Stefan G. Weichinger
2018-Sep-07 13:36 UTC
[Samba] "missing security tab" and related ACL issues
On 07.09.18 at 15:25, Rowland Penny via samba wrote:
> From what you have posted it doesn't, but when you do get them working,
> you need to understand that EA's and ACL's can work together or
> independently.
> If 'acl_xattr:ignore system acls = yes' is set, they work
> independently, if it isn't, they work together, see 'man
> vfs_acl_xattr' for more info.

Ok, I will try to remember, so far I have other non-samba issues, see below.

>> ?? no "domänen-admins" in here

> We need to find if the group has actually disappeared.
>
> Run this on a DC:
>
> ldbsearch -H ldap://dc3 '(samaccountname=Domain Admins)' -UAdministrator
>
> Replace 'dc3' with the DC's name.
>
> It should display the Domain Admins object

The DC there is a Windows server ...

I think: no ->

# ldbsearch -H ldap://dc1 '(samaccountname=Domain Admins)' -UAdministrator

[..]

# returned 3 records
# 0 entries
# 3 referrals

> See here: https://wiki.samba.org/index.php/File_System_Support
>
> If it passes the tests there, you should be good to go.

yes, I know, ext4 -> ok

I had to return to the former kernel because my newer kernel with its lpfc module could not talk correctly to the SAN. Booted the older kernel and have to research that first. Sure, I could enable the 2 parameters for the old kernel as well, but I avoided doing that right now ... I have to make sure that I always keep a valid kernel etc. and want to plan things without a hurry / the server is a few 100 km away ... so ... next week ;-)
On Fri, 7 Sep 2018 15:36:15 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 07.09.18 at 15:25, Rowland Penny via samba wrote:
>
> > From what you have posted it doesn't, but when you do get them
> > working, you need to understand that EA's and ACL's can work
> > together or independently.
> > If 'acl_xattr:ignore system acls = yes' is set, they work
> > independently, if it isn't, they work together, see 'man
> > vfs_acl_xattr' for more info.
>
> Ok, I will try to remember, so far I have other non-samba issues, see
> below.
>
> >> ?? no "domänen-admins" in here
>
> > We need to find if the group has actually disappeared.
> >
> > Run this on a DC:
> >
> > ldbsearch -H ldap://dc3 '(samaccountname=Domain Admins)'
> > -UAdministrator
> >
> > Replace 'dc3' with the DC's name.
> >
> > It should display the Domain Admins object
>
> The DC there is a Windows server ...
>
> I think: no ->
>
> # ldbsearch -H ldap://dc1 '(samaccountname=Domain Admins)'
> -UAdministrator
>
> [..]
>
> # returned 3 records
> # 0 entries
> # 3 referrals
>

I wonder if someone (for whatever reason) has renamed Domain Admins ?

Create a script 'get_admins.sh'

Containing this:

#!/bin/bash

DC=$1
PASS=$2
DOM=$3

DOMSID=$(ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
    "(&(objectclass=domain)(name=$DOM))" objectSid | grep objectSid | \
    awk '{print $NF}')

ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
    "(objectSid=${DOMSID}-512)"

exit 0

Run it like this:

bash ./get_admins.sh DC PASSWORD WORKGROUP

Replace:

DC with your DC's hostname

PASSWORD with your Administrator password

WORKGROUP with your lowercase workgroup name

If the SID-512 exists, it will display the object for that objectSid.

Rowland
Stefan G. Weichinger
2018-Sep-07 17:09 UTC
[Samba] "missing security tab" and related ACL issues
On 07.09.18 at 16:20, Rowland Penny via samba wrote:
> On Fri, 7 Sep 2018 15:36:15 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>> On 07.09.18 at 15:25, Rowland Penny via samba wrote:
>>
>>> From what you have posted it doesn't, but when you do get them
>>> working, you need to understand that EA's and ACL's can work
>>> together or independently.
>>> If 'acl_xattr:ignore system acls = yes' is set, they work
>>> independently, if it isn't, they work together, see 'man
>>> vfs_acl_xattr' for more info.
>>
>> Ok, I will try to remember, so far I have other non-samba issues, see
>> below.
>>
>>>> ?? no "domänen-admins" in here
>>
>>> We need to find if the group has actually disappeared.
>>>
>>> Run this on a DC:
>>>
>>> ldbsearch -H ldap://dc3 '(samaccountname=Domain Admins)'
>>> -UAdministrator
>>>
>>> Replace 'dc3' with the DC's name.
>>>
>>> It should display the Domain Admins object
>>
>> The DC there is a Windows server ...
>>
>> I think: no ->
>>
>> # ldbsearch -H ldap://dc1 '(samaccountname=Domain Admins)'
>> -UAdministrator
>>
>> [..]
>>
>> # returned 3 records
>> # 0 entries
>> # 3 referrals
>>
>
> I wonder if someone (for whatever reason) has renamed Domain Admins ?
>
> Create a script 'get_admins.sh'
>
> Containing this:
>
> #!/bin/bash
>
> DC=$1
> PASS=$2
> DOM=$3
>
> DOMSID=$(ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
>     "(&(objectclass=domain)(name=$DOM))" objectSid | grep objectSid | \
>     awk '{print $NF}')
>
> ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
>     "(objectSid=${DOMSID}-512)"
>
> exit 0
>
> Run it like this:
>
> bash ./get_admins.sh DC PASSWORD WORKGROUP
>
> Replace:
> DC with your DC's hostname
>
> PASSWORD with your Administrator password
>
> WORKGROUP with your lowercase workgroup name
>
> If the SID-512 exists, it will display the object for that objectSid.

yep, thanks.
I get

# record 1
dn: CN=Domänen-Admins,CN=Users,DC=mydomain,DC=intra
objectClass: top
objectClass: group
cn:: RG9tw6RuZW4tQWRtaW5z
description:: QWRtaW5pc3RyYXRvcmVuIGRlciBEb23DpG5l
member: CN=MI,CN=Users,DC=mydomain,DC=intra
member: CN=Administrator,CN=Users,DC=mydomain,DC=intra
distinguishedName:: Q049RG9tw6RuZW4tQWRtaW5zLENOPVVzZXJzLERDPW5vcmFzLERDPWludH
 Jh
instanceType: 4
whenCreated: 20130218123437.0Z
whenChanged: 20180507150906.0Z
uSNCreated: 12345
memberOf: CN=Abgelehnte RODC-Kennwortreplikationsgruppe,CN=Users,DC=mydomain,DC=i
 ntra
memberOf: CN=Administratoren,CN=Builtin,DC=mydomain,DC=intra
uSNChanged: 55909177
name:: RG9tw6RuZW4tQWRtaW5z
objectGUID: 7e533ce7-d6e6-47c4-baf2-0730b2e6f580
objectSid: S-1-5-21-2034248556-467506829-2175355384-512
adminCount: 1
sAMAccountName:: RG9tw6RuZW4tQWRtaW5z
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=intra
isCriticalSystemObject: TRUE
dSCorePropagationData: 20171116130219.0Z
dSCorePropagationData: 20130516110155.0Z
dSCorePropagationData: 20130516103841.0Z
dSCorePropagationData: 20130218133156.0Z
dSCorePropagationData: 16010101000000.0Z

But

# net rpc rights grant "Domänen-Admins" SeDiskOperatorPrivilege -U "mydomain\administrator"

fails also for "mydomain\Domänen-Admins"
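Two things in this thread are worth seeing in working code: Rowland's point that Domain Admins can always be found by its well-known RID 512 relative to the domain SID, however the group has been renamed or localised, and the `attr:: value` lines in the ldbsearch output above, which are base64-encoded because the values ("Domänen-Admins", "Administratoren der Domäne") contain non-ASCII characters, with long values folded onto a continuation line that starts with a single space. The script below is an added example, not code from the thread or from the Samba project. It runs offline on a constructed record in the shape ldbsearch prints (the DN, SID and values are made up), and assumes `awk` and a coreutils-style `base64 -d` are available.

```shell
#!/bin/sh
# Added example (not from the thread): parse an ldbsearch/LDIF record,
# unfold continuation lines, decode base64 ("attr:: ...") attributes and
# work with the well-known Domain Admins RID 512.

# Constructed sample record in ldbsearch output format; values are made up.
# "description" is deliberately folded over two lines, as ldbsearch does
# for long values (the continuation line begins with one space).
SAMPLE_RECORD='# record 1
dn: CN=Domänen-Admins,CN=Users,DC=example,DC=intra
objectClass: top
objectClass: group
cn:: RG9tw6RuZW4tQWRtaW5z
description:: QWRtaW5pc3RyYXRvcmVu
 IGRlciBEb23DpG5l
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
sAMAccountName:: RG9tw6RuZW4tQWRtaW5z

# returned 1 records
# 1 entries
# 0 referrals'

# Join LDIF folded lines: a line starting with a space continues the previous one.
ldif_unfold() {
    awk '
        /^ / { sub(/^ /, ""); buf = buf $0; next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    '
}

# Print the first value of attribute $1 from the record on stdin.
# "attr:: value" means the value is base64 (non-ASCII or binary), so decode it;
# "attr: value" is printed as-is.
ldif_attr() {
    ldif_unfold | awk -v a="$1" '
        index($0, a "::") == 1 { print "b64", substr($0, length(a) + 4); exit }
        index($0, a ":")  == 1 { print "raw", substr($0, length(a) + 3); exit }
    ' | {
        read -r kind value
        case "$kind" in
            b64) printf '%s' "$value" | base64 -d ;;
            raw) printf '%s' "$value" ;;
        esac
    }
}

# An account SID is "<domain SID>-<RID>"; dropping the last component gives
# the SID of the domain the object belongs to.
domain_sid_of() {
    printf '%s' "${1%-*}"
}

# Domain Admins always has RID 512 relative to the domain SID, so a renamed or
# localised group is still found by SID, which is what get_admins.sh relies on.
domain_admins_sid() {
    printf '%s-512' "$1"
}

# True when the SID is a domain-relative SID whose RID is 512.
is_domain_admins_sid() {
    case "$1" in
        S-1-5-21-*-512) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on the constructed record.
name=$(printf '%s\n' "$SAMPLE_RECORD" | ldif_attr cn)
desc=$(printf '%s\n' "$SAMPLE_RECORD" | ldif_attr description)
sid=$(printf '%s\n' "$SAMPLE_RECORD" | ldif_attr objectSid)
printf 'group name  : %s\n' "$name"
printf 'description : %s\n' "$desc"
printf 'group SID   : %s\n' "$sid"
printf 'domain SID  : %s\n' "$(domain_sid_of "$sid")"
if is_domain_admins_sid "$sid"; then
    printf 'RID 512 -> this is the Domain Admins group, whatever it is called\n'
fi
```

The decoded `cn` of the record above is exactly the "Domänen-Admins" name that `net rpc rights grant` has to be given, so a good first check when a name-based command fails is to compare the decoded `sAMAccountName` byte for byte with what you typed, rather than trusting the terminal rendering of the umlaut.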