[Samba] Unable to browse system shares of a newly migrated AD DC

Andrey Repin anrdaemon at yandex.ru
Mon Mar 30 17:27:18 MDT 2015


Greetings, Rowland Penny!

>>>>> Hi Louis, It works for me
>>>>> This appears in log.smbd on my DC when I run the same command:
>>>>> [2015/03/30 10:15:42.442881,  3]
>>>>> ../source3/smbd/service.c:856(make_connection_snum)
>>>>>      dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT
>>>>> AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
>>>>> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
>>>>> So the questions are, what are the permissions on /tmp and is user
>>>>> '3000009' on the DC 'Everyone'
>>>> Permissions are fine, but migration did not create "Users" group in AD.
>>>> How can I resolve it?
>>> I would be very very surprised if it hasn't been created, 'wbinfo -g'
>>> will not show it though, try this:
>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
>>> '(&(objectclass=group)(cn=users))'
>> # editing 1 records
>> # record 1
>> dn: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
>> cn: Users
>> description: Users are prevented from making accidental or intentional system-
>>   wide changes and can run most applications
>> member: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>> member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
>> member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
>> instanceType: 4
>> whenCreated: 20150329223248.0Z
>> uSNCreated: 3563
>> name: Users
>> objectGUID: 509b16e2-e317-4c9b-937c-e3480a498961
>> objectSid: S-1-5-32-545
>> sAMAccountName: Users
>> sAMAccountType: 536870912
>> systemFlags: -1946157056
>> groupType: -2147483643
>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ads,DC=ccenter,DC=lan
>> isCriticalSystemObject: TRUE
>> gidNumber: 30002
>> whenChanged: 20150329223254.0Z
>> objectClass: top
>> objectClass: posixGroup
>> objectClass: group
>> msSFU30NisDomain: ccenter
>> uSNChanged: 3798
>> distinguishedName: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
>>
>>> and the same command will show who '3000009' is:
>>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>>> '(&(objectClass=sidMap)(xidNumber=3000009))'
>>> If you haven't got 'ldbedit', install ldb-tools
>> That is one handy tool, I may say!
>>
>>> When you run the second command, what does the line that starts 'cn:' show ?
>> Nothing useful, unfortunately.

> Yes it does :-)

> It shows that your '3000009', like my '3000013', is the group 'Everyone'

>>
>> # ldbedit -e cat -H /var/lib/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000009))'
>> # editing 1 records
>> # record 1
>> dn: CN=S-1-1-0
>> cn: S-1-1-0
>> objectClass: sidMap
>> objectSid: S-1-1-0
>> type: ID_TYPE_BOTH
>> xidNumber: 3000009
>> distinguishedName: CN=S-1-1-0
>>
>> # 0 adds  0 modifies  0 deletes
>>
>> I suppose, the group mapping is screwed somehow.
>> Maybe I've copied the wrong tdb from PDC?
>>
>>

> Now as we have confirmed that your windows DC is running the same 
> command as mine and mine works, we need to look at what is different 
> between your DC and mine. This would seem to be that samba cannot write 
> to the /tmp directory, so I will ask again (but in a slightly different 
> way), what does 'ls -la / | grep tmp' show ??

> Mine shows this:

> root at dc01:~# ls -la / | grep tmp
> drwxrwxrwt    8 root         root                 4096 Mar 30 22:09 tmp

> Which shows that any user or group can read, write or enter the /tmp 
> directory.

Mine shows the same.
I intended to include it, but it got lost in the resend somehow.

# ls -ld /tmp
drwxrwxrwt 2 root root 4096 Mar 30 23:47 /tmp

# ls -lnd /tmp
drwxrwxrwt 2 0 0 4096 Mar 30 23:47 /tmp

That's why I'm puzzled to no end.
Any logs I can enable to get better info?


-- 
With best regards,
Andrey Repin
Tuesday, March 31, 2015 00:51:30

Sorry for my terrible English...
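One way to make the xid-to-SID lookup from this thread repeatable, as an added Python helper that is not code from the thread or from Samba: it parses the LDIF-style output of ldbedit/ldbsearch (including folded continuation lines), resolves the SID to a well-known name, and checks for the 1777 directory mode both /tmp listings show. The sample record is constructed from the idmap.ldb output quoted above.

```python
import stat

WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-32-545": "BUILTIN\\Users"}

# Constructed sample: the idmap.ldb record posted above, as 'ldbedit -e cat' prints it.
SAMPLE_IDMAP_OUTPUT = """\
# record 1
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid: S-1-1-0
type: ID_TYPE_BOTH
xidNumber: 3000009

# 0 adds  0 modifies  0 deletes
"""

def parse_ldb_records(text):
    """LDIF-style ldb output -> list of {attr: [values]}. '#' lines are comments,
    a leading space folds onto the previous value, a blank line ends a record."""
    records, current, last_attr = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith(" ") and last_attr:
            current[last_attr][-1] += line[1:]  # drop exactly one folding space
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        records.append(current)
    return records

def resolve_xid(idmap_output, xid):
    """(sid, name, id_type) for the sidMap record with this xidNumber, else None."""
    for rec in parse_ldb_records(idmap_output):
        if rec.get("xidNumber") == [str(xid)]:
            sid = rec["objectSid"][0]
            return sid, WELL_KNOWN_SIDS.get(sid, "unknown SID"), rec.get("type", [""])[0]
    return None

def is_world_writable_sticky(st_mode):
    """True for the 1777 (drwxrwxrwt) mode both /tmp listings in the thread show."""
    return stat.S_IMODE(st_mode) == 0o1777
```

Feed it the real output of the ldbedit command from the thread (with `-e cat`) and the os.stat() st_mode of /tmp to repeat the two checks Rowland asked for.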