samba 4 - 'domain admin' accounts behaving like normal users; inexplicable errors

Ben Hodgens ben at hodgens.net
Sun Aug 29 17:46:45 MDT 2010


I'm running Samba 4.0.0alpha12-GIT-UNKNOWN; I checked it out on 8-11-2010. This 
is on an up-to-date Debian 5.0.5 (lenny) 32 bit x86 machine.

I'm having an odd scenario where any users I add to the default "Domain Admins" 
group within AD are only receiving something equating "User" or "Domain User" 
privileges on the Windows systems.

For instance, I've got to explicitly specify the domain\administrator account to 
modify any machine settings or manipulate services. It doesn't matter if the 
user is a Domain Admin; dialogs with those credentials in use are identical to 
"User" accounts.

I followed the official samba4 howto 
(http://wiki.samba.org/index.php/Samba4/HOWTO) and I've added 3 machines to the 
domain thus far - two Windows 7 Ultimate machines and a single XP Pro machine, 
all 'up to date' as of last week or so. One of the W7 machines was an older 
install, while the other two are clean/new for the express purpose of testing.

The first machine, the W7 'old' install, worked fine for about a week. I was 
able to perform escalation to administrator to perform what I needed, and did 
not notice one way or the other if the account I'd created was 'working' 
properly; I'm not 100% sure if I even added the account to domain admins at first.

I then had a power company invoked 'outage' and things started to not work quite 
right (ok, at all). On that physical machine I couldn't run explorer.exe at all 
without raising errors (as either a 'domain user', 'domain admin' or 
'domain\administrator').

One symptom is, right click on 'windows explorer' and click 'run as admin...' 
and log in as rc1\administrator and I get "Windows cannot access the specified 
device, path, or file. You may not have the appropriate permissions to access 
the item."

Another, the security event log says "event viewer cannot open the event log or 
custom view. verify that event log service is running or query is too long. 
Access denied (5)" - while event viewer is indeed running.

Another is when I try to run (for example) mbam setup, "windows cannot access 
c:\users\caimlas\downloads\mbam-setup-1.46.exe <cf> Check the spelling, problem 
might be with our network, etc." with details being "error code 0x80070043 The 
network name cannot be found".

I got all these errors, but most user-level applications (Chrome, Firefox, 
pidgin, etc.) all appeared to be working properly. I fiddled a bit with 
ownership of c:\ and the like (noticing that c:\ wasn't owned by 
domain\administrator like I'd expect - but that may have been an incorrect 
assumption).

Although some of these changes helped matters (creating a new user account and 
adding it explicitly to the local administrators group), the situation was still 
not good - I could run explorer.exe locally as the user, but did not have domain 
admin privileges on the system, and attempting to run explorer.exe (and any other 
'admin' type process/task) resulted in an error similar to the above.

Suspecting it might actually be malware, I hopped on a VM machine and tried doing 
the same with an XP and W7 VM. These behave closer to what I'd expect, but still 
(as a 'domain admin') have to escalate to domain\administrator to do anything I 
would normally be able to do as a domain administrator on a Windows based domain 
(or a local administrator).

Unfortunately, I'm not seeing anything in the samba.log file which might 
indicate the cause of this problem, one way or the other. (The only thing in 
there is relating to samba_dnsupdate, which I wouldn't expect to work - I'm 
using dnsmasq not bind; might this be the fault?).

I was able to join the original 'old' W7 machine to a Windows based 2003 Native 
domain over a VPN without any problems with similar use cases (eg. domain admin 
able to operate the machine as a local administrator).

Part of me suspects it's a missing GPO which would, on a Windows based AD 
domain, result in *Admin users getting added to local administrators group. 
Unfortunately, I'm not knowledgeable enough about AD to know this, and I can't 
seem to find anything while browsing with RSAT.

In all scenarios, the systems in question were successfully joined to the samba 
4 domain. There are no other AD (or samba3/NT4) domains on this subnet 
(and only accessible over ipsec).

If need be, I can rebuild with debugging symbols, but I have not yet done so due 
to the (clock) time commitment on that system; this is a significantly older 
test machine.

Any help and/or direction would be greatly appreciated. Below is an excerpt of 
my samba.log:

samba version 4.0.0alpha12-GIT-UNKNOWN started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
[Sun Aug 29 17:03:53 2010 MDT, 0 ../smbd/server.c:471:binary_smbd_main()]
samba: using 'standard' process model
[Sun Aug 29 17:03:53 2010 MDT, 0 ../kdc/hdb-samba4.c:184:hdb_samba4_create_kdc()]
FIXME: Using new system session for hdb
[Sun Aug 29 17:03:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
[Sun Aug 29 17:03:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/sbin/samba_dnsupdate", line 275, in <module>
[Sun Aug 29 17:03:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     if not check_dns_name(d):
[Sun Aug 29 17:03:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/sbin/samba_dnsupdate", line 160, in check_dns_name
[Sun Aug 29 17:03:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     ans = resolver.query(normalised_name, 
d.type)
[Sun Aug 29 17:03:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py", 
line 732, in query
[Sun Aug 29 17:03:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     return 
get_default_resolver().query(qname, rdtype, rdclass, tcp, source)
[Sun Aug 29 17:03:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py", 
line 672, in query
[Sun Aug 29 17:03:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     answer = Answer(qname, rdtype, 
rdclass, response)
[Sun Aug 29 17:03:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py", 
line 121, in __init__
[Sun Aug 29 17:03:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     raise NoAnswer
[Sun Aug 29 17:03:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate: dns.resolver.NoAnswer
[Sun Aug 29 17:04:08 2010 MDT, 0 ../dsdb/kcc/kcc_topology.c:3479:kcctpl_test()]
Testing kcctpl_create_intersite_connections
[Sun Aug 29 17:09:08 2010 MDT, 0 ../dsdb/kcc/kcc_topology.c:3479:kcctpl_test()]
Testing kcctpl_create_intersite_connections
[Sun Aug 29 17:13:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
[Sun Aug 29 17:13:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/sbin/samba_dnsupdate", line 275, in <module>
[Sun Aug 29 17:13:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     if not check_dns_name(d):
[Sun Aug 29 17:13:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/sbin/samba_dnsupdate", line 160, in check_dns_name
[Sun Aug 29 17:13:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     ans = resolver.query(normalised_name, 
d.type)
[Sun Aug 29 17:13:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py", 
line 732, in query
[Sun Aug 29 17:13:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     return 
get_default_resolver().query(qname, rdtype, rdclass, tcp, source)
[Sun Aug 29 17:13:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py", 
line 672, in query
[Sun Aug 29 17:13:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     answer = Answer(qname, rdtype, 
rdclass, response)
[Sun Aug 29 17:13:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py", 
line 121, in __init__
[Sun Aug 29 17:13:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     raise NoAnswer
[Sun Aug 29 17:13:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate: dns.resolver.NoAnswer
[Sun Aug 29 17:14:08 2010 MDT, 0 ../dsdb/kcc/kcc_topology.c:3479:kcctpl_test()]
Testing kcctpl_create_intersite_connections
[Sun Aug 29 17:19:08 2010 MDT, 0 ../dsdb/kcc/kcc_topology.c:3479:kcctpl_test()]
Testing kcctpl_create_intersite_connections
[Sun Aug 29 17:23:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
[Sun Aug 29 17:23:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/sbin/samba_dnsupdate", line 275, in <module>
[Sun Aug 29 17:23:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     if not check_dns_name(d):
[Sun Aug 29 17:23:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/sbin/samba_dnsupdate", line 160, in check_dns_name
[Sun Aug 29 17:23:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     ans = resolver.query(normalised_name, 
d.type)
[Sun Aug 29 17:23:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py", 
line 732, in query
[Sun Aug 29 17:23:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     return 
get_default_resolver().query(qname, rdtype, rdclass, tcp, source)
[Sun Aug 29 17:23:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py", 
line 672, in query
[Sun Aug 29 17:23:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     answer = Answer(qname, rdtype, 
rdclass, response)
[Sun Aug 29 17:23:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py", 
line 121, in __init__
[Sun Aug 29 17:23:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     raise NoAnswer
[Sun Aug 29 17:23:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate: dns.resolver.NoAnswer
[Sun Aug 29 17:24:08 2010 MDT, 0 ../dsdb/kcc/kcc_topology.c:3479:kcctpl_test()]
Testing kcctpl_create_intersite_connections
[Sun Aug 29 17:29:08 2010 MDT, 0 ../dsdb/kcc/kcc_topology.c:3479:kcctpl_test()]
Testing kcctpl_create_intersite_connections
[Sun Aug 29 17:33:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
[Sun Aug 29 17:33:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/sbin/samba_dnsupdate", line 275, in <module>
[Sun Aug 29 17:33:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     if not check_dns_name(d):
[Sun Aug 29 17:33:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/sbin/samba_dnsupdate", line 160, in check_dns_name
[Sun Aug 29 17:33:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     ans = resolver.query(normalised_name, 
d.type)
[Sun Aug 29 17:33:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py", 
line 732, in query
[Sun Aug 29 17:33:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     return 
get_default_resolver().query(qname, rdtype, rdclass, tcp, source)
[Sun Aug 29 17:33:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py", 
line 672, in query
[Sun Aug 29 17:33:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     answer = Answer(qname, rdtype, 
rdclass, response)
[Sun Aug 29 17:33:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:   File 
"/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py", 
line 121, in __init__
[Sun Aug 29 17:33:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     raise NoAnswer
[Sun Aug 29 17:33:57 2010 MDT, 0 
../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate: dns.resolver.NoAnswer
[Sun Aug 29 17:34:08 2010 MDT, 0 ../dsdb/kcc/kcc_topology.c:3479:kcctpl_test()]
Testing kcctpl_create_intersite_connections

-- 
Benjamin Hodgens
ben at hodgens.net
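
Added example, not part of the original post and not Samba code: the log excerpt above stores each line of a child process's stderr as its own header/message record, so one Python traceback from samba_dnsupdate is spread over many records. The sketch below parses that record layout and collapses each traceback to its final exception with the times it occurred; the sample input is constructed from the excerpt with the mail line-wrapping undone, and the function names are hypothetical.

```python
import re

# Record header as it appears in the excerpt: "[<time>, <level> <file>:<line>:<function>()]"
HEADER = re.compile(
    r"^\[(?P<ts>[^,]+), (?P<level>\d+) (?P<src>[^:\s]+):(?P<line>\d+):(?P<func>\w+)\(\)\]$")

# Constructed sample modelled on the excerpt (wrapping undone, traceback frames trimmed).
SAMPLE = """\
samba version 4.0.0alpha12-GIT-UNKNOWN started.
[Sun Aug 29 17:03:57 2010 MDT, 0 ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
[Sun Aug 29 17:03:57 2010 MDT, 0 ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate:     raise NoAnswer
[Sun Aug 29 17:03:57 2010 MDT, 0 ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate: dns.resolver.NoAnswer
[Sun Aug 29 17:04:08 2010 MDT, 0 ../dsdb/kcc/kcc_topology.c:3479:kcctpl_test()]
Testing kcctpl_create_intersite_connections
[Sun Aug 29 17:13:57 2010 MDT, 0 ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
[Sun Aug 29 17:13:57 2010 MDT, 0 ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate: dns.resolver.NoAnswer
"""

def parse_records(text):
    """Return [(timestamp, function, message)]; lines before the first header are skipped."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = [m.group("ts"), m.group("func"), []]
            records.append(current)
        elif current is not None and line.strip():
            current[2].append(line.rstrip())
    return [(ts, func, "\n".join(msg)) for ts, func, msg in records]

def child_failures(records):
    """Map (command, exception line) -> timestamps at which that traceback ended."""
    failures, open_tb = {}, set()
    for ts, func, msg in records:
        cmd, sep, out = msg.partition(": ")  # "<command>: <one line of its output>"
        if func != "samba_runcmd_io_handler" or not sep:
            continue
        if out.startswith("Traceback"):
            open_tb.add(cmd)
        elif cmd in open_tb and not out[:1].isspace():  # first unindented line ends it
            open_tb.discard(cmd)
            failures.setdefault((cmd, out.strip()), []).append(ts)
    return failures
```
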


