[Samba] When accessing the User Properties only SIDs are shown instead of real name

Fri Mar 22 12:09:08 UTC 2024

Hi,

In samba logs I see these entries.

{"timestamp": "2024-03-22T17:00:13.553400+0530", "type": "Authentication",
"Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624,
"logonId": "d42e868adc3300ef", "logonType": 3, "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress": "ipv4:172.16.202.22:41699",
"serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null, "clientAccount":
"servicenow at ktkbankltd", "workstation": null, "becameAccount": "Servicenow",
"becameDomain": "KTKBANKLTD", "becameSid":
"S-1-5-21-2327230821-3654296898-2374465889-86939", "mappedAccount":
"Servicenow", "mappedDomain": "KTKBANKLTD", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
"passwordType": "aes256-cts-hmac-sha1-96", "duration": 61502}}

We are actually trying to add the user "ServiceNow" to Local 
Administrators Group. Before adding while selecting, it properly shows 
name and SID in (). However, the moment we apply, only SID is shown, not 
the friendly name.

Thanks & Regards,

Anantha Raghava H A

DISCLAIMER:
This e-mail communication and any attachments may be privileged and 
confidential to Exza Technology Consulting & Services, Bangalore, and 
are intended only for the use of the recipients named above If you are 
not the addressee you may not copy, forward, disclose or use any part of 
it. If you have received this message in error, please delete it and all 
copies from your system and notify the sender immediately by return 
e-mail. Internet communications cannot be guaranteed to be timely, 
secure, error or virus-free. The sender does not accept liability for 
any errors or omissions.

Do not print this e-mail unless required. Save Paper & trees.

On 22/03/24 3:42 pm, Anantha Raghava via samba wrote:
> Hello Rowland,
>
> 1. We always have been using self compiled samba not the binaries. In 
> fact, when we started we started on CentOS and then when CentOS became 
> an upstream edition, we moved to RHEL, but continued with self 
> compiled samba, never moved to prebuilt binaries.
>
> 2. SSSD - We are not using sssd anywhere. We have many Linux Servers 
> but those are not members of AD domain. Only the web applications 
> running from Linux Servers are integrated with AD and other SSO layers 
> for authentication. Whereas all Windows PCs and Windows Servers are 
> members of AD Domain.
>
> 3. We discovered this issue when we started evaluation of "Service 
> Now" for our asset management needs. Initially we were using PDQ 
> Inventory which we had to discard since our security team disabled the 
> ADMIN$ share. PDQ depended on ADMIN$ share for asset discovery. 
> Service Now is able to discover most of the assets, but on Windows 
> members we are observing the above issue, that particular member is 
> not getting discovered and even the network shares are not working.
>
> 4. We are using samba internal DNS and all name resolutions are 
> working properly - Forward and reverse both are working properly. No 
> Issues.
>
> Do think enabling TCP IP NetBIOS Helper Service on Windows members 
> will help? I have not really checked this.
>
> Thanks & Regards,
>
> Anantha Raghava H A
>
>
> DISCLAIMER:
> This e-mail communication and any attachments may be privileged and 
> confidential to Exza Technology Consulting & Services, Bangalore, and 
> are intended only for the use of the recipients named above If you are 
> not the addressee you may not copy, forward, disclose or use any part 
> of it. If you have received this message in error, please delete it 
> and all copies from your system and notify the sender immediately by 
> return e-mail. Internet communications cannot be guaranteed to be 
> timely, secure, error or virus-free. The sender does not accept 
> liability for any errors or omissions.
>
> Do not print this e-mail unless required. Save Paper & trees.
>
>
> On 22/03/24 3:14 pm, Rowland Penny via samba wrote:
>> On Thu, 21 Mar 2024 22:10:20 +0530
>> Anantha Raghava via samba<samba at lists.samba.org>  wrote:
>>
>>> Hello Rowland
>>>
>>> Samba is running on RHEL 8.9 (subscribed edition)
>> Then why are you not asking redhat ?
>> I am not saying I will not try to help you, but I would have thought
>> that redhat would have been your first port of call.
>>
>>> Domain is ktkbankltd.com and the work group is ktkbankltd. This is
>>> the AD domain, not reachable from internet.
>> fair enough
>>
>>> We have 5 servers named pdc.ktkbankltd.com, dc1.ktkbankltd.com,
>>> dc2.ktkbankltd.com, dc3.ktkbankltd.com and dc4.ktkbankltd.com The
>>> name PDC is just the name, unlike NT4 domain. These servers were
>>> initially installed during 2016 and we started with Samba-AD 4.8, we
>>> are upgrading the versions over a period and currently we are using
>>> 4.18.1.
>> Ah, light dawns, you are running RHEL in an unsupported (by redhat)
>> way, which is why you are running a self compiled version of Samba.
>>
>>> WORKGROUP entered twice - Thanks for notifying.
>> Are you also running sssd anywhere ?
>>
>>> Pattern for non-mapped SIDs - There is no specific pattern. It may be
>>> user, or a group or a computer object. Interesting thing is, in most
>>> of the members it appears properly, However, we cannot say which
>>> member we face this problem. It appears randomly. Another important
>>> point to note
>>> - From the member which has this problem, when we try to access the
>>> shares using <ip-address>/share, it fails to open. However, when we
>>> access the same share using <hostname>/share, it works fine.
>> Now that is strange, using the ipaddress means using rpc and using the
>> hostname usually means using kerberos and rpc is usually the most
>> reliable.
>>
>>> I confirm that we have not deleted any user or group or computer
>>> object from AD which may result in this particular problem. To think
>>> that this could be a DNS issue, it randomly appears in different
>>> clients and not all.
>> I take it that you are using the AD DCs as the dns servers for the AD
>> domain.
>>
>> Rowland
>>
>>
>>