Hai Rowland,

> No, you haven't done anything wrong and yes the provision
> does set Domain Users to '100' in idmap.ldb.

Ow.. This I did not know, only wondering why it's not BUILTIN\Users (how it is in Windows).
Do you know as of which version this is? Or as of the start? I really never noticed this.

> Do not remove Domain Users, but you are correct, there is no
> way to modify a user or group with samba-tool (you can do
> this for a user with 4.7.0), but you can use ldbedit.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Ok, I did read somewhere that Samba uses S-1-22-1 for users and S-1-22-2 for groups.

wbinfo -G 100
S-1-5-21-3821322978-3959480180-962995944-513

wbinfo -G 10000
S-1-22-2-10000

S-1-22-2-10000 is the Unix group with uid 10000 (which is also in my case "Domain Users").
But how this maps again in Samba, that I really don't know.

Arg, very confusing all.. Well, at least we now know this is by design. Pfew..

Thanks for all the info guys.

Greetz,

Louis
On Tue, 26 Sep 2017 13:54:22 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Rowland,
>
> > No, you haven't done anything wrong and yes the provision
> > does set Domain Users to '100' in idmap.ldb.
>
> Ow..
> This I did not know, only wondering why it's not BUILTIN\Users (how
> it is in Windows). Do you know as of which version this is? Or as of
> the start? I really never noticed this.

I think you are misunderstanding what I wrote ;-)

If you open 'idmap.ldb' and search for 513 (Domain Users RID), you will
find:

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
cn: S-1-5-21-1768301897-3342589593-1064908849-513
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513

As you can see 'Domain Users' is mapped to the Unix group '100' and if
you look in /etc/group and search for '100', you will find this:

users:x:100:

This means that the Windows group is mapped to the Unix group 'users'
on a DC, up until you give Domain Users a gidNumber, then the ID will
change to the one you placed in the gidNumber attribute in Domain Users.

> Ok, I did read somewhere that
> Samba uses S-1-22-1 for users and S-1-22-2 for groups.

Any idea where ?

> wbinfo -G 100
> S-1-5-21-3821322978-3959480180-962995944-513
>
> wbinfo -G 10000
> S-1-22-2-10000
>
> S-1-22-2-10000 is the Unix group with uid 10000
> (which is also in my case "Domain Users")
> But how this maps again in Samba, that I really don't know.
>
> Arg, very confusing all..

Even more confusion:

On my DC:

wbinfo -G 100
S-1-5-21-1768301897-3342589593-1064908849-513

wbinfo -G 10000
S-1-5-21-1768301897-3342589593-1064908849-513

I have also compiled 4.7.0 and set it up as a test and I cannot see any
difference between the way 4.6.7 and 4.7.0 work on a DC, i.e. '100'
becomes '10000' after I run 'net cache flush'.

Rowland
Hello! Rowland Penny via samba wrote:

> This means that the Windows group is mapped to the Unix group 'users'
> on a DC, up until you give Domain Users a gidNumber, then the ID will
> change to the one you placed in the gidNumber attribute in Domain Users.

I can confirm that. Using ADUC I've noted that 'Domain Users' has no GID
assigned, so it seems that some Samba ''internal'' logic assigns GID 100
'by default'.

After assigning GID 10513:

root@vdcsv1:~# net cache flush
root@vdcsv1:~# getent group "Domain Users"
LNFFVG\domain users:x:10513:
root@vdcsv1:~# wbinfo -G 10513
S-1-5-21-160080369-3601385002-3131615632-513

--
dott. Marco Gaiarin                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
Hai,

> I think you are misunderstanding what I wrote ;-)

That's possible yes.. Lucky you, better at explaining than me in English. ;-)

> If you open 'idmap.ldb' and search for 513 (Domain Users
> RID), you will
> find:
>
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
> cn: S-1-5-21-1768301897-3342589593-1064908849-513
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
> type: ID_TYPE_GID
> xidNumber: 100
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513
>
> As you can see 'Domain Users' is mapped to the Unix group
> '100' and if you look in /etc/group and search for '100', you
> will find this:
>
> users:x:100:
>
> This means that the Windows group is mapped to the Unix group 'users'
> on a DC, up until you give Domain Users a gidNumber, then the
> ID will change to the one you placed in the gidNumber
> attribute in Domain Users.

Aahhh.. Ok, it changes after you set the gid.. That's a good one to remember.

> > Ok, I did read somewhere that
> > Samba uses S-1-22-1 for users and S-1-22-2 for groups.
>
> Any idea where ?

Yes,
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html
(Unmapped users are now assigned a SID in the S-1-22-1 domain and unmapped groups are assigned a SID in the S-1-22-2 domain)
https://www.samba.org/samba/history/samba-3.0.23c.html

This was the one that led me to the 2 above links.
https://stackoverflow.com/questions/31109871/mapping-sambas-s-1-22-12-sid-into-names

> > wbinfo -G 100
> > S-1-5-21-3821322978-3959480180-962995944-513
> >
> > wbinfo -G 10000
> > S-1-22-2-10000
> >
> > S-1-22-2-10000 is the Unix group with uid 10000 (which is also in my
> > case "Domain Users") But how this maps again in Samba,
> > that I really don't know.
> >
> > Arg, very confusing all..
>
> Even more confusion:
>
> On my DC:
>
> wbinfo -G 100
> S-1-5-21-1768301897-3342589593-1064908849-513
>
> wbinfo -G 10000
> S-1-5-21-1768301897-3342589593-1064908849-513
>
> I have also compiled 4.7.0 and set it up as a test and I
> cannot see any difference between the way 4.6.7 and 4.7.0
> works on a DC i.e. '100'
> becomes '10000' after I run 'net cache flush'
>
> Rowland

And... To make it even more confusing..

Now.. I have the same results again.
So,.. Domain Users is mapped to GID 100, if you set the GID yourself (my setup backend AD), and it uses the default 10000 from the start of my setup (about 2-3 years ago).

wbinfo -G 100
S-1-5-21-2934682428-2610421433-476865461-513

wbinfo -G 10000
S-1-5-21-2934682428-2610421433-476865461-513

wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100

So why am I seeing 100 here and not 10000?
I know for 100% sure this was 10000.
So I did run: net cache flush again.

wbinfo --group-info="Domain Users"
NTDOM\domain users:x:10000

And it's back to normal again. Wowhoo.

Maybe it's wise to always run: net cache flush
after a Samba upgrade. Thoughts?

... Ok, now I ssh to my DC2.
To make it even stranger, on exactly the same server as DC1.

And the commands run (exactly):

ssh dc2

wbinfo --group-info="Domain Users"
NTDOM\domain users:x:10000

So looks good... (you think)

wbinfo -G 100   Still ok..
S-1-5-21-2934682428-2610421433-476865461-513

wbinfo -G 10000   Still ok..
S-1-5-21-2934682428-2610421433-476865461-513

Now the wbinfo again ....

wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100

And HUH... 100 ?? But it was 10000.
Now, if this isn't a bug I don't know.

And now:
net cache flush
wbinfo --group-info="Domain Users"
NTDOM\domain users:x:10000

And it's back to normal, but I'm questioning ... for how long....

So IMHO, very inconsistent results.

So any more thoughts about this?

Greetz,

Louis
L.P.H. van Belle
2017-Sep-26 13:57 UTC
[Samba] Resolving inconsistant on DC with AD backend. GID 100 and 10000
Small update. And changed the subject, was: [Samba] Domain member server: user access.

My last test was done with 4.6.7. Now upgraded a DC to 4.6.8 (and the last result in 4.6.7 was 10000).

root@rtd-dc1:~# wbinfo -G 100
S-1-5-21-2934682428-2610421433-476865461-513
root@rtd-dc1:~# wbinfo -G 10000
S-1-5-21-2934682428-2610421433-476865461-513
root@rtd-dc1:~# wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100

net cache flush
NTDOM\domain users:x:10000

Repeat above step.

wbinfo -G 100
S-1-5-21-2934682428-2610421433-476865461-513
wbinfo -G 10000
S-1-5-21-2934682428-2610421433-476865461-513
wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100

And wrong again..

net cache flush
wbinfo --group-info="Domain Users"
NTDOM\domain users:x:10000

Let's repeat it again. Well, you can repeat this endlessly..

Now what I found here is. If you run:

1) wbinfo -G 100
Results in
wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100

2) wbinfo -G 10000
wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100

After 1 and 2 you must use net cache flush.

3) If you don't run: wbinfo -G 100 (and start with net cache flush)
The wbinfo -G 10000 and wbinfo --group-info="Domain Users" stay the same and correct.

If you run once: wbinfo -G 100
It's incorrect again and you need net cache flush again.

So 4.6.7 and 4.6.8 show the same results and it is reproducible.
If this is not by design, then it's a bug and we should report it.

Thoughts?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> L.P.H. van Belle via samba
> Sent: Tuesday 26 September 2017 15:32
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member server: user access
>
> Hai,
>
> > I think you are misunderstanding what I wrote ;-)
> That's possible yes.. Lucky you, better at explaining than me
> in English.
On 2017-09-26 at 15:32, L.P.H. van Belle via samba wrote:

> So IMHO, very inconsistent results.
>
> So any more thoughts about this?

I can't follow that anymore and don't know if and what to fix/change/set ...

No complaining, just no idea.
On Tue, 26 Sep 2017 15:32:13 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> > > Ok, I did read somewhere that
> > > Samba uses S-1-22-1 for users and S-1-22-2 for groups.
> >
> > Any idea where ?
> Yes,
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html
> (Unmapped users are now assigned a SID in the S-1-22-1 domain and
> unmapped groups are assigned a SID in the S-1-22-2 domain)
> https://www.samba.org/samba/history/samba-3.0.23c.html

I feel I am going to have to ask some questions about this, because
clearly neither 'S-1-22-1' nor 'S-1-22-2' is a domain. Unless the '*'
domain's SID is '1-2-22' ??

> And... To make it even more confusing..
>
> Now.. I have the same results again.
> So,.. Domain Users is mapped to GID 100, if you set the GID yourself (my
> setup backend AD), and it uses the default 10000 from the start of my
> setup (about 2-3 years ago).
>
> wbinfo -G 100
> S-1-5-21-2934682428-2610421433-476865461-513
>
> wbinfo -G 10000
> S-1-5-21-2934682428-2610421433-476865461-513
>
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:100
>
> So why am I seeing 100 here and not 10000?
> I know for 100% sure this was 10000.
> So I did run: net cache flush again.
>
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:10000
>
> And it's back to normal again. Wowhoo.
>
> Maybe it's wise to always run: net cache flush
> after a Samba upgrade. Thoughts?
>
> ... Ok, now I ssh to my DC2.
> To make it even stranger, on exactly the same server as DC1.
>
> And the commands run (exactly):
>
> ssh dc2
>
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:10000
>
> So looks good... (you think)
>
> wbinfo -G 100   Still ok..
> S-1-5-21-2934682428-2610421433-476865461-513
>
> wbinfo -G 10000   Still ok..
> S-1-5-21-2934682428-2610421433-476865461-513
>
> Now the wbinfo again ....
>
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:100
>
> And HUH... 100 ?? But it was 10000.
> Now, if this isn't a bug I don't know.
>
> And now:
> net cache flush
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:10000
>
> And it's back to normal, but I'm questioning ... for how long....
>
> So IMHO, very inconsistent results.
>
> So any more thoughts about this?

Yes, if I run the commands on my 2nd DC, I get this:

root@dc3:~# wbinfo -G 100
S-1-5-21-1768301897-3342589593-1064908849-513
root@dc3:~# wbinfo -G 10000
S-1-5-21-1768301897-3342589593-1064908849-513
root@dc3:~# wbinfo --group-info="Domain Users"
SAMDOM\domain users:x:100:
root@dc3:~# getent group Domain\ Users
SAMDOM\domain users:x:100:
root@dc3:~# net cache flush
root@dc3:~# wbinfo --group-info="Domain Users"
SAMDOM\domain users:x:10000:
root@dc3:~# getent group Domain\ Users
SAMDOM\domain users:x:10000:

AGGGHHHH, why does it do this ????

It wasn't a bug introduced with 4.7.0, the 2nd DC is running 4.6.2

Is anybody running an earlier version that exhibits this problem ??

Rowland
Well, what I can say is: the "Resolving inconsistent on DC with AD backend. GID 100 and 10000" issue is only on the DCs.
My member servers are all checked now (4.5.8 4.5.14 4.6.5 4.6.7 4.6.8); these are consistent.

The short solution is, run on the DC:
net cache flush

And check again, for example with
getent passwd username
or
id username

And don't touch the DC; after an upgrade, again run:
net cache flush

And besides that, keep an eye on the list.
The members are safe, I've checked 4.5.8 4.5.12 4.5.14 4.6.5 4.6.7 4.6.8 (original Debian and my packages).

So back to your problem, user access.
Are you still getting/seeing these:
Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
Or
Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Tuesday 26 September 2017 16:00
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member server: user access
>
> On 2017-09-26 at 15:32, L.P.H. van Belle via samba wrote:
>
> > So IMHO, very inconsistent results.
> >
> > So any more thoughts about this?
>
> I can't follow that anymore and don't know if and what to
> fix/change/set ...
>
> No complaining, just no idea.
On Tue, 26 Sep 2017 16:22:12 +0200
L.P.H. van Belle <belle at bazuin.nl> wrote:

> Read this and add it to the bug list.
>
> (as of the part "I can confirm that")
> > Using ADUC I've noted that 'Domain Users' has no GID
> > assigned, so it seems that some Samba ''internal'' logic assigns
> > GID 100 'by default'.
>
> This might be a clue to the fix.

Don't think so ;-)

There are 'uidNumber' & 'gidNumber' attributes, Windows knows about
these, what it doesn't know about are 'xidNumber' attributes. You will
only find these in idmap.ldb on a Samba AD DC. By default Domain Users
is given the 'xidNumber' 100 in idmap.ldb, hence why Windows knows
nothing about it, and why should Windows know about it, it is a Samba AD
DC Unix ID.

What I think is happening is this:

'wbinfo -G 100' is run. The '100' is mapped to the SID-RID of Domain
Users by idmap from idmap.ldb. The result is placed into the winbind
cache, replacing anything for Domain Users that is already there.

The command 'getent group Domain\ Users' is run and the cache is
consulted, returning the '100' found there.

'net cache flush' is run and the command 'getent group Domain\ Users'
is run again, there is nothing in the cache, so AD is consulted and the
correct result is returned.

Remember that the cache has a limited lifetime and as long as
'wbinfo -G 100' isn't run, the 100 should never get into the cache.

Rowland
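As an added example (not code from this thread or from the Samba project), here is a POSIX shell script that does the check Louis and Rowland end up recommending in the two messages above: read the xidNumber the provision wrote into idmap.ldb, read the gidNumber set on Domain Users in sam.ldb, read what winbind currently answers, and run 'net cache flush' only when the AD value and the resolved value disagree. The ldb file paths, getting the group SID from 'wbinfo -n', and the base-DN lookup of the idmap.ldb entry ('CN=<SID>', as in Rowland's dump) are my assumptions; check them against your install.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba itself.
# On a Samba AD DC a group GID can come from three places:
#   1. xidNumber in idmap.ldb (what the provision wrote; 100 for Domain Users)
#   2. gidNumber in sam.ldb (what you set in AD, e.g. 10000)
#   3. what winbind/NSS currently answer (possibly a stale cache entry)
# This script prints all three and flushes the cache when 2 and 3 differ.
# Assumptions (mine): the ldb paths below; wbinfo, ldbsearch and net on PATH.

SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"
IDMAP_LDB="${IDMAP_LDB:-/var/lib/samba/private/idmap.ldb}"

# Numeric GID from a group(5)-style line, e.g. 'SAMDOM\domain users:x:10000:' -> 10000
gid_from_group_line() {
    printf '%s\n' "$1" | awk -F: '{print $3}'
}

# Value of one attribute from LDIF-style ldbsearch output; empty if absent.
# Usage: ldb_attr "<ldif text>" gidNumber
ldb_attr() {
    printf '%s\n' "$1" | awk -v a="$2:" '$1 == a {print $2; exit}'
}

# Prints ok, mismatch or unset. 'unset' means no gidNumber in AD, so the
# idmap.ldb xidNumber is the expected answer: unconfigured, not broken.
compare_gids() {
    ad_gid="$1"; resolved_gid="$2"
    if [ -z "$ad_gid" ]; then
        echo unset
    elif [ "$ad_gid" = "$resolved_gid" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# Live check on a DC. Returns 0 if consistent (or repaired by a flush),
# 1 if still wrong after the flush, 2 if the Samba tools are not here.
check_domain_users() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not found, skipping live check" >&2; return 2; }
    # 'wbinfo -n' prints "<SID> <type> (<n>)"; keep the SID (assumed format).
    sid=$(wbinfo -n 'Domain Users' | awk '{print $1}')
    xid=$(ldb_attr "$(ldbsearch -H "$IDMAP_LDB" -b "CN=$sid" -s base xidNumber 2>/dev/null)" xidNumber)
    ad_gid=$(ldb_attr "$(ldbsearch -H "$SAM_LDB" '(sAMAccountName=Domain Users)' gidNumber 2>/dev/null)" gidNumber)
    resolved=$(gid_from_group_line "$(wbinfo --group-info='Domain Users')")
    state=$(compare_gids "$ad_gid" "$resolved")
    echo "sid=$sid idmap.ldb xidNumber=${xid:-<none>} AD gidNumber=${ad_gid:-<none>} resolved=$resolved state=$state"
    [ "$state" = mismatch ] || return 0
    # Stale cache entry (e.g. after 'wbinfo -G 100' or an upgrade): flush and re-read.
    net cache flush
    resolved=$(gid_from_group_line "$(wbinfo --group-info='Domain Users')")
    echo "after 'net cache flush': resolved=$resolved"
    [ "$resolved" = "$ad_gid" ]
}

# Only run the live check when asked, so the helpers can be sourced and tested:
#   sh check_domain_users.sh check
case "${1:-}" in
    check) check_domain_users ;;
esac
```

Run it with the argument 'check' on each DC after an upgrade, or from cron if you want to notice the drift before users do; an exit status of 1 means a flush did not bring the resolved GID back in line with AD, which is worth a closer look than the cache.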