[Samba] Unable to browse system shares of a newly migrated AD DC
Rowland Penny
rowlandpenny at googlemail.com
Mon Mar 30 02:49:04 MDT 2015
On 30/03/15 00:01, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>> [2015/03/30 01:05:38.096168, 3, effective(0, 0), real(0, 0)]
>> ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
>> auth_check_password_send: Checking password for unmapped user []\[]@[]
>> auth_check_password_send: mapped user is: [CCENTER]\[]@[]
>> [2015/03/30 01:05:38.125440, 2, effective(0, 0), real(0, 0)]
>> ../source3/modules/vfs_acl_xattr.c:193(connect_acl_xattr)
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service IPC$
>> [2015/03/30 01:05:38.127532, 3, effective(0, 0), real(0, 0)]
>> ../source3/smbd/service.c:856(make_connection_snum)
>> 127.0.0.1 (ipv4:127.0.0.1:45066) connect to service IPC$ initially as
>> user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009) (pid 882)
>> [2015/03/30 01:05:38.127627, 3, effective(0, 0), real(0, 0)]
>> ../source3/smbd/reply.c:1024(reply_tcon_and_X)
>> tconX service=IPC$
>> [2015/03/30 01:05:38.128477, 3, effective(0, 0), real(0, 0)]
>> ../source3/smbd/process.c:1802(process_smb)
>> Transaction 3 of length 106 (0 toread)
>> [2015/03/30 01:05:38.128537, 3, effective(0, 0), real(0, 0)]
>> ../source3/smbd/process.c:1405(switch_message)
>> switch message SMBntcreateX (pid 882) conn 0xb893b588
>> [2015/03/29 22:05:38.128622, 3, effective(65534, 3000009), real(65534, 0)]
> By the way, what the group 3000009 is supposed to be? Domain Users? Domain
> Admins?
>
>> ../source3/smbd/service.c:197(set_current_service)
>> chdir (/tmp) failed, reason: Permission denied
>> [2015/03/29 22:05:38.128674, 3, effective(65534, 3000009), real(65534, 0)]
>> ../source3/smbd/error.c:82(error_packet_set)
>> NT error packet at ../source3/smbd/process.c(1524) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
>> [2015/03/29 22:05:38.138398, 3, effective(65534, 3000009), real(65534, 0)]
>> ../source3/smbd/process.c:1802(process_smb)
>> Transaction 4 of length 118 (0 toread)
>> [2015/03/29 22:05:38.138453, 3, effective(65534, 3000009), real(65534, 0)]
>> ../source3/smbd/process.c:1405(switch_message)
>> switch message SMBtrans (pid 882) conn 0xb893b588
>> [2015/03/29 22:05:38.138494, 3, effective(65534, 3000009), real(65534, 0)]
>> ../source3/smbd/service.c:197(set_current_service)
>> chdir (/tmp) failed, reason: Permission denied
>> [2015/03/29 22:05:38.138529, 3, effective(65534, 3000009), real(65534, 0)]
>> ../source3/smbd/error.c:82(error_packet_set)
>> NT error packet at ../source3/smbd/process.c(1524) cmd=37 (SMBtrans) NT_STATUS_ACCESS_DENIED
>> [2015/03/29 22:05:38.139702, 3, effective(65534, 3000009), real(65534, 0)]
>> ../source3/smbd/process.c:1802(process_smb)
>> Transaction 5 of length 39 (0 toread)
>> [2015/03/29 22:05:38.139771, 3, effective(65534, 3000009), real(65534, 0)]
>> ../source3/smbd/process.c:1405(switch_message)
>> switch message SMBtdis (pid 882) conn 0xb893b588
>> [2015/03/30 01:05:38.139897, 3, effective(0, 0), real(0, 0)]
>> ../source3/smbd/service.c:1130(close_cnum)
>> 127.0.0.1 (ipv4:127.0.0.1:45066) closed connection to service IPC$
>> [2015/03/30 01:05:38.141264, 3, effective(0, 0), real(0, 0)]
>> ../source3/smbd/server_exit.c:221(exit_server_common)
>> Server exit (failed to receive smb request)
>
> --
> WBR,
> Andrey Repin, 30.03.2015, <01:54>
>
> Sorry for my terrible english...
>
OK, It would seem that you possibly have a problem with your /tmp
directory, it should be readable and writeable by anybody i.e. on my DC
ls -la / shows:
drwxrwxrwt 14 root root 4096 Mar 30 09:17 tmp
As for who '3000009' is, you can find out this by running (on the DC)
'ldbedit -e nano -H /var/lib/samba/private/idmap.ldb' and searching for
'3000009', on my DC this results in this:
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000009
distinguishedName: CN=S-1-5-32-545
So '3000009' has the SID 'S-1-5-32-545'
To find out who this is go here:
http://support.microsoft.com/en-us/kb/243330
This reveals that this is the SID of the 'Users' group
This is probably true for your DC, but I would check your DC, as you can
have differences between DCs.
Rowland
More information about the samba
mailing list