Security Principals, and SID's mapping bug
L.P.H. van Belle
belle at bazuin.nl
Tue Jan 24 14:02:14 UTC 2017
Hai,
Does anyone know whether this is addressed, or can point me to the bug report?
There should be one, but I can't find it.
I'm finding the following again; tested with Samba 4.4.5, now Samba 4.5.3.
These reports go back to the year 2013.
I searched my samba mail folder for S-1-5-18.
The problem.
I create a "computer" Scheduled task.
Now this task MUST run as : SYSTEM (S-1-5-18)
After typing "SYSTEM" in "Change user/group" (at security options) in the task, it changes to: NTDOM\SYSTEM
With user : NTDOM\SYSTEM
Resulting in : http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
This exact event.
And the ScheduledTask is not applied to the computer; it is not even created on the computer.
Now when i change it to : NT Authority\SYSTEM
It creates the needed task, but it does not run; the error:
http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
again.
Now when i change it to : SYSTEM
It does not create the needed task, and it does not run; the error:
http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
again.
I also tested this on several computers outside the domain.
That works fine with user "NT Authority\SYSTEM"
Reproducible steps:
Create a scheduled task in a GPO; user or computer, that does not matter.
At the security context, (try to) set the user SYSTEM.
Do read:
https://technet.microsoft.com/en-us/library/dd851678(v=ws.11).aspx
And see here, Security options :
Computer Configuration , by default the task is run in the security context of the SYSTEM account.
And in the case of a Samba AD DC, this will never work since SYSTEM isn't correctly mapped.
On both DCs:
wbinfo -G 3000002
wbinfo -s S-1-5-18
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-18
I'm open to any suggestion EXCEPT changing the user in the scheduled task.
This is the complete smb.conf of my Samba 4.5.3 (on Debian Jessie).
Maybe I missed something here.
[global]
workgroup = NTDOM
realm = INTERNAL.DOMAIN.TLD
netbios name = DC1
server role = active directory domain controller
server services = -dns
interfaces = 192.168.0.1 127.0.0.1
bind interfaces only = yes
time server = yes
idmap_ldb:use rfc2307 = yes
## map id's outside to domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999
winbind nss info = rfc2307
winbind expand groups = 4
template shell = /bin/bash
template homedir = /home/users/%U
## disable printing completely and no error log messages.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# disable usershares creating, when set empty no error log messages.
usershare path =
# Add and Update TLS Key
tls enabled = yes
tls keyfile = /etc/ssl/local/private/xxxxx.key.pem
tls certfile = /etc/ssl/local/certs/xxxxx.cert.pem
tls cafile = /etc/ssl/certs/xxxxx-ca.pem
[sysvol]
path = /home/samba/sysvol
read only = No
acl_xattr:ignore system acls = yes
[netlogon]
path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
read only = No
acl_xattr:ignore system acls = yes
Greetz,
Louis
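The failure above comes down to what S-1-5-18 is: a well-known SID under the NT AUTHORITY identifier authority (authority value 5, single sub-authority 18), not a SID that belongs to any domain, so a resolver that only tries to find the SID's domain reports "domain not found". The following is an added example, not code from the post or from Samba: it parses SID strings into their components (and to/from the binary layout Windows uses), recognises well-known SIDs before consulting a domain, and then resolves domain SIDs by matching the domain prefix and RID. The domain SID, RID table and the subset of well-known SIDs are constructed for illustration.

```python
# Added example: structure of Windows SIDs and a lookup order that resolves
# well-known SIDs (such as S-1-5-18, NT AUTHORITY\SYSTEM) before domain SIDs.
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Small constructed subset of well-known SIDs, with the names Windows reports.
WELL_KNOWN_SIDS: Dict[str, Tuple[str, str]] = {
    "S-1-1-0": ("", "Everyone"),
    "S-1-5-11": ("NT AUTHORITY", "Authenticated Users"),
    "S-1-5-18": ("NT AUTHORITY", "SYSTEM"),
    "S-1-5-19": ("NT AUTHORITY", "LOCAL SERVICE"),
    "S-1-5-20": ("NT AUTHORITY", "NETWORK SERVICE"),
}

# Constructed sample domain: a real domain SID comes from the DC.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_NETBIOS = "NTDOM"
DOMAIN_RIDS: Dict[int, str] = {500: "Administrator", 512: "Domain Admins", 1106: "louis"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        # Textual form: S-<revision>-<identifier authority>-<sub-auth>...
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID: {text!r}")
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        if revision != 1 or len(subs) > 15:
            raise ValueError(f"malformed SID: {text!r}")
        return cls(revision, authority, subs)

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority),
                         *map(str, self.subauthorities)])

    def to_bytes(self) -> bytes:
        # Binary layout: revision (1 byte), sub-authority count (1 byte),
        # identifier authority (6 bytes, big-endian), sub-authorities (4 bytes each, little-endian).
        head = struct.pack("<BB", self.revision, len(self.subauthorities))
        return head + self.authority.to_bytes(6, "big") + b"".join(
            struct.pack("<I", s) for s in self.subauthorities)

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        revision, count = struct.unpack_from("<BB", data, 0)
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack_from("<" + "I" * count, data, 8)
        return cls(revision, authority, tuple(subs))

    def is_domain_sid(self) -> bool:
        # Domain and domain-member SIDs are S-1-5-21-<three machine/domain words>[-<RID>].
        return self.authority == 5 and len(self.subauthorities) >= 4 and self.subauthorities[0] == 21

    def domain_prefix(self) -> Optional["Sid"]:
        # The domain part is the first four sub-authorities; None for non-domain SIDs.
        if not self.is_domain_sid():
            return None
        return Sid(self.revision, self.authority, self.subauthorities[:4])

    def rid(self) -> Optional[int]:
        # The relative identifier is the fifth sub-authority of a domain-member SID.
        if self.is_domain_sid() and len(self.subauthorities) == 5:
            return self.subauthorities[4]
        return None


def lookup_sid(text: str) -> Optional[Tuple[str, str]]:
    """Resolve a SID to (domain, name); None mirrors a 'domain not found' result.

    Well-known SIDs are answered from the local table first, so they never
    reach the domain lookup that cannot know them.
    """
    sid = Sid.parse(text)
    well_known = WELL_KNOWN_SIDS.get(str(sid))
    if well_known is not None:
        return well_known
    prefix = sid.domain_prefix()
    if prefix is None or str(prefix) != DOMAIN_SID:
        return None  # not one of our domain's SIDs
    rid = sid.rid()
    if rid is None:
        return (DOMAIN_NETBIOS, DOMAIN_NETBIOS)  # the domain SID itself
    name = DOMAIN_RIDS.get(rid)
    return (DOMAIN_NETBIOS, name) if name is not None else None
```

With this lookup order, S-1-5-18 resolves to NT AUTHORITY\SYSTEM without any domain being consulted, while a SID under an unknown S-1-5-21 prefix still yields the domain-not-found result; the round trip through to_bytes/from_bytes is the layout you would see in an ACL or a token.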
More information about the samba-technical mailing list