Inconsistency between groupmap "Domain Admins" and _lsa_add_acct_rights() checking
Nik Conwell
nik at bu.edu
Wed May 2 12:19:38 GMT 2007
(I guess this could be a HOWTO bug as well.)
I'm part of an AD domain.
To be considered an admin on the samba box, the howto
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html
says:
net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d
When I do that net groupmap list shows:
Domain Admins ([LOCALSID]-512) -> domadm
But, when assigning privs by a member of the unix group domadm via:
net -Unik rpc rights grant joe SePrintOperatorPrivilege
it ends up checking Domain Admins with the [DOMAINSID]-512.
In _lsa_add_acct_rights() if you're not root it calls
nt_token_check_domain_rid(), which ends up using the domain_sid.
But, since my account sid includes [LOCALSID]-512 and not
[DOMAINSID]-512 I never get a good sid match and so get denied.
Certainly, adding my groupmap "Domain Admins" with sid
[DOMAINSID]-512 is enough to get the net rpc rights grant working.
I don't know enough to stipulate that groupmap add type=d should use
the DOMAINSID, but it seems that way. Or, should _lsa_add_acct_rights()
be updated to also check the [LOCALSID]-512 sid as well as the
[DOMAINSID]-512 sid?
-nik
Nik Conwell Boston University
nik at bu.edu
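The mismatch described in the post can be checked for mechanically. The following is an added example, not Samba's code and not from the poster: it models nt_token_check_domain_rid() as "does the user's token contain <domain SID>-<rid>?" (an assumption about the real implementation, which may differ in detail), parses the `net groupmap list` output format quoted above, and flags any mapping that carries a well-known domain RID such as 512 under the machine's local SID instead of the domain SID. The SIDs and groupmap lines are constructed placeholders.

```python
import re

# Constructed placeholder SIDs (not real values from any system).
LOCAL_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"
DOMAIN_ADMINS_RID = 512

# Constructed 'net groupmap list' output: the HOWTO-style mapping, where
# rid=512 ends up under the LOCALSID, and the corrected mapping under the
# DOMAINSID.
GROUPMAP_AS_HOWTO = f"Domain Admins ({LOCAL_SID}-512) -> domadm\n"
GROUPMAP_FIXED = f"Domain Admins ({DOMAIN_SID}-512) -> domadm\n"

GROUPMAP_LINE = re.compile(
    r"^(?P<name>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>\S+)$"
)


def token_check_domain_rid(token_sids, domain_sid, rid):
    """Simplified model (assumption) of nt_token_check_domain_rid():
    succeed only if the token carries <domain_sid>-<rid>."""
    return f"{domain_sid}-{rid}" in token_sids


def parse_groupmap_list(text):
    """Parse lines like 'Domain Admins (S-1-5-21-...-512) -> domadm'
    into (ntgroup, sid, unixgroup) tuples; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = GROUPMAP_LINE.match(line.strip())
        if m:
            entries.append((m["name"], m["sid"], m["unix"]))
    return entries


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-512' into ('S-1-5-21-a-b-c', 512)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def audit_groupmap(text, domain_sid, local_sid, well_known_rids=(512,)):
    """Return (ntgroup, sid, reason) for every mapping whose well-known RID
    sits under the local machine SID rather than the domain SID. Such a
    mapping looks fine in 'net groupmap list' but never matches a privilege
    check that builds <domain_sid>-<rid>."""
    findings = []
    for name, sid, _unix in parse_groupmap_list(text):
        prefix, rid = split_sid(sid)
        if rid in well_known_rids and prefix == local_sid and prefix != domain_sid:
            findings.append((
                name, sid,
                f"RID {rid} mapped under LOCALSID; rights checks look for {domain_sid}-{rid}",
            ))
    return findings


def simulate_rights_grant(user_group_sids, domain_sid):
    """Model the non-root path of _lsa_add_acct_rights(): the caller's token
    (its group SIDs) must contain Domain Admins under the domain SID."""
    return token_check_domain_rid(user_group_sids, domain_sid, DOMAIN_ADMINS_RID)


if __name__ == "__main__":
    for label, gm in (("as HOWTO", GROUPMAP_AS_HOWTO), ("fixed", GROUPMAP_FIXED)):
        entries = parse_groupmap_list(gm)
        token = [sid for _, sid, _ in entries]  # the user is a member of domadm
        print(label, "grant allowed:", simulate_rights_grant(token, DOMAIN_SID))
        for finding in audit_groupmap(gm, DOMAIN_SID, LOCAL_SID):
            print("  finding:", finding)
```

Run against real output by piping `net groupmap list` into parse_groupmap_list() and supplying the SIDs from `net getlocalsid` and `net getdomainsid`; a non-empty result from audit_groupmap() is the condition under which `net rpc rights grant` is refused for members of the mapped unix group.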