[Samba] Unable to browse system shares of a newly migrated AD DC
Andrey Repin
anrdaemon at yandex.ru
Mon Mar 30 08:07:17 MDT 2015
Greetings, Rowland Penny!
<Trying to resend, sorry for possible duplicates.>
> On 30/03/15 10:06, L.P.H. van Belle wrote:
Please don't top-post. It makes messages very hard to read.
>> I think this won't work since the user connecting isn't known in the AD,
>> since the user connecting is mapped to user nobody.
I'm doing a simple check (anonymous listing of DC shares) as per instructions.
>> auth_check_password_send: Checking password for unmapped user []\[]@[]
>> auth_check_password_send: mapped user is: [CCENTER]\[]@[]
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009)
>> and 'force unknown acl user = true' for service IPC$
>>
>> cat /etc/passwd | grep nobody
>> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>>
>> and by default "Guest" (nobody) is disabled in the AD.
>>
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
> Hi Louis, it works for me.
> This appears in log.smbd on my DC when I run the same command:
> [2015/03/30 10:15:42.442881, 3]
> ../source3/smbd/service.c:856(make_connection_snum)
> dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT
> AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
> So the questions are, what are the permissions on /tmp and is user
> '3000009' on the DC 'Everyone'?
Permissions are fine, but the migration did not create the "Users" group in AD.
How can I resolve it?
# wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy
# getent group
...
CCENTER\Enterprise Read-Only Domain Controllers:*:3000012:
CCENTER\Domain Admins:*:512:
CCENTER\Domain Users:*:513:
CCENTER\Domain Guests:*:514:
CCENTER\Domain Computers:*:515:
CCENTER\Domain Controllers:*:3000013:
CCENTER\Schema Admins:*:3000006:
CCENTER\Enterprise Admins:*:3000005:
CCENTER\Group Policy Creator Owners:*:3000003:
CCENTER\Read-Only Domain Controllers:*:3000014:
CCENTER\DnsUpdateProxy:*:3000015:
--
With best regards,
Andrey Repin
Monday, March 30, 2015 15:51:58
Sorry for my terrible English...