samba 4 - 'domain admin' accounts behaving like normal users; inexplicable errors

Ben Hodgens ben at hodgens.net
Sat Sep 18 14:24:27 MDT 2010


Thanks for the response, Matthias.

On 09/11/2010 07:24 AM, Matthias Dieter Wallnöfer wrote:
> Hi Ben,
>
> Ben Hodgens wrote:
>> I'm running Samba 4.0.0alpha12-GIT-UNKNOWN; I checked it out on
>> 8-11-2010. This is on an up-to-date Debian 5.0.5 (lenny) 32 bit x86
>> machine.
>>
>> I'm having an odd scenario where any users I add to the default
>> "Domain Admins" group within AD are only receiving something equating
>> "User" or "Domain User" privileges on the Windows systems.
>>
>> For instance, I've got to explicitly specify the domain\administrator
>> account to modify any machine settings or manipulate services. It
>> doesn't matter if the user is a Domain Admin; dialogs with those
>> credentials in use are identical to "User" accounts.
>>
>> I followed the official samba4 howto
>> (http://wiki.samba.org/index.php/Samba4/HOWTO) and I've added 3
>> machines to the domain thus far - two Windows 7 Ultimate machines and
>> a single XP Pro machine, all 'up to date' as of last week or so. One
>> of the W7 machines was an older install, while the other two are
>> clean/new for the express purpose of testing.
>>
>> The first machine, the W7 'old' install, worked fine for about a week.
>> I was able to perform escalation to administrator to perform what I
>> needed, and did not notice one way or the other if the account I'd
>> created was 'working' properly; I'm not 100% sure if I even added the
>> account to domain admins at first.
>>
>> I then had a power company invoked 'outage' and things started to not
>> work quite right (ok, at all). On that physical machine I couldn't run
>> explorer.exe at all without raising errors (as either a 'domain user',
>> 'domain admin' or 'domain\administrator').
>>
>> One symptom is, right click on 'windows explorer' and click 'run as
>> admin...' and log in as rc1\administrator and I get "Windows cannot
>> access the specified device, path, or file. You may not have the
>> appropriate permissions to access the item."
>>
>> Another, the security event log says "event viewer cannot open the
>> event log or custom view. verify that event log service is running or
>> query is too long. Access denied (5)" - while event viewer is indeed
>> running.
>>
>> Another is when I try to run (for example) mbam setup, 'windows cannot
>> access c:\users\caimlas\downloads\mbam-setup-1.46.exe <cf> Check the
>> spelling, problem might be with our network, etc." with details being
>> "error code 0x80070043 The network name cannot be found".
>>
>> I got all these errors, but most user-level applications (Chrome,
>> Firefox, pidgin, etc.) all appeared to be working properly. I fiddled
>> a bit with ownership of c:\ and the like (noticing that c:\ wasn't
>> owned by domain\administrator like i'd expect - but that may have been
>> an incorrect assumption).
>>
>> Some of these changes helped matters (creating a new user account and
>> adding it explicitly to the local administrators group) the situation
>> was still not good - I could run explorer.exe locally as the user, but
>> did not have domain admin privileges on the system, and attempting to
>> run explorer.exe (and any other 'admin' type process/task) resulted in
>> an error similar to the above.
>>
>> Suspecting it might actually be malware, I hopped on a VM machine and
>> tried doing the same with an XP and W7 VM. These behave closer to what
>> I'd expect, but still (as a 'domain admin') have to escalate to
>> domain\administrator to do anything I would normally be able to do as
>> a domain administrator on a Windows based domain (or a local
>> administrator).
>>
>> Unfortunately, I'm not seeing anything in the samba.log file which
>> might indicate the cause of this problem, one way or the other. (The
>> only thing in there is relating to samba_dnsupdate, which I wouldn't
>> expect to work - I'm using dnsmasq not bind; might this be the fault?).
> You can ignore dnsupdate errors for the moment - they are not
> essentially important.
> But also with "dnsmasq" you make use of our provision-generated zone
> files or create the entries requested by AD, I imagine?

Here is what I'm using in my (dnsmasq) hosts file, which I duplicated from the 
zone files, more or less (not 100% sure it's perfectly congruent):

10.9.8.3        gc._msdcs.rc1.mydomain.com      gc._msdcs
10.9.8.3        _gc._tcp.rc1.mydomain.com       _gc._tcp
10.9.8.3        _gc._tcp.Default-First-Site-Name._sites.rc1.mydomain.com        _gc._tcp.Default-First-Site-Name._sites
10.9.8.3        _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.rc1.mydomain.com    _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs
10.9.8.3        _gc._tcp.gc._msdcs.rc1.mydomain.com     _gc._tcp.gc._msdcs
10.9.8.3        _ldap._tcp.gc._msdcs.rc1.mydomain.com   _ldap._tcp.gc._msdcs
10.9.8.3        _ldap._tcp.rc1.mydomain.com             _ldap._tcp
10.9.8.3        _ldap._tcp.dc._msdcs.rc1.mydomain.com   _ldap._tcp.dc._msdcs
10.9.8.3        _kerberos._udp.rc1.mydomain.com         _kerberos._udp
10.9.8.3        rc1.mydomain.com                        rc1

>> I was able to join the original 'old' W7 machine to a Windows based
>> 2003 Native domain over a VPN without any problems with similar use
>> cases (eg. domain admin able to operate the machine as a local
>> administrator).
>>
>> Part of me suspects it's a missing GPO which would, on a Windows based
>> AD domain, result in *Admin users getting added to local
>> administrators group. Unfortunately, I'm not knowledgeable enough
>> about AD to know this, and I can't seem to find anything while
>> browsing with RSAT.
> No. On a domain join the domain admins group is always added to the
> local administrators group. Therefore domain admins should immediately
> gain local admin permissions.

That was what I'd assumed/was familiar with, but I wasn't sure if that was 
pushed from AD GPOs or if it was something inherent in the client implementation.

>> In all scenarios, the systems in question were successfully joined to
>> the samba 4 domain. There are no other AD domains (or samba3/NT4)
>> domains on this subnet (and only accessible over ipsec).
>>
>> If need be, I can rebuild with debugging symbols, but I have not yet
>> done so due to the (clock) time commitment on that system; this is a
>> significantly older test machine.

What I'm miffed about is that I've tried several systems (3 W7) with different 
results on each, but some semblance of "not working" with regard to expected 
local administrative rights (or, for that matter, any rights at all, such as not 
being able to run explorer with the above stated errors resulting).
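Matthias's question about "the entries requested by AD" turns on record type: a dnsmasq hosts file can only answer A queries, while domain-joined Windows clients locate a DC by querying names such as _ldap._tcp.rc1.mydomain.com as SRV records. The script below is an added example, not code from this thread or from Samba; it parses the SRV lines of a provision-style BIND zone (sample constructed here, with the host name dc1 and the required-name list as assumptions) into dnsmasq `srv-host=` lines and reports which common locator names are absent.

```python
import re

# Constructed sample in the layout of a Samba-provisioned BIND zone file.
# Names and the 10.9.8.3 address mirror the thread; dc1 is an assumed host name.
SAMPLE_ZONE = """\
$ORIGIN rc1.mydomain.com.
@                    IN A   10.9.8.3
dc1                  IN A   10.9.8.3
_ldap._tcp           IN SRV 0 100 389  dc1.rc1.mydomain.com.
_kerberos._tcp       IN SRV 0 100 88   dc1.rc1.mydomain.com.
_kerberos._udp       IN SRV 0 100 88   dc1.rc1.mydomain.com.
_gc._tcp             IN SRV 0 100 3268 dc1.rc1.mydomain.com.
_ldap._tcp.dc._msdcs IN SRV 0 100 389  dc1.rc1.mydomain.com.
"""

# Locator names a Windows client commonly queries as SRV (assumed subset, not exhaustive).
REQUIRED_SRV = {"_ldap._tcp", "_kerberos._tcp", "_kerberos._udp", "_gc._tcp",
                "_ldap._tcp.dc._msdcs", "_kpasswd._tcp", "_kpasswd._udp"}

# name [ttl] IN SRV priority weight port target
SRV_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_srv(zone_text):
    """Return (origin, {relative_name: (priority, weight, port, target)})."""
    origin, records = None, {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop BIND comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = SRV_RE.match(line)
        if not m:
            continue                               # A/NS/other records are ignored
        name, prio, weight, port, target = m.groups()
        if origin and name.endswith("." + origin):
            name = name[: -len(origin) - 1]        # make the owner name relative
        records[name] = (int(prio), int(weight), int(port), target.rstrip("."))
    return origin, records


def to_dnsmasq(origin, records):
    """Render dnsmasq srv-host= lines; unlike hosts entries these answer SRV queries."""
    return [f"srv-host={name}.{origin},{tgt},{port},{prio},{weight}"
            for name, (prio, weight, port, tgt) in sorted(records.items())]


def missing_srv(records):
    """Locator names from REQUIRED_SRV that the zone does not define."""
    return sorted(REQUIRED_SRV - set(records))
```

Run the output through `dnsmasq --test` before deploying it, and confirm with `host -t SRV _ldap._tcp.rc1.mydomain.com` from a client that the answer is an SRV record rather than an A record.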


More information about the samba-technical mailing list