Fabian Fritz
2017-Nov-14 20:36 UTC
[Samba] winbind finds all domain users except Administrator
I tried mapping to root but I still get an ACCESS_DENIED when I try to mount a share from the domain member.

I'd be very surprised if the samba admin account is the one and only account that is intentionally denied from accessing shares on a member.

I'm pretty sure this is a bug. I tried this again with two clean installs (4.7.1) on Linux, one in a VM. Compare this on the DC:

# ./bin/wbinfo -n'MYDOM\administrator'
S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
# ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
0

to this on the domain member:

# ./bin/wbinfo -n'MYDOM\Administrator'
S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)

# ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"

failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2836217491-369655975-2769631473-500 to uid

With other accounts I don't see that error.

In the log.winbindd (log level = 10) on the member I see this:

[2017/11/14 20:14:36.631151,  1, pid=2654, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
     wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
        out: struct wbint_Sids2UnixIDs
            ids                      : *
                ids: struct wbint_TransIDArray
                    num_ids                  : 0x00000001 (1)
                    ids: ARRAY(1)
                        ids: struct wbint_TransID
                            type                     : ID_TYPE_UID (1)
                            domain_index             : 0x00000000 (0)
                            rid                      : 0x000001f4 (500)
                            xid: struct unixid
                                id                       : 0xffffffff (4294967295)
                                type                     : ID_TYPE_NOT_SPECIFIED (0)

So it seems like I get back -1 (0xffffffff) as the uid. Should I file a bug ticket?

Thanks,
Fabian

2017-11-14 10:35 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Mon, 13 Nov 2017 23:15:15 +0100
> Fabian Fritz <fabianfuture at web.de> wrote:
>
> > I see. I know, the range is a bit odd, but I previously used NIS to
> > get the Unix users from another machine. Now I'm updating to AD and
> > don't use NIS anymore. Since I want to keep all the file ownerships (I
> > use this Solaris member as a file server), I had to map the domain
> > users to that same range.
>
> OK, hindsight is a wonderful thing, but starting the ID range at 100
> isn't a good idea (for the reason I gave), but sometimes you have to.
>
> > I used the Administrator to login to some Windows machine in the
> > domain and was surprised when I got an ACCESS_DENIED when I tried to
> > mount a network share there. So this only happens for Administrator?
> > So I have to use one of the users in the domain admins group when I
> > need to do administrative stuff on my windows machines and also need
> > the shares?
>
> If you use a user.map, Administrator becomes 'root' on Unix domain
> members and root can do anything on a Unix domain member.
>
> Try reading this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> If you have any questions after reading that, just ask ;-)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2017-Nov-14 21:00 UTC
[Samba] winbind finds all domain users except Administrator
On Tue, 14 Nov 2017 21:36:49 +0100
Fabian Fritz <fabianfuture at web.de> wrote:

> I tried mapping to root but I still get an ACCESS_DENIED when I try to
> mount a share from the domain member.
>
> I'd be very surprised if the samba admin account is the one and only
> account that is intentionally denied from accessing shares on a
> member.
>
> I'm pretty sure this is a bug. I tried this again with two clean
> installs (4.7.1) on Linux, one in a VM. Compare this on the DC:
>
> # ./bin/wbinfo -n'MYDOM\administrator'
> S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
> # ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
> 0
>
> to this on the domain member:
>
> # ./bin/wbinfo -n'MYDOM\Administrator'
> S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
>
> # ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
>
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-2836217491-369655975-2769631473-500 to
> uid
>
> With other accounts I don't see that error.
>
> In the log.winbindd (log level = 10) on the member I see this:
>
> [2017/11/14 20:14:36.631151,  1, pid=2654, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
>      wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
>         out: struct wbint_Sids2UnixIDs
>             ids                      : *
>                 ids: struct wbint_TransIDArray
>                     num_ids                  : 0x00000001 (1)
>                     ids: ARRAY(1)
>                         ids: struct wbint_TransID
>                             type                     : ID_TYPE_UID (1)
>                             domain_index             : 0x00000000 (0)
>                             rid                      : 0x000001f4 (500)
>                             xid: struct unixid
>                                 id                       : 0xffffffff (4294967295)
>                                 type                     : ID_TYPE_NOT_SPECIFIED (0)
>
> So it seems like I get back -1 (0xffffffff) as the uid. Should I file
> a bug ticket?

NO

You do not use Administrator as a normal user on Unix, you wouldn't use Administrator like this on Windows.

Using wbinfo just shows that winbind can connect to AD, it doesn't show that the Unix OS knows who the AD users are, you need to use 'getent' for this.

You are using the winbind 'ad' backend with the range '100-60000'.
Does 'Domain Users' have a gidNumber attribute containing a number inside this range?
Even if it does, you will not get the Unix OS to recognise Administrator, because Administrator is mapped to 'root' and the Unix ID for 'root' is '0' and '0' is outside the '100-60000' range.
I know what your next thought will be, give Administrator a uidNumber inside the range, well, yes you could, but this would turn Administrator into a normal user as far as the Unix OS is concerned and isn't recommended.

Just use another user to mount the share ;-)

Rowland
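The two checks Rowland separates here (winbind can resolve the SID versus the Unix OS actually has a uid/gid inside the `idmap config` range) can be scripted so the Administrator case is caught before anyone files a bug. The script below is an added example written for this page; it is not from the thread or from Samba. It assumes the domain name MYDOM and the range 100-60000 quoted in the thread, and the smb.conf excerpt, the log line and the uidNumber values are constructed sample input, not data from the poster's systems.

```shell
#!/bin/sh
# Added example, not from the Samba thread or the Samba project.
# Assumes the domain MYDOM and the idmap range 100-60000 from the thread;
# everything below is constructed sample input.

# Constructed smb.conf excerpt in the shape the thread describes (ad backend, user.map).
SAMPLE_SMBCONF='[global]
   workgroup = MYDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000000-3999999
   idmap config MYDOM : backend = ad
   idmap config MYDOM : schema_mode = rfc2307
   idmap config MYDOM : range = 100-60000
   username map = /etc/samba/user.map'

# Constructed line in the shape of the level-10 log.winbindd output quoted in the thread.
SAMPLE_XID_LINE='                                id                       : 0xffffffff (4294967295)'

# idmap_range CONF DOMAIN -> prints "LOW HIGH" from "idmap config DOMAIN : range = LOW-HIGH".
# DOMAIN is used as a literal inside a sed expression, so pass a plain name, not "*".
idmap_range() {
    printf '%s\n' "$1" | sed -n \
        "s/^[[:space:]]*idmap config[[:space:]]*$2[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p"
}

# in_range LOW HIGH ID -> exit status 0 when LOW <= ID <= HIGH.
in_range() {
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

# xid_status LOGLINE -> "unmapped" when winbind returned the 0xffffffff (-1) sentinel
# seen in the thread's wbint_Sids2UnixIDs output, else "mapped:<hex id>".
xid_status() {
    xid_hex=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*id[[:space:]]*:[[:space:]]*\(0x[0-9a-fA-F]*\).*/\1/p')
    case "$xid_hex" in
        0xffffffff|0xFFFFFFFF) echo unmapped ;;
        0x*)                   echo "mapped:$xid_hex" ;;
        *)                     echo unknown ;;
    esac
}

# check_user DOMAIN USER UIDNUMBER -> prints a verdict, exit 0 only if the account is usable.
# A resolvable SID (wbinfo -n) is not enough: the uidNumber must exist and sit inside the range.
check_user() {
    set -- "$1" "$2" "$3" $(idmap_range "$SAMPLE_SMBCONF" "$1")
    if [ -z "$4" ]; then
        printf '%s: no "idmap config %s : range" on this member\n' "$1\\$2" "$1"
        return 2
    elif [ -z "$3" ]; then
        printf '%s: no uidNumber in AD; winbind returns 0xffffffff and getent finds nothing\n' "$1\\$2"
        return 1
    elif in_range "$4" "$5" "$3"; then
        printf '%s: uidNumber %s is inside %s-%s; usable on the member\n' "$1\\$2" "$3" "$4" "$5"
        return 0
    else
        printf '%s: uidNumber %s is outside %s-%s; not usable (root is 0, the Administrator case)\n' "$1\\$2" "$3" "$4" "$5"
        return 1
    fi
}

# Constructed demonstration: an in-range user, Administrator mapped to root, an account
# with no uidNumber, and the log line from above.
check_user MYDOM fabian 1001
check_user MYDOM Administrator 0
check_user MYDOM svc_backup ""
printf 'xid from log.winbindd: %s\n' "$(xid_status "$SAMPLE_XID_LINE")"
```

In practice the third argument to `check_user` would come from the account's uidNumber as seen by the member (for example the uid field of `getent passwd 'MYDOM\user'`, which is the check Rowland recommends); the hard-coded values here only exist so the script runs offline.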
Fabian Fritz
2017-Nov-14 21:27 UTC
[Samba] winbind finds all domain users except Administrator
Okay, right. Is there anything that the Samba administrator account can do that the users in the group domain admins can't (other than direct configurations on the samba server)?

Also on a kind of unrelated note: I have several Unix servers that used NIS up until now to get the users. I would prefer if they could get the username like right now, without the MYDOM\ prefix. Is it possible to configure winbind to leave out the domain or strip it? Or could I have them use LDAP to get the username from my DC without the domain? user map isn't an option, as then they'd have to have the accounts locally as well and I'd have to keep track of updates.

Thank you,
Fabian

2017-11-14 22:00 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Tue, 14 Nov 2017 21:36:49 +0100
> Fabian Fritz <fabianfuture at web.de> wrote:
>
> > I tried mapping to root but I still get an ACCESS_DENIED when I try to
> > mount a share from the domain member.
> >
> > I'd be very surprised if the samba admin account is the one and only
> > account that is intentionally denied from accessing shares on a
> > member.
> >
> > I'm pretty sure this is a bug. I tried this again with two clean
> > installs (4.7.1) on Linux, one in a VM. Compare this on the DC:
> >
> > # ./bin/wbinfo -n'MYDOM\administrator'
> > S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
> > # ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
> > 0
> >
> > to this on the domain member:
> >
> > # ./bin/wbinfo -n'MYDOM\Administrator'
> > S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
> >
> > # ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
> >
> > failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not convert sid S-1-5-21-2836217491-369655975-2769631473-500 to
> > uid
> >
> > With other accounts I don't see that error.
> >
> > In the log.winbindd (log level = 10) on the member I see this:
> >
> > [2017/11/14 20:14:36.631151,  1, pid=2654, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
> >      wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
> >         out: struct wbint_Sids2UnixIDs
> >             ids                      : *
> >                 ids: struct wbint_TransIDArray
> >                     num_ids                  : 0x00000001 (1)
> >                     ids: ARRAY(1)
> >                         ids: struct wbint_TransID
> >                             type                     : ID_TYPE_UID (1)
> >                             domain_index             : 0x00000000 (0)
> >                             rid                      : 0x000001f4 (500)
> >                             xid: struct unixid
> >                                 id                       : 0xffffffff (4294967295)
> >                                 type                     : ID_TYPE_NOT_SPECIFIED (0)
> >
> > So it seems like I get back -1 (0xffffffff) as the uid. Should I file
> > a bug ticket?
>
> NO
>
> You do not use Administrator as a normal user on Unix, you wouldn't use
> Administrator like this on Windows.
>
> Using wbinfo just shows that winbind can connect to AD, it doesn't show
> that the Unix OS knows who the AD users are, you need to use 'getent'
> for this.
>
> You are using the winbind 'ad' backend with the range '100-60000'.
> Does 'Domain Users' have a gidNumber attribute containing a number
> inside this range?
> Even if it does, you will not get the Unix OS to recognise
> Administrator, because Administrator is mapped to 'root' and the Unix
> ID for 'root' is '0' and '0' is outside the '100-60000' range.
> I know what your next thought will be, give Administrator a uidNumber
> inside the range, well, yes you could, but this would turn
> Administrator into a normal user as far as the Unix OS is concerned
> and isn't recommended.
>
> Just use another user to mount the share ;-)
>
> Rowland