was trying to get across to the OP.

Rowland
L.P.H. van Belle
2017-Sep-18 14:18 UTC
[Samba] samba 4 ad member - idmap = ad for machine accounts
Ps.

To overcome this problem is very simple ( AD or RID )

1) setup the SHARE where you need user NT Authority\SYSTEM with
   acl_xattr:ignore system acls = yes

2) setup your share with Everyone full access.. ( If you don't like
   everyone, you need domain users/computers/guest and maybe even more )
   1! You must do this from within windows. ( message access denied when
   connecting, you forgot something, see 2! )
   2! Check your SePrivileges setup. (script:
   https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-SePrivileges.sh )

3) setup the FOLDER security.
   Make sure you add "Creator Owner/Creator Group" one or both, your
   setup is your guide. I can't tell that.
   Verified Users, Read
   System, Full Control
   Any other group you want, but at least "Domain Admins" FULL control.

4) Try to avoid chmod/chown, use getfacl/setfacl in scripts.

Give it a try, this works fine here. (as of Debian jessie and up, with
samba 4.4+ up to 4.6.7 tested/in production)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Monday 18 September 2017 15:43
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba 4 ad member - idmap = ad for
> machine accounts
>
> [...]
L.P.H. van Belle
2017-Sep-18 14:24 UTC
[Samba] samba 4 ad member - idmap = ad for machine accounts
The OP tells us:

idmap config *:backend = tdb
idmap config *:range = 100-2000
# idmap config for domain MYDOMAIN
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 4000-99999

I don't know the OS here, but what happens if uid 100 is a linux system
user? Then it also maps into BUILTIN\username.

You might need to check this out also.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Monday 18 September 2017 15:43
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba 4 ad member - idmap = ad for
> machine accounts
>
> [...]
Rowland Penny
2017-Sep-18 14:41 UTC
[Samba] samba 4 ad member - idmap = ad for machine accounts
On Mon, 18 Sep 2017 16:24:23 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> The OP tells us:
> idmap config *:backend = tdb
> idmap config *:range = 100-2000
> # idmap config for domain MYDOMAIN
> idmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN:schema_mode = rfc2307
> idmap config MYDOMAIN:range = 4000-99999
>
> I don't know the OS here, but what happens if uid 100 is a linux
> system user? Then it also maps into BUILTIN\username.
>
> You might need to check this out also.
>

I have already told him these aren't recommended ranges, all I got was
'they work for me' or words to that effect. I don't think I have seen
what OS he is using.

Rowland
Hi all,

I have exactly the same problem as the OP and tried the solution below,
but I still get the error: 'Username IUCNNL\PC050$ is invalid on this
system'. Should I map the user account, enable the Guest account, change
unix directory permissions or things like that?

Problem: My Windows 10 computers' machine accounts cannot access shares
on a domain member (samba 4.6, idmap = ad, centos 7).

More detailed: Startup script in windows 10 runs under the system account
and accesses shares on the network with the machine account. My samba
domain member (fileserver FS1) is not happy with the user account of the
machine. The log file says: "Username SAMDOM\PC050$ is invalid on this
system". However, the machine is joined to the domain. Normal user
accounts can access shares without problems, machine accounts cannot.

Samba - General mailing list wrote:
> Ps.
>
> To overcome this problem is very simple ( AD or RID )
>
> 1) setup the SHARE where you need user NT Authority\SYSTEM with
> acl_xattr:ignore system acls = yes
>
> 2) setup your share with Everyone full access.. ( If you don't like
> everyone, you need domain users/computers/guest and maybe even more )
> 1! You must do this from within windows. ( message access denied when
> connecting, you forgot something, see 2! )
> 2! Check your SePrivileges setup. (script:
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-SePrivileges.sh
> )
>
> 3) setup the FOLDER security.
> Make sure you add "Creator Owner/Creator Group" one or both, your setup
> is your guide. I can't tell that.
> Verified Users, Read
> System, Full Control
> Any other group you want, but at least "Domain Admins" FULL control.
>
> 4) Try to avoid chmod/chown, use getfacl/setfacl in scripts.
>
>
> Give it a try, this works fine here. (as of Debian jessie and up, with
> samba 4.4+ up to 4.6.7 tested/in production)
>
>
> Greetz,
>
> Louis

Below is relevant info (I think) for my case.

What I did/tried:

-With ADUC (WS 2012) I added NIS domain 'samdom' to the Unix attributes
 of users, groups, and also to computers (is the latter necessary?)
-I test the connection to the shares as system user on the win10 machine
 by using "psexec.exe -s cmd.exe", and then "dir \\fs1\datasys" (see
 smb.conf below) or any other share name. Access is denied. The startup
 script has the same problem.
-I can get AD groups and users on FS1 with getent group and getent passwd.
-The windows 10 machine account can successfully access the sysvol share
 on the domain controller DC ("dir \\dc1\sysvol")
-The three shares in the conf file below are inaccessible to the machine
 account. The third share is the one I am testing with. I tried the
 suggestion above to add "acl_xattr:ignore system acls = yes" to the
 share. This did not solve the problem, so I probably missed something.
-I do not want to make another fileserver with backend = rid if I can
 avoid it.
-If I map the PC050$ name to root I can access the shares, but I do not
 want that permanently (security). I think I could add another user and
 map computers to that name but that still seems awkward to me.

Configuration info:

-The DC and the fileserver (FS1, the domain member) run centos 7,
 samba 4.6.10.

smb.conf on FS1:

[global]
    security = ADS
    workgroup = SAMDOM
    realm = AD.EXAMPLE.NL
    ntlm auth = yes
    # log file = /var/log/samba/%m.log
    # log level = 2
    log level = 3 passdb:5 auth:5
    idmap config * : backend = tdb
    idmap config * : range = 3000-9999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    idmap config SAMDOM : default = yes
    winbind nss info = template
    template shell = /bin/bash
    template homedir = /data/home/%U
    winbind use default domain = yes
    allow dns updates = nonsecure
    username map = /etc/samba/user.map
    spoolss: architecture = Windows x64
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes

# shares
[datatest]
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    path = /data/datatest
    read only = no

[datasys]
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    path = /data/datasys
    read only = no

# testfolder
[testfolfder]
    vfs objects = acl_xattr
    acl_xattr:ignore system acls = yes
    # I used: mkdir /data/testfolder ; chmod 0770 /data/testfolder ; chown root."domain admins" /data/testfolder
    path = /data/testfolder
    read only = no

smb.conf on DC1:

[global]
    workgroup = SAMDOM
    realm = AD.EXAMPLE.NL
    netbios name = DC1
    server role = active directory domain controller
    dns forwarder = 192.168.3.2
    idmap_ldb:use rfc2307 = yes
    allow dns updates = nonsecure
    winbind enum users = yes
    winbind enum groups = yes
    ldap server require strong auth = no
    username map = /etc/samba/user.map
    log level = 3

[netlogon]
    path = /var/lib/samba/sysvol/ad.example.nl/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

--
Sent from: http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
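Louis's concern about idmap ranges colliding with local system UIDs, Rowland's remark that the ranges are not recommended, and the "invalid on this system" error in the last post all come down to how the configured ranges line up. As an added example (not code from the thread or from Samba), the Python check below pulls the idmap ranges out of an smb.conf fragment, reports overlapping ranges and local passwd UIDs that fall inside one, and tests whether a given uidNumber/gidNumber lies inside the domain range that idmap_ad will honour (the idmap_ad backend discards IDs outside its range). The smb.conf and passwd lines are constructed samples modelled on the config above, not the poster's files.

```python
import re

# Constructed smb.conf fragment, modelled on the file server config posted
# above (not the poster's actual file), plus constructed local passwd lines.
SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-9999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
backup-svc:x:3050:3050:local backup user:/var/backup:/sbin/nologin
"""
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """{DOMAIN: {key: value}} for every 'idmap config DOMAIN : key = value'."""
    cfg = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return cfg

def ranges(cfg):
    """{DOMAIN: (low, high)} for every domain that configures a range."""
    return {d: tuple(int(x) for x in k["range"].split("-"))
            for d, k in cfg.items() if "range" in k}

def overlapping(rng):
    """Pairs of idmap domains whose ID ranges overlap; winbind needs disjoint ranges."""
    doms = sorted(rng)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if rng[a][0] <= rng[b][1] and rng[b][0] <= rng[a][1]]

def local_collisions(rng, passwd_text):
    """Local UIDs that sit inside an idmap range (Louis's uid 100 scenario):
    such a user can then also resolve to a domain/BUILTIN mapping."""
    hits = []
    for line in passwd_text.splitlines():
        name, _, uid = line.split(":")[:3]
        hits += [(name, int(uid), d) for d, (lo, hi) in rng.items() if lo <= int(uid) <= hi]
    return hits

def in_domain_range(rng, dom, number):
    """idmap_ad only honours uidNumber/gidNumber values inside the domain's
    range; an ID outside it stays unmapped, which is one way a joined machine
    account ends up reported as 'invalid on this system'."""
    lo, hi = rng[dom.upper()]
    return lo <= number <= hi

if __name__ == "__main__":
    r = ranges(parse_idmap(SMB_CONF))
    print("overlapping ranges:", overlapping(r))
    print("local UID collisions:", local_collisions(r, PASSWD))
    # a uidNumber of 2005 on a PC050$ object would sit below the SAMDOM range
    print("uidNumber 2005 usable for SAMDOM:", in_domain_range(r, "SAMDOM", 2005))
```

Run it against the real smb.conf and /etc/passwd of the member, then compare the uidNumber on the computer object and the gidNumber on Domain Computers against the SAMDOM range it prints.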