samba - Dec 2017 - MMC issue

Samba - General mailing list wrote
> On Tue, 5 Dec 2017 13:15:53 -0700 (MST)
> Mariusz80 via samba <
> samba at .samba
> > wrote:
> 
>> Samba - General mailing list wrote
>> > On Tue, 5 Dec 2017 12:27:24 -0700 (MST)
>> > Mariusz80 via samba <
>> 
>> > samba at .samba
>> 
>> > > wrote:
>> > 
>> >> Samba - General mailing list wrote
>> >> > On Tue, 5 Dec 2017 12:00:55 -0700 (MST)
>> >> > Mariusz80 via samba <
>> >> 
>> >> > samba at .samba
>> >> 
>> >> > > wrote:
>> >> > 
>> >> >> Samba - General mailing list wrote
>> >> >> > On Tue, 5 Dec 2017 11:11:33 -0700 (MST)
>> >> >> > Mariusz80 via samba <
>> >> >> 
>> >> >> > samba at .samba
>> >> >> 
>> >> >> > > wrote:
>> >> >> > 
>> >> >> >> Samba - General mailing list wrote
>> >> >> >> > On Tue, 5 Dec 2017 10:37:02 -0700 (MST)
>> >> >> >> > Mariusz80 via samba <
>> >> >> >> 
>> >> >> >> > samba at .samba
>> >> >> >> 
>> >> >> >> > > wrote:
>> >> >> >> > 
>> >> >> >> >> Hi
>> >> >> >> >> I have a strange problem with
Shared folders in MMC.
>> >> >> >> >> While I try to connect to linux
machine and list Open
>> >> >> >> >> files or Sessions I got a message
"You do not have
>> >> >> >> >> permission to view the list of
sessions from Windows
>> >> >> >> >> clients". The problem exists
only if I try to connect to
>> >> >> >> >> linux machines (Windows Server is
ok), and only for
>> >> >> >> >> Administrator account. From other
accounts with
>> >> >> >> >> Administrator priviliges there is
no problem at all.
>> >> >> >> >> 
>> >> >> >> >> In the logs there is:
>> >> >> >> >>
>> >> >>
>> ../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1274(_srvsvc_NetFileEnum)
>> >> >> >> >>   Enumerating files only allowed
for administrators
>> >> >> >> >> 
>> >> >> >> >> Any advice?
>> >> >> >> >> 
>> >> >> >> >> Thanks
>> >> >> >> >> Mariusz
>> >> >> >> >> 
>> >> >> >> >> 
>> >> >> >> >> 
>> >> >> >> >> --
>> >> >> >> >> Sent from:
>> >> >> >> >>
>> http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
>> >> >> >> >> 
>> >> >> >> > 
>> >> >> >> > How is Samba set up on the Linux
machine ?
>> >> >> >> > 
>> >> >> >> > Rowland
>> >> >> >> > 
>> >> >> >> > -- 
>> >> >> >> > To unsubscribe from this list go to the
following URL and
>> >> >> >> > read the instructions:
>> >> >> >> >
https://lists.samba.org/mailman/options/samba
>> >> >> >> 
>> >> >> >> I did it according to:
>> >> >> >>
>> >>
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>> >> >> >> My smb.conf:
>> >> >> >> [global]
>> >> >> >>        security = ADS
>> >> >> >>        workgroup = some
>> >> >> >>        realm = some.domain.pl
>> >> >> >> 	   
>> >> >> >> 		allow trusted domains = Yes
>> >> >> >> 		winbind use default domain = Yes
>> >> >> >>         winbind nss info = rfc2307
>> >> >> >>         winbind refresh tickets = Yes
>> >> >> >> 
>> >> >> >>        log file = /var/log/samba/%m.log
>> >> >> >>        log level = 1
>> >> >> >> 	
>> >> >> >>        idmap config * : backend = tdb
>> >> >> >>        idmap config * : range = 3000-7999
>> >> >> >> 	
>> >> >> >> 	idmap config some : backend = rid
>> >> >> >> 	idmap config some: range = 10000-999999
>> >> >> >> 
>> >> >> >> 	winbind nss info = template
>> >> >> >> 	template shell = /bin/bash
>> >> >> >> 	template homedir = /home/%U
>> >> >> >> 	username map = /etc/samba/user.map
>> >> >> >> 	
>> >> >> >> 	winbind enum users = yes
>> >> >> >> 	winbind enum groups = yes
>> >> >> >> 
>> >> >> >> 	vfs objects = acl_xattr
>> >> >> >>        map acl inherit = yes
>> >> >> >>        store dos attributes = yes
>> >> >> >> 
>> >> >> > 
>> >> >> > Does 'getent passwd Administrator' give
any output ?
>> >> >> > 
>> >> >> > If it does, try adding this line to smb.conf:
>> >> >> > 
>> >> >> > username map = /etc/samba/user.map
>> >> >> > 
>> >> >> > Create the user.map:
>> >> >> > 
>> >> >> > nano /etc/samba/user.map
>> >> >> > 
>> >> >> > it should contain only:
>> >> >> > 
>> >> >> > !root = SAMDOM\Administrator
SAMDOM\administrator
>> >> >> > Administrator administrator
>> >> >> > 
>> >> >> > That is all on one line, replace
'SAMDOM' with your workgroup
>> >> >> > name and, if required, change the
'/etc/samba' path to the
>> >> >> > path to your smb.conf.
>> >> >> > 
>> >> >> > Rowland
>> >> >> > 
>> >> >> > -- 
>> >> >> > To unsubscribe from this list go to the
following URL and read
>> >> >> > the instructions:
>> >> >> > https://lists.samba.org/mailman/options/samba
>> >> >> 
>> >> >> getent passwd Administrator
>> >> >>
administrator:*:10500:10513::/home/administrator:/bin/bash
>> >> >> 
>> >> >> smb.conf already contains user.map
>> >> >> 
>> >> > 
>> >> > 
>> >> > The fact that 'Administrator' has an ID that
isn't '0' means
>> >> > that, to Linux, Administrator is just another user and
can only
>> >> > do what any normal user can do.
>> >> 
>> >> In fact on my dc Administrator has an id=0 and mmc is working
>> >> correctly. How can I solve that ? 
>> > 
>> > This is because on a DC, the mapping is done in idmap.ldb, so you
>> > don't need the user.map on a DC
>> >> 
>> >> 
>> >> > You could try running 'net cache flush'
>> >> 
>> >> net chache flush  doesn't give any output and nothing
change.
>> > 
>> > If 'doesn't give any output' means that 'getent
passwd
>> > Administrator' doesn't show what it did before, then try
again from
>> > windows, it should now work.
>> > 
>> > If you are still getting output from 'getent passwd
Administrator',
>> > please post your smb.conf
>> > 
>> > Rowland
>> > 
>> > -- 
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions:  https://lists.samba.org/mailman/options/samba
>> 
>> getent passwd Administrator still shows:
>> administrator:*:10500:10513::/home/administrator:/bin/bash
>> 
>> smb.conf:
>> [global]
>>        security = ADS
>>        workgroup = some
>>        realm = some.domain.pl
>> 	   
>> 		allow trusted domains = Yes
>> 		winbind use default domain = Yes
>>         winbind nss info = rfc2307
>>         winbind refresh tickets = Yes
>> 
>>        log file = /var/log/samba/%m.log
>>        log level = 1
>> 	
>>        idmap config * : backend = tdb
>>        idmap config * : range = 3000-7999
>> 	
>> 	idmap config some : backend = rid
>> 	idmap config some: range = 10000-999999
>> 
>> 	winbind nss info = template
>> 	template shell = /bin/bash
>> 	template homedir = /home/%U
>> 
>> 
>> 	username map = /etc/samba/user.map
>> 	
>> 	winbind enum users = yes
>> 	winbind enum groups = yes
>> 
>> 	vfs objects = acl_xattr
>>        map acl inherit = yes
>>        store dos attributes = yes
> 
> OK, I started a VM running a Unix domain member that uses the 'rid'
> backend and it does work in the same way as yours, I get the same
> result for 'getent passwd Administrator'.
> 
> I then started another VM running Windows 7, logged in as
> Administrator, connected to a share on the Unix domain member and via
> the security tab for the share, added permissions for another user.
> 
> So, whilst I didn't expect it to work, it did.
> 
> Rowland
>  
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
Well permisions are working fine but, if i create for example "new
folder"
then the owner is root and what about the main problem with mmc.

Mariusz



--
Sent from: http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html

On Tue, 5 Dec 2017 15:39:25 -0700 (MST)
Mariusz80 via samba <samba at lists.samba.org> wrote:
> Well permisions are working fine but, if i create for example "new
> folder" then the owner is root and what about the main problem with
> mmc.
> 
New files/directories will be created with 'root' as the owner because
'Administrator' is mapped to 'root'.

If I run mmc.dsc on the win7 PC and connect to the share, everything
works for me.

Rowland

Am 06.12.2017 um 10:14 schrieb Rowland Penny via samba:
> On Tue, 5 Dec 2017 15:39:25 -0700 (MST)
> Mariusz80 via samba <samba at lists.samba.org> wrote:
> 
>> Well permisions are working fine but, if i create for example "new
>> folder" then the owner is root and what about the main problem
with
>> mmc.
>>
> 
> New files/directories will be created with 'root' as the owner
because
> 'Administrator' is mapped to 'root'.
> 
> If I run mmc.dsc on the win7 PC and connect to the share, everything
> works for me.
I actually have the same problem. The Security tab works as expected.
Only "Sessions" and "Open Files" do not work. On an DM but
work on a DC.

This is with the idamp AD backend not rid and Administrator does not
have an uid assigned.

In the logs I see this:


Successful AuthZ: [srvsvc,ncacn_np] user [BRAIN-02]\[Administrator]
[S-1-22-1-0] at [Mi, 06 Dez 2017 10:00:22.032080 CET] Remote host
[ipv4:x.x.x.x:35170] local host [NULL]
Dec  6 10:00:22 lx-sv-03 smbd_audit: [2017/12/06 10:00:22.035679,  1]
../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1468(_srvsvc_NetSessEnum)
Dec  6 10:00:22 lx-sv-03 smbd_audit:  Enumerating sessions only allowed
for administrators


Samba Version is 4.7.3 on the DM

wbinfo --sid-to-name=S-1-22-1-0

Unix User\root 1

getent passwd Administrator

returns nothing

wbinfo --uid-to-sid=0
S-1-22-1-0

wbinfo -i Administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user Administrator


On the DC Samba version is 4.6.11

wbinfo --sid-to-name=S-1-22-1-0
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-22-1-0

getent passwd Administrator

returns nothing

wbinfo --uid-to-sid=0

S-1-5-21-773202902-494389186-2375354597-500

wbinfo -i Administrator
BRAIN-02\administrator:*:0:10000::/home/BRAIN-02/administrator:/bin/false


Any ideas?
> 
> Rowland
> 
-- 
Dr. Christian Naumer
Research Scientist
Plattform-Koordinator Bioprozesstechnik

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
fon +49-6251-9331-30  /   fax +49-6251-9331-11

Follow @BRAINbiotech on Twitter: https://twitter.com/BRAINbiotech

Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Dr. Juergen Eck (Vorsitzender), Frank Goebel
Aufsichtsratsvorsitzender: Dr. Ludger Mueller