[Samba] Admin UID changed with upgrade to 4.8.2

Mark Foley mfoley at ohprs.org
Wed Jun 13 20:49:56 UTC 2018


On Wed, 13 Jun 2018 08:50:00 +0200 "L.P.H. van Belle" wrote:
>
> Imo, this is a leftover of an old bug, just remove the file Registry.po imo, I'll bet it's never used. 
> The computer looks for Registry.pol, not Registry.po. 

Done. Registry.po removed.

But I have another problem with Registry.pol, which I've posted under the topic "Are some Group
Policies broken?", which you've also replied to. I'll look at that message shortly.

> > -rwxrwx--- 1 root    users  958 2014-09-13 04:01 Registry.po*
> > -rwxrwx--- 1 3000000 users  958 2014-09-13 04:01 Registry.pol*
> Look at the date 2014, and i do remember something about this. 
>
> But... What does getfacl say about these files/folders? Or get my script: 
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh 
> And see if there is something wrong here in your SID/UID mappings. 
> The script does not apply settings by default, it only checks and creates a file with the acl,
> so you can review it. 

Results of your script (excellent tool, btw):

$ ./samba-check-set-sysvol.sh
Review the file : default-rights-sysvol.acl, these contains the defaults for sysvol.
The sysvol ACLS info.....

Please check your share rights for sysvol from within windows.
If these are incorrect, correct them and run this script again.
Set your sysvol SHARE permissions as followed.
EVERYONE: READ
Authenticated Users: FULL CONTROL
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
User/Group system is added compaired to a win2008R2 sysvol, you need this for some GPO
settings.

Set your sysvol FOLDER permissions as followed.
Authenticated Users: Read & Exec, Show folder content, Read
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL

#####COMMENT#######################################
Louis - I made the following changes to sysvol from Windows logged in as the domain
administrator:

'EVERYONE' was set to 'special', but in 'Advanced' nothing appeared to be set. I set this to
FULL CONTROL.

'Authenticated Users' was not in the list at all. I added this and set to FULL CONTROL.

'HPRS\Administrators' was set to 'special', 'Advanced' showed FULL CONTROL. I set this to FULL
CONTROL on the main/first dialog.

I did not find HPRS\SYSTEM. When I search for that it came up with only SYSTEM. I did nothing.

Puzzlement: Your program output has "Set your sysvol SHARE permissions ..." and a second
section with, "Set your sysvol FOLDER permissions ...". When I right-click on SYSVOL >
Properties > Security, I only have one dialog for viewing and setting permissions. There is
nothing about SHARE permissions versus FOLDER permissions. Nor do I see any other tab related
to sharing. What do you mean by this?
#####END-OF-COMMENT##################################

$ cat default-rights-sysvol.acl
# file: /var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

>
> And post you smb.conf that helps, really. 

I will post this below, after Rowland's comment.

> You updated from 4.4 to 4.8, that's a big step. 
> I have summarised the smb.conf changes, I suggest you review it carefully again. 
> http://downloads.van-belle.nl/samba4/Upgrade-info.txt
> Or 
> https://wiki.samba.org/index.php/Samba_Features_added/changed_(by_release)
> The complete list. 

I will check out both of these documents.

Meanwhile, I will restart samba and see if any of the changes I made to sysvol permissions have
any effect on my issues.

> Louis

> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> > Rowland Penny via samba
> > Sent: Wednesday 13 June 2018 8:33
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Admin UID changed with upgrade to 4.8.2
> > 
> > On Tue, 12 Jun 2018 16:53:30 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> > 
> > > In order to get help using a more up-to-date version of Samba, I've
> > > just upgraded from 4.4.16 to 4.8.2. So far, nothing new seems to be
> > > broken, but I still have to track down some issues I've been having.
> > > 
> > > First off, I notice that something has changed with my
> > > BUILTIN\administrators ID. before, I had, e.g.:
> > > 
> > > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > total 16
> > > drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22 Microsoft/
> > > -rwxrwx--- 1 root                   users  958 2014-09-13 04:01 Registry.po*
> > > -rwxrwx--- 1 BUILTIN\administrators users  958 2014-09-13 04:01 Registry.pol*
> > > drwxrwx--- 4 BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/
> > > 
> > > Now, with 4.8.2, doing the same ls gives me:
> > > 
> > > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > total 16
> > > drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
> > > -rwxrwx--- 1 root    users  958 2014-09-13 04:01 Registry.po*
> > > -rwxrwx--- 1 3000000 users  958 2014-09-13 04:01 Registry.pol*
> > > drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/
> > > 
> > > Is this a problem? Why would that user now be missing? What should I
> > > do about this?
> > > 
> > > THX --Mark
> > > 
> > 
> > 3000000 is very probably Administrators, has libnss_winbind etc been
> > updated ?
> > 
> > Rowland

I have no libnss_winbind file on my system. Should I?

You had once written (20 Aug 2015 15:56:15, Subject: Re: [Samba] Samba4 DC/AD documents created
in redirected folders with bogus UID), "'3000000' is the UID/GID (yes it is both) for
'S-1-5-32-544' which is the Administrators group."

So, it stands to reason that this 3000000 now showing as the UID of these files is the
administrator. But why did it go from ls'ing "BUILTIN\administrators" under 4.4.16 to now
showing the actual GID with 4.8.2? Seems like something is not doing what it should.


--Mark

My smb.conf:

# Global parameters
[global]
        workgroup = HPRS
        realm = hprs.local
        netbios name = MAIL
        interfaces = lo, eth1
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

        winbind use default domain = yes
        template shell = /bin/bash

        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

        log level = 2 passdb:5 auth:10 winbind:2 lanman:10
        max log size = 10000

[netlogon]
        path = /var/lib/samba/sysvol/hprs.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[Users]
        path = /redirectedFolders/Users
        comment = user folders for redirection
        read only = No

[share]
        path = /var/lib/samba/share
        comment = Shared folder
        read only = No
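An added check, not from the thread or from Louis's script: it parses getfacl output like the default-rights-sysvol.acl dump above and reports which bare numeric IDs fail to resolve through NSS, which is the same lookup path `ls -l` takes when it decides whether to print BUILTIN\administrators or 3000000. SAMPLE_ACL is a constructed abbreviation of the posted dump; on a real DC pipe `getfacl /var/lib/samba/sysvol` into it.

```python
"""Report numeric IDs in a sysvol getfacl dump that NSS cannot turn into names."""
import grp
import pwd
import re
import sys
from typing import Callable, List, Optional, Tuple

# Constructed sample, abbreviated from the default-rights-sysvol.acl posted in the thread.
SAMPLE_ACL = """\
# file: /var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
group::rwx
group:3000000:rwx
mask::rwx
other::---
default:user:3000000:rwx
default:group:3000001:r-x
"""

# Named user/group entries whose qualifier is a bare number (optionally in the default ACL).
ACL_ENTRY = re.compile(r"^(?:default:)?(user|group):(\d+):")


def numeric_ids(acl_text: str) -> List[Tuple[str, int]]:
    """Return unique (kind, id) pairs for every ACL entry given as a raw number."""
    found: List[Tuple[str, int]] = []
    for line in acl_text.splitlines():
        m = ACL_ENTRY.match(line)
        if m and (m.group(1), int(m.group(2))) not in found:
            found.append((m.group(1), int(m.group(2))))
    return found


def nss_lookup(kind: str, xid: int) -> Optional[str]:
    """Resolve an ID via NSS (nsswitch.conf, so winbind if configured); None when unknown."""
    try:
        return pwd.getpwuid(xid).pw_name if kind == "user" else grp.getgrgid(xid).gr_name
    except KeyError:
        return None


def unresolved_ids(acl_text: str, lookup: Callable[[str, int], Optional[str]] = nss_lookup):
    """IDs that stay numeric under `ls -l`: a sign winbind is missing from NSS or idmap changed."""
    return [(k, x) for k, x in numeric_ids(acl_text) if lookup(k, x) is None]


if __name__ == "__main__":
    text = SAMPLE_ACL if sys.stdin.isatty() else sys.stdin.read()
    for kind, xid in unresolved_ids(text):
        print(f"{kind} {xid}: not resolvable via NSS (is winbind in nsswitch.conf?)")
```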
