[Samba] Unable to browse system shares of a newly migrated AD DC
rowlandpenny at googlemail.com
Mon Mar 30 09:09:24 MDT 2015
On 30/03/15 15:07, Andrey Repin wrote:
> Greetings, Rowland Penny!
> <Trying to resend, sorry for possible duplicates.>
>> On 30/03/15 10:06, L.P.H. van Belle wrote:
> Please don't top-post. It makes messages very hard to read.
>>> I think this won't work since the user connecting isn't known in the AD,
>>> since the user connecting is mapped to user nobody.
> I'm doing a simple check (anonymous listing of DC shares) as per instructions.
>>> auth_check_password_send: Checking password for unmapped user \@
>>> auth_check_password_send: mapped user is: [CCENTER]\@
>>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009)
>>> and 'force unknown acl user = true' for service IPC$
>>> cat /etc/passwd | grep nobody
>>> and by default "Guest" (nobody) is disabled in the AD.
>> Hi Louis, It works for me
>> This appears in log.smbd on my DC when I run the same command:
>> [2015/03/30 10:15:42.442881, 3]
>> dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT
>> AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
>> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
>> So the questions are: what are the permissions on /tmp, and is user
>> '3000009' on the DC 'Everyone'?
> Permissions are fine, but migration did not create "Users" group in AD.
> How can I resolve it?
> # wbinfo -g
> Enterprise Read-Only Domain Controllers
> Domain Admins
> Domain Users
> Domain Guests
> Domain Computers
> Domain Controllers
> Schema Admins
> Enterprise Admins
> Group Policy Creator Owners
> Read-Only Domain Controllers
> # getent group
> CCENTER\Enterprise Read-Only Domain Controllers:*:3000012:
> CCENTER\Domain Admins:*:512:
> CCENTER\Domain Users:*:513:
> CCENTER\Domain Guests:*:514:
> CCENTER\Domain Computers:*:515:
> CCENTER\Domain Controllers:*:3000013:
> CCENTER\Schema Admins:*:3000006:
> CCENTER\Enterprise Admins:*:3000005:
> CCENTER\Group Policy Creator Owners:*:3000003:
> CCENTER\Read-Only Domain Controllers:*:3000014:
I would be very, very surprised if it hasn't been created; 'wbinfo -g'
will not show it though. Try this:
ldbedit -e nano -H /var/lib/samba/private/sam.ldb
and the same command will show who '3000009' is:
ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
If you haven't got 'ldbedit', install ldb-tools.
When you run the second command, what does the line that starts 'cn:' show?
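The lookup Rowland describes (find the record in idmap.ldb whose xidNumber is the uid/gid from log.smbd, read its 'cn:' line, which is the SID, then work out which account that SID is) can be scripted rather than done by hand in ldbedit. The script below is an added example written for this reply, not code from the thread or from Samba. It uses ldbsearch from the same ldb-tools package instead of ldbedit, and, so that it runs offline, parses a constructed LDIF reply in the shape ldbsearch prints (the 3000013 = S-1-1-0 mapping is taken from Rowland's DC above; the 3000020 = S-1-5-32-545 record is made up for the sample). The well-known SIDs in sid_name are the standard Windows ones; anything else on a real DC can be resolved with wbinfo.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Resolve a Samba xidNumber (the uid/gid shown in log.smbd) to a SID via
# idmap.ldb, then to a name. On a real DC the LDIF comes from:
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidNumber=3000009)' cn type
# The xids in the 3000000+ range are allocated per DC in idmap.ldb, which is
# why 'Everyone' is 3000013 on one DC and may be a different number elsewhere.

# Constructed sample reply (not real data): record 1 is the mapping Rowland
# reports for his DC; record 2 is invented to give a second hit.
SAMPLE_IDMAP_LDIF='# record 1
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid: S-1-1-0
type: ID_TYPE_BOTH
xidNumber: 3000013

# record 2
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000020
'

# xid_to_sid LDIF XID: print the cn (the SID) of the record whose xidNumber
# equals XID, or nothing if there is no such record. LDIF records are
# blank-line separated, so awk paragraph mode (RS="") walks them one at a time.
xid_to_sid() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { RS = ""; FS = "\n" }
        {
            sid = ""; xid = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^cn: /)        sid = substr($i, 5)
                if ($i ~ /^xidNumber: /) xid = substr($i, 12)
            }
            if (xid == want) { print sid; exit }
        }'
}

# sid_name SID: name the well-known SIDs that matter for anonymous share
# listing; domain-specific SIDs end in a RID, and 513 is always Domain Users.
sid_name() {
    case "$1" in
        S-1-1-0)        printf '%s\n' 'Everyone' ;;
        S-1-5-7)        printf '%s\n' 'NT AUTHORITY\ANONYMOUS LOGON' ;;
        S-1-5-11)       printf '%s\n' 'NT AUTHORITY\Authenticated Users' ;;
        S-1-5-32-545)   printf '%s\n' 'BUILTIN\Users' ;;
        S-1-5-21-*-513) printf '%s\n' 'Domain Users' ;;
        *)              printf 'unknown; try: wbinfo -s %s\n' "$1" ;;
    esac
}

# resolve_xid LDIF XID: the full chain, "xid -> SID (name)" on one line.
resolve_xid() {
    sid=$(xid_to_sid "$1" "$2")
    if [ -z "$sid" ]; then
        printf '%s -> no record in idmap.ldb (try: wbinfo -G %s)\n' "$2" "$2"
    else
        printf '%s -> %s (%s)\n' "$2" "$sid" "$(sid_name "$sid")"
    fi
}

# Sample run against the constructed LDIF above.
resolve_xid "$SAMPLE_IDMAP_LDIF" 3000013
resolve_xid "$SAMPLE_IDMAP_LDIF" 3000020
resolve_xid "$SAMPLE_IDMAP_LDIF" 3000009
```

On the DC itself the same two-step lookup can also be done without touching the ldb files: 'wbinfo -G <gid>' returns the SID for a gid and 'wbinfo -s <SID>' returns its name, which is the quickest way to check whether Andrey's 3000009 is S-1-1-0 (Everyone) like Rowland's 3000013.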