[Samba] Unable to browse system shares of a newly migrated AD DC

Rowland Penny rowlandpenny at googlemail.com
Mon Mar 30 04:11:18 MDT 2015


On 30/03/15 10:38, L.P.H. van Belle wrote:
> I've never got this to work ok with "Guest" users.
>
> I'll watch the thread... if you manage to get this working.
>
> Greetz,
>
> Louis
>
>> -----Original Message-----
>> From: rowlandpenny at googlemail.com
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>> Sent: Monday, 30 March 2015 11:26
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Unable to browse system shares of a
>> newly migrated AD DC
>>
>> On 30/03/15 10:06, L.P.H. van Belle wrote:
>>> I think this won't work since the user connecting isn't known in the AD,
>>> since the user connecting is mapped to user nobody.
>>>
>>>
>>> auth_check_password_send: Checking password for unmapped user []\[]@[]
>>> auth_check_password_send: mapped user is: [CCENTER]\[]@[]
>>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009)
>>> and 'force unknown acl user = true' for service IPC$
>>>
>>> cat /etc/passwd | grep nobody
>>> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>>>
>>> and by default "Guest" (nobody) is disabled in the AD.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original Message-----
>>>> From: rowlandpenny at googlemail.com
>>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>>>> Sent: Monday, 30 March 2015 10:49
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Unable to browse system shares of a
>>>> newly migrated AD DC
>>>>
>>>> On 30/03/15 00:01, Andrey Repin wrote:
>>>>> Greetings, Rowland Penny!
>>>>>
>>>>>> [2015/03/30 01:05:38.096168,  3, effective(0, 0), real(0, 0)]
>>>>>> ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
>>>>>>      auth_check_password_send: Checking password for unmapped user []\[]@[]
>>>>>>      auth_check_password_send: mapped user is: [CCENTER]\[]@[]
>>>>>> [2015/03/30 01:05:38.125440,  2, effective(0, 0), real(0, 0)]
>>>>>> ../source3/modules/vfs_acl_xattr.c:193(connect_acl_xattr)
>>>>>>      connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service IPC$
>>>>>> [2015/03/30 01:05:38.127532,  3, effective(0, 0), real(0, 0)]
>>>>>> ../source3/smbd/service.c:856(make_connection_snum)
>>>>>>      127.0.0.1 (ipv4:127.0.0.1:45066) connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009) (pid 882)
>>>>>> [2015/03/30 01:05:38.127627,  3, effective(0, 0), real(0, 0)]
>>>>>> ../source3/smbd/reply.c:1024(reply_tcon_and_X)
>>>>>>      tconX service=IPC$
>>>>>> [2015/03/30 01:05:38.128477,  3, effective(0, 0), real(0, 0)]
>>>>>> ../source3/smbd/process.c:1802(process_smb)
>>>>>>      Transaction 3 of length 106 (0 toread)
>>>>>> [2015/03/30 01:05:38.128537,  3, effective(0, 0), real(0, 0)]
>>>>>> ../source3/smbd/process.c:1405(switch_message)
>>>>>>      switch message SMBntcreateX (pid 882) conn 0xb893b588
>>>>>> [2015/03/29 22:05:38.128622,  3, effective(65534, 3000009), real(65534, 0)]
>>>>> By the way, what is group 3000009 supposed to be? Domain Users? Domain
>>>>> Admins?
>>>>>
>>>>>> ../source3/smbd/service.c:197(set_current_service)
>>>>>>      chdir (/tmp) failed, reason: Permission denied
>>>>>> [2015/03/29 22:05:38.128674,  3, effective(65534, 3000009), real(65534, 0)]
>>>>>> ../source3/smbd/error.c:82(error_packet_set)
>>>>>>      NT error packet at ../source3/smbd/process.c(1524) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
>>>>>> [2015/03/29 22:05:38.138398,  3, effective(65534, 3000009), real(65534, 0)]
>>>>>> ../source3/smbd/process.c:1802(process_smb)
>>>>>>      Transaction 4 of length 118 (0 toread)
>>>>>> [2015/03/29 22:05:38.138453,  3, effective(65534, 3000009), real(65534, 0)]
>>>>>> ../source3/smbd/process.c:1405(switch_message)
>>>>>>      switch message SMBtrans (pid 882) conn 0xb893b588
>>>>>> [2015/03/29 22:05:38.138494,  3, effective(65534, 3000009), real(65534, 0)]
>>>>>> ../source3/smbd/service.c:197(set_current_service)
>>>>>>      chdir (/tmp) failed, reason: Permission denied
>>>>>> [2015/03/29 22:05:38.138529,  3, effective(65534, 3000009), real(65534, 0)]
>>>>>> ../source3/smbd/error.c:82(error_packet_set)
>>>>>>      NT error packet at ../source3/smbd/process.c(1524) cmd=37 (SMBtrans) NT_STATUS_ACCESS_DENIED
>>>>>> [2015/03/29 22:05:38.139702,  3, effective(65534, 3000009), real(65534, 0)]
>>>>>> ../source3/smbd/process.c:1802(process_smb)
>>>>>>      Transaction 5 of length 39 (0 toread)
>>>>>> [2015/03/29 22:05:38.139771,  3, effective(65534, 3000009), real(65534, 0)]
>>>>>> ../source3/smbd/process.c:1405(switch_message)
>>>>>>      switch message SMBtdis (pid 882) conn 0xb893b588
>>>>>> [2015/03/30 01:05:38.139897,  3, effective(0, 0), real(0, 0)]
>>>>>> ../source3/smbd/service.c:1130(close_cnum)
>>>>>>      127.0.0.1 (ipv4:127.0.0.1:45066) closed connection to service IPC$
>>>>>> [2015/03/30 01:05:38.141264,  3, effective(0, 0), real(0, 0)]
>>>>>> ../source3/smbd/server_exit.c:221(exit_server_common)
>>>>>>      Server exit (failed to receive smb request)
>>>>> --
>>>>> WBR,
>>>>> Andrey Repin, 30.03.2015, <01:54>
>>>>>
>>>>> Sorry for my terrible english...
>>>>>
>>>> OK, it would seem that you possibly have a problem with your /tmp
>>>> directory, it should be readable and writeable by anybody, i.e. on my DC
>>>> 'ls -la /' shows:
>>>>
>>>> drwxrwxrwt  14 root     root      4096 Mar 30 09:17 tmp
>>>>
>>>> As for who '3000009' is, you can find out this by running (on the DC)
>>>> 'ldbedit -e nano -H /var/lib/samba/private/idmap.ldb' and searching for
>>>> '3000009', on my DC this results in this:
>>>>
>>>> dn: CN=S-1-5-32-545
>>>> cn: S-1-5-32-545
>>>> objectClass: sidMap
>>>> objectSid: S-1-5-32-545
>>>> type: ID_TYPE_BOTH
>>>> xidNumber: 3000009
>>>> distinguishedName: CN=S-1-5-32-545
>>>>
>>>> So '3000009' has the SID 'S-1-5-32-545'.
>>>> To find out who this is, go here:
>>>> http://support.microsoft.com/en-us/kb/243330
>>>>
>>>> This reveals that this is the SID of the 'Users' group
>>>>
>>>> This is probably true for your DC, but I would check your DC, as you can
>>>> have differences between DCs.
>>>>
>>>> Rowland
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>> Hi Louis, it works for me.
>>
>> This appears in log.smbd on my DC when I run the same command:
>>
>> [2015/03/30 10:15:42.442881,  3]
>> ../source3/smbd/service.c:856(make_connection_snum)
>>    dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
>>
>> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
>>
>> So the questions are: what are the permissions on /tmp, and is user
>> '3000009' on the DC 'Everyone'?
>>
>> Rowland
>>
>>
>>

Hi Louis, if I run 'smbclient -L localhost -U%' on the DC, I get this:

root at dc01:~# smbclient -L localhost -U%
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.17-Debian]

     Sharename       Type      Comment
     ---------       ----      -------
     netlogon        Disk
     sysvol          Disk
     testshare       Disk
     IPC$            IPC       IPC Service (Samba 4.1.17-Debian)
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.17-Debian]

     Server               Comment
     ---------            -------

     Workgroup            Master
     ---------            -------
     WORKGROUP

If I then run virtually the same command on a client (replacing
'localhost' with the DC's name), I get:

rowland at ThinkPad ~ $ smbclient -L dc01 -U%
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.17-Debian]

     Sharename       Type      Comment
     ---------       ----      -------
     netlogon        Disk
     sysvol          Disk
     testshare       Disk
     IPC$            IPC       IPC Service (Samba 4.1.17-Debian)
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.17-Debian]

     Server               Comment
     ---------            -------

     Workgroup            Master
     ---------            -------
     WORKGROUP


Rowland
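The two checks Rowland walks through in this thread (resolving the gid from the "connect to service IPC$" log line back to a SID via idmap.ldb, then naming that SID, and confirming /tmp is world-writable with the sticky bit) can be scripted. The POSIX shell script below is an added example written for this page; it is not code from the thread or from Samba. The idmap records are embedded as constructed sample data in the LDIF form the thread shows (on a real DC you would pipe in the output of `ldbsearch -H /var/lib/samba/private/idmap.ldb`), the well-known SID names come from the Microsoft KB article Rowland links, and the function names `xid_to_sid`, `sid_to_name` and `check_tmp_mode` are my own.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba's own tooling): map an
# idmap.ldb xidNumber back to its SID and a well-known name, and verify
# that /tmp has the mode smbd needs (drwxrwxrwt, i.e. 1777).

# Constructed sample: LDIF records of the kind the thread shows for idmap.ldb.
# On a real DC, feed the script the output of (run as root on the DC):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidNumber=3000009)'
SAMPLE_IDMAP='dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000009
distinguishedName: CN=S-1-5-32-545

dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid: S-1-1-0
type: ID_TYPE_BOTH
xidNumber: 3000013
distinguishedName: CN=S-1-1-0
'

# xid_to_sid XID: read LDIF idmap records on stdin and print the objectSid of
# the record whose xidNumber equals XID. Exits 1 when no record matches.
xid_to_sid() {
    awk -v want="$1" '
        function check() {
            if (!found && xid == want && sid != "") { print sid; found = 1 }
            sid = ""; xid = ""
        }
        /^objectSid:/ { sid = $2 }
        /^xidNumber:/ { xid = $2 }
        /^$/          { check() }         # a blank line ends an LDIF record
        END           { check(); exit !found }'
}

# sid_to_name SID: name the well-known SIDs most likely to appear in smbd logs
# (values from the Microsoft KB article linked in the thread). Anything else is
# reported as "unknown" so it gets looked up rather than guessed.
sid_to_name() {
    case "$1" in
        S-1-1-0)         printf '%s\n' 'Everyone' ;;
        S-1-5-7)         printf '%s\n' 'NT AUTHORITY\ANONYMOUS LOGON' ;;
        S-1-5-32-544)    printf '%s\n' 'Administrators' ;;
        S-1-5-32-545)    printf '%s\n' 'Users' ;;
        S-1-5-32-546)    printf '%s\n' 'Guests' ;;
        S-1-5-21-*-512)  printf '%s\n' 'Domain Admins' ;;
        S-1-5-21-*-513)  printf '%s\n' 'Domain Users' ;;
        S-1-5-21-*-514)  printf '%s\n' 'Domain Guests' ;;
        *)               printf '%s\n' 'unknown' ;;
    esac
}

# check_tmp_mode DIR: true when DIR is world-readable, world-writable and
# sticky, the mode whose absence produces the "chdir (/tmp) failed" lines.
check_tmp_mode() {
    mode=$(ls -ld "$1" | cut -c1-10)    # e.g. drwxrwxrwt
    [ "$mode" = "drwxrwxrwt" ]
}

# Usage: resolve the gids seen in the thread's log lines and check local /tmp.
for xid in 3000009 3000013; do
    if sid=$(printf '%s' "$SAMPLE_IDMAP" | xid_to_sid "$xid"); then
        printf 'xid %s -> %s (%s)\n' "$xid" "$sid" "$(sid_to_name "$sid")"
    else
        printf 'xid %s not found in idmap\n' "$xid"
    fi
done
if check_tmp_mode /tmp; then
    echo "/tmp mode is drwxrwxrwt, as expected"
else
    echo "/tmp mode is not drwxrwxrwt: anonymous IPC\$ connections will fail to chdir"
fi
```

Because the script only reads LDIF on stdin, the same functions work against a live DC by replacing the `printf '%s' "$SAMPLE_IDMAP"` with the `ldbsearch` call; an xid that resolves to a SID the table does not know is deliberately reported as "unknown" rather than assumed to be a harmless group.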


