[Samba] Unable to browse system shares of a newly migrated AD DC
L.P.H. van Belle
belle at bazuin.nl
Mon Mar 30 03:38:23 MDT 2015
I've never got this to work ok with "Guest" users.
I'll watch the thread... if you manage to get this working.
Greetz,
Louis
>-----Original message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Monday, 30 March 2015 11:26
>To: samba at lists.samba.org
>Subject: Re: [Samba] Unable to browse system shares of a newly migrated AD DC
>
>On 30/03/15 10:06, L.P.H. van Belle wrote:
>> I think this won't work since the user connecting isn't known in the AD,
>> since the user connecting is mapped to user nobody.
>>
>>
>> auth_check_password_send: Checking password for unmapped user []\[]@[]
>> auth_check_password_send: mapped user is: [CCENTER]\[]@[]
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009)
>> and 'force unknown acl user = true' for service IPC$
>>
>> cat /etc/passwd | grep nobody
>> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>>
>> and by default "Guest" (nobody) is disabled in the AD.
>>
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Original message-----
>>> From: rowlandpenny at googlemail.com
>>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>>> Sent: Monday, 30 March 2015 10:49
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Unable to browse system shares of a newly migrated AD DC
>>>
>>> On 30/03/15 00:01, Andrey Repin wrote:
>>>> Greetings, Rowland Penny!
>>>>
>>>>> [2015/03/30 01:05:38.096168, 3, effective(0, 0), real(0, 0)]
>>>>> ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
>>>>> auth_check_password_send: Checking password for unmapped user []\[]@[]
>>>>> auth_check_password_send: mapped user is: [CCENTER]\[]@[]
>>>>> [2015/03/30 01:05:38.125440, 2, effective(0, 0), real(0, 0)]
>>>>> ../source3/modules/vfs_acl_xattr.c:193(connect_acl_xattr)
>>>>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>>>> and 'force unknown acl user = true' for service IPC$
>>>>> [2015/03/30 01:05:38.127532, 3, effective(0, 0), real(0, 0)]
>>>>> ../source3/smbd/service.c:856(make_connection_snum)
>>>>> 127.0.0.1 (ipv4:127.0.0.1:45066) connect to service IPC$ initially as
>>>>> user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009) (pid 882)
>>>>> [2015/03/30 01:05:38.127627, 3, effective(0, 0), real(0, 0)]
>>>>> ../source3/smbd/reply.c:1024(reply_tcon_and_X)
>>>>> tconX service=IPC$
>>>>> [2015/03/30 01:05:38.128477, 3, effective(0, 0), real(0, 0)]
>>>>> ../source3/smbd/process.c:1802(process_smb)
>>>>> Transaction 3 of length 106 (0 toread)
>>>>> [2015/03/30 01:05:38.128537, 3, effective(0, 0), real(0, 0)]
>>>>> ../source3/smbd/process.c:1405(switch_message)
>>>>> switch message SMBntcreateX (pid 882) conn 0xb893b588
>>>>> [2015/03/29 22:05:38.128622, 3, effective(65534, 3000009), real(65534, 0)]
>>>> By the way, what is the group 3000009 supposed to be? Domain Users? Domain Admins?
>>>>
>>>>> ../source3/smbd/service.c:197(set_current_service)
>>>>> chdir (/tmp) failed, reason: Permission denied
>>>>> [2015/03/29 22:05:38.128674, 3, effective(65534, 3000009), real(65534, 0)]
>>>>> ../source3/smbd/error.c:82(error_packet_set)
>>>>> NT error packet at ../source3/smbd/process.c(1524) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
>>>>> [2015/03/29 22:05:38.138398, 3, effective(65534, 3000009), real(65534, 0)]
>>>>> ../source3/smbd/process.c:1802(process_smb)
>>>>> Transaction 4 of length 118 (0 toread)
>>>>> [2015/03/29 22:05:38.138453, 3, effective(65534, 3000009), real(65534, 0)]
>>>>> ../source3/smbd/process.c:1405(switch_message)
>>>>> switch message SMBtrans (pid 882) conn 0xb893b588
>>>>> [2015/03/29 22:05:38.138494, 3, effective(65534, 3000009), real(65534, 0)]
>>>>> ../source3/smbd/service.c:197(set_current_service)
>>>>> chdir (/tmp) failed, reason: Permission denied
>>>>> [2015/03/29 22:05:38.138529, 3, effective(65534, 3000009), real(65534, 0)]
>>>>> ../source3/smbd/error.c:82(error_packet_set)
>>>>> NT error packet at ../source3/smbd/process.c(1524) cmd=37 (SMBtrans) NT_STATUS_ACCESS_DENIED
>>>>> [2015/03/29 22:05:38.139702, 3, effective(65534, 3000009), real(65534, 0)]
>>>>> ../source3/smbd/process.c:1802(process_smb)
>>>>> Transaction 5 of length 39 (0 toread)
>>>>> [2015/03/29 22:05:38.139771, 3, effective(65534, 3000009), real(65534, 0)]
>>>>> ../source3/smbd/process.c:1405(switch_message)
>>>>> switch message SMBtdis (pid 882) conn 0xb893b588
>>>>> [2015/03/30 01:05:38.139897, 3, effective(0, 0), real(0, 0)]
>>>>> ../source3/smbd/service.c:1130(close_cnum)
>>>>> 127.0.0.1 (ipv4:127.0.0.1:45066) closed connection to service IPC$
>>>>> [2015/03/30 01:05:38.141264, 3, effective(0, 0), real(0, 0)]
>>>>> ../source3/smbd/server_exit.c:221(exit_server_common)
>>>>> Server exit (failed to receive smb request)
>>>> --
>>>> WBR,
>>>> Andrey Repin, 30.03.2015, <01:54>
>>>>
>>>> Sorry for my terrible English...
>>>>
>>> OK, it would seem that you possibly have a problem with your /tmp
>>> directory; it should be readable and writable by anybody, i.e. on my DC
>>> ls -la / shows:
>>>
>>> drwxrwxrwt 14 root root 4096 Mar 30 09:17 tmp
>>>
>>> As for who '3000009' is, you can find this out by running (on the DC)
>>> 'ldbedit -e nano -H /var/lib/samba/private/idmap.ldb' and searching for
>>> '3000009'; on my DC this results in this:
>>>
>>> dn: CN=S-1-5-32-545
>>> cn: S-1-5-32-545
>>> objectClass: sidMap
>>> objectSid: S-1-5-32-545
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000009
>>> distinguishedName: CN=S-1-5-32-545
>>>
>>> So '3000009' has the SID 'S-1-5-32-545'.
>>> To find out who this is go here:
>>> http://support.microsoft.com/en-us/kb/243330
>>>
>>> This reveals that this is the SID of the 'Users' group.
>>>
>>> This is probably true for your DC, but I would check your DC, as you can
>>> have differences between DCs.
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
>
>Hi Louis, it works for me.
>
>This appears in log.smbd on my DC when I run the same command:
>
>[2015/03/30 10:15:42.442881, 3] ../source3/smbd/service.c:856(make_connection_snum)
>  dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
>
>3000013 on my DC is SID S-1-1-0, which is 'Everyone'.
>
>So the questions are: what are the permissions on /tmp, and is user
>'3000009' on the DC 'Everyone'?
>
>Rowland
>
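The lookup Rowland describes (gid from the log line, to xidNumber in idmap.ldb, to SID, to well-known name), as an added Python example that is not part of the thread or of Samba. The LDIF dump and log line embedded in it are constructed to mirror the values quoted above; on a real DC you would feed `parse_idmap_ldif` the output of `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'` instead.

```python
import re
# Well-known SIDs from the Microsoft reference Rowland links (KB 243330).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "ANONYMOUS LOGON",
    "S-1-5-32-545": "Users",
}

# Constructed idmap.ldb dump shaped like the sidMap record Rowland quotes
# (cn/distinguishedName attributes left out to keep it short).
SAMPLE_IDMAP_LDIF = """\
dn: CN=S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000009

dn: CN=S-1-1-0
objectClass: sidMap
objectSid: S-1-1-0
type: ID_TYPE_BOTH
xidNumber: 3000013
"""
# Constructed copy of the make_connection_snum line from Andrey's log.
SAMPLE_LOG_LINE = ("127.0.0.1 (ipv4:127.0.0.1:45066) connect to service IPC$ initially as "
                   "user NT AUTHORITY\\ANONYMOUS LOGON (uid=65534, gid=3000009) (pid 882)")

def parse_idmap_ldif(text):
    """Return {xidNumber: objectSid} from an LDIF dump; records are blank-line separated."""
    xid_to_sid = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(ln.split(": ", 1) for ln in record.splitlines() if ": " in ln)
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            xid_to_sid[int(attrs["xidNumber"])] = attrs["objectSid"]
    return xid_to_sid

def ids_from_log_line(line):
    """Extract (uid, gid) from the '(uid=N, gid=M)' part of a connect log line."""
    m = re.search(r"\(uid=(\d+), gid=(\d+)\)", line)
    if m is None:
        raise ValueError("log line carries no uid/gid")
    return int(m.group(1)), int(m.group(2))

def resolve_xid(xid, xid_to_sid):
    """Map a numeric id to (sid, name); ids absent from idmap.ldb (65534 = local 'nobody') stay unmapped."""
    sid = xid_to_sid.get(xid)
    if sid is None:
        return None, "not in idmap.ldb (local Unix account?)"
    return sid, WELL_KNOWN_SIDS.get(sid, "domain or other SID")
```

Because xidNumbers are allocated per DC, the same gid can name 'Users' on one DC and 'Everyone' on another, which is exactly why Rowland asks Andrey to check his own idmap.ldb.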