Kees van Vloten
2024-Nov-12 14:13 UTC
[Samba] Very strange: Samba is unable to access one of its own files
On 12-11-2024 at 15:06, John R. Graham wrote:
>
> On 11/12/24 08:00, Kees van Vloten via samba wrote:
>>
>> On 12-11-2024 at 10:52, Rowland Penny via samba wrote:
>>> It looks like nss isn't set up on the DC, so '3000000' isn't being
>>> mapped to 'BUILTIN\administrators'
>> That is easy enough, just run:
>>
>> ldbsearch -H /var/lib/samba/private/idmap.ldb
>>
>> If you have multiple DCs, you have to sync this file manually between
>> them, check https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)
>>
>> - Kees
>>
>>>
>>> It would be interesting to know who ID '3000021' is, because that is
>>> the user being denied access to sysvol.
>>>
>>> Rowland
>>>
>>
> With $(ldbsearch -H /var/lib/samba/private/idmap.ldb
> xidNumber=3000021), I get:
>
> # record 1
> dn: CN=S-1-5-21-1539267136-1287424283-733021607-1108
> cn: S-1-5-21-1539267136-1287424283-733021607-1108
> objectClass: sidMap
> objectSid: S-1-5-21-1539267136-1287424283-733021607-1108
> type: ID_TYPE_BOTH
> xidNumber: 3000021
> distinguishedName: CN=S-1-5-21-1539267136-1287424283-733021607-1108
>
> but I don't know how to map that to a machine. Meanwhile, I'm reading
> up on the idmap_nss plugin.

This will do the mapping:

ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSid=S-1-5-21-1539267136-1287424283-733021607-1108)' samaccountname

- Kees.

>
> - John
>
>
Rowland Penny
2024-Nov-12 14:31 UTC
[Samba] Very strange: Samba is unable to access one of its own files
On Tue, 12 Nov 2024 15:13:26 +0100
Kees van Vloten via samba <samba at lists.samba.org> wrote:

>
> On 12-11-2024 at 15:06, John R. Graham wrote:
> >
> > On 11/12/24 08:00, Kees van Vloten via samba wrote:
> >>
> >> On 12-11-2024 at 10:52, Rowland Penny via samba wrote:
> >>> It looks like nss isn't set up on the DC, so '3000000' isn't being
> >>> mapped to 'BUILTIN\administrators'
> >> That is easy enough, just run:
> >>
> >> ldbsearch -H /var/lib/samba/private/idmap.ldb
> >>
> >> If you have multiple DCs, you have to sync this file manually
> >> between them, check
> >> https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)
> >>
> >> - Kees
> >>
> >>>
> >>> It would be interesting to know who ID '3000021' is, because that
> >>> is the user being denied access to sysvol.
> >>>
> >>> Rowland
> >>>
> >>
> > With $(ldbsearch -H /var/lib/samba/private/idmap.ldb
> > xidNumber=3000021), I get:
> >
> > # record 1
> > dn: CN=S-1-5-21-1539267136-1287424283-733021607-1108
> > cn: S-1-5-21-1539267136-1287424283-733021607-1108
> > objectClass: sidMap
> > objectSid: S-1-5-21-1539267136-1287424283-733021607-1108
> > type: ID_TYPE_BOTH
> > xidNumber: 3000021
> > distinguishedName: CN=S-1-5-21-1539267136-1287424283-733021607-1108
> >
> > but I don't know how to map that to a machine. Meanwhile, I'm
> > reading up on the idmap_nss plugin.
>
> This will do the mapping:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb
> '(objectSid=S-1-5-21-1539267136-1287424283-733021607-1108)'
> samaccountname
>

Even easier:

wbinfo -s S-1-5-21-1539267136-1287424283-733021607-1108

Also can you ensure that you post to the list, it appears you sent your
last post to Kees.

Rowland
Rowland Penny
2024-Nov-12 14:35 UTC
[Samba] Very strange: Samba is unable to access one of its own files
On 12-11-2024 at 15:06, John R. Graham wrote:
> > but I don't know how to map that to a machine. Meanwhile, I'm
> > reading up on the idmap_nss plugin.

If you are using Debian, just install the libpam-winbind and
libnss-winbind packages, open /etc/nsswitch.conf in your favourite
editor and ensure that the passwd & group lines contain 'winbind'.

Rowland
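
The two checks discussed in this thread (finding the SID behind an xidNumber in idmap.ldb output, and confirming that the passwd and group lines of nsswitch.conf list winbind), as an added example that is not part of any poster's message. The helper names sid_for_xid and nss_missing_winbind and the sample nsswitch.conf are constructed for illustration; the LDIF record is the one quoted above.

```shell
# Added example (not from the thread): both helpers work on text read
# from stdin, so they can be tried without access to a DC.
# sid_for_xid XID: read ldbsearch LDIF output from idmap.ldb on stdin and
# print "SID TYPE" for the sidMap record whose xidNumber equals XID.
sid_for_xid() {
    awk -v want="$1" '
        function emit() { if (xid == want && sid != "") print sid, type }
        /^# record/ || /^$/ { emit(); sid = type = xid = ""; next }
        $1 == "objectSid:"  { sid = $2 }
        $1 == "type:"       { type = $2 }
        $1 == "xidNumber:"  { xid = $2 }
        END                 { emit() }
    '
}

# nss_missing_winbind: read nsswitch.conf on stdin and print "passwd" and/or
# "group" when that line lacks the winbind source; status 1 if any is missing.
nss_missing_winbind() {
    awk '
        { sub(/#.*/, "") }                          # strip comments first
        /^[ \t]*(passwd|group)[ \t]*:/ {
            db = $0; sub(/:.*/, "", db); gsub(/[ \t]/, "", db)
            srcs = $0; sub(/^[^:]*:/, "", srcs)
            n = split(srcs, s, /[ \t]+/)
            for (i = 1; i <= n; i++) if (s[i] == "winbind") ok[db] = 1
        }
        END {
            if (!ok["passwd"]) { print "passwd"; bad = 1 }
            if (!ok["group"])  { print "group";  bad = 1 }
            exit bad + 0
        }
    '
}

# The idmap.ldb record quoted in the thread, used as sample input.
SAMPLE_LDIF='# record 1
dn: CN=S-1-5-21-1539267136-1287424283-733021607-1108
objectClass: sidMap
objectSid: S-1-5-21-1539267136-1287424283-733021607-1108
type: ID_TYPE_BOTH
xidNumber: 3000021'

# Constructed nsswitch.conf: passwd lists winbind, group only mentions it in a comment.
SAMPLE_NSS='passwd: files systemd winbind
group:  files systemd   # winbind missing here'

printf '%s\n' "$SAMPLE_LDIF" | sid_for_xid 3000021
printf '%s\n' "$SAMPLE_NSS" | nss_missing_winbind || echo "add winbind to the lines listed above"
```

On a DC, pipe `ldbsearch -H /var/lib/samba/private/idmap.ldb` into `sid_for_xid 3000021` and pass the printed SID to `wbinfo -s`; feed `/etc/nsswitch.conf` to `nss_missing_winbind` on stdin.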