RPvs> On Tue, 22 May 2018 09:08:31 -0700
RPvs> Gregory Sloop via samba <samba at lists.samba.org> wrote:
>> I was under the impression that during provision that the
>> Administrator account got all the domain [and other] "root" privs by
>> default. If that's the case, why doesn't Administrator have the privs
>> we'd expect? [Perhaps I misunderstand what Administrator starts with
>> after an initial provision.]
RPvs> Administrator doesn't get any privileges normally, but it does
RPvs> inherit all the 'Administrators' group privileges, but even this
RPvs> group doesn't get them all AND they only apply to the DC.
RPvs> You need to create them on each Unix machine.
RPvs>
Yeah, I get that too. But since I'm simply doing user/computer maintenance
in RSAT [in the AD], then Administrator _should_ have the correct privs to do
what's required, right?
Obviously, the "Administrator" account won't have any file-system
privs etc, unless properly granted. But I'm not [at least as far as I know]
doing any changes to the filesystem or files. I'm simply trying to
add/view/change AD attributes. [i.e. Create/View/Change attributes in a
user/computer in Active Directory]
>> As to your prior message - the FreeNAS box isn't part of the setup
>> yet. I'm just trying to get the user and computer accounts I'll need
>> to join the NAS to AD ready.
RPvs> If the NAS isn't part of a domain, it isn't like to know who a domain
RPvs> user or group is, is it ;-)
Correct. But I'm simply trying to view a RSAT created user and/or computer
account and view the "security" tab when RSAT hangs. [I can't
begin to handle joining the NAS until I have a properly configured user and
computer account in AD. And these RSAT steps are pre-reqs for that.]
Are we on the same page now? :)
---
If not, let me go back and restate, briefly, the root problem.
Provisioned a *new* AD domain using Ubuntu 18.04 packaged Samba. [Not an AD
join.]
Took a Win7 machine, installed RSAT on it [but didn't join it to the
domain.]
Pointed MSC at the domain.
Add in the user/computer RSAT tool.
At this point I can view the AD tree [for users/computers].
I can see in the Samba logs, the RSAT tool querying AD, and getting answers.
I can create users and computers fine. [And see that happen in Samba logging.]
In the setup steps for the NAS, I'm instructed to modify a setting on the
"security" tab in RSAT for the computer account [which I created above]
When I try to view the "security" tab of a user or computer object,
RSAT hangs.
This is a Log 5 of the relevant logs, when that happens.
---
[2018/05/21 19:03:39.828780, 4]
../auth/auth_log.c:860(log_successful_authz_event_human_readable)
Successful AuthZ: [DCE/RPC,ncacn_np] user [AD]\[Administrator]
[S-1-5-21-787471243-3174888660-1208226227-500] at [Mon, 21 May 2018
19:03:39.828768 PDT] Remote host [ipv4:10.115.1.154:49441] local host
[ipv4:10.115.1.231:445]
[2018/05/21 19:03:39.828973, 4] ../auth/auth_log.c:220(log_json)
JSON Authorization: {"timestamp":
"2018-05-21T19:03:39.828933-0700", "type":
"Authorization", "Authorization": {"version":
{"major": 1, "minor": 0}, "localAddress":
"ipv4:10.115.1.231:445", "remoteAddress":
"ipv4:10.115.1.154:49441", "serviceDescription":
"DCE/RPC", "authType": "ncacn_np",
"domain": "AD", "account":
"Administrator", "sid":
"S-1-5-21-787471243-3174888660-1208226227-500",
"logonServer": "SNCC-ADC1", "transportProtection":
"SMB", "accountFlags": "0x00000010"}}
[2018/05/21 19:03:39.829092, 3] ../auth/auth_log.c:139(get_auth_event_server)
get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2018/05/21 19:03:39.835556, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2018/05/21 19:03:39.835706, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2018/05/21 19:04:07.594760, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
[2018/05/21 19:04:07.595045, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
[2018/05/21 19:04:07.595251, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
[2018/05/21 19:04:07.595416, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_RESET'
[2018/05/21 19:04:07.595741, 2]
../source4/smbd/process_standard.c:473(standard_terminate)
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_RESET'
[2018/05/21 19:04:07.596010, 2]
../source4/smbd/process_standard.c:473(standard_terminate)
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_RESET'
[2018/05/21 19:04:07.596253, 2]
../source4/smbd/process_standard.c:473(standard_terminate)
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_RESET'
[2018/05/21 19:04:07.596487, 2]
../source4/smbd/process_standard.c:473(standard_terminate)
standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
NT_STATUS_CONNECTION_RESET]
standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
NT_STATUS_CONNECTION_RESET]
standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
NT_STATUS_CONNECTION_RESET]
standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
NT_STATUS_CONNECTION_RESET]
[2018/05/21 19:04:07.611197, 2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
Child 28639 () exited with status 0
[2018/05/21 19:04:07.611422, 2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
Child 28630 () exited with status 0
[2018/05/21 19:04:07.611573, 2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
Child 28602 () exited with status 0
[2018/05/21 19:04:07.611724, 2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
Child 28609 () exited with status 0
---
Again - much thanks for the help so far. Hopefully I can nail this down.
-Greg
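
An added example, not part of the original message: a small Python parser for level-4/5 Samba logs in the layout quoted above, which separates the "JSON Authorization" audit events from the connection terminations that follow them, so an admin can see who was authorized over which transport and which NT_STATUS codes ended the sessions. The function names and the sample log are constructed for illustration; the sample reuses field names and addresses from the excerpt in the message.

```python
import json
import re
from collections import Counter

# Constructed sample in the same layout as the excerpt above (header line, then message lines).
SAMPLE_LOG = """\
[2018/05/21 19:03:39.828973, 4] ../auth/auth_log.c:220(log_json)
  JSON Authorization: {"timestamp": "2018-05-21T19:03:39.828933-0700", "type":
  "Authorization", "Authorization": {"version": {"major": 1, "minor": 0},
  "localAddress": "ipv4:10.115.1.231:445", "remoteAddress": "ipv4:10.115.1.154:49441",
  "serviceDescription": "DCE/RPC", "authType": "ncacn_np", "domain": "AD",
  "account": "Administrator", "transportProtection": "SMB"}}
[2018/05/21 19:03:39.835556, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2018/05/21 19:04:07.595741, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv()
  - NT_STATUS_CONNECTION_RESET'
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} [\d:.]+),\s*(\d+)\]")
STATUS = re.compile(r"NT_STATUS_\w+")
MARKER = "JSON Authorization: "

def records(text):
    """Yield (timestamp, level, message); wrapped message lines are rejoined."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            current = [m.group(1), int(m.group(2)), []]
        elif current and line.strip():
            current[2].append(line.strip())
    if current:
        yield current[0], current[1], " ".join(current[2])

def summarize(text):
    """Return (authorization events, Counter of NT_STATUS codes on terminations)."""
    authz, drops = [], Counter()
    for _ts, _level, msg in records(text):
        if MARKER in msg:
            try:
                event = json.loads(msg.split(MARKER, 1)[1])["Authorization"]
            except (ValueError, KeyError):
                continue  # record truncated or wrapped inside a JSON string
            authz.append((event.get("account"), event.get("serviceDescription"),
                          event.get("transportProtection")))
        elif "Terminating connection" in msg:
            drops.update(STATUS.findall(msg))
    return authz, drops
```
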