Fabian Fritz
2017-Nov-13 21:34 UTC
[Samba] winbind finds all domain users except Administrator
Hi,

I have a samba 4.7 DC (Red Hat) and a Solaris 10 Member (also 4.7.0). I started winbindd and can get all users in my domain via "getent passwd" except MYDOM\Administrator. I can get it via wbinfo however:

# wbinfo -n "MYDOM\Administrator"
S-1-5-21-.......-500 SID_USER (1)

In the winbind log with log level = 10, when I do getent passwd "MYDOM\Administrator" I always see this:

[2017/11/13 18:27:25.255682, 5] ../source3/winbindd/winbindd_getpwnam.c:136(winbindd_getpwnam_recv)
  Could not convert S-1-5-21-.......-500: NT_STATUS_NO_SUCH_USER

I have the idmap configured like this:

idmap config MYDOM : backend = ad
idmap config MYDOM : range = 100 - 60000
idmap config * : backend = tdb
idmap config * : range = 60001 - 61000

I already tried to delete all tdb and ldb but I can't get it working.

This issue seems very much related to this previous thread: https://lists.samba.org/archive/samba/2015-May/191931.html
So I am suspecting some Solaris-specific problem.

Does someone have an idea what could be the problem? The counterpart to winbindd_getpwnam_recv is winbindd_getpwnam_send, right? And this is executed on the DC? So do I have to debug there?

Thanks,
Fabian
Rowland Penny
2017-Nov-13 22:03 UTC
[Samba] winbind finds all domain users except Administrator
On Mon, 13 Nov 2017 22:34:16 +0100 Fabian Fritz via samba <samba at lists.samba.org> wrote:
> Hi,
>
> I have a samba 4.7 DC (Red Hat) and a Solaris 10 Member (also 4.7.0).
> I started winbindd and can get all users in my domain via "getent
> passwd" except MYDOM\Administrator. I can get it via wbinfo however:
>
> # wbinfo -n "MYDOM\Administrator"
> S-1-5-21-.......-500 SID_USER (1)
>
> In the winbind log with log level = 10, when I do getent passwd
> "MYDOM\Administrator" I always see this:
>
> [2017/11/13 18:27:25.255682, 5]
> ../source3/winbindd/winbindd_getpwnam.c:136(winbindd_getpwnam_recv)
> Could not convert S-1-5-21-.......-500: NT_STATUS_NO_SUCH_USER
>
> I have the idmap configured like this:
>
> idmap config MYDOM : backend = ad
> idmap config MYDOM : range = 100 - 60000

This range means you cannot have ANY local Unix users, what happens if something goes wrong and you need to log in as a local user ??

You also seem to be missing a line:

idmap config MYDOM : schema_mode = rfc2307

None of this has anything to do with your problem, mainly because you do not have a problem ;-)

You should not be able to log into a Unix domain member as Administrator, you should map Administrator to 'root' in a user.map and then log in as root if need be.

Rowland
Rowland Penny
2017-Nov-14 09:35 UTC
[Samba] winbind finds all domain users except Administrator
On Mon, 13 Nov 2017 23:15:15 +0100 Fabian Fritz <fabianfuture at web.de> wrote:
> I see. I know, the range is a bit odd, but I previously used NIS to
> get the Unix users from another machine. Now I'm updating to AD and
> don't use NIS anymore. Since I want to keep all the file ownerships (I
> use this solaris member as a file server), I had to map the domain
> users to that same range.

OK, hindsight is a wonderful thing, but starting the ID range at 100 isn't a good idea (for the reason I gave), but sometimes you have to.

> I used the Administrator to login to some Windows machine in the
> domain and was surprised when I got an ACCESS_DENIED when I tried to
> mount a network share there. So this only happens for Administrator?
> So I have to use one of the users in the domain admins group when I
> need to do administrative stuff on my windows machines and also need
> the shares?

If you use a user.map, Administrator becomes 'root' on Unix domain members and root can do anything on a Unix domain member.

Try reading this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

If you have any questions after reading that, just ask ;-)

Rowland
Fabian Fritz
2017-Nov-14 20:36 UTC
[Samba] winbind finds all domain users except Administrator
I tried mapping to root but I still get an ACCESS_DENIED when I try to mount a share from the domain member. I'd be very surprised if the samba admin account is the one and only account that is intentionally denied from accessing shares on a member. I'm pretty sure this is a bug.

I tried this again with two clean installs (4.7.1) on Linux, one in a VM.

Compare this on the DC:

# ./bin/wbinfo -n'MYDOM\administrator'
S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
# ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
0

to this on the Domain member:

# ./bin/wbinfo -n'MYDOM\Administrator'
S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
# ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2836217491-369655975-2769631473-500 to uid

With other accounts I don't see that error.

In the log.winbindd (log level = 10) on the member I see this:

[2017/11/14 20:14:36.631151, 1, pid=2654, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
      out: struct wbint_Sids2UnixIDs
          ids : *
              ids: struct wbint_TransIDArray
                  num_ids : 0x00000001 (1)
                  ids: ARRAY(1)
                      ids: struct wbint_TransID
                          type : ID_TYPE_UID (1)
                          domain_index : 0x00000000 (0)
                          rid : 0x000001f4 (500)
                          xid: struct unixid
                              id : 0xffffffff (4294967295)
                              type : ID_TYPE_NOT_SPECIFIED (0)

So it seems like I get back -1 (0xffffffff) as the uid. Should I file a bug ticket?

Thanks,
Fabian

2017-11-14 10:35 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Mon, 13 Nov 2017 23:15:15 +0100
> Fabian Fritz <fabianfuture at web.de> wrote:
>
> > I see. I know, the range is a bit odd, but I previously used NIS to
> > get the Unix users from another machine. Now I'm updating to AD and
> > don't use NIS anymore. Since I want to keep all the file ownerships (I
> > use this solaris member as a file server), I had to map the domain
> > users to that same range.
>
> OK, hindsight is a wonderful thing, but starting the ID range at 100
> isn't a good idea (for the reason I gave), but sometimes you have to.
>
> > I used the Administrator to login to some Windows machine in the
> > domain and was surprised when I got an ACCESS_DENIED when I tried to
> > mount a network share there. So this only happens for Administrator?
> > So I have to use one of the users in the domain admins group when I
> > need to do administrative stuff on my windows machines and also need
> > the shares?
>
> If you use a user.map, Administrator becomes 'root' on Unix domain
> members and root can do anything on a Unix domain member.
>
> Try reading this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> If you have any questions after reading that, just ask ;-)
>
> Rowland
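As an added example (not code from the thread or from Samba), a small Python triage script for the two things discussed above: it picks out, from the wbint_Sids2UnixIDs block Fabian posted, any RID whose xid came back as 0xffffffff (no uid found by the idmap backend), and it audits the idmap ranges from the smb.conf for Rowland's concern that a domain range starting at 100 collides with local system uids. The log and config excerpts are constructed from values in the thread; the local-uid ceiling of 999 is an assumption.

```python
import re

# Constructed excerpt of log.winbindd (log level = 10), shaped like the
# wbint_Sids2UnixIDs reply in the thread: Administrator (RID 500) comes back
# with xid -1, i.e. the idmap backend found no uid for it.
SAMPLE_LOG = """\
wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
    out: struct wbint_Sids2UnixIDs
        ids: struct wbint_TransID
            type : ID_TYPE_UID (1)
            domain_index : 0x00000000 (0)
            rid : 0x000001f4 (500)
            xid: struct unixid
                id : 0xffffffff (4294967295)
                type : ID_TYPE_NOT_SPECIFIED (0)
"""

# Constructed smb.conf fragment carrying the thread's idmap settings.
SAMPLE_CONF = """\
[global]
   idmap config MYDOM : backend = ad
   idmap config MYDOM : range = 100 - 60000
   idmap config * : backend = tdb
   idmap config * : range = 60001 - 61000
"""

_TRANSID = re.compile(
    r"rid\s*:\s*0x[0-9a-f]+\s*\((\d+)\)\s*"                         # rid : 0x... (500)
    r"xid:\s*struct unixid\s*id\s*:\s*0x[0-9a-f]+\s*\((\d+)\)\s*"   # id : 0x... (n)
    r"type\s*:\s*(\w+)", re.S | re.I)                                # type : ID_TYPE_...

def unmapped_rids(log_text):
    """RIDs whose SID->unixid translation returned -1 (0xffffffff)."""
    return [int(rid) for rid, xid, xtype in _TRANSID.findall(log_text)
            if int(xid) == 0xFFFFFFFF or xtype.upper() == "ID_TYPE_NOT_SPECIFIED"]

_RANGE = re.compile(r"idmap config (\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)")

def audit_ranges(conf_text, local_max=999):
    """Warn when an idmap range covers local system uids or overlaps another."""
    ranges = {d: (int(lo), int(hi)) for d, lo, hi in _RANGE.findall(conf_text)}
    warnings = [f"{d}: range {lo}-{hi} overlaps local uids <= {local_max}"
                for d, (lo, hi) in ranges.items() if lo <= local_max]
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:   # closed intervals intersect
                warnings.append(f"{a} and {b} ranges overlap")
    return warnings
```

A RID 500 in the unmapped list on an idmap_ad member is the symptom from the thread: the backend has no uidNumber to hand back, which is why Rowland's user.map of Administrator to root is the usual fix rather than a range change.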