On 25.03.24 at 10:01, Rowland Penny via samba wrote:
> On Mon, 25 Mar 2024 07:39:21 +0100
> Kai via samba <samba at lists.samba.org> wrote:
>
>> Hello everyone,
>>
>> I have a Samba setup with an AD controller (DC01) and set up a second
>> system which should work as file share (filesrv01).
>> I was setting it up using this manual:
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> Somehow, I broke the administrator's account.
> No, I doubt if you have.
>
>> After I set up a test
>> share, I got RPC server unavailable errors. I started investigating
>> and found test commands like this:
>> rpcclient -I 10.18.1.4 -U administrator -c srvinfo atr2
> Hmm, you appear to be trying to connect to a computer called 'atr2',
> yet your DC is called 'DC01' and your Unix domain member is called
> 'filesrv01'
I copied the command from the web page, not the shell, and modified only
the IP; my mistake, as below.
The shell command is:
root at dc01:~# rpcclient -I 10.18.1.4 -U administrator -c srvinfo dc01
Password for [JUE\administrator]:
Cannot connect to server.  Error was NT_STATUS_INVALID_SID
The command didn't seem to get that far anyway.
>
>> Password for [JUE\administrator]:
>> Cannot connect to server.  Error was NT_STATUS_INVALID_SID
>>
>> Here I got this invalid SID error. The log file shows me:
>> [2024/03/24 22:23:53.903483,  0]
>> ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
>>   Unable to convert first SID
>> (S-1-5-21-3102633239-3317503863-27722425-500) in user token to a UID.
>>   Conversion was returned as type 0, full token:
>> [2024/03/24 22:23:53.903588,  0]
>> ../../libcli/security/security_token.c:51(security_token_debug)
>>   Security token SIDs (14):
>>    SID[  0]: S-1-5-21-3102633239-3317503863-27722425-500
> '500' is the RID for Administrator, so you do not appear to have broken
> it.
>
>>    SID[  1]: S-1-5-21-3102633239-3317503863-27722425-513
>>    SID[  2]: S-1-5-21-3102633239-3317503863-27722425-512
>>    SID[  3]: S-1-5-21-3102633239-3317503863-27722425-572
>>    SID[  4]: S-1-5-21-3102633239-3317503863-27722425-519
>>    SID[  5]: S-1-5-21-3102633239-3317503863-27722425-518
>>    SID[  6]: S-1-5-21-3102633239-3317503863-27722425-520
>>    SID[  7]: S-1-1-0
>>    SID[  8]: S-1-5-2
>>    SID[  9]: S-1-5-11
>>    SID[ 10]: S-1-5-64-10
>>    SID[ 11]: S-1-5-32-544
>>    SID[ 12]: S-1-5-32-545
>>    SID[ 13]: S-1-5-32-554
>>   Privileges (0x       1FFFFF00):
>>    Privilege[  0]: SeTakeOwnershipPrivilege
>>    Privilege[  1]: SeBackupPrivilege
>>    Privilege[  2]: SeRestorePrivilege
>>    Privilege[  3]: SeRemoteShutdownPrivilege
>>    Privilege[  4]: SeSecurityPrivilege
>>    Privilege[  5]: SeSystemtimePrivilege
>>    Privilege[  6]: SeShutdownPrivilege
>>    Privilege[  7]: SeDebugPrivilege
>>    Privilege[  8]: SeSystemEnvironmentPrivilege
>>    Privilege[  9]: SeSystemProfilePrivilege
>>    Privilege[ 10]: SeProfileSingleProcessPrivilege
>>    Privilege[ 11]: SeIncreaseBasePriorityPrivilege
>>    Privilege[ 12]: SeLoadDriverPrivilege
>>    Privilege[ 13]: SeCreatePagefilePrivilege
>>    Privilege[ 14]: SeIncreaseQuotaPrivilege
>>    Privilege[ 15]: SeChangeNotifyPrivilege
>>    Privilege[ 16]: SeUndockPrivilege
>>    Privilege[ 17]: SeManageVolumePrivilege
>>    Privilege[ 18]: SeImpersonatePrivilege
>>    Privilege[ 19]: SeCreateGlobalPrivilege
>>    Privilege[ 20]: SeEnableDelegationPrivilege
>>   Rights (0x            403):
>>    Right[  0]: SeInteractiveLogonRight
>>    Right[  1]: SeNetworkLogonRight
>>    Right[  2]: SeRemoteInteractiveLogonRight
>>
>> It seems as if I've got a problem between Unix and Windows user IDs,
>> but I don't know how to check without further destruction.
>> Currently my only idea was the command
>> net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege
>> -U "JUE\administrator"
> If you entered the command exactly as above, then you have a major
> error. The wiki is written from the perspective of a self compiled
> version of Samba and uses 'SAMDOM' as an example NetBIOS domain name.
> Anywhere you see 'SAMDOM' on the wiki, you are supposed to replace it
> with your NetBIOS domain name.
Same mistake, sorry. That was the original command:
JUE\administrator at filesrv01:~$ net rpc rights grant "JUE\Domain Admins" SeDiskOperatorPrivilege -U "JUE\administrator"
Password for [JUE\administrator]:
Successfully granted rights.
>
>> from the manual which could have caused problems as all other ones
>> should only have local effect on the file server.
>>
>> Could this be? Did I forget some Unix attachment?
>>
>> I don't know if it's helpful, but this is the smb.conf of the domain
>> controller:
>> [global]
>>        netbios name = DC01
>>        realm = JUE.BRK
>>        server role = active directory domain controller
>>        workgroup = JUE
>>
>>        dns forwarder = 8.8.8.8
>>
>>        idmap_ldb:use rfc2307 = yes
>>
>>        tls enabled  = yes
>>        tls keyfile  = tls/dc01.jue.brk.key
>>        tls certfile = tls/dc01.jue.brk.crt
>>        tls cafile   = tls/rootCA.crt
>>
>>        template shell = /bin/bash
>>        template homedir = /home/%U
>>
>>   idmap config * :              backend = tdb
>>   idmap config * :              range   = 3000-7999
>>   idmap config JUE : backend = ldap
>>   idmap config JUE : range   = 100000-999999
> The 'idmap config' lines do NOTHING on a DC, I suggest you remove them.
Wasn't sure about it, tdb didn't seem right. It was from a previous
test I put in as a whole block.
I'll remove it completely.
>
>>   template shell = /bin/bash
> So good that you have it twice.
From the copied block by accident...
>
>>         winbind nss info = template
> Again, the line above does nothing on a DC.
>
>>        include = /etc/samba/shares.conf
> You have a fileserver, yet you are adding shares to a DC ?
That was the first approach before I read the recommendation of using a
separate file server, which I wanted to move over to before I remove
it.
>
>> [sysvol]
>>        path = /var/lib/samba/sysvol
>>        read only = No
>>
>> [netlogon]
>>        path = /var/lib/samba/sysvol/jue.brk/scripts
>>        read only = No
>>
>> Thank you for any hints!
>> Kai
> Please post the output of 'testparm -s' when ran on your fileserver.
>
> Rowland
>
testparm -s on the fileserver:
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_DOMAIN_MEMBER
# Global parameters
[global]
       log file = /var/log/samba/log.%m
       logging = file
       map to guest = Bad User
       max log size = 1000
       obey pam restrictions = Yes
       pam password change = Yes
       panic action = /usr/share/samba/panic-action %d
       passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
       passwd program = /usr/bin/passwd %u
       realm = JUE.BRK
       server role = member server
       server string = %h server (Samba, Ubuntu)
       template homedir = /home/%U
       template shell = /bin/bash
       unix password sync = Yes
       usershare allow guests = Yes
       workgroup = JUE
       idmap config * : range = 10000 - 20000
       idmap config * : backend = tdb
       map acl inherit = Yes
       vfs objects = acl_xattr
[printers]
       browseable = No
       comment = All Printers
       create mask = 0700
       path = /var/tmp
       printable = Yes
[print$]
       comment = Printer Drivers
       path = /var/lib/samba/printers
[Demo]
       path = /srv/demo_share
       read only = No
I can access the Demo share, but the assignment of rights didn't work, so
I started investigating and ran into the RPC unavailable error in the first place.
Thank you!
Kai
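An added example, not part of this thread and not Samba's own code: a small parser for the unix_token.c / security_token_debug log excerpt quoted above that names each SID in the token and reports which SID idmap failed to map and what id type it returned (type 0 is ID_TYPE_NOT_SPECIFIED in Samba's id_type enum, i.e. no mapping). The well-known SID and RID tables are standard Windows values; the sample log is constructed from the lines in the thread.

```python
import re
# Standard Windows well-known SIDs and domain RIDs (Microsoft-defined values).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone", "S-1-5-2": "Network",
    "S-1-5-11": "Authenticated Users", "S-1-5-64-10": "NTLM Authentication",
    "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}
DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users",
               518: "Schema Admins", 519: "Enterprise Admins",
               520: "Group Policy Creator Owners", 572: "Denied RODC Password Replication Group"}
# Samba's id_type enum: type 0 means idmap returned no UID/GID mapping at all.
ID_TYPES = {0: "ID_TYPE_NOT_SPECIFIED", 1: "ID_TYPE_UID", 2: "ID_TYPE_GID", 3: "ID_TYPE_BOTH"}

SID_LINE = re.compile(r"SID\[\s*(\d+)\]:\s*(S-1-[0-9-]+)")
DOMAIN_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
FAIL_LINE = re.compile(r"Unable to convert first SID\s*\((S-1-[0-9-]+)\).*?type (\d+)", re.S)

def describe_sid(sid):
    """Name a SID: well-known, a domain RID from the table, or the bare RID."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    m = DOMAIN_SID.match(sid)
    return DOMAIN_RIDS.get(int(m.group(2)), f"domain RID {m.group(2)}") if m else "unknown"

def parse_token(log_text):
    """Return [(index, sid, name)] for every SID[n] line of security_token_debug output."""
    return [(int(i), s, describe_sid(s)) for i, s in SID_LINE.findall(log_text)]

def diagnose(log_text):
    """Pull out which SID unix_token.c failed to map and what idmap answered."""
    m = FAIL_LINE.search(log_text)
    if not m:
        return None
    sid, id_type = m.group(1), int(m.group(2))
    return {"failed_sid": sid, "account": describe_sid(sid),
            "id_type": ID_TYPES.get(id_type, f"unknown ({id_type})"),
            "token_sids": len(parse_token(log_text))}

# Constructed sample, trimmed from the log excerpt quoted in the thread.
SAMPLE_LOG = """\
  Unable to convert first SID (S-1-5-21-3102633239-3317503863-27722425-500) in user token to a UID.
  Conversion was returned as type 0, full token:
  Security token SIDs (14):
    SID[  0]: S-1-5-21-3102633239-3317503863-27722425-500
    SID[  1]: S-1-5-21-3102633239-3317503863-27722425-513
    SID[  7]: S-1-1-0
    SID[ 11]: S-1-5-32-544
"""
```

Running `diagnose(SAMPLE_LOG)` on the quoted excerpt reports the failed SID as the domain's RID 500 (Administrator) with ID_TYPE_NOT_SPECIFIED, which is what Rowland's reading of the log says.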