samba - Oct 2020 - SID security

After sending the email I realized that I did not mention that while
rebuilding the OS, I kept the "old" /srv/samba files. Which in turn
kept
the old permission settings. I think (could be wrong) that keeping the old
SID are now different from the new SID's created while rebuilding to
v4.12.6.

To answer your DC question:
root at dc1:~#  wbinfo -s S-1-5-21-589789-1426474111-2143966843-500
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-21-589789-1426474111-2143966843-500
root at dc1:~#  wbinfo -s S-1-5-21-589789-1426474111-2143966843-512
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-21-589789-1426474111-2143966843-512
root at dc1:~#  wbinfo -s S-1-5-21-589789-1426474111-2143966843-513
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-21-589789-1426474111-2143966843-513

No firewall (ufw disabled, for the moment.)

On Mon, Oct 5, 2020 at 8:59 AM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 05/10/2020 14:44, Robert Wooden via samba wrote:
> > As the result of my own actions I have had to rebuild my DC's and
member
> > server Samba version. It's my fault for upgrading to v4.13.0 too
soon.
> >
> > On W10, logged in as administrator, connected to the member server via
> > FileExplorer, the file permissions (via Properties tab) >>
Security (tab
> >>
> > Advanced >> shows the following permissions for the \\mbr04\data
folder:
> >
> > Creator Group
> > S-1-5-21-589789-1426474111-2143966843-500
> > S-1-5-21-589789-1426474111-2143966843-512
> > S-1-5-21-589789-1426474111-2143966843-513
> >
> > Any member of "Domain Users" should be able to access this
folder. The
> > mbr04 server shows this:
> >
> > root at mbr04:~# wbinfo -s S-1-5-21-589789-1426474111-2143966843-500
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-21-589789-1426474111-2143966843-500
>
> Do the commands work on a DC ?
>
> Is something like a firewall getting in the way ?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 05/10/2020 15:06, Robert Wooden wrote:
> After sending the email I realized that I did not mention that while 
> rebuilding the OS, I kept the "old" /srv/samba files. Which in
turn
> kept the old permission settings. I think (could be wrong) that 
> keeping the old SID are now different from the new SID's created while 
> rebuilding to v4.12.6.
>
> To answer your DC question:
> root at dc1:~# ?wbinfo -s S-1-5-21-589789-1426474111-2143966843-500
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-21-589789-1426474111-2143966843-500
> root at dc1:~# ?wbinfo -s S-1-5-21-589789-1426474111-2143966843-512
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-21-589789-1426474111-2143966843-512
> root at dc1:~# ?wbinfo -s S-1-5-21-589789-1426474111-2143966843-513
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-21-589789-1426474111-2143966843-513
>
You possibly have major problems

How did you rebuild the OS ?

Did you provision a new domain ?

If so, you will now have a new domain SID and anything from the old 
domain that contains a SID will have a different SID

Rowland

Thanks to data backups I can "whip out" the /srv directory and rebuild
from
scratch to "get permissions correct."

Doing this because, yes, I did provision a new domain.

(Probably faster to wipe, reconfigure dir and restore than correct the SID
mistake.)

Oh well, learning the hard way or as we like to call it around here,
"OJT"
(on the job training.)

On Mon, Oct 5, 2020 at 9:50 AM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 05/10/2020 15:06, Robert Wooden wrote:
> > After sending the email I realized that I did not mention that while
> > rebuilding the OS, I kept the "old" /srv/samba files. Which
in turn
> > kept the old permission settings. I think (could be wrong) that
> > keeping the old SID are now different from the new SID's created
while
> > rebuilding to v4.12.6.
> >
> > To answer your DC question:
> > root at dc1:~#  wbinfo -s S-1-5-21-589789-1426474111-2143966843-500
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-21-589789-1426474111-2143966843-500
> > root at dc1:~#  wbinfo -s S-1-5-21-589789-1426474111-2143966843-512
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-21-589789-1426474111-2143966843-512
> > root at dc1:~#  wbinfo -s S-1-5-21-589789-1426474111-2143966843-513
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-21-589789-1426474111-2143966843-513
> >
> You possibly have major problems
>
> How did you rebuild the OS ?
>
> Did you provision a new domain ?
>
> If so, you will now have a new domain SID and anything from the old
> domain that contains a SID will have a different SID
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>