[Samba] Security Principals, and SID's mapping bug

Rowland Penny repenny241155 at gmail.com
Wed Jan 25 10:47:18 UTC 2017


On Wed, 25 Jan 2017 10:21:04 +0100
L.P.H. van Belle <belle at bazuin.nl> wrote:

> While searching through the Windows GPO editor for the users,
> it's now as follows (after the smb.conf correction):
> 
> TEST 1 (Windows 7, a domain member, but local search)
> Creating a task locally on the computer, searching for SYSTEM gives back:
> WIN7 : NT AUTHORITY\SYSTEM
> 
> TEST 2 (Samba AD)
> Selected a WIN7 PC and search for system    : BUILDIN\SYSTEM
> Selected the samba AD and search for system : NTDOM\SYSTEM
> 
> The EXACT same steps on my Windows 2008R2 server.
> TEST 3 (Windows 2008R2 server)
> I'm getting: NT AUTHORITY\System
> 
> Anyhow, Samba is consistent in giving back some WRONG user/group
> info. An overview: I have compared the output of 2 DCs and 1
> member. All done on Samba 4.5.3.
> 
> wbinfo -u -g etc. all work fine. 
> wbinfo --all-domains
> BUILTIN
> NTDOM
> 
> DC 1 and DC 2 are exactly the same in their output.
> wbinfo --gid-info=3000001
> BUILTIN\server operators:x:3000001:
> wbinfo --gid-info=3000002
> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for gid 3000002
> wbinfo --uid-to-sid=3000001
> S-1-5-32-549
> wbinfo --uid-to-sid=3000002
> S-1-5-18
> wbinfo --gid-to-sid=3000001
> S-1-5-32-549
> wbinfo --gid-to-sid=3000002
> S-1-5-18
> wbinfo --sid-to-uid=S-1-5-32-549
> 3000001
> wbinfo --sid-to-uid=S-1-5-18
> 3000002
> wbinfo --sid-to-gid=S-1-5-32-549
> 3000001
> wbinfo --sid-to-gid=S-1-5-18
> 3000002
> wbinfo --sid-to-name=S-1-5-32-549
> BUILTIN\Server Operators 4
> wbinfo --sid-to-name=S-1-5-18
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-18
> wbinfo --sid-to-fullname=S-1-5-32-549
> BUILTIN\Server Operators 4
> wbinfo --sid-to-fullname=S-1-5-18
> failed to call wbcGetDisplayName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-18
> wbinfo --name-to-sid=BUILTIN\Server Operators
> S-1-5-32-549 SID_ALIAS (4)
> wbinfo --name-to-sid=NTDOM\Server Operators
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name NTDOM\Server Operators
> wbinfo --name-to-sid=BUILDIN\SYSTEM
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name BUILDIN\SYSTEM
> wbinfo --name-to-sid=NTDOM\SYSTEM
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name NTDOM\SYSTEM
> wbinfo --lookup-sids=S-1-5-32-549
> S-1-5-32-549 -> <none>\Server Operators 4
> wbinfo --lookup-sids=S-1-5-18
> wbcLookupSids failed: WBC_ERR_INVALID_SID
> Could not lookup SIDs S-1-5-18
> 
> 
> The member, and yes I know not all info should be here, just for
> comparison. But watch what happens with S-1-5-18:
> 
> wbinfo --gid-info=3000001
> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for gid 3000001
> wbinfo --gid-info=3000002
> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for gid 3000002
> wbinfo --uid-to-sid=3000001
> failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert uid 3000001 to sid
> wbinfo --uid-to-sid=3000002
> failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert uid 3000002 to sid
> wbinfo --gid-to-sid=3000001
> failed to call wbcGidToSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert gid 3000001 to sid
> wbinfo --gid-to-sid=3000002
> failed to call wbcGidToSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert gid 3000002 to sid
> wbinfo --sid-to-uid=S-1-5-32-549
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-32-549 to uid
> wbinfo --sid-to-uid=S-1-5-18
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-18 to uid
> wbinfo --sid-to-gid=S-1-5-32-549
> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-32-549 to gid
> wbinfo --sid-to-gid=S-1-5-18
> 2000
> wbinfo --sid-to-name=S-1-5-32-549
> BUILTIN\Server Operators 4
> wbinfo --sid-to-name=S-1-5-18
> NT AUTHORITY\SYSTEM 5
> wbinfo --sid-to-fullname=S-1-5-32-549
> BUILTIN\Server Operators 4
> wbinfo --sid-to-fullname=S-1-5-18
> NT AUTHORITY\SYSTEM 5
> wbinfo --name-to-sid=BUILTIN\Server Operators
> S-1-5-32-549 SID_ALIAS (4)
> wbinfo --name-to-sid=NTDOM\Server Operators
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name NTDOM\Server Operators
> wbinfo --name-to-sid=BUILDIN\SYSTEM
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name BUILDIN\SYSTEM
> wbinfo --name-to-sid=NTDOM\SYSTEM
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name NTDOM\SYSTEM
> wbinfo --lookup-sids=S-1-5-32-549
> S-1-5-32-549 -> <none>\Server Operators 4
> wbinfo --lookup-sids=S-1-5-18
> wbcLookupSids failed: WBC_ERR_INVALID_SID
> Could not lookup SIDs S-1-5-18
> 
> 
> To me this confirms this bug; why would the member server give back:
> wbinfo --sid-to-name=S-1-5-18
> NT AUTHORITY\SYSTEM 5
> 
> But the DC, which really needs it:
> wbinfo --sid-to-name=S-1-5-18
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-18
> 
> Can someone explain this difference? 
> 
> 
> And can someone confirm this problem still exists on their system and
> gives the same results as mine, so I'm sure it's not something from an
> older Samba. My setup runs as of 4.1.x and was upgraded multiple times,
> something like to 4.2.3 (and some others),
> to 4.2.10 => 4.3.x
> to 4.3.x  => 4.4.3
> to 4.4.5  => 4.5.3
> 

OK, I understand it a bit better now: Samba is being inconsistent ;-)

If you look here:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

You will find this:

SID: S-1-5-18
Name: Local System
Description: A service account that is used by the operating system.

If you then look at the security tab of a folder on a Win7 machine,
you will find it is just shown as 'SYSTEM'.

So, by my reading, it isn't 'BUILDIN', 'NTDOM' or 'NT AUTHORITY', it
is just plain 'SYSTEM'.

Rowland
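The following is an added example and not code from this thread or from Samba. It is a small Python script that parses transcripts in the shape of the wbinfo runs quoted above and flags the exact inconsistency being reported: a SID that id-maps (sid-to-uid / sid-to-gid succeed) but fails sid-to-name, or a resolved name whose authority prefix does not match the prefix implied by the SID's well-known layout (S-1-5-32-<rid> is BUILTIN; S-1-5-<n> with n below 32, such as S-1-5-18, is NT AUTHORITY, as the Win7 and 2008R2 tests above report; S-1-5-21-… is a real domain whose name only the DC can supply). The trailing number wbinfo prints after a resolved name is the SID_NAME_USE value returned by the lookup (the "SID_ALIAS (4)" in the name-to-sid output). The two sample transcripts are constructed from the DC and member output quoted in the thread; the function names are my own.

```python
import re

# SID_NAME_USE values: the number wbinfo prints after a resolved name.
SID_NAME_USE = {1: "user", 2: "group", 3: "domain", 4: "alias",
                5: "well-known group", 6: "deleted account", 7: "invalid",
                8: "unknown", 9: "computer"}

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")
CMD_RE = re.compile(r"^wbinfo --([a-z-]+)=(.+)$")


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [subauthorities])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]


def expected_prefix(sid):
    """Name prefix a Windows host shows for a SID, from its well-known layout.

    Returns None when the SID alone does not fix the prefix (a real domain,
    S-1-5-21-..., is named after whatever domain the DC serves).
    """
    authority, subs = parse_sid(sid)
    if authority != 5 or subs[0] == 21:
        return None
    if subs[0] == 32:
        return "BUILTIN"        # S-1-5-32-<rid>, e.g. 549 = Server Operators
    if subs[0] < 32:
        return "NT AUTHORITY"   # S-1-5-18 SYSTEM, -19 LOCAL SERVICE, -20 NETWORK SERVICE ...
    return None


def split_name(resolved):
    """'NT AUTHORITY\\SYSTEM 5' -> ('NT AUTHORITY', 'SYSTEM', 'well-known group')."""
    name, _, num = resolved.rpartition(" ")
    prefix, _, account = name.partition("\\")
    return prefix, account, SID_NAME_USE.get(int(num), "type %s" % num)


def parse_transcript(text):
    """Group each 'wbinfo --<op>=<arg>' line with the output lines that follow it."""
    results, key = {}, None
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = CMD_RE.match(line)
        if m:
            key = (m.group(1), m.group(2))
            results[key] = []
        elif key is not None and line:
            results[key].append(line)
    return results


def check(results):
    """List SIDs whose winbind answers contradict each other or the SID layout."""
    findings, by_sid = [], {}
    for (op, arg), out in results.items():
        if op.startswith("sid-to-"):
            by_sid.setdefault(arg, {})[op] = out
    for sid, ops in sorted(by_sid.items()):
        failed = {op for op, out in ops.items() if out and out[0].startswith("failed")}
        mapped = {op for op in ("sid-to-uid", "sid-to-gid") if op in ops and op not in failed}
        if mapped and "sid-to-name" in failed:
            findings.append("%s: %s succeed but sid-to-name fails"
                            % (sid, "/".join(sorted(mapped))))
        if "sid-to-name" in ops and "sid-to-name" not in failed:
            prefix, account, kind = split_name(ops["sid-to-name"][0])
            want = expected_prefix(sid)
            if want is not None and prefix != want:
                findings.append("%s: resolved as %s\\%s (%s), expected prefix %s"
                                % (sid, prefix, account, kind, want))
    return findings


# Constructed from the DC output quoted in the thread.
DC_TRANSCRIPT = r"""
wbinfo --sid-to-uid=S-1-5-32-549
3000001
wbinfo --sid-to-uid=S-1-5-18
3000002
wbinfo --sid-to-gid=S-1-5-32-549
3000001
wbinfo --sid-to-gid=S-1-5-18
3000002
wbinfo --sid-to-name=S-1-5-32-549
BUILTIN\Server Operators 4
wbinfo --sid-to-name=S-1-5-18
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-18
"""

# Constructed from the member output quoted in the thread.
MEMBER_TRANSCRIPT = r"""
wbinfo --sid-to-uid=S-1-5-32-549
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-549 to uid
wbinfo --sid-to-uid=S-1-5-18
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-18 to uid
wbinfo --sid-to-gid=S-1-5-32-549
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-549 to gid
wbinfo --sid-to-gid=S-1-5-18
2000
wbinfo --sid-to-name=S-1-5-32-549
BUILTIN\Server Operators 4
wbinfo --sid-to-name=S-1-5-18
NT AUTHORITY\SYSTEM 5
"""

if __name__ == "__main__":
    for label, text in (("DC", DC_TRANSCRIPT), ("member", MEMBER_TRANSCRIPT)):
        print(label, check(parse_transcript(text)) or "no inconsistencies")
```

Run against the quoted output, the DC transcript yields one finding for S-1-5-18 (id mapping works, name lookup fails) and the member transcript yields none, which is the asymmetry the question asks about. To use it on a live box, paste the output of the same wbinfo commands into the transcript strings; the checker only understands the `--sid-to-uid`, `--sid-to-gid` and `--sid-to-name` forms shown above.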