[Samba] Unable to browse system shares of a newly migrated AD DC

Andrey Repin anrdaemon at yandex.ru
Tue Mar 31 16:33:41 MDT 2015


Greetings, All!

Anyone? Please?

>>>>>> Hi Louis, it works for me
>>>>>> This appears in log.smbd on my DC when I run the same command:
>>>>>> [2015/03/30 10:15:42.442881,  3]
>>>>>> ../source3/smbd/service.c:856(make_connection_snum)
>>>>>>      dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT
>>>>>> AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
>>>>>> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
>>>>>> So the questions are, what are the permissions on /tmp and is user
>>>>>> '3000009' on the DC 'Everyone'
>>>>> Permissions are fine, but migration did not create "Users" group in AD.
>>>>> How can I resolve it?
>>>> I would be very very surprised if it hasn't been created, 'wbinfo -g'
>>>> will not show it though, try this:
>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
>>>> '(&(objectclass=group)(cn=users))'
>>> # editing 1 records
>>> # record 1
>>> dn: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
>>> cn: Users
>>> description: Users are prevented from making accidental or intentional system-
>>>   wide changes and can run most applications
>>> member: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>>> member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
>>> member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
>>> instanceType: 4
>>> whenCreated: 20150329223248.0Z
>>> uSNCreated: 3563
>>> name: Users
>>> objectGUID: 509b16e2-e317-4c9b-937c-e3480a498961
>>> objectSid: S-1-5-32-545
>>> sAMAccountName: Users
>>> sAMAccountType: 536870912
>>> systemFlags: -1946157056
>>> groupType: -2147483643
>>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ads,DC=ccenter,DC=lan
>>> isCriticalSystemObject: TRUE
>>> gidNumber: 30002
>>> whenChanged: 20150329223254.0Z
>>> objectClass: top
>>> objectClass: posixGroup
>>> objectClass: group
>>> msSFU30NisDomain: ccenter
>>> uSNChanged: 3798
>>> distinguishedName: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
>>>
>>>> and the same command will show who '3000009' is:
>>>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>>>> '(&(objectClass=sidMap)(xidNumber=3000009))'
>>>> If you haven't got 'ldbedit', install ldb-tools
>>> That is one handy tool, I may say!
>>>
>>>> When you run the second command, what does the line that starts 'cn:' show ?
>>> Nothing useful, unfortunately.

>> Yes it does :-)

>> It shows that your '3000009', like my '3000013', is the group 'Everyone'

>>>
>>> # ldbedit -e cat -H /var/lib/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000009))'
>>> # editing 1 records
>>> # record 1
>>> dn: CN=S-1-1-0
>>> cn: S-1-1-0
>>> objectClass: sidMap
>>> objectSid: S-1-1-0
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000009
>>> distinguishedName: CN=S-1-1-0
>>>
>>> # 0 adds  0 modifies  0 deletes
>>>
>>> I suppose, the group mapping is screwed somehow.
>>> May be I've copied the wrong tdb from PDC?
>>>
>>>

>> Now as we have confirmed that your Windows DC is running the same
>> command as mine and mine works, we need to look at what is different
>> between your DC and mine. This would seem to be that samba cannot write
>> to the /tmp directory, so I will ask again (but in a slightly different
>> way), what does 'ls -la / | grep tmp' show ??

>> Mine shows this:

>> root at dc01:~# ls -la / | grep tmp
>> drwxrwxrwt    8 root         root                 4096 Mar 30 22:09 tmp

>> Which shows that any user or group can read, write or enter the /tmp
>> directory.

> Mine shows the same.
> I intended to include it, but it got lost in the resend somehow.

> # ls -ld /tmp
> drwxrwxrwt 2 root root 4096 Mar 30 23:47 /tmp

> # ls -lnd /tmp
> drwxrwxrwt 2 0 0 4096 Mar 30 23:47 /tmp

> That's why I'm puzzled to no end.
> Any logs I can enable to get better info?


> -- 
> With best regards,
> Andrey Repin
> Tuesday, March 31, 2015 00:51:30

> Sorry for my terrible English...



-- 
With best regards,
Andrey Repin
Wednesday, April 1, 2015 01:33:13

Sorry for my terrible English...
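As an added example (not code from the thread or from Samba), the check the thread performs by hand, done in Python: parse the make_connection_snum line from log.smbd and the sidMap records that ldbedit prints from idmap.ldb, then resolve the connection's uid and gid to SIDs and well-known names. It assumes the constructed sample inputs below and the standard LDIF folding rule (a newline followed by one space continues the previous value, as with the folded description line above).

```python
import re

WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-4": "Interactive",
              "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Users"}

# Constructed sample shaped like the make_connection_snum line in log.smbd.
SMBD_LOG = ("  dc01 (ipv6:::1:43602) connect to service IPC$ initially as user "
            "NT AUTHORITY\\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)\n")

# Constructed sample shaped like 'ldbedit -e cat -H idmap.ldb' output; record 2 has a folded value.
IDMAP_LDIF = """# editing 2 records
dn: CN=S-1-1-0
objectClass: sidMap
objectSid: S-1-1-0
xidNumber: 3000013

dn: CN=S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-
 32-545
xidNumber: 30002
"""

def parse_ldif(text):
    """One {attr: [values]} dict per blank-line-separated record; '#' lines are skipped."""
    records = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):  # unfold, then split
        rec = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                attr, value = line.split(": ", 1)
                rec.setdefault(attr, []).append(value)
        if rec:
            records.append(rec)
    return records

def load_idmap(ldif_text):
    """xidNumber -> objectSid for every sidMap record in idmap.ldb."""
    return {int(r["xidNumber"][0]): r["objectSid"][0]
            for r in parse_ldif(ldif_text) if "sidMap" in r.get("objectClass", [])}

CONNECT_RE = re.compile(r"connect to service (\S+) initially as user (.+?) \(uid=(\d+), gid=(\d+)\)")

def resolve_xid(idmap, xid):
    """(sid, name) for a Unix id, or (None, None) when idmap.ldb has no entry for it."""
    sid = idmap.get(xid)
    return sid, (WELL_KNOWN.get(sid, "unknown SID") if sid else None)

def audit(log_text, ldif_text):
    """Per connect line: (service, user, uid resolution, gid resolution)."""
    idmap = load_idmap(ldif_text)
    return [(m[1], m[2], resolve_xid(idmap, int(m[3])), resolve_xid(idmap, int(m[4])))
            for m in CONNECT_RE.finditer(log_text)]
```

On a real DC the same functions take the LDIF that ldbedit (or ldbsearch against idmap.ldb) prints and the connect lines from log.smbd at log level 3; a gid that resolves to nothing, or to an unexpected SID, is the mismatch the thread is hunting for.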


