[Samba] Unable to browse system shares of a newly migrated AD DC

Andrey Repin anrdaemon at yandex.ru
Mon Mar 30 14:50:36 MDT 2015

Greetings, Rowland Penny!

>>> Hi Louis, It works for me
>>> This appears in log.smbd on my DC when I run the same command:
>>> [2015/03/30 10:15:42.442881,  3]
>>> ../source3/smbd/service.c:856(make_connection_snum)
>>>     dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT
>>> AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
>>> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
>>> So the questions are, what are the permissions on /tmp and is user
>>> '3000009' on the DC 'Everyone'
>> Permissions are fine, but migration did not create "Users" group in AD.
>> How can I resolve it?

> I would be very very surprised if it hasn't been created, 'wbinfo -g' 
> will not show it though, try this:

> ldbedit -e nano -H /var/lib/samba/private/sam.ldb 
> '(&(objectclass=group)(cn=users))'

# editing 1 records
# record 1
dn: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
cn: Users
description: Users are prevented from making accidental or intentional system-
 wide changes and can run most applications
member: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
instanceType: 4
whenCreated: 20150329223248.0Z
uSNCreated: 3563
name: Users
objectGUID: 509b16e2-e317-4c9b-937c-e3480a498961
objectSid: S-1-5-32-545
sAMAccountName: Users
sAMAccountType: 536870912
systemFlags: -1946157056
groupType: -2147483643
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ads,DC=ccenter,DC=lan
isCriticalSystemObject: TRUE
gidNumber: 30002
whenChanged: 20150329223254.0Z
objectClass: top
objectClass: posixGroup
objectClass: group
msSFU30NisDomain: ccenter
uSNChanged: 3798
distinguishedName: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan

> and the same command will show who '3000009' is:

> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb 
> '(&(objectClass=sidMap)(xidNumber=3000009))'

> If you haven't get 'ldbedit', install ldb-tools

That is one handy tool, I may say!

> When you run the second command, what does the line that starts 'cn:' show ?

Nothing useful, unfortunately.

# ldbedit -e cat -H /var/lib/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000009))'
# editing 1 records
# record 1
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid: S-1-1-0
xidNumber: 3000009
distinguishedName: CN=S-1-1-0

# 0 adds  0 modifies  0 deletes

I suppose, the group mapping is screwed somehow.
May be I've copied the wrong tdb from PDC?

With best regards,
Andrey Repin
Monday, March 30, 2015 23:44:13

Sorry for my terrible english...

More information about the samba mailing list