search for: sidhistory

Displaying 20 results from an estimated 27 matches for "sidhistory".

2009 Nov 14
1
'allow trusted domains = no' and sidhistory = bad
We are in an environment where several AD domains are being consolidated into one larger domain using sidhistory. The samba winbind configuration is using 'allow trusted domains = no' as we do not care about what is in the other domains (as well as the problem that many of them are unreachable from other locations meaning winbind will choke completely if we don't disallow them). The symptom I am...
2006 Mar 02
0
winbind, sIDHistory and getpwuid problems
In our native Win2K3 AD domain, several AD accounts have a sIDHistory that carry SIDs from before the AD domain migration in addition to the "primary" objectSID. Samba 3.0.21c winbindd (with idmap OpenLDAP backend) on domain member servers (running SuSE 9.3 Pro) allocates multiple uids for these SIDs with the same (AD) user name: Primary SID: # geten...
2010 Sep 03
0
Using samba4 to escalate privs.
Ye ol' sidHistory edit attack in new disguise using samba4. I don't think you can consider it to be a hack but I had a lot of fun playing about with ldbedit. Samba4 is wikked, it really opens up AD, I had a lot of fun setting it up. Check my blog for my little sidHistory priv escalation tutorial (domain admin t...
2014 Jul 28
1
Winbind rid + SID History creating duplicate per-user groups
...RID in AD), and so a jkelley group with gid 14504 is also created, but the jkelley user is actually a member of a second jkelley group with a different gid. By poking around with wbinfo, I determined that the duplicate groups are being created by SID history; one gid corresponds to the SID in the sIDHistory attribute, while the other corresponds to the current SID in the Active Directory domain. Is there a way to fix this without simply deleting the sIDHistory attributes from Active Directory? Winbind config from smb.conf: idmap backend = rid idmap uid = 10000-30000 idmap gid = 10000-30000 winbind...
2014 Sep 11
2
Conflicts between RIDs from historical domain SIDs
Samba version: 4.1.9 Using the idmap_rid backend Case: A Windows AD security group has a historical SID (sidHistory) whose RID matches the RID of a user in the "current domain" For example: (Note the different domain portions of the SID) Current SID of group G: S-1-5-21-1405700021-3363460546-1698178416-30661 Historical SID of group G: S-1-5-21-2389300033-4596500334-340320342...
2008 Mar 09
1
Migration to Samba.
...unts don't have access to their old folders. I've tried giving the new domain the same SID as the old domain, but in that case, the Windows clients refuse to join the domain (they report a 'rpc error'). Is there anything I can do? I think the ideal solution would be to emulate the sidHistory field from the AD, but a message from 2005 (I think) on this list said it was not possible with Samba3. Has that situation changed? I've also tried to use the moveuser.exe command, to no avail. It either claims that it cannot find the account, or that the account already exists, and fails in both...
2015 Feb 21
3
Samba4, idmap.ldb & ID_TYPE_BOTH
...he group and the third is the start of the ACEs. So the owner (O) is LA which is 'Local Administrator' and the group (G) is DA which is 'Domain Administrators' , as I read it, Domain Administrators doesn't own the files, or am I missing something? > - We don't (eg in sidHistory, or when files are migrated, preserving > permissions, from a workstation or from a domain that is not trusted) > always know if an incoming SID is a user or group. does windows know from the SID what the object is? and if not, what does windows do? > - Working out if an arbitrary SID...
2017 Jun 06
1
[Announce] Samba 4.6.5 Available for Download
...n Ambach <ambi at samba.org> * BUG 12765: s3:smbcacls add prompt for password. o Ralph Boehme <slow at samba.org> * BUG 12562: vfs_acl_xattr|tdb: Ensure create mask is at least 0666 if ignore_system_acls is set. * BUG 12702: Wrong sid->uid mapping for SIDs residing in sIDHistory. * BUG 12749: vfs_fruit: lp_case_sensitive() does not return a bool. * BUG 12766: s3/smbd: Update exclusive oplock optimisation to the lease area. * BUG 12798: s3/smbd: Fix exclusive lease optimisation. o Alexander Bokovoy <ab at samba.org> * BUG 12751: Allow passing trusted dom...
2017 Mar 23
4
[Samba 4.5] Very slow LDAP Queries (almost unusable), performance tunning ?
...roxyAddresses > @IDXATTR: msPKI-Cert-Template-OID > @IDXATTR: uNCName > @IDXATTR: mS-SQL-Name > @IDXATTR: fSMORoleOwner > @IDXATTR: msSFU30NisDomain > @IDXATTR: otherMailbox > @IDXATTR: location > @IDXATTR: msSFU30NetgroupHostAtDomain > @IDXATTR: uSNChanged > @IDXATTR: sIDHistory > @IDXATTR: birthLocation > @IDXATTR: msDS-SecondaryKrbTgtNumber > @IDXATTR: msTSProperty01 > @IDXATTR: msTSManagingLS4 > @IDXATTR: msSFU30OrderNumber > @IDXATTR: msDS-HABSeniorityIndex > @IDXATTR: primaryGroupID > @IDXATTR: mSMQQueueType > @IDXATTR: msDFSR-ReplicationGro...
2001 Apr 11
6
Changing Domains from NT4 / AD 2000
Hello all. AIX 4.3.3 / Samba 2.0.6 / Production NT4.0 domain Security = DOMAIN encrypt passwords = yes update encrypted = yes Action: Moving from NT4.0 domain called nt40 to AD 2000 Domain called ad-domain Problem: Users that have been migrated to ad-domain cannot authenticate to AIX SAMBA shares . . . the AIX SAMBA server is still part of the nt40 domain. Explanation: I can however, map /
2015 Feb 23
1
Samba4, idmap.ldb & ID_TYPE_BOTH
...Es. So the owner (O) is >> LA which is 'Local Administrator' and the group (G) is DA which is >> 'Domain Administrators' , as I read it, Domain Administrators doesn't >> own the files, or am I missing something? >> >>> - We don't (eg in sidHistory, or when files are migrated, preserving >>> permissions, from a workstation or from a domain that is not trusted) >>> always know if an incoming SID is a user or group. >> does windows know from the SID what the object is? and if not, what >> does windows do? > In W...
2015 Feb 21
0
Samba4, idmap.ldb & ID_TYPE_BOTH
...> can > a user also be a group and a group can also be a user and why was it > setup like this in the first place ? , there must be a reason for it. It goes like this: - Groups can own files (there are groups like domain administrators that own files in sysvol) - We don't (eg in sidHistory, or when files are migrated, preserving permissions, from a workstation or from a domain that is not trusted) always know if an incoming SID is a user or group. - Working out if an arbitrary SID is a user or group takes time and network operations, which may fail. ID_TYPE_BOTH is both fast and...
2005 Oct 20
0
Re: Please help me with migration to MS Windows 2003
...rights to all domain and local resources with that login. - Turn on auditing in the destination domain. This can be done with the domain group policy editor. - Read the Microsoft Knowledge Base Article 322970 -- http://support.microsoft.com/kb/322970 -- "How to Troubleshoot Inter-Forest sIDHistory Migration with ADMTv2" Hope this helps. --Jon Johnson jon@sutinen.com www.sutinen.com Arne Roolfs wrote: > Hello Jon, > > you posted a description how to migrate from a Samba 3 domain to a MS > Windows 2003 Server domain at the samba mailing list. > > I try to do, but wh...
2009 Oct 10
0
Samba interdomain trust with Win2008 AD
...erver to the AD server. The purpose of this is to enable ADMT to migrate the user accounts over to AD. While I have been able to query the ldap backend via ldifde and import the users it is only a last resort measure to do that. My aim is to bring the users over with the SID value stored in the AD SIDHistory attribute. (irrelevant details changed) net rpc trustdom list -S sambasvr -Usuper Password: Trusted domains list: none Trusting domains list: WIN2k8 S-1-5-21-954781686-2318084328-821430687 The issue is, to establish a trust from the samba server to the win2k8 server I end up with: net rpc t...
2003 Jan 02
1
samba 2.0.6 on HP-UX 11.0
I've had samba running cleanly on an HP-UX 11.0 system for many months, with "DOMAIN" security and one-to-one account name mapping. A few days ago I started getting password prompts on connection, and messages like this in the log files... [2003/01/02 15:46:36, 0] rpc_parse/parse_prs.c:(316) prs_mem_get: reading data of size 60 would overrun buffer. [2003/01/02 15:46:36, 0]
2015 Feb 22
0
Samba4, idmap.ldb & ID_TYPE_BOTH
...s the start of the ACEs. So the owner (O) is > LA which is 'Local Administrator' and the group (G) is DA which is > 'Domain Administrators' , as I read it, Domain Administrators doesn't > own the files, or am I missing something? > > > - We don't (eg in sidHistory, or when files are migrated, preserving > > permissions, from a workstation or from a domain that is not trusted) > > always know if an incoming SID is a user or group. > > does windows know from the SID what the object is? and if not, what > does windows do? In Windows, a SI...
2017 Mar 23
1
[Samba 4.5] Very slow LDAP Queries (almost unusable), performance tunning ?
...@IDXATTR: mS-DS-CreatorSID @IDXATTR: proxyAddresses @IDXATTR: msPKI-Cert-Template-OID @IDXATTR: uNCName @IDXATTR: mS-SQL-Name @IDXATTR: fSMORoleOwner @IDXATTR: msSFU30NisDomain @IDXATTR: otherMailbox @IDXATTR: location @IDXATTR: msSFU30NetgroupHostAtDomain @IDXATTR: uSNChanged @IDXATTR: sIDHistory @IDXATTR: birthLocation @IDXATTR: msDS-SecondaryKrbTgtNumber @IDXATTR: msTSProperty01 @IDXATTR: msTSManagingLS4 @IDXATTR: msSFU30OrderNumber @IDXATTR: msDS-HABSeniorityIndex @IDXATTR: primaryGroupID @IDXATTR: mSMQQueueType @IDXATTR: msDFSR-ReplicationGroupGuid @IDXATTR: msDS-PhoneticDepar...
2017 Mar 27
4
[Samba 4.5] Very slow LDAP Queries (almost unusable), performance tunning ?
...roxyAddresses > @IDXATTR: msPKI-Cert-Template-OID > @IDXATTR: uNCName > @IDXATTR: mS-SQL-Name > @IDXATTR: fSMORoleOwner > @IDXATTR: msSFU30NisDomain > @IDXATTR: otherMailbox > @IDXATTR: location > @IDXATTR: msSFU30NetgroupHostAtDomain > @IDXATTR: uSNChanged > @IDXATTR: sIDHistory > @IDXATTR: birthLocation > @IDXATTR: msDS-SecondaryKrbTgtNumber > @IDXATTR: msTSProperty01 > @IDXATTR: msTSManagingLS4 > @IDXATTR: msSFU30OrderNumber > @IDXATTR: msDS-HABSeniorityIndex > @IDXATTR: primaryGroupID > @IDXATTR: mSMQQueueType > @IDXATTR: msDFSR-ReplicationGro...
2017 Mar 27
0
[Samba 4.5] Very slow LDAP Queries (almost unusable), performance tunning ?
...roxyAddresses > @IDXATTR: msPKI-Cert-Template-OID > @IDXATTR: uNCName > @IDXATTR: mS-SQL-Name > @IDXATTR: fSMORoleOwner > @IDXATTR: msSFU30NisDomain > @IDXATTR: otherMailbox > @IDXATTR: location > @IDXATTR: msSFU30NetgroupHostAtDomain > @IDXATTR: uSNChanged > @IDXATTR: sIDHistory > @IDXATTR: birthLocation > @IDXATTR: msDS-SecondaryKrbTgtNumber > @IDXATTR: msTSProperty01 > @IDXATTR: msTSManagingLS4 > @IDXATTR: msSFU30OrderNumber > @IDXATTR: msDS-HABSeniorityIndex > @IDXATTR: primaryGroupID > @IDXATTR: mSMQQueueType > @IDXATTR: msDFSR-ReplicationGro...