[Samba] Unable to browse system shares of a newly migrated AD DC

Rowland Penny rowlandpenny at googlemail.com
Mon Mar 30 09:09:24 MDT 2015


On 30/03/15 15:07, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
> <Trying to resend, sorry for possible duplicates.>
>
>> On 30/03/15 10:06, L.P.H. van Belle wrote:
> Please don't top-post. It makes messages very hard to read.
>
>>> I think this won't work since the user connecting isn't known in the AD,
>>> since the user connecting is mapped to user nobody.
> I'm doing a simple check (anonymous listing of DC shares) as per instructions.
>
>>> auth_check_password_send: Checking password for unmapped user []\[]@[]
>>> auth_check_password_send: mapped user is: [CCENTER]\[]@[]
>>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009)
>>> and 'force unknown acl user = true' for service IPC$
>>>
>>> cat /etc/passwd | grep nobody
>>> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>>>
>>> and by default "Guest" (nobody) is disabled in the AD.
>>>
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>> Hi Louis, It works for me
>> This appears in log.smbd on my DC when I run the same command:
>> [2015/03/30 10:15:42.442881,  3]
>> ../source3/smbd/service.c:856(make_connection_snum)
>>     dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT
>> AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
>> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
>> So the questions are, what are the permissions on /tmp and is user
>> '3000009' on the DC 'Everyone'
> Permissions are fine, but migration did not create "Users" group in AD.
> How can I resolve it?
>
> # wbinfo -g
> Enterprise Read-Only Domain Controllers
> Domain Admins
> Domain Users
> Domain Guests
> Domain Computers
> Domain Controllers
> Schema Admins
> Enterprise Admins
> Group Policy Creator Owners
> Read-Only Domain Controllers
> DnsUpdateProxy
>
> # getent group
> ...
> CCENTER\Enterprise Read-Only Domain Controllers:*:3000012:
> CCENTER\Domain Admins:*:512:
> CCENTER\Domain Users:*:513:
> CCENTER\Domain Guests:*:514:
> CCENTER\Domain Computers:*:515:
> CCENTER\Domain Controllers:*:3000013:
> CCENTER\Schema Admins:*:3000006:
> CCENTER\Enterprise Admins:*:3000005:
> CCENTER\Group Policy Creator Owners:*:3000003:
> CCENTER\Read-Only Domain Controllers:*:3000014:
> CCENTER\DnsUpdateProxy:*:3000015:
>
>

I would be very very surprised if it hasn't been created, 'wbinfo -g'
will not show it though, try this:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(&(objectclass=group)(cn=users))'

and the same command will show who '3000009' is:

ldbedit -e nano -H /var/lib/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000009))'

If you don't have 'ldbedit', install ldb-tools

When you run the second command, what does the line that starts 'cn:' show?

Rowland
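As an added example (not part of the thread and not Samba's own code), the script below does offline what Rowland's two ldbedit commands ask the poster to do by hand: it parses LDIF as printed by `ldbsearch`/`ldbedit`, maps an xidNumber such as 3000009 back to its SID and, where the SID is a well-known one, to a name (S-1-1-0 is 'Everyone', as Rowland says), and checks whether a group with a given cn exists in a sam.ldb listing. The two LDIF samples are constructed; the SIDs, xidNumbers and the `DC=ccenter,DC=example` suffix are made up and are not the poster's data, and the script assumes `objectSid` is printed as a text SID (as Samba's ldb tools do) rather than base64.

```python
"""Diagnose idmap/group questions from saved ldbsearch output (added example)."""
from typing import Dict, List, Optional

Record = Dict[str, List[str]]

# Well-known SIDs fixed by Microsoft; not specific to any domain.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "NT AUTHORITY\\ANONYMOUS LOGON",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
}

# Constructed sample of an idmap.ldb listing (not real output from the thread).
IDMAP_LDIF = """\
# record 1
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid: S-1-1-0
type: ID_TYPE_BOTH
xidNumber: 3000013
distinguishedName: CN=S-1-1-0

# record 2
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000009
distinguishedName: CN=S-1-5-32-545

# returned 2 records
"""

# Constructed sample of a sam.ldb group search (made-up domain suffix).
SAM_LDIF = """\
# record 1
dn: CN=Users,CN=Builtin,DC=ccenter,DC=example
objectClass: top
objectClass: group
cn: Users
sAMAccountName: Users
objectSid: S-1-5-32-545
groupType: -2147483643

# returned 1 records
"""


def parse_ldif(text: str) -> List[Record]:
    """Minimal LDIF reader: blank lines separate records, '#' lines are comments,
    a leading space continues the previous value. Attribute names are stored
    lower-cased so lookups are case-insensitive (LDAP attribute names are)."""
    records: List[Record] = []
    current: Record = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if current:
                records.append(current)
                current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]  # folded continuation line
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue  # tolerate stray text instead of aborting the listing
        last_key = key.strip().lower()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        records.append(current)
    return records


def find_by_xid(records: List[Record], xid: str) -> Optional[Record]:
    """Return the sidMap record whose xidNumber equals xid, else None."""
    for rec in records:
        classes = [v.lower() for v in rec.get("objectclass", [])]
        if "sidmap" in classes and xid in rec.get("xidnumber", []):
            return rec
    return None


def describe_xid(records: List[Record], xid: str) -> str:
    """Human-readable answer to 'who is uid/gid N on this DC?'."""
    rec = find_by_xid(records, xid)
    if rec is None:
        return f"{xid}: no sidMap entry (id never allocated on this DC)"
    sid = rec["objectsid"][0]
    name = WELL_KNOWN_SIDS.get(sid, "not well-known; look the SID up in sam.ldb")
    return f"{xid} -> {sid} ({name})"


def group_exists(records: List[Record], cn: str) -> bool:
    """True if a record with objectClass group and the given cn is present."""
    for rec in records:
        classes = [v.lower() for v in rec.get("objectclass", [])]
        names = [v.lower() for v in rec.get("cn", [])]
        if "group" in classes and cn.lower() in names:
            return True
    return False


def ldbsearch_cmd(db: str, ldap_filter: str) -> List[str]:
    """argv for the read-only counterpart of the ldbedit commands in the thread."""
    return ["ldbsearch", "-H", db, ldap_filter]


if __name__ == "__main__":
    idmap = parse_ldif(IDMAP_LDIF)
    for xid in ("3000013", "3000009", "3000099"):
        print(describe_xid(idmap, xid))
    print("Users group present:", group_exists(parse_ldif(SAM_LDIF), "Users"))
    print(" ".join(ldbsearch_cmd("/var/lib/samba/private/idmap.ldb",
                                 "(&(objectClass=sidMap)(xidNumber=3000009))")))
```

To use it against a real DC, capture `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'` to a file and feed that text to `parse_ldif` instead of the constructed sample; `ldbsearch` only reads, so it is the safer choice over `ldbedit` when you merely want to look.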

