[Samba] workaround needed for Security Principals, and SID's mapping bug.

Achim Gottinger achim at ag-web.biz
Fri Dec 2 09:53:37 UTC 2016



On 02.12.2016 at 09:34, L.P.H. van Belle via samba wrote:
> Exactly, and at this point, I'm at also.
>
> Here, typing the username results in the Windows event and errors out.
> Did a lot of research and I'm 100% sure this is a missing mapping.
> Typing does not work, I don't know if this is a Windows thing or a Samba thing. But I found several reports where a Windows 7+ with Server 2008 also errors if you type the username.
>
> And thank you for having a look.
> You too, Rowland.
>
> Which version of Samba are you guys running atm?
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Achim Gottinger
>> via samba
>> Sent: Friday 2 December 2016 3:05
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] workaround needed for Security Principals, and
>> SID's mapping bug.
>>
>>
>>
>> On 02.12.2016 at 02:08, Achim Gottinger via samba wrote:
>>>
>>> On 02.12.2016 at 01:47, Achim Gottinger via samba wrote:
>>>>
>>>> On 01.12.2016 at 13:35, L.P.H. van Belle via samba wrote:
>>>>> Hai Rowland,
>>>>>
>>>>> This happens when I'm creating a "Scheduled task",
>>>>> this task needs NT AUTHORITY\System but you need to select the account,
>>>>> when you select the account a sid/rid mapping is done and this fails.
>>>>> Resulting in the Windows event id and error code.
>>>>> While searching for that I found that I can't type the username.
>>>>> You must select it.
>>>>>
>>>>> To
>>> Tried this and it behaves the same way here. The builtin\SYSTEM
>>> account shows up as DOMAINNAME\SYSTEM.
>>>
>>> But to run as the local SYSTEM account I think you must pick the
>>> Server as search base and then choose the system account. Here this
>>> leads to a fault and exit of the GPO management editor.
>>>
>> Here I can type in the username. If that does not work for you, you can
>> edit the SchedTask.xml (or similar) file in the GPO folder directly.
>>
>
I tested against a server running Debian wheezy with SerNet's Samba
package version 4.2.
Using Windows 7 as a client I can edit the username field.
Have you tried editing the runAs tag in the corresponding XML file
SchedTask.xml or similar in the sysvol policy folder?
On a side note, if I create a task directly (not via GPO) I can select
the local system account and the builtin\system account. Both show up as
nt-authority\system (localized).



