[Samba] Unable to browse system shares of a newly migrated AD DC

Andrey Repin anrdaemon at yandex.ru
Mon Mar 30 08:07:17 MDT 2015


Greetings, Rowland Penny!

<Trying to resend, sorry for possible duplicates.>

> On 30/03/15 10:06, L.P.H. van Belle wrote:

Please don't top-post. It makes messages very hard to read.

>> I think this won't work since the user connecting isn't known in the AD,
>> since the user connecting is mapped to user nobody.

I'm doing a simple check (anonymous listing of DC shares) as per instructions.

>> auth_check_password_send: Checking password for unmapped user []\[]@[]
>> auth_check_password_send: mapped user is: [CCENTER]\[]@[]
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009)
>> and 'force unknown acl user = true' for service IPC$
>>
>> cat /etc/passwd | grep nobody
>> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>>
>> and by default "Guest" (nobody) is disabled in the AD.
>>
>>
>>
>> Greetz,
>>
>> Louis
>>
>>

> Hi Louis, It works for me

> This appears in log.smbd on my DC when I run the same command:

> [2015/03/30 10:15:42.442881,  3] ../source3/smbd/service.c:856(make_connection_snum)
>    dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)

> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'

> So the questions are, what are the permissions on /tmp and is user
> '3000009' on the DC 'Everyone'?

Permissions are fine, but the migration did not create the "Users" group in AD.
How can I resolve it?

# wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy

# getent group
...
CCENTER\Enterprise Read-Only Domain Controllers:*:3000012:
CCENTER\Domain Admins:*:512:
CCENTER\Domain Users:*:513:
CCENTER\Domain Guests:*:514:
CCENTER\Domain Computers:*:515:
CCENTER\Domain Controllers:*:3000013:
CCENTER\Schema Admins:*:3000006:
CCENTER\Enterprise Admins:*:3000005:
CCENTER\Group Policy Creator Owners:*:3000003:
CCENTER\Read-Only Domain Controllers:*:3000014:
CCENTER\DnsUpdateProxy:*:3000015:


-- 
With best regards,
Andrey Repin
Monday, March 30, 2015 15:51:58

Sorry for my terrible English...


