[Samba] Security Principals, and SID's mapping bug

Rowland Penny rpenny at samba.org
Tue Jan 24 19:17:48 UTC 2017


On Tue, 24 Jan 2017 15:02:14 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai, 
> 
> Does anyone know more if this is addressed, or point me to the bug
> report? There should be one, but I can't find it.
> 
> I'm finding the following again, tested with samba 4.4.5, now samba
> 4.5.3. These reports go back to the year 2013.
> I searched in my mail samba folder for S-1-5-18 
> 
> The problem.
> 
> I create a "computer" Scheduled task. 
> Now this task MUST run as: SYSTEM (S-1-5-18)
> After typing "SYSTEM" in "Change user/group" (at security options)
> in the task, it changes to: NTDOM\SYSTEM
> 
> With user : NTDOM\SYSTEM
> Resulting in :
> http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
> This exact event. And the scheduled task is not applied to the
> computer, not even created on the computer.
> 
> Now when I change it to: NT Authority\SYSTEM
> It creates the needed task, but it does not run; the error:
> http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
> again.
> 
> Now when I change it to: SYSTEM
> It does not create the needed task, and it does not run; the error:
> http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
> again.
> 
> I also tested this on several computers outside the domain.
> That works fine with user "NT Authority\SYSTEM".
> Reproducible steps:
> create a scheduled task in GPO. User or computer, that does not matter.
> At security context, (try to) set user SYSTEM
> 
> Do read: 
> https://technet.microsoft.com/en-us/library/dd851678(v=ws.11).aspx
> And see here, Security options : 
> Computer Configuration , by default the task is run in the security
> context of the SYSTEM account.
> 
> And in case of a Samba AD DC, this will never work since SYSTEM isn't
> correctly mapped.
> 
> 
> On both DCs:
> wbinfo -G 3000002
> 
> wbinfo -s S-1-5-18
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-18

Well yes, but:

root at member1:~# wbinfo -S S-1-5-18
3000015
root at member1:~# wbinfo -U 3000015
S-1-5-18

So winbind knows who SYSTEM is

> 
> I'm open for any suggestion EXCEPT changing the user in the scheduled
> task.
> 
> This is my complete smb.conf of my samba 4.5.3 (on Debian Jessie).
> Maybe I missed something here.
> 
> 
> [global]
>         workgroup = NTDOM
>         realm = INTERNAL.DOMAIN.TLD
>         netbios name = DC1
> 
>         server role = active directory domain controller
>         server services = -dns
> 
>         interfaces = 192.168.0.1 127.0.0.1
>         bind interfaces only = yes
>         time server = yes
> 
>         idmap_ldb:use rfc2307 = yes
> 
>         ## map ids outside the domain to tdb files.
>         idmap config * : backend = tdb
>         idmap config * : range = 2000-9999

How many times have I got to tell people that 'idmap config' lines have
no place in a DC smb.conf ?

see:

https://bugzilla.samba.org/show_bug.cgi?id=12155

and:

https://bugzilla.samba.org/show_bug.cgi?id=12410

The lines DO NOTHING on a DC, so why add them ????

Rowland
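The exchange above turns on a distinction that is easy to miss: S-1-5-18 is a well-known SID under the NT AUTHORITY identifier authority (S-1-5) with no domain component at all, so a lookup that first tries to find the SID's domain reports "domain not found", while winbind can still hand out a uid for it (the `wbinfo -S` / `wbinfo -U` round trip in the reply). The script below is an added example, not code from the thread or from Samba. It decodes SIDs from their textual and binary (MS-DTYP) forms and resolves them the way a correct display name should come out: well-known SIDs as `NT AUTHORITY\SYSTEM`, domain accounts as `<domain>\<rid>` only when the domain SID is known. The domain SID `S-1-5-21-1111-2222-3333` is constructed; `NTDOM` is the workgroup name from the posted smb.conf.

```python
"""Decode Windows security identifiers (SIDs) and resolve their display form.

Added example; not part of the Samba thread or of Samba itself.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Well-known SIDs under the World (S-1-1) and NT (S-1-5) identifier
# authorities, as listed in MS-DTYP. None of them carries a domain component.
WELL_KNOWN_SIDS: Dict[str, Tuple[str, str]] = {
    "S-1-1-0": ("", "Everyone"),
    "S-1-5-11": ("NT AUTHORITY", "Authenticated Users"),
    "S-1-5-18": ("NT AUTHORITY", "SYSTEM"),
    "S-1-5-19": ("NT AUTHORITY", "LOCAL SERVICE"),
    "S-1-5-20": ("NT AUTHORITY", "NETWORK SERVICE"),
}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        """Parse the textual form S-<rev>-<authority>[-<sub>...]."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID string: {text!r}")
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        if revision != 1 or len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
            raise ValueError(f"malformed SID: {text!r}")
        return cls(revision, authority, subs)

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        """Decode the binary form used on the wire and in security descriptors."""
        revision, count = data[0], data[1]
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack(f"<{count}I", data[8:8 + 4 * count])
        return cls(revision, authority, tuple(subs))

    def to_bytes(self) -> bytes:
        # Binary layout (MS-DTYP): revision (1 byte), sub-authority count (1 byte),
        # identifier authority (6 bytes, big-endian), then each sub-authority as
        # a little-endian uint32.
        return (bytes([self.revision, len(self.sub_authorities)])
                + self.authority.to_bytes(6, "big")
                + b"".join(struct.pack("<I", s) for s in self.sub_authorities))

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority),
                         *(str(s) for s in self.sub_authorities)])

    def is_domain_account(self) -> bool:
        # A domain SID is S-1-5-21-<a>-<b>-<c>; an account in it adds one RID.
        return (self.authority == 5 and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21)

    def domain_sid(self) -> Optional["Sid"]:
        if not self.is_domain_account():
            return None
        return Sid(self.revision, self.authority, self.sub_authorities[:4])

    def rid(self) -> Optional[int]:
        return self.sub_authorities[-1] if self.is_domain_account() else None


def resolve(text: str, known_domains: Dict[str, str]) -> Optional[str]:
    """Return the DOMAIN\\name (or DOMAIN\\rid) that a SID should display as.

    Well-known SIDs resolve without consulting any domain. A domain account
    resolves only when its domain SID is in known_domains. Anything else
    yields None, which is the case a "domain not found" error reports.
    """
    sid = Sid.parse(text)
    key = str(sid)
    if key in WELL_KNOWN_SIDS:
        domain, name = WELL_KNOWN_SIDS[key]
        return f"{domain}\\{name}" if domain else name
    domain_sid = sid.domain_sid()
    if domain_sid is not None and str(domain_sid) in known_domains:
        return f"{known_domains[str(domain_sid)]}\\{sid.rid()}"
    return None


if __name__ == "__main__":
    # Constructed domain SID mapped to the NTDOM workgroup from the thread.
    domains = {"S-1-5-21-1111-2222-3333": "NTDOM"}
    for s in ("S-1-5-18", "S-1-5-21-1111-2222-3333-500", "S-1-5-21-9-9-9-500"):
        print(s, "->", resolve(s, domains))
```

Run it and S-1-5-18 comes back as `NT AUTHORITY\SYSTEM` with no domain prefix, the constructed domain account as `NTDOM\500`, and an account from an unknown domain as `None`; the binary encoder is there so the same object can be checked against a SID pulled out of a security descriptor or a winbind cache entry.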


