Henry Jensen
2018-May-25 13:37 UTC
[Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid
Hello,
this is a Samba AD Domain upgraded from Samba 3.x with classicupgrade.
Debian 9.4
Samba: 4.7.6 (packages from tranquil.it)
# cat /etc/samba/smb.conf
[global]
netbios name = DC1
realm = IWW.LAN
server role = active directory domain controller
workgroup = IWW
idmap_ldb:use rfc2307 = yes
dns forwarder = 172.16.1.12
dsdb:schema update allowed=true
[netlogon]
path = /var/lib/samba/sysvol/iww.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception - ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/iww.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
    direct_db_access)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
Running "samba-tool ntacl sysvolcheck" doesn't fix this.
In my investigation of this I tried to use the script from
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh.
This led to another error:
root at dc1:~# wbinfo -S S-1-5-32-544
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to uid
However, other SIDs do work:
root at dc1:~# wbinfo -S S-1-5-32-543
3000023
root at dc1:~# wbinfo -S S-1-5-32-545
3000007
S-1-5-32-544 is the Administrator group, which is a builtin group. I
noticed that this group already existed in the Samba 3 OpenLDAP DIT
with gidNumber 514.
There are other builtin groups which pre-existed in OpenLDAP. All these
pre-existing groups have Posix attributes (gidNumber, objectClass posixGroup) set
and raise the same error. Other well-known SIDs which did not
pre-exist can be converted to UIDs.
So my first idea was to remove those Posix attributes from the
problematic groups (I tried it on Backup Operators S-1-5-32-551), but to no
avail.
Is it possible that the sysvolcheck error is related to this?
Any suggestions on how to proceed?
Kind Regards,
Henry
Rowland Penny
2018-May-25 14:07 UTC
[Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid
On Fri, 25 May 2018 15:37:10 +0200 Henry Jensen via samba <samba at lists.samba.org> wrote:
> Hello,
>
> this is a Samba AD Domain upgraded from Samba 3.x with classicupgrade.
>
> Debian 9.4
> Samba: 4.7.6 (packages from tranquil.it)
>
> # samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> exception - ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/iww.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object File

If you look closely (very closely), you will see that there is only one letter different, it is at the very start:

O:LAG:DAD:P(
O:DAG:DAD:P(

LA = Local Administrator
DA = Domain Admins

> running "samba-tool ntacl sysvolcheck" doesn't fix this.

Well it wouldn't, they are both borked.

Just do administration from Windows

> S-1-5-32-544 is the Administrator group, which is a builtin group. I

No, it is the 'Administrators' group

> noticed, that this group already existed in the Samba 3 OpenLDAP DIT
> with gidNumber 514.

If we take it that '514' is actually a windows RID, then the group should be Domain Guests.

> There are other builtin groups which pre-existed in OpenLDAP. All
> this pre-existing groups have Posix attributes (gidNumber,
> objectClass posixGroup) set and raises the same error. Other
> well-known SIDs which have not pre-existed can be converted to UIDs

From my experience, the only AD user/group in AD with a RID less than 1000 that should have a uidNumber or gidNumber is Domain Users.

> So my first idea was to remove those Posix attributes from the
> problematic groups (I tried it on Backup Operators S-1-5-32-551), but
> to no avail.

Ah, you probably missed the magic incantation 'net cache flush' ;-)

> Is it possible, that sysvolcheck error is related to this?

No.

Rowland
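The "look closely" comparison done mechanically, as an added example that is not code from the thread or from Samba: it parses both SDDL strings from the sysvolcheck error above into owner, group, DACL control flags and ACEs, and reports only the components that differ (here the owner, LA versus DA). The two-letter alias names are the standard SDDL abbreviations; the function names and output format are this example's own.

```python
import re
from collections import Counter

# Both SDDL strings are copied from the sysvolcheck error message in the thread.
ACTUAL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
          "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
            "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Two-letter SID aliases used in these strings (standard SDDL abbreviations).
ALIASES = {"LA": "Local Administrator", "DA": "Domain Admins", "EA": "Enterprise Admins",
           "CO": "Creator Owner", "SY": "Local System", "AU": "Authenticated Users",
           "ED": "Enterprise Domain Controllers"}

SDDL_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dacl>.*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACE tuples."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    dacl = m.group("dacl")
    flags = dacl.split("(", 1)[0]   # e.g. "P" = protected, no inheritance from the parent
    # Each ACE is type;flags;rights;object_guid;inherit_object_guid;trustee
    aces = [tuple(a.split(";")) for a in ACE_RE.findall(dacl)]
    if any(len(a) != 6 for a in aces):
        raise ValueError("malformed ACE in %r" % sddl)
    return {"owner": m.group("owner"), "group": m.group("group"), "flags": flags, "aces": aces}

def diff_sddl(actual, expected):
    """Return (field, actual, expected) triples for every component that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = [(k, a[k], e[k]) for k in ("owner", "group", "flags") if a[k] != e[k]]
    # Compare ACEs as multisets so a duplicated ACE (the DA entry above) is counted, not collapsed.
    ca, ce = Counter(a["aces"]), Counter(e["aces"])
    for ace in sorted(set(ca) | set(ce)):
        if ca[ace] != ce[ace]:
            diffs.append(("ace " + ";".join(ace), str(ca[ace]), str(ce[ace])))
    return diffs

def describe(sid):
    """Expand a two-letter SDDL alias for the report; unknown strings are passed through."""
    return "%s (%s)" % (sid, ALIASES[sid]) if sid in ALIASES else sid

if __name__ == "__main__":
    for field, got, want in diff_sddl(ACTUAL, EXPECTED):
        print("%s: %s != %s" % (field, describe(got), describe(want)))
```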
Henry Jensen
2018-May-25 14:39 UTC
[Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid
On Fri, 25 May 2018 15:07:57 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:
> > running "samba-tool ntacl sysvolcheck" doesn't fix this.
>
> Well it wouldn't, they are both borked.
>
> Just do administration from Windows

OK, maybe this is something which should be mentioned in the wiki. The reason I got to this was that I wanted to try sysvol replication. The wiki at https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory mentions that you should, i.e., copy idmap.ldb from the first DC to the new DC and then run "samba-tool ntacl sysvolreset". Is this instruction still valid?

> > S-1-5-32-544 is the Administrator group, which is a builtin group. I
>
> No, it is the 'Administrators' group

Yes, of course.

> > noticed, that this group already existed in the Samba 3 OpenLDAP DIT
> > with gidNumber 514.
>
> If we take it that '514' is actually a windows RID, then the group
> should be Domain Guests.

Yeah, it was 544. It is Friday afternoon - maybe not the best time to write technical mails ;)

> From my experience, the only AD user/group in AD with a RID less than
> 1000 that should have a uidNumber or gidNumber is Domain Users.
>
> > So my first idea was to remove those Posix attributes from the
> > problematic groups (I tried it on Backup Operators S-1-5-32-551), but
> > to no avail.
>
> Ah, you probably missed the magic incantation 'net cache flush' ;-)

That was it. Thank you.

Kind regards,
Henry