[Samba] net rpc file checks in 3.5.x
Michal Soltys
soltys at ziu.info
Thu Oct 14 03:41:23 MDT 2010
This is in reply to an older question of mine:
http://www.mail-archive.com/samba@lists.samba.org/msg109014.html
On 10-06-30 18:48, Michal Soltys wrote:
> When doing a simple:
>
> net rpc file -Untadmin
>
> With ntadmin being a user belonging to properly groupmapped domain admins,
> (with rid 512), including cases with ntadmin being rid=500 itself,
> I always get:
>
> [2010/06/30 15:06:46.272578, 2] auth/auth.c:304(check_ntlm_password)
> check_ntlm_password: authentication for user [ntadmin] -> [ntadmin] -> [ntadmin] succeeded
> [2010/06/30 15:06:46.276232, 1] rpc_server/srv_srvsvc_nt.c:1039(_srvsvc_NetFileEnum)
> Enumerating files only allowed for administrators
>
>
> I've peeked into srv_srvsvc_nt.c and the main difference from earlier
> samba versions (in the function mentioned in the logs) is the addition
> of the following check:
>
> if (!nt_token_check_sid(&global_sid_Builtin_Administrators,
>                         p->server_info->ptok)) {
>         DEBUG(1, ("Enumerating files only allowed for "
>                   "administrators\n"));
>         return WERR_ACCESS_DENIED;
> }
>
> Judging from the variables' names it checks if a user belongs to the builtin group. Assuming
> this kind of check is intended in this place - how to actually make a [functionally
> working] builtin group? groupmap allows mapping to local and builtin groups, and
> I've also tested some net rpc group variations - but so far to no actual effect.
Actually, I mistyped the sid - groupmap can handle builtin groups just fine.
Overall it turned out that the culprit (in my case) was a brief run of
winbindd in the past. Basically, once the BUILTIN domain showed up in
gencache.tdb, I had to do net groupmap and add the user used with the
net tool (admin) to the builtin administrators group (regardless of whether
winbindd was or wasn't running after that). The alternative option was to simply
stop samba / remove gencache.tdb / start again.
Earlier samba versions didn't perform this kind of check, so it never
was an issue.
Should it be assumed these days that groupmapping of builtin groups is
no longer optional (or at least that it is advised to have it in place)?
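As an added illustration (not Samba's code and not from the original post), the following toy C program models the quoted nt_token_check_sid() check on two constructed tokens for ntadmin: one carrying only the domain SIDs (the rid 500 user and Domain Admins, rid 512), and one that additionally carries the well-known BUILTIN\Administrators SID S-1-5-32-544 that the group mapping puts into the token. The domain SID S-1-5-21-111-222-333 and the function names are placeholders.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the NT token Samba builds at logon (user SID + group SIDs). Added
   illustration only, not Samba's struct nt_user_token or nt_token_check_sid(). */
#define MAX_SIDS 8
struct nt_token { char sids[MAX_SIDS][64]; int num_sids; };
/* S-1-5-32-544 is the well-known BUILTIN\Administrators SID; the domain SID is a placeholder. */
#define SID_BUILTIN_ADMINISTRATORS "S-1-5-32-544"
#define SID_DOMAIN "S-1-5-21-111-222-333"
#define RID_ADMINISTRATOR 500  /* ntadmin as rid 500, as in the post */
#define RID_DOMAIN_ADMINS 512  /* Domain Admins */
/* Exact-SID membership test, the semantics of the check quoted from srv_srvsvc_nt.c.
   Domain Admins is S-1-5-21-<domain>-512, a different SID from S-1-5-32-544, so
   holding rid 512 (or 500) says nothing about BUILTIN\Administrators membership. */
bool token_has_sid(const struct nt_token *tok, const char *sid)
{
    for (int i = 0; i < tok->num_sids; i++)
        if (strcmp(tok->sids[i], sid) == 0)
            return true;
    return false;
}
/* The decision _srvsvc_NetFileEnum makes before enumerating open files. */
bool may_enum_files(const struct nt_token *tok)
{
    return token_has_sid(tok, SID_BUILTIN_ADMINISTRATORS);
}
/* ntadmin's token: rid 500 user in Domain Admins. builtin_mapped adds the SID that
   group-mapping BUILTIN\Administrators and adding the user to it puts into the token. */
struct nt_token ntadmin_token(bool builtin_mapped)
{
    struct nt_token tok = { .num_sids = 0 };
    snprintf(tok.sids[tok.num_sids++], 64, "%s-%d", SID_DOMAIN, RID_ADMINISTRATOR);
    snprintf(tok.sids[tok.num_sids++], 64, "%s-%d", SID_DOMAIN, RID_DOMAIN_ADMINS);
    if (builtin_mapped)
        snprintf(tok.sids[tok.num_sids++], 64, "%s", SID_BUILTIN_ADMINISTRATORS);
    return tok;
}
bool ntadmin_may_enum_files(bool builtin_mapped)
{
    struct nt_token tok = ntadmin_token(builtin_mapped);
    return may_enum_files(&tok);
}

int main(void)
{
    printf("before mapping: %s\n", ntadmin_may_enum_files(false) ? "allowed" : "WERR_ACCESS_DENIED");
    printf("after mapping:  %s\n", ntadmin_may_enum_files(true) ? "allowed" : "WERR_ACCESS_DENIED");
}
```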