[Samba] Unable to browse system shares of a newly migrated AD DC
Rowland Penny
rowlandpenny at googlemail.com
Mon Mar 30 15:16:37 MDT 2015
On 30/03/15 21:50, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>>> Hi Louis, It works for me
>>>> This appears in log.smbd on my DC when I run the same command:
>>>> [2015/03/30 10:15:42.442881, 3]
>>>> ../source3/smbd/service.c:856(make_connection_snum)
>>>> dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT
>>>> AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
>>>> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
>>>> So the questions are, what are the permissions on /tmp and is user
>>>> '3000009' on the DC 'Everyone'
>>> Permissions are fine, but migration did not create "Users" group in AD.
>>> How can I resolve it?
>> I would be very very surprised if it hasn't been created, 'wbinfo -g'
>> will not show it though, try this:
>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
>> '(&(objectclass=group)(cn=users))'
> # editing 1 records
> # record 1
> dn: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
> cn: Users
> description: Users are prevented from making accidental or intentional system-
> wide changes and can run most applications
> member: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
> member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
> member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
> instanceType: 4
> whenCreated: 20150329223248.0Z
> uSNCreated: 3563
> name: Users
> objectGUID: 509b16e2-e317-4c9b-937c-e3480a498961
> objectSid: S-1-5-32-545
> sAMAccountName: Users
> sAMAccountType: 536870912
> systemFlags: -1946157056
> groupType: -2147483643
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ads,DC=ccenter,DC=lan
> isCriticalSystemObject: TRUE
> gidNumber: 30002
> whenChanged: 20150329223254.0Z
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> msSFU30NisDomain: ccenter
> uSNChanged: 3798
> distinguishedName: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
>
>> and the same command will show who '3000009' is:
>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>> '(&(objectClass=sidMap)(xidNumber=3000009))'
>> If you haven't get 'ldbedit', install ldb-tools
> That is one handy tool, I may say!
>
>> When you run the second command, what does the line that starts 'cn:' show ?
> Nothing useful, unfortunately.
Yes it does :-)
It shows that your '3000009' is like my '3000013' is the group 'Everyone'
>
> # ldbedit -e cat -H /var/lib/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000009))'
> # editing 1 records
> # record 1
> dn: CN=S-1-1-0
> cn: S-1-1-0
> objectClass: sidMap
> objectSid: S-1-1-0
> type: ID_TYPE_BOTH
> xidNumber: 3000009
> distinguishedName: CN=S-1-1-0
>
> # 0 adds 0 modifies 0 deletes
>
> I suppose, the group mapping is screwed somehow.
> May be I've copied the wrong tdb from PDC?
>
>
Now as we have confirmed that your windows DC is running the same
command as mine and mine works, we need to look at what is different
between your DC and mine. This would seem to be that samba cannot write
to the /tmp directory, so I will ask again (but in a slightly different
way), what does 'ls -la / | grep tmp' show ??
Mine shows this:
root at dc01:~# ls -la / | grep tmp
drwxrwxrwt 8 root root 4096 Mar 30 22:09 tmp
Which shows that any user or group can read,write or enter the /tmp
directory.
Rowland
More information about the samba
mailing list