samba 4 - 'domain admin' accounts behaving like normal users; inexplicable errors
Matthias Dieter Wallnöfer
mdw at samba.org
Sat Sep 11 07:24:10 MDT 2010
Hi Ben,
Ben Hodgens wrote:
> I'm running Samba 4.0.0alpha12-GIT-UNKNOWN; I checked it out on
> 8-11-2010. This is on an up-to-date Debian 5.0.5 (lenny) 32 bit x86
> machine.
>
> I'm having an odd scenario where any users I add to the default
> "Domain Admins" group within AD are only receiving something equating
> "User" or "Domain User" privileges on the Windows systems.
>
> For instance, I've got to explicitly specify the domain\administrator
> account to modify any machine settings or manipulate services. It
> doesn't matter if the user is a Domain Admin; dialogs with those
> credentials in use are identical to "User" accounts.
>
> I followed the official samba4 howto
> (http://wiki.samba.org/index.php/Samba4/HOWTO) and I've added 3
> machines to the domain thus far - two Windows 7 Ultimate machines and
> a single XP Pro machine, all 'up to date' as of last week or so. One
> of the W7 machines was an older install, while the other two are
> clean/new for the express purpose of testing.
>
> The first machine, the W7 'old' install, worked fine for about a week.
> I was able to perform escalation to administrator to perform what I
> needed, and did not notice one way or the other if the account I'd
> created was 'working' properly; I'm not 100% sure if I even added the
> account to domain admins at first.
>
> I then had a power company invoked 'outage' and things started to not
> work quite right (ok, at all). On that physical machine I couldn't run
> explorer.exe at all without raising errors (as either a 'domain user',
> 'domain admin' or 'domain\administrator').
>
> One symptom is, right click on 'windows explorer' and click 'run as
> admin...' and log in as rc1\administrator and I get "Windows cannot
> access the specified device, path, or file. You may not have the
> appropriate permissions to access the item."
>
> Another, the security event log says "event viewer cannot open the
> event log or custom view. verify that event log service is running or
> query is too long. Access denied (5)" - while event viewer is indeed
> running.
>
> Another is when I try to run (for example) mbam setup, 'windows cannot
> access c:\users\caimlas\downloads\mbam-setup-1.46.exe <cf> Check the
> spelling, problem might be with our network, etc." with details being
> "error code 0x80070043 The network name cannot be found".
>
> I got all these errors, but most user-level applications (Chrome,
> Firefox, pidgin, etc.) all appeared to be working properly. I fiddled
> a bit with ownership of c:\ and the like (noticing that c:\ wasn't
> owned by domain\administrator like I'd expect - but that may have been
> an incorrect assumption).
>
> Some of these changes helped matters (creating a new user account and
> adding it explicitly to the local administrators group), but the
> situation was still not good - I could run explorer.exe locally as the user, but
> did not have domain admin privileges on the system, and attempting to
> run explorer.exe (and any other 'admin' type process/task) resulted in
> an error similar to the above.
>
> Suspecting it might actually be malware, I hopped on a VM machine and
> tried doing the same with an XP and W7 VM. These behave closer to what
> I'd expect, but still (as a 'domain admin') have to escalate to
> domain\administrator to do anything I would normally be able to do as
> a domain administrator on a Windows based domain (or a local
> administrator).
>
> Unfortunately, I'm not seeing anything in the samba.log file which
> might indicate the cause of this problem, one way or the other. (The
> only thing in there is relating to samba_dnsupdate, which I wouldn't
> expect to work - I'm using dnsmasq not bind; might this be the fault?).
You can ignore dnsupdate errors for the moment - they are not
essentially important.
But also with "dnsmasq" you make use of our provision-generated zone
files or create the entries requested by AD, I imagine?
> I was able to join the original 'old' W7 machine to a Windows based
> 2003 Native domain over a VPN without any problems with similar use
> cases (eg. domain admin able to operate the machine as a local
> administrator).
>
> Part of me suspects it's a missing GPO which would, on a Windows based
> AD domain, result in *Admin users getting added to local
> administrators group. Unfortunately, I'm not knowledgeable enough
> about AD to know this, and I can't seem to find anything while
> browsing with RSAT.
No. On a domain join the domain admins group is always added to the
local administrators group. Therefore domain admins should immediately
gain local admin permissions.
> In all scenarios, the systems in question were successfully joined to
> the samba 4 domain. There are no other AD domains (or samba3/NT4)
> domains on this subnet (and only accessible over ipsec).
>
> If need be, I can rebuild with debugging symbols, but I have not yet
> done so due to the (clock) time commitment on that system; this is a
> significantly older test machine.
>
> Any help and/or direction would be greatly appreciated. Below is an
> excerpt of my samba.log:
>
> samba version 4.0.0alpha12-GIT-UNKNOWN started.
> Copyright Andrew Tridgell and the Samba Team 1992-2010
> [Sun Aug 29 17:03:53 2010 MDT, 0 ../smbd/server.c:471:binary_smbd_main()]
> samba: using 'standard' process model
> [Sun Aug 29 17:03:53 2010 MDT, 0
> ../kdc/hdb-samba4.c:184:hdb_samba4_create_kdc()]
> FIXME: Using new system session for hdb
> [Sun Aug 29 17:03:57 2010 MDT, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
> [Sun Aug 29 17:03:57 2010 MDT, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> /usr/local/samba/sbin/samba_dnsupdate: File
> "/usr/local/samba/sbin/samba_dnsupdate", line 275, in <module>
> [Sun Aug 29 17:03:57 2010 MDT, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> /usr/local/samba/sbin/samba_dnsupdate: if not check_dns_name(d):
> [Sun Aug 29 17:03:57 2010 MDT, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> /usr/local/samba/sbin/samba_dnsupdate: File
> "/usr/local/samba/sbin/samba_dnsupdate", line 160, in check_dns_name
> [Sun Aug 29 17:03:57 2010 MDT, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> /usr/local/samba/sbin/samba_dnsupdate: ans =
> resolver.query(normalised_name, d.type)
> [Sun Aug 29 17:03:57 2010 MDT, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> /usr/local/samba/sbin/samba_dnsupdate: File
> "/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py",
> line 732, in query
> [Sun Aug 29 17:03:57 2010 MDT, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> /usr/local/samba/sbin/samba_dnsupdate: return
> get_default_resolver().query(qname, rdtype, rdclass, tcp, source)
> [Sun Aug 29 17:03:57 2010 MDT, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> /usr/local/samba/sbin/samba_dnsupdate: File
> "/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py",
> line 672, in query
> [Sun Aug 29 17:03:57 2010 MDT, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> /usr/local/samba/sbin/samba_dnsupdate: answer = Answer(qname,
> rdtype, rdclass, response)
> [Sun Aug 29 17:03:57 2010 MDT, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> /usr/local/samba/sbin/samba_dnsupdate: File
> "/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py",
> line 121, in __init__
> [Sun Aug 29 17:03:57 2010 MDT, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> /usr/local/samba/sbin/samba_dnsupdate: raise NoAnswer
> [Sun Aug 29 17:03:57 2010 MDT, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> /usr/local/samba/sbin/samba_dnsupdate: dns.resolver.NoAnswer
> [Sun Aug 29 17:04:08 2010 MDT, 0
> ../dsdb/kcc/kcc_topology.c:3479:kcctpl_test()]
> Testing kcctpl_create_intersite_connections
> [Sun Aug 29 17:09:08 2010 MDT, 0
> ../dsdb/kcc/kcc_topology.c:3479:kcctpl_test()]
> Testing kcctpl_create_intersite_connections
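Added example, not part of the original messages and not Samba code: the reply states that a domain join always adds Domain Admins to the local Administrators group, and one way to check that on a client is to inspect the group SIDs in the user's logon token. The script parses `whoami /groups /fo csv` output captured on the client; the sample output and its domain SID are constructed, and the function names are hypothetical.

```python
import csv
import io
import re

DOMAIN_ADMINS_RID = "512"            # well-known RID of the Domain Admins group
BUILTIN_ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample of `whoami /groups /fo csv` output; the domain SID is made up.
SAMPLE = r'''"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"RC1\Domain Admins","Group","S-1-5-21-1111111111-2222222222-3333333333-512","Mandatory group, Enabled by default, Enabled group"
'''


def group_state(attributes):
    """Classify a token group; only an 'enabled' SID can grant access."""
    attrs = attributes.lower()
    if "deny only" in attrs:
        return "deny-only"
    return "enabled" if "enabled group" in attrs else "disabled"


def check_admin_groups(whoami_csv):
    """Report how Domain Admins and BUILTIN\\Administrators appear in a token."""
    result = {"domain_admins": "absent", "local_admins": "absent"}
    for row in csv.DictReader(io.StringIO(whoami_csv)):
        sid = row["SID"].strip()
        state = group_state(row["Attributes"])
        # Domain SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>.
        if re.fullmatch(r"S-1-5-21(-\d+){3}-" + DOMAIN_ADMINS_RID, sid):
            result["domain_admins"] = state
        elif sid == BUILTIN_ADMINS_SID:
            result["local_admins"] = state
    return result


def has_effective_local_admin(whoami_csv):
    """True only if BUILTIN\\Administrators is present and enabled in the token."""
    return check_admin_groups(whoami_csv)["local_admins"] == "enabled"


if __name__ == "__main__":
    print(check_admin_groups(SAMPLE))
    print("effective local admin:", has_effective_local_admin(SAMPLE))
```

If `domain_admins` is present but `local_admins` is absent, compare against the membership listed by `net localgroup Administrators` on the same client.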