[Samba] winbind finds all domain users except Administrator

Fabian Fritz fabianfuture at web.de
Tue Nov 14 21:27:18 UTC 2017


Okay, right.

Is there anything that the Samba administrator account can do that the
users in the group domain admins can't (other than direct configurations on
the samba server)?

Also on a kind of unrelated note: I have several Unix servers that used NIS
up until now to get the users. I would prefer if they could get the
username like right now, without the MYDOM\ prefix. Is it possible to
configure winbind to leave out the domain or strip it? Or could I have them
use LDAP to get the username from my DC without the domain? user map isn't
an option, as then they'd have to have the accounts locally as well and I'd
have to keep track of updates.

Thank you,
Fabian

2017-11-14 22:00 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 14 Nov 2017 21:36:49 +0100
> Fabian Fritz <fabianfuture at web.de> wrote:
>
> > I tried mapping to root but I still get an ACCESS_DENIED when I try to
> > mount a share from the domain member.
> >
> > I'd be very surprised if the samba admin account is the one and only
> > account that is intentionally denied from accessing shares on a
> > member.
> >
> > I'm pretty sure this is a bug. I tried this again with two clean
> > installs (4.7.1) on Linux, one in a VM. Compare this on the DC:
> >
> > # ./bin/wbinfo -n'MYDOM\administrator'
> > S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
> > # ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
> > 0
> >
> > to this on the Domain member:
> >
> > # ./bin/wbinfo -n'MYDOM\Administrator'
> > S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
> >
> > # ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
> >
> > failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not convert sid S-1-5-21-2836217491-369655975-2769631473-500 to
> > uid
> >
> > With other accounts I don't see that error.
> >
> > In the log.winbindd (log level = 10) on the member I see this:
> >
> > [2017/11/14 20:14:36.631151,  1, pid=2654, effective(0, 0), real(0,
> > 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
> >        wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
> >           out: struct wbint_Sids2UnixIDs
> >               ids                      : *
> >                   ids: struct wbint_TransIDArray
> >                       num_ids                  : 0x00000001 (1)
> >                       ids: ARRAY(1)
> >                           ids: struct wbint_TransID
> >                               type                     : ID_TYPE_UID
> > (1) domain_index             : 0x00000000 (0)
> >                               rid                      : 0x000001f4
> > (500) xid: struct unixid
> >                                   id                       :
> > 0xffffffff (4294967295)
> >                                   type                     :
> > ID_TYPE_NOT_SPECIFIED (0)
> >
> >
> > So it seems like I get back -1 (0xffffffff) as the uid. Should I file
> > a bug ticket?
>
> NO
>
> You do not use Administrator as a normal user on Unix, you wouldn't use
> Administrator like this on Windows.
>
> Using wbinfo just shows that winbind can connect to AD, it doesn't show
> that the Unix OS knows who the AD users are, you need to use 'getent'
> for this.
>
> You are using the winbind 'ad' backend with the range '100-60000'
> Does 'Domain Users' have a gidNumber attribute containing a number
> inside this range ?
> Even if it does, you will not get the Unix OS to recognise
> Administrator, because Administrator is mapped to 'root' and the Unix
> ID for 'root' is '0' and '0' is outside the '100-60000' range.
> I know what your next thought will be, give Administrator a uidNumber
> inside the range, well, yes you could, but this would turn
> Administrator into a normal user as far as the Unix OS is concerned
> and isn't recommended.
>
> Just use another user to mount the share ;-)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
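Added example (not code from either poster): the range check Rowland describes, written out for the 'ad' idmap backend. It parses the `idmap config MYDOM : range` line from a constructed smb.conf fragment (the `[global]` lines are assumed, only the backend and the 100-60000 range are stated in the thread), pulls the RID out of a SID, and reports the Unix ID winbind could hand back for a given uidNumber/gidNumber, or -1 (the 0xffffffff seen in the log above) when the attribute is missing or falls outside the range. Feeding it 0, the uid of root that Administrator is mapped to, shows why the member refuses the mapping.

```shell
# Constructed smb.conf fragment for a domain member using the 'ad' idmap
# backend with the range from the thread (the other lines are assumed).
SMB_CONF_FRAGMENT='[global]
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MYDOM : backend = ad
   idmap config MYDOM : schema_mode = rfc2307
   idmap config MYDOM : range = 100-60000'

# Print "low high" for the idmap range of a named domain (not the '*' default).
idmap_range() {
    printf '%s\n' "$SMB_CONF_FRAGMENT" \
      | sed -n "s/^[[:space:]]*idmap config $1 *: *range *= *\([0-9]*\)-\([0-9]*\).*/\1 \2/p"
}

# Last component of a SID is the RID; 500 is the built-in Administrator.
sid_rid() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# Mimic what the 'ad' backend can return for a domain and the uidNumber or
# gidNumber read from AD ("" when the attribute is unset): the ID itself if
# it lies inside the configured range, otherwise -1 (0xffffffff, no mapping).
ad_backend_xid() {
    domain=$1; xid=$2
    set -- $(idmap_range "$domain")
    low=$1; high=$2
    if [ -z "$low" ] || [ -z "$xid" ]; then
        printf '%s\n' -1; return 1        # no range for this domain, or no attribute
    fi
    if [ "$xid" -ge "$low" ] && [ "$xid" -le "$high" ]; then
        printf '%s\n' "$xid"; return 0
    fi
    printf '%s\n' -1; return 1            # attribute present but outside the range
}

# Stand-alone run: Administrator (RID 500) mapped to root's uid 0 gets -1,
# a user with uidNumber 10000 gets 10000.
rid=$(sid_rid "S-1-5-21-2836217491-369655975-2769631473-500")
printf 'RID %s -> uid %s\n' "$rid" "$(ad_backend_xid MYDOM 0)"
printf 'uidNumber 10000 -> uid %s\n' "$(ad_backend_xid MYDOM 10000)"
```

The same check on a real member is just `testparm -s | grep 'idmap config'` for the range and `getent passwd 'MYDOM\user'` for the result; the script only makes explicit why 0 can never come back from a 100-60000 range.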

