[Samba] Admin UID changed with upgrade to 4.8.2
L.P.H. van Belle
belle at bazuin.nl
Thu Jun 14 07:39:46 UTC 2018
Hi Mark,
See below. ;-)
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark
> Foley via samba
> Sent: Wednesday, June 13, 2018 22:50
> To: samba at lists.samba.org
> Subject: Re: [Samba] Admin UID changed with upgrade to 4.8.2
>
> On Wed, 13 Jun 2018 08:50:00 +0200 "L.P.H. van Belle" wrote:
> >
> > Imo, this is a leftover of an old bug, just remove the
> > file Registry.po, I'll bet it's never used.
> > The computer looks for Registry.pol not Registry.po.
>
> Done. Registry.po removed.
>
> But I have another problem with Registry.pol, which I've posted
> under the topic "Are some Group Policies broken?", which you've
> also replied to. I'll look at that message shortly.
>
> > > -rwxrwx--- 1 root users 958 2014-09-13 04:01 Registry.po*
> > > -rwxrwx--- 1 3000000 users 958 2014-09-13 04:01 Registry.pol*
> > Look at the date 2014, and I do remember something about this.
> >
> > But... What does getfacl say about these files/folders? Or
> > get my script:
> >
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
> > And see if there is something wrong here in your SID/UID mappings.
> > The script does not apply settings by default; it only checks
> > and creates a file with the ACL.
> > So you can review it.
>
> Results of your script (excellent tool, btw):
Thanks for the nice comment :-)
>
> $ ./samba-check-set-sysvol.sh
> Review the file : default-rights-sysvol.acl, these contains
> the defaults for sysvol.
> The sysvol ACLS info.....
>
> Please check your share rights for sysvol from within windows.
> If these are incorrect, correct them and run this script again.
> Set your sysvol SHARE permissions as followed.
> EVERYONE: READ
> Authenticated Users: FULL CONTROL
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> User/Group system is added compaired to a win2008R2 sysvol,
> you need this for some GPO
> settings.
>
> Set your sysvol FOLDER permissions as followed.
> Authenticated Users: Read & Exec, Show folder content, Read
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
>
> #####COMMENT#######################################
> Louis - I made the following changes to sysvol from Windows
> logged in as the domain
> administrator:
>
> 'EVERYONE' was set to 'special', but in 'Advanced' nothing
> appeared to be set. I set this to
> FULL CONTROL.
After that "Advanced" tab, click change owner, click edit/change.
There you will see what "Special" is.
>
> 'Authenticated Users' was not in the list at all. I added
> this and set to FULL CONTROL.
>
> 'HPRS\Administrators' was set to 'special', 'Advanced' showed
> FULL CONTROL. I set this to FULL
> CONTROL on the main/first dialog.
>
> I did not find HPRS\SYSTEM. When I search for that it came up
> with only SYSTEM. I did nothing.
Ok, you need to add SYSTEM, that's one of the most important ones.
Then this is already a bit changed in samba, great, I'll go review that
when I'm done with my work here.
>
> Puzzlement: Your program output has "Set your sysvol SHARE
> permissions ..." and a second
> section with, "Set your sysvol FOLDER permissions ...". When
> I right-click on SYSVOL >
> Properties > Security, I only have one dialog for viewing
> and setting permissions. There is
> nothing about SHARE permissions versus FOLDER permissions.
> Nor do I see any other tab related
> to sharing. What do you mean by this?
SHARE Permissions:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
See : Setting Share Permissions and ACLs
Click Start, enter Computer Management, and start the application.
Select Action / Connect to another computer.
Enter the name of the Samba host and click OK to connect the console to the host.
Open the System Tools / Shared Folders / Shares menu entry.
And review your sysvol, and set it to:
EVERYONE: READ
Authenticated Users: FULL CONTROL
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM or (nothing) ) \SYSTEM, FULL CONTROL
Folder permissions:
Use Explorer, browse to a folder, go to the Security tab.
Set your sysvol FOLDER permissions as followed.
Authenticated Users: Read & Exec, Show folder content, Read
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> #####END-OF-COMMENT##################################
>
> $ cat default-rights-sysvol.acl
> # file: /var/lib/samba/sysvol
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> >
> > And post your smb.conf, that helps, really.
>
> I will post this below, after Rowland's comment.
>
> > You updated from 4.4 to 4.8, that's a big step.
> > I have summarized the smb.conf changes, I suggest you review it
> > carefully again.
> > http://downloads.van-belle.nl/samba4/Upgrade-info.txt
> > Or
> > https://wiki.samba.org/index.php/Samba_Features_added/changed_(by_release)
> > The complete list.
>
> I will check out both of these documents.
>
> Meanwhile, I will restart samba and see if any of the changes
> I made to sysvol permissions have
> any effect on my issues.
>
> > Louis
>
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > > Rowland Penny via samba
> > > Sent: Wednesday, June 13, 2018 8:33
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] Admin UID changed with upgrade to 4.8.2
> > >
> > > On Tue, 12 Jun 2018 16:53:30 -0400
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > > > In order to get help using a more up-to-date version of
> Samba, I've
> > > > just upgraded from 4.4.16 to 4.8.2. So far, nothing new
> seems to be
> > > > broken, but I still have to track down some issues I've
> been having.
> > > >
> > > > First off, I notice that something has changed with my
> > > > BUILTIN\administrators ID. before, I had, e.g.:
> > > >
> > > > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > > total 16
> > > > drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22 Microsoft/
> > > > -rwxrwx--- 1 root users 958 2014-09-13 04:01 Registry.po*
> > > > -rwxrwx--- 1 BUILTIN\administrators users 958 2014-09-13 04:01 Registry.pol*
> > > > drwxrwx--- 4 BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/
> > > >
> > > > Now, with 4.8.2, doing the same ls gives me:
> > > >
> > > > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > > total 16
> > > > drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
> > > > -rwxrwx--- 1 root users 958 2014-09-13 04:01 Registry.po*
> > > > -rwxrwx--- 1 3000000 users 958 2014-09-13 04:01 Registry.pol*
> > > > drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/
> > > >
> > > > Is this a problem? Why would that user now be missing?
> What should I
> > > > do about this?
> > > >
> > > > THX --Mark
> > > >
> > >
> > > 3000000 is very probably Administrators, has
> libnss_winbind etc been
> > > updated ?
> > >
> > > Rowland
>
> I have no libnss_winbind file on my system. Should I?
>
> You had once written (20 Aug 2015 15:56:15 Subject: Re:
> [Samba] Samba4 DC/AD documents created
> in redirected folders with bogus UID), "'3000000' is the
> UID/GID (yes it is both) for
> 'S-1-5-32-544' which is the Administrators group."
>
> So, it stands to reason that this 3000000 now showing as the
> UID of these files is the
> administrator. But why did it go from ls'ing
> "BUILTIN\administrators" under 4.4.16 to now
> showing the actual GID with 4.8.2? Seems like something is
> not doing what it should.
>
>
> --Mark
>
> My smb.conf:
>
> # Global parameters
> [global]
> workgroup = HPRS
> realm = hprs.local
> netbios name = MAIL
> interfaces = lo, eth1
> bind interfaces only = Yes
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
> winbind use default domain = yes
> template shell = /bin/bash
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> log level = 2 passdb:5 auth:10 winbind:2 lanman:10
> max log size = 10000
>
> [netlogon]
> path = /var/lib/samba/sysvol/hprs.local/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [Users]
> path = /redirectedFolders/Users
> comment = user folders for redirection
> read only = No
>
> [share]
> path = /var/lib/samba/share
> comment = Shared folder
> read only = No
>
And I did read the comment for Rowland below too.
On Debian you need:
libnss-winbind libpam-winbind to be installed.
I think you are missing one of these.
With 4.8.2 on my DCs I see:
ls -al sysvol/
drwxrwx---+ 5 root BUILTIN\administrators 4096 Dec 21 13:14 internal.domain.tld
Note the (+) in the line above, then use getfacl to see all ACLs.
If you use chmod, you might destroy your very much needed Windows ACLs.
And I see with getfacl:
# file: var/lib/samba/sysvol/internal.domain.tld
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
If you don't get your IDs,
try adding Domain and Local-Realms to: /etc/idmapd.conf
Greetz,
Louis
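As an added example (not code from the thread, and not part of Louis's samba-check-set-sysvol.sh), here is a small Python parser for getfacl output that undoes getfacl's octal escaping (the \134 and \040 seen above) and reports which ACL entries still show bare numeric IDs, i.e. names the DC's NSS/winbind could not resolve back to a name. The two samples are constructed, abridged from the listings posted in this thread; the 3000000 lower bound is the start of the range Samba's internal idmap.ldb allocates from by default.

```python
import re

# getfacl(1) prints special bytes in names as \NNN octal (\134 = '\', \040 = ' '),
# which is why a resolved group shows up as BUILTIN\134administrators.
_OCTAL = re.compile(r"\\([0-7]{3})")

def unescape(name: str) -> str:
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text: str) -> list[tuple[bool, str, str, str]]:
    """Return (is_default, tag, qualifier, perms) per ACL line; comments skipped.
    qualifier is '' for the owner, owning-group, mask and other entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        entries.append((default, tag, unescape(qualifier), perms))
    return entries

def unresolved_ids(text: str, tag: str, low: int = 3000000) -> list[str]:
    """Bare numeric qualifiers (>= low, Samba's default idmap.ldb allocation range)
    among entries with the given tag. A name that NSS/winbind resolved never
    prints as a number, so these are IDs the DC could not map back to a name."""
    found: list[str] = []
    for _, t, qual, _ in parse_getfacl(text):
        if t == tag and qual.isdigit() and int(qual) >= low and qual not in found:
            found.append(qual)
    return found

# Constructed samples, abridged from the two listings in the thread.
MARK_ACL = """# file: /var/lib/samba/sysvol
# group: root
user:3000000:rwx
group:3000000:rwx
group:3000001:r-x
default:group:3000000:rwx
"""
LOUIS_ACL = """# file: var/lib/samba/sysvol/internal.domain.tld
# group: BUILTIN\\134administrators
user:3000000:rwx
group:BUILTIN\\134administrators:rwx
group:BUILTIN\\134server\\040operators:r-x
group:3000002:rwx
"""
```

Run it against `getfacl /var/lib/samba/sysvol` output from a DC: group entries that come back as bare numbers are the ones to investigate (missing libnss_winbind, or an ID with no mapping in idmap.ldb) before touching permissions.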