[Samba] Unable to browse system shares of a newly migrated AD DC
anrdaemon at yandex.ru
Tue Mar 31 16:33:41 MDT 2015
>>>>>> Hi Louis, It works for me
>>>>>> This appears in log.smbd on my DC when I run the same command:
>>>>>> [2015/03/30 10:15:42.442881, 3]
>>>>>> dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT
>>>>>> AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
>>>>>> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
>>>>>> So the questions are, what are the permissions on /tmp and is user
>>>>>> '3000009' on the DC 'Everyone'
>>>>> Permissions are fine, but migration did not create "Users" group in AD.
>>>>> How can I resolve it?
>>>> I would be very very surprised if it hasn't been created, 'wbinfo -g'
>>>> will not show it though, try this:
>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
>>> # editing 1 records
>>> # record 1
>>> dn: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
>>> cn: Users
>>> description: Users are prevented from making accidental or intentional system-
>>> wide changes and can run most applications
>>> member: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>>> member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
>>> member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
>>> instanceType: 4
>>> whenCreated: 20150329223248.0Z
>>> uSNCreated: 3563
>>> name: Users
>>> objectGUID: 509b16e2-e317-4c9b-937c-e3480a498961
>>> objectSid: S-1-5-32-545
>>> sAMAccountName: Users
>>> sAMAccountType: 536870912
>>> systemFlags: -1946157056
>>> groupType: -2147483643
>>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ads,DC=ccenter,DC=lan
>>> isCriticalSystemObject: TRUE
>>> gidNumber: 30002
>>> whenChanged: 20150329223254.0Z
>>> objectClass: top
>>> objectClass: posixGroup
>>> objectClass: group
>>> msSFU30NisDomain: ccenter
>>> uSNChanged: 3798
>>> distinguishedName: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
>>>> and the same command will show who '3000009' is:
>>>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>>>> If you haven't get 'ldbedit', install ldb-tools
>>> That is one handy tool, I may say!
>>>> When you run the second command, what does the line that starts 'cn:' show ?
>>> Nothing useful, unfortunately.
>> Yes it does :-)
>> It shows that your '3000009' is like my '3000013' is the group 'Everyone'
>>> # ldbedit -e cat -H /var/lib/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000009))'
>>> # editing 1 records
>>> # record 1
>>> dn: CN=S-1-1-0
>>> cn: S-1-1-0
>>> objectClass: sidMap
>>> objectSid: S-1-1-0
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000009
>>> distinguishedName: CN=S-1-1-0
>>> # 0 adds 0 modifies 0 deletes
>>> I suppose, the group mapping is screwed somehow.
>>> May be I've copied the wrong tdb from PDC?
>> Now as we have confirmed that your windows DC is running the same
>> command as mine and mine works, we need to look at what is different
>> between your DC and mine. This would seem to be that samba cannot write
>> to the /tmp directory, so I will ask again (but in a slightly different
>> way), what does 'ls -la / | grep tmp' show ??
>> Mine shows this:
>> root at dc01:~# ls -la / | grep tmp
>> drwxrwxrwt 8 root root 4096 Mar 30 22:09 tmp
>> Which shows that any user or group can read,write or enter the /tmp
> Mine shows the same.
> I was intended to include it, but lost in resend somehow.
> # ls -ld /tmp
> drwxrwxrwt 2 root root 4096 Mar 30 23:47 /tmp
> # ls -lnd /tmp
> drwxrwxrwt 2 0 0 4096 Mar 30 23:47 /tmp
> That's why I'm puzzled to no end.
> Any logs I can enable to get better info?
> With best regards,
> Andrey Repin
> Tuesday, March 31, 2015 00:51:30
> Sorry for my terrible english...
With best regards,
Wednesday, April 1, 2015 01:33:13
Sorry for my terrible english...
More information about the samba