Stefan G. Weichinger
2018-Sep-07 17:09 UTC
[Samba] "missing security tab" and related ACL issues
On 07.09.18 at 16:20, Rowland Penny via samba wrote:
> On Fri, 7 Sep 2018 15:36:15 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>> On 07.09.18 at 15:25, Rowland Penny via samba wrote:
>>
>>> From what you have posted it doesn't, but when you do get them
>>> working, you need to understand that EA's and ACL's can work
>>> together or independently.
>>> If 'acl_xattr:ignore system acls = yes' is set, they work
>>> independently, if it isn't, they work together, see 'man
>>> vfs_acl_xattr' for more info.
>>
>> Ok, I will try to remember, so far I have other non-samba issues, see
>> below.
>>
>>>> ?? no "domänen-admins" in here
>>
>>> We need to find if the group has actually disappeared.
>>>
>>> Run this on a DC:
>>>
>>> ldbsearch -H ldap://dc3 '(samaccountname=Domain Admins)' -UAdministrator
>>>
>>> Replace 'dc3' with the DC's name.
>>>
>>> It should display the Domain Admins object
>>
>> The DC there is a windows server ...
>>
>> I think: no ->
>>
>> # ldbsearch -H ldap://dc1 '(samaccountname=Domain Admins)' -UAdministrator
>>
>> [..]
>>
>> # returned 3 records
>> # 0 entries
>> # 3 referrals
>>
>
> I wonder if someone (for whatever reason) has renamed Domain Admins ?
>
> Create a script 'get_admins.sh'
>
> Containing this:
>
> #!/bin/bash
>
> DC=$1
> PASS=$2
> DOM=$3
>
> DOMSID=$(ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
>     "(&(objectclass=domain)(name=$DOM))" objectSid | grep objectSid | \
>     awk '{print $NF}')
>
> ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
>     "(objectSid=${DOMSID}-512)"
>
> exit 0
>
> Run it like this:
>
> bash ./get_admins.sh DC PASSWORD WORKGROUP
>
> Replace:
> DC with your DC's hostname
>
> PASSWORD with your Administrator password
>
> WORKGROUP with your lowercase workgroup name
>
> If the SID-512 exists, it will display the object for that objectSid.

yep, thanks.
I get

# record 1
dn: CN=Domänen-Admins,CN=Users,DC=mydomain,DC=intra
objectClass: top
objectClass: group
cn:: RG9tw6RuZW4tQWRtaW5z
description:: QWRtaW5pc3RyYXRvcmVuIGRlciBEb23DpG5l
member: CN=MI,CN=Users,DC=mydomain,DC=intra
member: CN=Administrator,CN=Users,DC=mydomain,DC=intra
distinguishedName:: Q049RG9tw6RuZW4tQWRtaW5zLENOPVVzZXJzLERDPW5vcmFzLERDPWludHJh
instanceType: 4
whenCreated: 20130218123437.0Z
whenChanged: 20180507150906.0Z
uSNCreated: 12345
memberOf: CN=Abgelehnte RODC-Kennwortreplikationsgruppe,CN=Users,DC=mydomain,DC=intra
memberOf: CN=Administratoren,CN=Builtin,DC=mydomain,DC=intra
uSNChanged: 55909177
name:: RG9tw6RuZW4tQWRtaW5z
objectGUID: 7e533ce7-d6e6-47c4-baf2-0730b2e6f580
objectSid: S-1-5-21-2034248556-467506829-2175355384-512
adminCount: 1
sAMAccountName:: RG9tw6RuZW4tQWRtaW5z
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=intra
isCriticalSystemObject: TRUE
dSCorePropagationData: 20171116130219.0Z
dSCorePropagationData: 20130516110155.0Z
dSCorePropagationData: 20130516103841.0Z
dSCorePropagationData: 20130218133156.0Z
dSCorePropagationData: 16010101000000.0Z

But

# net rpc rights grant "Domänen-Admins" SeDiskOperatorPrivilege -U "mydomain\administrator"

fails

also for "mydomain\Domänen-Admins"
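The lookup script in the quoted reply keys on the well-known RID 512 rather than on a display name, which on this German domain is "Domänen-Admins". The script below, an added example that is not code from the thread or from Samba, carries that idea over to the domain member: it asks winbind for the domain SID, builds the Domain Admins SID from it, and hands the SID string itself to net rpc rights grant, so the localized name never has to be typed or matched. It assumes a joined member with winbind running and wbinfo and net on PATH for the live path; the SID helpers and the demonstration at the bottom run offline, and the domain SID used there is the one from the ldbsearch output above.

```sh
#!/bin/sh
# Added example, not from the thread or from Samba: address Domain Admins by
# its well-known RID 512 instead of by its localized display name, and pass
# the SID itself to 'net rpc rights grant'. Assumes a domain member with
# winbind running and wbinfo/net on PATH for the live path; the SID helpers
# run offline.

RID_DOMAIN_ADMINS=512      # well-known RIDs (MS-DTYP 2.4.2.4)
RID_DOMAIN_USERS=513

# is_domain_sid SID: true only for a bare domain SID S-1-5-21-a-b-c
is_domain_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# group_sid DOMSID RID: print DOMSID-RID; refuse input that already carries a
# RID or is not a domain SID (e.g. the BUILTIN S-1-5-32-... family)
group_sid() {
    is_domain_sid "$1" || { echo "not a domain SID: $1" >&2; return 1; }
    printf '%s-%s\n' "$1" "$2"
}

# domain_sid WORKGROUP: ask winbind for the domain SID (live, needs a joined member)
domain_sid() {
    wbinfo -D "$1" | awk '$1 == "SID" { print $3 }'
}

# grant_disk_operator WORKGROUP: grant SeDiskOperatorPrivilege to Domain Admins
# by SID. 'net rpc rights grant' accepts a raw S-1-5-... string in place of a
# name, so the localized group name and the unix charset drop out of the picture.
grant_disk_operator() {
    sid=$(domain_sid "$1") || return 1
    target=$(group_sid "$sid" "$RID_DOMAIN_ADMINS") || return 1
    echo "Domain Admins is $target ($(wbinfo -s "$target"))"
    net rpc rights grant "$target" SeDiskOperatorPrivilege -U "$1\\administrator"
}

if [ -n "$1" ]; then
    grant_disk_operator "$1"
else
    # Offline demonstration on the domain SID from the thread's ldbsearch output
    group_sid S-1-5-21-2034248556-467506829-2175355384 "$RID_DOMAIN_ADMINS"
    group_sid S-1-5-32 "$RID_DOMAIN_ADMINS" || echo "(rejected, as intended)"
fi
```

Run it as `sh grant_by_rid.sh MYDOMAIN` on the member; without an argument it only exercises the SID helpers. Resolving the SID back with wbinfo -s before granting is the sanity check that winbind and the DC agree on what RID 512 is called.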
On Fri, 7 Sep 2018 19:09:37 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 07.09.18 at 16:20, Rowland Penny via samba wrote:
> > On Fri, 7 Sep 2018 15:36:15 +0200
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >
> >> On 07.09.18 at 15:25, Rowland Penny via samba wrote:
> >>
> >>> From what you have posted it doesn't, but when you do get them
> >>> working, you need to understand that EA's and ACL's can work
> >>> together or independently.
> >>> If 'acl_xattr:ignore system acls = yes' is set, they work
> >>> independently, if it isn't, they work together, see 'man
> >>> vfs_acl_xattr' for more info.
> >>
> >> Ok, I will try to remember, so far I have other non-samba issues,
> >> see below.
> >>
> >>>> ?? no "domänen-admins" in here
> >>
> >>> We need to find if the group has actually disappeared.
> >>>
> >>> Run this on a DC:
> >>>
> >>> ldbsearch -H ldap://dc3 '(samaccountname=Domain Admins)' -UAdministrator
> >>>
> >>> Replace 'dc3' with the DC's name.
> >>>
> >>> It should display the Domain Admins object
> >>
> >> The DC there is a windows server ...
> >>
> >> I think: no ->
> >>
> >> # ldbsearch -H ldap://dc1 '(samaccountname=Domain Admins)' -UAdministrator
> >>
> >> [..]
> >>
> >> # returned 3 records
> >> # 0 entries
> >> # 3 referrals
> >>
> >
> > I wonder if someone (for whatever reason) has renamed Domain
> > Admins ?
> >
> > Create a script 'get_admins.sh'
> >
> > Containing this:
> >
> > #!/bin/bash
> >
> > DC=$1
> > PASS=$2
> > DOM=$3
> >
> > DOMSID=$(ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
> >     "(&(objectclass=domain)(name=$DOM))" objectSid | grep objectSid | \
> >     awk '{print $NF}')
> >
> > ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
> >     "(objectSid=${DOMSID}-512)"
> >
> > exit 0
> >
> > Run it like this:
> >
> > bash ./get_admins.sh DC PASSWORD WORKGROUP
> >
> > Replace:
> > DC with your DC's hostname
> >
> > PASSWORD with your Administrator password
> >
> > WORKGROUP with your lowercase workgroup name
> >
> > If the SID-512 exists, it will display the object for that
> > objectSid.
>
> yep, thanks.
>
> I get
>
>
> # record 1
> dn: CN=Domänen-Admins,CN=Users,DC=mydomain,DC=intra
> objectClass: top
> objectClass: group
> cn:: RG9tw6RuZW4tQWRtaW5z
> description:: QWRtaW5pc3RyYXRvcmVuIGRlciBEb23DpG5l
> member: CN=MI,CN=Users,DC=mydomain,DC=intra
> member: CN=Administrator,CN=Users,DC=mydomain,DC=intra
> distinguishedName:: Q049RG9tw6RuZW4tQWRtaW5zLENOPVVzZXJzLERDPW5vcmFzLERDPWludHJh
> instanceType: 4
> whenCreated: 20130218123437.0Z
> whenChanged: 20180507150906.0Z
> uSNCreated: 12345
> memberOf: CN=Abgelehnte RODC-Kennwortreplikationsgruppe,CN=Users,DC=mydomain,DC=intra
> memberOf: CN=Administratoren,CN=Builtin,DC=mydomain,DC=intra
> uSNChanged: 55909177
> name:: RG9tw6RuZW4tQWRtaW5z
> objectGUID: 7e533ce7-d6e6-47c4-baf2-0730b2e6f580
> objectSid: S-1-5-21-2034248556-467506829-2175355384-512
> adminCount: 1
> sAMAccountName:: RG9tw6RuZW4tQWRtaW5z
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=intra
> isCriticalSystemObject: TRUE
> dSCorePropagationData: 20171116130219.0Z
> dSCorePropagationData: 20130516110155.0Z
> dSCorePropagationData: 20130516103841.0Z
> dSCorePropagationData: 20130218133156.0Z
> dSCorePropagationData: 16010101000000.0Z
>
> But
>
> # net rpc rights grant "Domänen-Admins" SeDiskOperatorPrivilege -U "mydomain\administrator"
>
> fails
>
> also for "mydomain\Domänen-Admins"

Why is it 'Domanen-Admins'? Is the dash normal for the German version
of Windows?
At least it exists ;-)

Is the locale set correctly?

Rowland
Stefan G. Weichinger
2018-Sep-11 07:54 UTC
[Samba] "missing security tab" and related ACL issues
On 07.09.18 at 20:07, Rowland Penny via samba wrote:
> On Fri, 7 Sep 2018 19:09:37 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>> But
>>
>> # net rpc rights grant "Domänen-Admins" SeDiskOperatorPrivilege -U "mydomain\administrator"
>>
>> fails
>>
>> also for "mydomain\Domänen-Admins"
>
> Why is it 'Domanen-Admins'? Is the dash normal for the German version
> of Windows?
> At least it exists ;-)
>
> Is the locale set correctly?

tried to set the locale to a german one ...

# wbinfo -g
dom�nencomputer
dom�nen-benutzer
dom�nen-g�ste
dom�nen-admins

still that special char displayed

# wbinfo -g | grep -i adm
specops endpoint protection report admins
dnsadmins
schema-admins
organisations-admins
Übereinstimmungen in Binärdatei (Standardeingabe)   [grep: "Binary file (standard input) matches"]

this does NOT contain "domänen-admins"

why that?

-

# smb.conf

[global]
   unix charset = iso8859-15
   security = ads
   realm = MYDOMAIN.INTRA
   workgroup = MYDOMAIN
   netbios aliases = u1MYDOMAIN
   server string = U1MYDOMAIN
   winbind cache time = 10
   winbind use default domain = yes
   winbind refresh tickets = Yes
   template homedir = /mnt/MSA2040/smb/Homes/%D/%U
   restrict anonymous = 2
   domain master = no
   local master = no
   preferred master = no
   invalid users = root bin daemon adm sync shutdown halt mail news \
                   uucp
   obey pam restrictions = yes
   interfaces = 192.168.100.4/24 127.0.0.1
   bind interfaces only = Yes

   idmap config * : range = 3000-7999
   idmap config * : backend = tdb
   idmap config MYDOMAIN : range = 10000-20000
   idmap config MYDOMAIN : backend = rid

   # For ACL support on domain member
   vfs objects = acl_xattr full_audit
   map acl inherit = Yes
   store dos attributes = Yes
   nt acl support = No
   force unknown acl user = Yes

   unix extensions = no
   follow symlinks = yes
   wide links = yes

   load printers = no
   printcap name = /dev/null

   # exe files
   acl allow execute always = True

   # Audit settings
   full_audit:prefix = %u|%I|%S
   full_audit:failure = connect
   full_audit:success = mkdir rmdir write pwrite rename unlink \
                        chmod fchmod chown fchown ftruncate
   full_audit:facility = local5
   full_audit:priority = notice

# /etc/nsswitch.conf:

passwd: compat winbind files
group:  compat winbind files
shadow: compat files
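Two settings in the configuration above bear directly on the symptoms in this thread, and the script below, an added example that is not code from the thread or from Samba, checks for both. Under my reading: 'unix charset = iso8859-15' makes winbind and net emit names in ISO-8859-15, so "ä" is the single byte 0xE4, which a UTF-8 terminal renders as the replacement character seen in the wbinfo -g output and which makes GNU grep in a UTF-8 locale report a binary match instead of printing the line, which is why "domänen-admins" is absent from the grep output yet present in the plain listing. 'nt acl support = No' makes smbd hand clients an empty security descriptor instead of the file's ACL, which is one cause of a Security tab going missing and which works against the acl_xattr module loaded by the same config. The smb.conf parser, the two sample configs and the Latin-1 test string are constructed here and are not Samba's.

```sh
#!/bin/sh
# Added example, not from the thread or from Samba. Checks an smb.conf for the
# two [global] settings that bear on this thread's symptoms and shows why an
# ISO-8859-15 name looks broken on a UTF-8 terminal. The parser, the sample
# configs and the Latin-1 test string are constructed here.

# smb_get FILE KEY: value of KEY in [global], lower-cased; empty if unset
smb_get() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }                        # comment line
        /^[[:space:]]*\[/   { sect = tolower($0); next }    # section header
        sect ~ /\[global\]/ && index($0, "=") {
            k = $0; sub(/=.*/, "", k)
            v = $0; sub(/^[^=]*=/, "", v)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) { print tolower(v); exit }
        }' "$1"
}

# is_utf8 STRING: true if STRING is valid UTF-8. ISO-8859-15 "ä" is the single
# byte 0xE4, which is not, so a UTF-8 terminal draws a replacement character and
# GNU grep in a UTF-8 locale reports "Binary file (standard input) matches"
# instead of printing the matching line.
is_utf8() {
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-8 >/dev/null 2>&1
}

# latin15_to_utf8 STRING: re-encode a name emitted under 'unix charset = iso8859-15'
latin15_to_utf8() {
    printf '%s' "$1" | iconv -f ISO-8859-15 -t UTF-8
}

# lint_smbconf FILE: print one finding per line; returns 1 if anything was found
lint_smbconf() {
    rc=0
    ntacl=$(smb_get "$1" 'nt acl support')
    vfs=$(smb_get "$1" 'vfs objects')
    charset=$(smb_get "$1" 'unix charset')
    case "$ntacl" in
        no|false|0)
            echo "nt acl support = $ntacl: smbd returns an empty security descriptor, clients see no ACL (no Security tab)"
            case " $vfs " in *" acl_xattr "*)
                echo "  acl_xattr is loaded in 'vfs objects' but the ACLs it stores are never shown" ;;
            esac
            rc=1 ;;
    esac
    case "$charset" in
        ''|utf8|utf-8) ;;    # unset means Samba's UTF-8 default
        *) echo "unix charset = $charset: wbinfo/net print names in that charset, not UTF-8"
           rc=1 ;;
    esac
    return $rc
}

# sample_conf: the [global] lines from the thread that the checks care about (constructed)
sample_conf() {
cat <<'EOF'
[global]
   unix charset = iso8859-15
   security = ads
   workgroup = MYDOMAIN
   # For ACL support on domain member
   vfs objects = acl_xattr full_audit
   map acl inherit = Yes
   store dos attributes = Yes
   nt acl support = No
EOF
}

# fixed_conf: the same with the charset left at its UTF-8 default and NT ACLs on
fixed_conf() {
cat <<'EOF'
[global]
   security = ads
   workgroup = MYDOMAIN
   vfs objects = acl_xattr full_audit
   map acl inherit = Yes
   store dos attributes = Yes
   nt acl support = Yes
EOF
}

if [ -n "$1" ]; then
    lint_smbconf "$1"
else
    f=$(mktemp)
    sample_conf >"$f"; lint_smbconf "$f" || echo "(exit $?)"
    fixed_conf  >"$f"; lint_smbconf "$f" && echo "fixed config: no findings"
    rm -f "$f"
    latin=$(printf 'Dom\344nen-Admins')      # what wbinfo -g emits with iso8859-15
    is_utf8 "$latin" || echo "not UTF-8, re-encoded: $(latin15_to_utf8 "$latin")"
fi
```

Run it as `sh lint_smbconf.sh /etc/samba/smb.conf`; without an argument it lints the constructed sample and its corrected twin. The charset helpers are there to make the "�" concrete: piping a wbinfo name through is_utf8 tells you whether the terminal or the server is at fault.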