[Samba] Unable to browse system shares of a newly migrated AD DC

Rowland Penny rowlandpenny at googlemail.com
Mon Mar 30 15:16:37 MDT 2015 

On 30/03/15 21:50, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>>> Hi Louis, It works for me
>>>> This appears in log.smbd on my DC when I run the same command:
>>>> [2015/03/30 10:15:42.442881,  3]
>>>> ../source3/smbd/service.c:856(make_connection_snum)
>>>>      dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT
>>>> AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
>>>> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
>>>> So the questions are, what are the permissions on /tmp and is user
>>>> '3000009' on the DC 'Everyone'
>>> Permissions are fine, but migration did not create "Users" group in AD.
>>> How can I resolve it?
>> I would be very very surprised if it hasn't been created, 'wbinfo -g'
>> will not show it though, try this:
>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
>> '(&(objectclass=group)(cn=users))'
> # editing 1 records
> # record 1
> dn: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
> cn: Users
> description: Users are prevented from making accidental or intentional system-
>   wide changes and can run most applications
> member: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
> member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
> member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
> instanceType: 4
> whenCreated: 20150329223248.0Z
> uSNCreated: 3563
> name: Users
> objectGUID: 509b16e2-e317-4c9b-937c-e3480a498961
> objectSid: S-1-5-32-545
> sAMAccountName: Users
> sAMAccountType: 536870912
> systemFlags: -1946157056
> groupType: -2147483643
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ads,DC=ccenter,DC=lan
> isCriticalSystemObject: TRUE
> gidNumber: 30002
> whenChanged: 20150329223254.0Z
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> msSFU30NisDomain: ccenter
> uSNChanged: 3798
> distinguishedName: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
>
>> and the same command will show who '3000009' is:
>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>> '(&(objectClass=sidMap)(xidNumber=3000009))'
>> If you haven't get 'ldbedit', install ldb-tools
> That is one handy tool, I may say!
>
>> When you run the second command, what does the line that starts 'cn:' show ?
> Nothing useful, unfortunately.

Yes it does :-)

It shows that your '3000009' is like my '3000013' is the group 'Everyone'

>
> # ldbedit -e cat -H /var/lib/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000009))'
> # editing 1 records
> # record 1
> dn: CN=S-1-1-0
> cn: S-1-1-0
> objectClass: sidMap
> objectSid: S-1-1-0
> type: ID_TYPE_BOTH
> xidNumber: 3000009
> distinguishedName: CN=S-1-1-0
>
> # 0 adds  0 modifies  0 deletes
>
> I suppose, the group mapping is screwed somehow.
> May be I've copied the wrong tdb from PDC?
>
>

Now as we have confirmed that your windows DC is running the same 
command as mine and mine works, we need to look at what is different 
between your DC and mine. This would seem to be that samba cannot write 
to the /tmp directory, so I will ask again (but in a slightly different 
way), what does 'ls -la / | grep tmp' show ??

Mine shows this:

root at dc01:~# ls -la / | grep tmp
drwxrwxrwt    8 root         root                 4096 Mar 30 22:09 tmp

Which shows that any user or group can read,write or enter the /tmp 
directory.

Rowland

More information about the samba mailing list