[Samba] winbind finds all domain users except Administrator
Fabian Fritz
fabianfuture at web.de
Tue Nov 14 20:36:49 UTC 2017
I tried mapping to root but I still get an ACCESS_DENIED when I try to
mount a share from the domain member.
I'd be very surprised if the samba admin account is the one and only
account that is intentionally denied from accessing shares on a member.
I'm pretty sure this is a bug. I tried this again with two clean installs
(4.7.1) on Linux, one in a VM. Compare this on the DC:
# ./bin/wbinfo -n'MYDOM\administrator'
S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
# ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
0
to this on the Domain member:
# ./bin/wbinfo -n'MYDOM\Administrator'
S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
# ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2836217491-369655975-2769631473-500 to uid
With other accounts I don't see that error.
In the log.winbindd (log level = 10) on the member I see this:
[2017/11/14 20:14:36.631151,  1, pid=2654, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
          out: struct wbint_Sids2UnixIDs
              ids                      : *
                  ids: struct wbint_TransIDArray
                      num_ids                  : 0x00000001 (1)
                      ids: ARRAY(1)
                          ids: struct wbint_TransID
                              type                     : ID_TYPE_UID (1)
                              domain_index             : 0x00000000 (0)
                              rid                      : 0x000001f4 (500)
                              xid: struct unixid
                                  id                       : 0xffffffff (4294967295)
                                  type                     : ID_TYPE_NOT_SPECIFIED (0)
So it seems like I get back -1 (0xffffffff) as the uid. Should I file a bug
ticket?
Thanks,
Fabian
2017-11-14 10:35 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Mon, 13 Nov 2017 23:15:15 +0100
> Fabian Fritz <fabianfuture at web.de> wrote:
>
> > I see. I know, the range is a bit odd, but I previously used NIS to
> > get the Unix users from another machine. Now I'm updating to AD and
> > don't use NIS anymore. Since I want to keep all the file ownerships (I
> > use this Solaris member as a file server), I had to map the domain
> > users to that same range.
>
> OK, hindsight is a wonderful thing, but starting the ID range at 100
> isn't a good idea (for the reason I gave), but sometimes you have to.
>
> >
> >
> > I used the Administrator to login to some Windows machine in the
> > domain and was surprised when I got an ACCESS_DENIED when I tried to
> > mount a network share there. So this only happens for Administrator?
> > So I have to use one of the users in the domain admins group when I
> > need to do administrative stuff on my Windows machines and also need
> > the shares?
>
> If you use a user.map, Administrator becomes 'root' on Unix domain
> members and root can do anything on a Unix domain member.
>
> Try reading this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> If you have any questions after reading that, just ask ;-)
>
> Rowland
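Added example, not code from the post or from the Samba project: a small Python parser for an ndr_print dump of a wbint_Sids2UnixIDs reply, as found in log.winbindd at log level 10, that reports the RIDs whose Unix ID came back as the 0xffffffff sentinel (the -1 seen above for RID 500). The log text is a constructed sample in the same shape as the one in the post, with a second, successfully mapped RID added for contrast.

```python
import re

# Constructed sample shaped like the ndr_print dump in the post (indentation restored).
SAMPLE_LOG = """\
   wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
         ids: struct wbint_TransIDArray
               ids: struct wbint_TransID
                  type                     : ID_TYPE_UID (1)
                  domain_index             : 0x00000000 (0)
                  rid                      : 0x000001f4 (500)
                  xid: struct unixid
                     id                       : 0xffffffff (4294967295)
                     type                     : ID_TYPE_NOT_SPECIFIED (0)
               ids: struct wbint_TransID
                  type                     : ID_TYPE_UID (1)
                  domain_index             : 0x00000000 (0)
                  rid                      : 0x0000044f (1103)
                  xid: struct unixid
                     id                       : 0x000003e9 (1001)
                     type                     : ID_TYPE_UID (1)
"""

UNMAPPED = 0xFFFFFFFF  # winbind's "no Unix ID" sentinel, the -1 seen in the post
FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(\S+)")


def parse_trans_ids(log_text: str) -> list[dict]:
    """One dict per wbint_TransID in the dump: rid, domain_index, xid_id, xid_type."""
    entries, current, in_xid = [], {}, False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped == "ids: struct wbint_TransID":  # exact match, so TransIDArray is skipped
            current, in_xid = {}, False
            entries.append(current)
        elif stripped == "xid: struct unixid":
            in_xid = True
        elif entries and (m := FIELD_RE.match(line)):
            key, val = m.groups()
            if key in ("rid", "domain_index") and not in_xid:
                current[key] = int(val, 16)
            elif key == "id" and in_xid:
                current["xid_id"] = int(val, 16)
            elif key == "type" and in_xid:
                current["xid_type"] = val
    return entries


def unmapped_rids(log_text: str) -> list[int]:
    """RIDs whose SID-to-Unix-ID lookup came back as 0xffffffff (not mapped)."""
    return [e["rid"] for e in parse_trans_ids(log_text) if e.get("xid_id") == UNMAPPED]
```

Run it against a real log.winbindd captured at log level 10 to list every RID the idmap backend refused to map, rather than reading the dump by eye.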