[Samba] Admin UID changed with upgrade to 4.8.2

Mark Foley mfoley at ohprs.org
Fri Jun 15 00:10:03 UTC 2018


On Thu, 14 Jun 2018 21:37:58 +0100 Rowland Penny wrote:
>
> On Thu, 14 Jun 2018 16:03:35 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > Nevertheless, 'ls' does give names though I don't seem to have either
> > libnss-winbind or libpam-winbind files on my AD/DC.
>
> I keep forgetting that you use slackware, I suppose it uses something
> different, but do you have any file like: libnss_winbind.so.2

Yes, I have:

-rwxr-xr-x 1 root root 13928 2015-04-17 12:46:33 /usr/lib64/pppd/2.4.7/winbind.so
-rwxr-xr-x 1 root root 47864 2016-06-23 18:40:38 /usr/lib64/kde4/kgreet_winbind.so
-rwxr-xr-x 1 root root 1307104 2018-06-10 22:37:16 /usr/lib64/python2.7/site-packages/samba/dcerpc/winbind.so
-rwxr-xr-x 1 root root 14112 2018-06-10 22:37:16 /usr/lib64/libnss_winbind.so.2
lrwxrwxrwx 1 root root 19 2018-06-10 22:39:17 /usr/lib64/libnss_winbind.so -> libnss_winbind.so.2

Might it be prudent to remove (or rename) the lib modules from 2015 and 2016? Perhaps the lib
search order is picking up the wrong one.

> > Circling back to the OP, with 4.4.16 I got:  
> > 
> > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > total 16
> > drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22 Microsoft/
> > -rwxrwx--- 1 BUILTIN\administrators users  958 2014-09-13 04:01 Registry.pol*
> > drwxrwx--- 4 BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/
> > 
> > Now, with 4.8.2, doing the same ls gives me:
> > 
> > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > total 16
> > drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
> > -rwxrwx--- 1 3000000 users  958 2014-09-13 04:01 Registry.pol*
> > drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/
> > 
> > I'm still not sure I've gleaned an answer. I'll check sam.ldb and
> > imap.ldb for clues.

> For some reason, nsswitch (and/or idmap.ldb) isn't mapping '3000000' to
> 'Administrators'

... but it used to with 4.4.16 ...

In my idmap.ldb I have only:

# record 71
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

In sam.ldb for objectSid: S-1-5-32-544, I have:

# record 163   
dn: CN=Administrators,CN=Builtin,DC=hprs,DC=local
objectClass: top
objectClass: group
cn: Administrators
description: Administrators have complete and unrestricted access to the compu
 ter/domain
instanceType: 4
whenCreated: 20140903044615.0Z
uSNCreated: 3562
name: Administrators
objectGUID: 06970ceb-a0bb-4d7a-b878-51f54ac210bd
objectSid: S-1-5-32-544
adminCount: 1
sAMAccountName: Administrators
sAMAccountType: 536870912
systemFlags: -1946157056
groupType: -2147483643
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hprs,DC=local
isCriticalSystemObject: TRUE  
whenChanged: 20150825012848.0Z
uSNChanged: 6468
member: CN=Enterprise Admins,CN=Users,DC=hprs,DC=local
member: CN=Domain Admins,CN=Users,DC=hprs,DC=local
member: CN=Administrator,CN=Users,DC=hprs,DC=local
distinguishedName: CN=Administrators,CN=Builtin,DC=hprs,DC=local

Is there someplace else I can look for this? In ADUC for the 'Administrator' I have nothing in
NIS Domain, UID or Primary Group name/GID.  Should I for this user, or is 'Administrator'
"special"?

For all "normal" domain users I have:

NIS Domain: hprs
UID: 1000x
Primary group name/GID: Domain Users

> > > > With 4.8.2 on my DC's I see:
> > > > ls -al sysvol/
> > > > drwxrwx---+ 5 root BUILTIN\administrators 4096 Dec 21 13:14 internal.domain.tld
> > 
> > Funny you should mention that. I was going to post the same thing,
> > mine is:
> > 
> > rwxrwxr--+ 3 root BUILTIN\administrators   4096 2014-09-03 00:46 sysvol/
> > 
> > I thought it strange that it would list the 300000 groupname, but for
> > files owned by 300000 it will only list the UID number, not the
> > username. 
>
> AH-Ha, the only place that maps an ID to a user AND a group is
> idmap.ldb, where it get 'ID_TYPE_BOTH'. Have you given
> 'Administrators' a uidNumber ? or is it being mapped to 'ID_TYPE_UID'
> in idmap.ldb ?

As shown in my idmap.ldb entry, it has "ID_TYPE_BOTH". A clue?

> > and am missing Louis':
> > group:3000002:rwx
> > group:3000003:r-x
> > 
> > whereas Louis has:
> > group:BUILTIN\134server\040operators:r-x
> > 
> > For 'other' I have "other::r--" whereas Louis has "other::---"
> > 
> > For default I am again missing user 3000001 and my 3000003 is rwx
> > rather than Louis' r-x. My 'default-group' is "r-x", Louis' "---".
> > Same group difference with 'default' as mentioned above with my
> > 040AUTHORITY and Louis' 040operators.
> > My "default:other::r-x", Louis' "default:other::---"
> > 
> > Are my different settings bad?

> Not necessarily, different DC's get different ID's for the
> users/groups.

OK, so not to worry here.

> > > And Louis also uses 'acl_xattr:ignore system acls = yes', 
> > 
> > How do you know that? I don't see that listed in Louis' message?
>
> I just do ;-)
>
> Try reading 'man vfs_acl_xattr'

The man page says in part:

 "When set to yes, a best effort mapping from/to the POSIX ACL layer will not be done by this
  module.  The default is no, which means that Samba keeps setting and evaluating both the system
  ACLs and the NT ACLs.  This is better if you need your system ACLs be set for local or NFS file
  access, too.  If you only access the data via Samba you might set this to yes to achieve better
  NT ACL compatibility."

then lists additional settings for file mods if 'yes' is selected. I assume mine is set to the
default 'no'. So is this something I should fiddle with or is it no big deal?

> > > this means that you can ignore the system ACL and what getfacl
> > > produces.
> > >
> > > The permissions you set from windows is actually stored in
> > > 'security.NTACL'
> > >
> > > To see the contents of this attr:
> > >
> > > getfattr -n security.NTACL /home/testdata
> > > getfattr: Removing leading '/' from absolute path names
> > > # file: home/testdata
> > > security.NTACL=0sAwA [deleted] KCAAA
> > >
> > > Not very readable is it ?
> > 
> > Tried that on /var/lib/samba/sysvol. Yup, gobbledygook!
>
> Just set them from Windows and ignore the Unix acls
>
> Rowland

Which I assume answers the "no big deal" question just posed: not to worry.

So, do you see anything amiss, e.g. with my idmap.ldb setting, ADUC?

--Mark
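As an added diagnostic (not from the thread, and not Samba's own tooling), here is a small Python script that checks the three things this exchange keeps circling: whether a numeric ID carries a sidMap record in idmap.ldb and what ID_TYPE it has, whether nsswitch.conf lets passwd/group lookups reach winbind at all, and which numeric owners or groups in an `ls -l` listing are therefore still unexplained. The inputs are constructed from the records quoted above (the nsswitch.conf content is invented for illustration), and the diagnosis strings are my own wording.

```python
# Added diagnostic (not from the thread), inputs constructed from what it quotes:
# why does an owner/group in `ls -l` stay numeric, given idmap.ldb and nsswitch.conf?
IDMAP_LDIF = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
"""
NSSWITCH = "passwd: compat winbind\ngroup: compat\n"  # constructed: group lacks winbind
LS_OUTPUT = "drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/\n"

def parse_ldif(text):
    """Split an ldbsearch/LDIF dump into records: {attr: [values]}."""
    records, cur, last = [], {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:            # folded continuation line
            cur[last][-1] += line[1:]
        elif not line.strip() or line.startswith("#"):  # separator or comment
            if cur:
                records.append(cur)
            cur, last = {}, None
        else:
            attr, _, val = line.partition(":")
            cur.setdefault(attr, []).append(val.strip())
            last = attr
    return records + ([cur] if cur else [])

def xid_map(ldif_text):
    """xidNumber -> (objectSid, type) for every sidMap record in idmap.ldb."""
    return {int(r["xidNumber"][0]): (r["objectSid"][0], r["type"][0])
            for r in parse_ldif(ldif_text) if "xidNumber" in r}

def nss_winbind(nsswitch_text):
    return {db.strip(): "winbind" in src.split()
            for db, _, src in (l.partition(":") for l in nsswitch_text.splitlines())
            if db.strip() in ("passwd", "group")}

def explain(ls_text, ldif_text, nsswitch_text):
    """(xid, db) -> diagnosis for each numeric owner (col 3) or group (col 4)."""
    mapping, nss, out = xid_map(ldif_text), nss_winbind(nsswitch_text), {}
    for f in (line.split() for line in ls_text.splitlines()):
        for idx, db in ((2, "passwd"), (3, "group")):
            if len(f) > idx and f[idx].isdigit():
                xid, m = int(f[idx]), mapping.get(int(f[idx]))
                if m is None:
                    out[(xid, db)] = "no sidMap record in idmap.ldb"
                elif not nss.get(db):
                    out[(xid, db)] = f"{m[0]} {m[1]}, but {db} lacks winbind in nsswitch.conf"
                else:
                    out[(xid, db)] = f"{m[0]} {m[1]}; nsswitch ok, check libnss_winbind/winbindd"
    return out
```

Feed it the real output of `ldbsearch -H /var/lib/samba/private/idmap.ldb`, your /etc/nsswitch.conf and the sysvol listing to see which of the three layers the unresolved 3000000 is stuck in.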
