[Samba] Security Principals, and SID's mapping bug

L.P.H. van Belle belle at bazuin.nl
Wed Jan 25 07:46:00 UTC 2017


Arg, you're totally right Rowland,

How stupid that I missed that id mapping; removed it from my DC2, forgot DC1.. Too many phone calls in between...
So I removed it now.

But nope, samba still gives me NTDOM\SYSTEM back.
I'll go test some more..

Gr. 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via
> samba
> Sent: Tuesday 24 January 2017 20:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] Security Principals, and SID's mapping bug
> 
> On Tue, 24 Jan 2017 15:02:14 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> 
> > Hi,
> >
> > Does anyone know more about whether this is addressed, or point me to the bug
> > report? There should be one, but I can't find it.
> >
> > I'm finding the following again, tested with samba 4.4.5, now samba
> > 4.5.3. These reports go back to the year 2013.
> > I searched in my samba mail folder for S-1-5-18
> >
> > The problem.
> >
> > I create a "computer" Scheduled task.
> > Now this task MUST run as: SYSTEM 	(S-1-5-18)
> > After typing "SYSTEM" at "Change user/group" (at security options)
> > in the task, it changes to: NTDOM\SYSTEM
> >
> > With user: NTDOM\SYSTEM
> > Resulting in:
> > http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
> > This exact event. And the ScheduledTask is not applied to the
> > computer, not even created on the computer.
> >
> > Now when I change it to: NT Authority\SYSTEM
> > It creates the needed task, but it does not run; the error:
> > http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
> > again.
> >
> > Now when I change it to: SYSTEM
> > It does not create the needed task, and it does not run; the error:
> > http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
> > again.
> >
> > I also tested this on several computers outside the domain.
> > That works fine with user "NT Authority\SYSTEM".
> > Reproducible steps:
> > Create a scheduled task in GPO. User or computer, that does not matter.
> > At security context, (try to) set user SYSTEM.
> >
> > Do read:
> > https://technet.microsoft.com/en-us/library/dd851678(v=ws.11).aspx
> > And see here, Security options :
> > Computer Configuration , by default the task is run in the security
> > context of the SYSTEM account.
> >
> > And in the case of a samba AD DC, this will never work since SYSTEM isn't
> > correctly mapped.
> >
> >
> > On both DCs:
> > wbinfo -G 3000002
> >
> > wbinfo -s S-1-5-18
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-18
> 
> Well yes, but:
> 
> root at member1:~# wbinfo -S S-1-5-18
> 3000015
> root at member1:~# wbinfo -U 3000015
> S-1-5-18
> 
> So winbind knows who SYSTEM is
> 
> >
> > I'm open to any suggestion EXCEPT changing the user in the scheduled
> > task.
> >
> > This is my complete smb.conf of my samba 4.5.3 (on Debian Jessie).
> > Maybe I missed something here.
> >
> >
> > [global]
> >         workgroup = NTDOM
> >         realm = INTERNAL.DOMAIN.TLD
> >         netbios name = DC1
> >
> >         server role = active directory domain controller
> >         server services = -dns
> >
> >         interfaces = 192.168.0.1 127.0.0.1
> >         bind interfaces only = yes
> >         time server = yes
> >
> >         idmap_ldb:use rfc2307 = yes
> >
> >         ## map ids outside the domain to tdb files.
> >         idmap config * : backend = tdb
> >         idmap config * : range = 2000-9999
> 
> How many times have I got to tell people that 'idmap config' lines have
> no place in a DC smb.conf ?
> 
> see:
> 
> https://bugzilla.samba.org/show_bug.cgi?id=12155
> 
> and:
> 
> https://bugzilla.samba.org/show_bug.cgi?id=12410
> 
> The lines DO NOTHING on a DC, so why add them ????
> 
> Rowland
> 

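An added check, not part of this thread or of Samba, that shows why the NTDOM\SYSTEM answer above is structurally wrong: S-1-5-18 sits directly under the NT AUTHORITY identifier authority (S-1-5) and has no S-1-5-21 domain component, so a correct lookup can only prefix it with "NT AUTHORITY", never with the domain's NetBIOS name. The well-known SID table and the sample answers are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Subset of well-known SIDs directly under NT AUTHORITY (S-1-5).
# They have no domain component, so a lookup must never prefix them
# with a domain name. Constructed subset for this example.
WELL_KNOWN_NT_AUTHORITY = {18: "SYSTEM", 19: "LOCAL SERVICE", 20: "NETWORK SERVICE"}

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str) -> Tuple[int, list]:
    """Split 'S-1-<authority>-<sub>...' into (authority, [sub-authorities])."""
    m = SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a SID string: {sid!r}")
    return int(m.group(1)), [int(s) for s in m.group(2).split("-")[1:]]


def is_domain_sid(sid: str) -> bool:
    """True for S-1-5-21-<d1>-<d2>-<d3>[-<rid>], the only SIDs that may resolve to DOMAIN\\name."""
    authority, subs = parse_sid(sid)
    return authority == 5 and len(subs) >= 4 and subs[0] == 21


def expected_prefix(sid: str, domain_netbios: str) -> Optional[str]:
    """Prefix a correct lookup must return, or None when this example has no expectation."""
    authority, subs = parse_sid(sid)
    if is_domain_sid(sid):
        return domain_netbios
    if authority == 5 and len(subs) == 1 and subs[0] in WELL_KNOWN_NT_AUTHORITY:
        return "NT AUTHORITY"
    return None


def check_lookup(sid: str, answer: str, domain_netbios: str) -> Tuple[bool, str]:
    """Compare a 'DOMAIN\\name' answer (e.g. from wbinfo -s) with what the SID's structure requires."""
    want = expected_prefix(sid, domain_netbios)
    if want is None:
        return True, f"{sid}: no expectation for this SID, not checked"
    prefix, _, name = answer.partition("\\")
    if prefix.upper() == want.upper():
        return True, f"{sid}: {answer} has the expected prefix {want}"
    return False, f"{sid}: got prefix {prefix!r}, expected {want!r} (name part {name!r})"


if __name__ == "__main__":
    # Constructed answers mirroring the thread: the DC returned NTDOM\SYSTEM.
    for sid, answer in [("S-1-5-18", "NTDOM\\SYSTEM"), ("S-1-5-18", "NT AUTHORITY\\SYSTEM"),
                        ("S-1-5-21-1-2-3-500", "NTDOM\\Administrator")]:
        print(check_lookup(sid, answer, "NTDOM"))
```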