[Samba] Missing entries in idmap.ldb

Kirin van der Veer kirin.vanderveer at planetinnovation.com.au
Mon Nov 17 22:00:17 MST 2014


I originally thought that was the best way to do it, but it does not grant
rights to all shares and folders.
When I run:
net -I <serverIPaddress> rpc rights list accounts -U administrator

I can clearly see that SeDiskOperatorPrivilege is assigned to the correct
group, but it does not allow access.

Editing idmap.ldb was a last ditch attempt to fix the problem. It's not my
preferred option, since all file modifications by admins now show as "root"
and you can't tell who did what. But it's the best I can do for now.

From the admin users' point of view you just get "Access denied". I suppose
I could fire up a high log level and then attempt access to try and work
out why it does not work, but we are moving to a "real" Windows AD anyway.

On 18 November 2014 09:47, Rowland Penny <rowlandpenny at googlemail.com>
wrote:

>  On 17/11/14 22:35, Kirin van der Veer wrote:
>
>   Hi Rowland,
>  I was trying to change the AD -> Unix mapping of some of my users.
>  I wanted to map some admin accounts to the root user (0) so that they
> could easily edit permissions on all shares and folders regardless of the
> groups that they were assigned to.
>  If there's a better way of accomplishing that then I'm all ears.
>
>
> Please don't do that, you are creating multiple 'Administrator' users.
>
> Have you ever heard of a group in AD called 'Domain Admins'? Add your
> admin users to this group and give 'Domain Admins' the required privileges.
>
> net rpc rights grant WORKGROUP\\"Domain Admins" SeDiskOperatorPrivilege
> -UAdministrator
>
> Where 'WORKGROUP' is the name you provided when you provisioned.
>
> Rowland
>
>
>  Kirin.
>
> On 17 November 2014 20:38, Rowland Penny <rowlandpenny at googlemail.com>
> wrote:
>
>> On 17/11/14 00:57, Kirin van der Veer wrote:
>>
>>> Thanks for replying to my issue.
>>> I was trying to edit the user mapping for the above users manually.
>>> (apologies that I neglected to mention that in my initial email).
>>> I have solved the problem with wbinfo.
>>> If I run:
>>> wbinfo --sids-to-unix-ids S-1-5-21-3663128747-3839060396-3176805764-11981
>>>
>>> Then it populates data into the idmap.ldb and I am able to edit user
>>> mappings with the following command:
>>> ldbedit -e /usr/bin/vim -H /var/lib/samba/private/idmap.ldb
>>> objectsid=S-1-5-21-3663128747-3839060396-3176805764-11981
>>>
>>> (which is the original command I was trying to use)
>>>
>>> Sorry if I was not clear in my original email, and thanks for your help.
>>>
>>> Kirin.
>>>
>>>
>>> On 15 November 2014 05:23, Rowland Penny <rowlandpenny at googlemail.com
>>> <mailto:rowlandpenny at googlemail.com>> wrote:
>>>
>>>     On 14/11/14 18:18, Marc Muehlfeld wrote:
>>>
>>>         Hello Kirin,
>>>
>>>         On 13.11.2014 at 23:38, Kirin van der Veer wrote:
>>>
>>>             When I run ldbedit on idmap.ldb some of my SIDs seem to be
>>>             missing.
>>>             The below output demonstrates the problem quite clearly:
>>>
>>>             root at server:/# wbinfo -n administrator
>>>             S-1-5-21-3663128747-3839060396-3176805764-500 SID_USER (1)
>>>             root at server:/# ldbedit -e /usr/bin/vim -H
>>>             /var/lib/samba/private/idmap.ldb
>>>             objectsid=S-1-5-21-3663128747-3839060396-3176805764-500
>>>             # 0 adds  0 modifies  0 deletes
>>>             root at server:/# wbinfo -n user1-admin
>>>             S-1-5-21-3663128747-3839060396-3176805764-11824 SID_USER (1)
>>>             root at server:/# ldbedit -e /usr/bin/vim -H
>>>             /var/lib/samba/private/idmap.ldb
>>>             objectsid=S-1-5-21-3663128747-3839060396-3176805764-11824
>>>             # 0 adds  0 modifies  0 deletes
>>>             root at server:/# wbinfo -n user2-admin
>>>             S-1-5-21-3663128747-3839060396-3176805764-11983 SID_USER (1)
>>>             root at server:/# ldbedit -e /usr/bin/vim -H
>>>             /var/lib/samba/private/idmap.ldb
>>>             objectsid=S-1-5-21-3663128747-3839060396-3176805764-11983
>>>             no matching records - cannot edit
>>>             root at server:/# wbinfo -n user3-admin
>>>             S-1-5-21-3663128747-3839060396-3176805764-11981 SID_USER (1)
>>>             root at server:/# ldbedit -e /usr/bin/vim -H
>>>             /var/lib/samba/private/idmap.ldb
>>>             objectsid=S-1-5-21-3663128747-3839060396-3176805764-11981
>>>             no matching records - cannot edit
>>>
>>>
>>>         I'm not sure if I understand what you do there. You get the
>>>         SID of an account and then edit idmap.ldb? But what do you do
>>>         there when you say
>>>
>>>             # ldbedit -e /usr/bin/vim -H /var/lib/samba/private/idmap.ldb
>>>             objectsid=S-1-5-21-3663128747-3839060396-3176805764-11981
>>>
>>>         Do you mean with that, that you search for that line in the
>>>         editor and you can't find it?
>>>
>>>
>>>
>>>         Regards,
>>>         Marc
>>>
>>>     Hi, I think the OP is having a problem he isn't telling us and he
>>>     is trying to find a reason for it. I do not think that it is
>>>     anything to do with idmap.ldb, I have users that do not appear in
>>>     idmap.ldb and do not have any problems.
>>>
>>>     Rowland
>>>
>>>     -- 
>>>     To unsubscribe from this list go to the following URL and read the
>>>     instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
>>>
>>>
>>> --
>>> Kirin van der Veer
>>> IT Support
>>> Planet Innovation
>>> Phone: 03 9945 7549
>>> Mobile: 0409 728 275
>>> 81–89 Cotham Road, Kew VIC 3101 Australia
>>> planetinnovation.com.au <http://planetinnovation.com.au>
>>>
>>>
>>> IMPORTANT NOTE. If you are NOT AN AUTHORISED RECIPIENT of this e-mail,
>>> please contact Planet Innovation Pty Ltd by return e-mail or by telephone
>>> on +613 9945 7510.  In this case, you should not read, print, re-transmit,
>>> store or act in reliance on this e-mail or any attachments, and should
>>> destroy all copies of them.  This e-mail and any attachments are
>>> confidential and may contain legally privileged information and/or
>>> copyright material of Planet Innovation Pty Ltd or third parties.  You
>>> should only re-transmit, distribute or commercialise the material if you
>>> are authorised to do so.  Although we use virus scanning software, we deny
>>> all liability for viruses or alike in any message or attachment. This
>>> notice should not be removed.
>>>
>> Why are you trying to edit idmap.ldb ?
>>
>> Rowland
>>
>
>
>
>


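As an added example (not part of the thread or of Samba itself), the check below reads an `ldbsearch` LDIF dump of idmap.ldb and reports the two things discussed above: SIDs that have no mapping record at all, and SIDs other than the built-in Administrator (RID 500) that are mapped to xidNumber 0, which is exactly what makes every admin's file change show up as "root". The LDIF sample is constructed and its xidNumber values are invented; the attribute names follow idmap.ldb's sidMap records.

```python
"""Audit a Samba idmap.ldb LDIF dump for two conditions raised in the thread:
SIDs that have no mapping record, and SIDs mapped to Unix id 0 (root)."""
from typing import Dict, List, Tuple

# Constructed sample of `ldbsearch -H /var/lib/samba/private/idmap.ldb` output,
# trimmed to the attributes this check needs; xidNumber values are invented.
# -500 (built-in Administrator) and -11824 map to xid 0; -11981 has no record.
SAMPLE_LDIF = """\
dn: CN=S-1-5-21-3663128747-3839060396-3176805764-500
objectSid: S-1-5-21-3663128747-3839060396-3176805764-500
type: ID_TYPE_BOTH
xidNumber: 0

dn: CN=S-1-5-21-3663128747-3839060396-3176805764-11824
objectSid: S-1-5-21-3663128747-3839060396-3176805764-11824
type: ID_TYPE_BOTH
xidNumber: 0

dn: CN=S-1-5-21-3663128747-3839060396-3176805764-11983
objectSid: S-1-5-21-3663128747-3839060396-3176805764-11983
type: ID_TYPE_BOTH
xidNumber: 3000021
"""

def parse_idmap_ldif(text: str) -> Dict[str, Tuple[str, int]]:
    """Map objectSid -> (type, xidNumber). Records are blank-line separated;
    LDIF folds long values onto lines starting with a space, '#' is a comment."""
    mappings: Dict[str, Tuple[str, int]] = {}
    for record in text.split("\n\n"):
        attrs: Dict[str, str] = {}
        last = None
        for line in record.splitlines():
            if line.startswith(" ") and last:      # folded continuation line
                attrs[last] += line[1:]
            elif ": " in line and not line.startswith("#"):
                last, value = line.split(": ", 1)
                attrs[last] = value
        if "objectSid" in attrs and "xidNumber" in attrs:
            mappings[attrs["objectSid"]] = (attrs.get("type", "?"), int(attrs["xidNumber"]))
    return mappings

def audit(sids: List[str], mappings: Dict[str, Tuple[str, int]]) -> Dict[str, List[str]]:
    """Split SIDs into 'unmapped' (no record yet; the thread's
    `wbinfo --sids-to-unix-ids` call is what created one) and 'root_mapped'
    (xid 0 for anything other than RID 500, the domain Administrator)."""
    unmapped = [s for s in sids if s not in mappings]
    root_mapped = [s for s in sids if s in mappings and mappings[s][1] == 0
                   and not s.endswith("-500")]
    return {"unmapped": unmapped, "root_mapped": root_mapped}
```

Feed it the SIDs that `wbinfo -n <account>` prints for the accounts you care about; anything in `root_mapped` is an account whose actions can no longer be attributed to a person in file ownership or audit logs.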

