On 06.12.2017 at 10:14, Rowland Penny via samba wrote:
> On Tue, 5 Dec 2017 15:39:25 -0700 (MST)
> Mariusz80 via samba <samba at lists.samba.org> wrote:
>
>> Well permissions are working fine but, if I create for example "new
>> folder" then the owner is root and what about the main problem with
>> mmc.
>>
>
> New files/directories will be created with 'root' as the owner because
> 'Administrator' is mapped to 'root'.
>
> If I run mmc.dsc on the win7 PC and connect to the share, everything
> works for me.

I actually have the same problem. The Security tab works as expected.
Only "Sessions" and "Open Files" do not work. On a DM but work on a DC.

This is with the idmap AD backend not rid and Administrator does not
have a uid assigned.

In the logs I see this:

Successful AuthZ: [srvsvc,ncacn_np] user [BRAIN-02]\[Administrator] [S-1-22-1-0] at [Mi, 06 Dez 2017 10:00:22.032080 CET] Remote host [ipv4:x.x.x.x:35170] local host [NULL]
Dec 6 10:00:22 lx-sv-03 smbd_audit: [2017/12/06 10:00:22.035679, 1] ../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1468(_srvsvc_NetSessEnum)
Dec 6 10:00:22 lx-sv-03 smbd_audit: Enumerating sessions only allowed for administrators

Samba Version is 4.7.3 on the DM

wbinfo --sid-to-name=S-1-22-1-0

Unix User\root 1

getent passwd Administrator

returns nothing

wbinfo --uid-to-sid=0
S-1-22-1-0

wbinfo -i Administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user Administrator

On the DC Samba version is 4.6.11

wbinfo --sid-to-name=S-1-22-1-0
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-22-1-0

getent passwd Administrator

returns nothing

wbinfo --uid-to-sid=0
S-1-5-21-773202902-494389186-2375354597-500

wbinfo -i Administrator
BRAIN-02\administrator:*:0:10000::/home/BRAIN-02/administrator:/bin/false

Any ideas?

>
> Rowland
>

-- 
Dr. Christian Naumer
Research Scientist
Platform Coordinator Bioprocess Engineering
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30 / fax +49-6251-9331-11
Follow @BRAINbiotech on Twitter: https://twitter.com/BRAINbiotech
Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Executive board: Dr. Juergen Eck (Chairman), Frank Goebel
Chairman of the supervisory board: Dr. Ludger Mueller

On Wed, 6 Dec 2017 10:40:14 +0100
Christian Naumer via samba <samba at lists.samba.org> wrote:

> On 06.12.2017 at 10:14, Rowland Penny via samba wrote:
> > On Tue, 5 Dec 2017 15:39:25 -0700 (MST)
> > Mariusz80 via samba <samba at lists.samba.org> wrote:
> >
> >> Well permissions are working fine but, if I create for example "new
> >> folder" then the owner is root and what about the main problem with
> >> mmc.
> >>
> >
> > New files/directories will be created with 'root' as the owner
> > because 'Administrator' is mapped to 'root'.
> >
> > If I run mmc.dsc on the win7 PC and connect to the share, everything
> > works for me.
> I actually have the same problem. The Security tab works as expected.
> Only "Sessions" and "Open Files" do not work. On a DM but work on a
> DC.
>
> This is with the idmap AD backend not rid and Administrator does not
> have a uid assigned.
>
> In the logs I see this:
>
>
> Successful AuthZ: [srvsvc,ncacn_np] user [BRAIN-02]\[Administrator]
> [S-1-22-1-0] at [Mi, 06 Dez 2017 10:00:22.032080 CET] Remote host
> [ipv4:x.x.x.x:35170] local host [NULL]
> Dec 6 10:00:22 lx-sv-03 smbd_audit: [2017/12/06 10:00:22.035679, 1]
> ../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1468(_srvsvc_NetSessEnum)
> Dec 6 10:00:22 lx-sv-03 smbd_audit: Enumerating sessions only
> allowed for administrators
>
>
> Samba Version is 4.7.3 on the DM
>
> wbinfo --sid-to-name=S-1-22-1-0
>
> Unix User\root 1
>
> getent passwd Administrator
>
> returns nothing
>
> wbinfo --uid-to-sid=0
> S-1-22-1-0

I get:

failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert uid 0 to sid

> wbinfo -i Administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user Administrator
>
>
> On the DC Samba version is 4.6.11
>
> wbinfo --sid-to-name=S-1-22-1-0
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-22-1-0
>
> getent passwd Administrator
>
> returns nothing

I get:

SAMDOM\administrator:*:0:10000::/home/SAMDOM/administrator:/bin/bash

I have libnss_winbind set up on the DC, do you ?

My only thought at this time is, do you have a user in AD called
'root' ?

Rowland

On Wed, 6 Dec 2017 11:59:44 +0100
Christian Naumer <cn at brain-biotech.de> wrote:

> On 06.12.2017 at 11:22, Rowland Penny via samba wrote:
>
> > I have libnss_winbind set up on the DC, do you ?
> >
>
> not on the DCs only on the DMs
>
>
> > My only thought at this time is, do you have a user in AD called
> > 'root' ?
>
> no. definitely not.
>
>
> Is it normal that Administrator maps to different SIDs on DCs and DMs?
>

No, the SID-RID for 'Administrator' should be in the form:

S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-500

Where 'S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx' is the domain SID
and '500' is the RID. The SID should be the same on all domain
computers: DCs, Windows PCs or Unix domain members, if you are getting
different SIDs on some machines then that machine doesn't seem to be a
member of the AD domain.

Rowland

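The rule stated in the reply above (Administrator should resolve to the domain SID plus RID 500 on every domain machine) as an added shell example; it is not part of the original thread and not Samba code. The function names and the host labels `dc` and `dm` are assumptions, and the two sample SIDs are the `wbinfo --uid-to-sid=0` results quoted in the thread. `S-1-22-1-<uid>` and `S-1-22-2-<gid>` are Samba's Unix User and Unix Group SID spaces.

```sh
#!/bin/sh
# Added example (not from the thread). Input lines are "host sid", e.g. the
# output of `wbinfo --uid-to-sid=0` collected per host.

# classify_sid SID: print the kind of principal the SID denotes.
classify_sid() {
    case $1 in
        S-1-*) ;;
        *) echo "invalid"; return 0 ;;
    esac
    case $1 in
        *[!S0-9-]*|*--*|*-) echo "invalid"; return 0 ;;
    esac
    _old_ifs=$IFS; IFS=-
    set -- $1                      # split the SID into its sub-authorities
    IFS=$_old_ifs
    if [ "$#" -eq 8 ] && [ "$3" = 5 ] && [ "$4" = 21 ]; then
        echo "domain S-1-5-21-$5-$6-$7 rid=$8"
    elif [ "$#" -eq 5 ] && [ "$3" = 22 ] && [ "$4" = 1 ]; then
        echo "unix-user uid=$5"    # Samba's "Unix User" SID space
    elif [ "$#" -eq 5 ] && [ "$3" = 22 ] && [ "$4" = 2 ]; then
        echo "unix-group gid=$5"   # Samba's "Unix Group" SID space
    else
        echo "other"
    fi
}

# check_admin_sids: one verdict per host; returns 1 if any host does not
# report <domain SID>-500 or disagrees with the first domain SID seen.
check_admin_sids() {
    _dom=""; _rc=0
    while read -r _host _sid; do
        [ -n "$_host" ] || continue
        _class=$(classify_sid "$_sid")
        case $_class in
            "domain "*" rid=500")
                _d=${_class#domain }; _d=${_d% rid=500}
                [ -n "$_dom" ] || _dom=$_d
                if [ "$_d" = "$_dom" ]; then echo "$_host ok"
                else echo "$_host different-domain-sid"; _rc=1; fi ;;
            *)  echo "$_host not-domain-administrator ($_class)"; _rc=1 ;;
        esac
    done
    return "$_rc"
}

# Sample input built from the two results quoted in the thread.
sample_results() {
    printf '%s\n' 'dc S-1-5-21-773202902-494389186-2375354597-500' 'dm S-1-22-1-0'
}

sample_results | check_admin_sids || true
```
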
On 06.12.2017 at 12:17, Rowland Penny via samba wrote:
>
> Where 'S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx' is the domain SID
> and '500' is the RID. The SID should be the same on all domain
> computers: DCs, Windows PCs or Unix domain members, if you are getting
> different SIDs on some machines then that machine doesn't seem to be a
> member of the AD domain.

one of those problems again...

The DMs were "normally" joined to the domain. And two of them serve
about 100 clients without problems. As we don't use the mmc for much
I'll just leave it that way.

Regards

Christian

>
> Rowland
>