[Samba] Admin UID changed with upgrade to 4.8.2

Rowland Penny rpenny at samba.org
Fri Jun 15 07:08:53 UTC 2018


On Thu, 14 Jun 2018 20:10:03 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> On Thu, 14 Jun 2018 21:37:58 +0100 Rowland Penny wrote:
> >
> > On Thu, 14 Jun 2018 16:03:35 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > Nevertheless, 'ls' does give names though I don't seem to have
> > > either libnss-winbind or libpam-winbind files on my AD/DC.
> >
> > I keep forgetting that you use slackware, I suppose it uses
> > something different, but do you have any file like:
> > libnss_winbind.so.2
> 
> Yes, I have:
> 
> -rwxr-xr-x 1 root root   13928 2015-04-17 12:46:33 /usr/lib64/pppd/2.4.7/winbind.so
> -rwxr-xr-x 1 root root   47864 2016-06-23 18:40:38 /usr/lib64/kde4/kgreet_winbind.so
> -rwxr-xr-x 1 root root 1307104 2018-06-10 22:37:16 /usr/lib64/python2.7/site-packages/samba/dcerpc/winbind.so
> -rwxr-xr-x 1 root root   14112 2018-06-10 22:37:16 /usr/lib64/libnss_winbind.so.2
> lrwxrwxrwx 1 root root      19 2018-06-10 22:39:17 /usr/lib64/libnss_winbind.so -> libnss_winbind.so.2
> 
> Might it be prudent to remove (or rename) the lib modules from 2015
> and 2016? Perhaps the lib search order is picking up the wrong one.

Unless something strange is going on (and I don't think it is), you
have the correct links, the others are for something else.

> 
> > > Circling back to the OP, with 4.4.16 I got:  
> > > 
> > > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > total 16
> > > drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22 Microsoft/
> > > -rwxrwx--- 1 BUILTIN\administrators users  958 2014-09-13 04:01 Registry.pol*
> > > drwxrwx--- 4 BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/
> > > 
> > > Now, with 4.8.2, doing the same ls gives me:
> > > 
> > > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > total 16
> > > drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
> > > -rwxrwx--- 1 3000000 users  958 2014-09-13 04:01 Registry.pol*
> > > drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/
> > > 
> > > I'm still not sure I've gleaned an answer. I'll check sam.ldb and
> > > idmap.ldb for clues.
> 
> > For some reason, nsswitch (and/or idmap.ldb) isn't mapping
> > '3000000' to 'Administrators'
> 
> ... but it used to with 4.4.16 ...
> 
> in my idmap.ldb I have only:
> 
> # record 71
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_BOTH
> xidNumber: 3000000
> distinguishedName: CN=S-1-5-32-544

So '3000000' is 'Administrators' and is both a group and a user.

> 
> in sam.ldb for objectSID: S-1-5-32-544, I have:
> 
> # record 163   
> dn: CN=Administrators,CN=Builtin,DC=hprs,DC=local
> objectClass: top
> objectClass: group
> cn: Administrators
> description: Administrators have complete and unrestricted access to the computer/domain
> instanceType: 4
> whenCreated: 20140903044615.0Z
> uSNCreated: 3562
> name: Administrators
> objectGUID: 06970ceb-a0bb-4d7a-b878-51f54ac210bd
> objectSid: S-1-5-32-544
> adminCount: 1
> sAMAccountName: Administrators
> sAMAccountType: 536870912
> systemFlags: -1946157056
> groupType: -2147483643
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hprs,DC=local
> isCriticalSystemObject: TRUE  
> whenChanged: 20150825012848.0Z
> uSNChanged: 6468
> member: CN=Enterprise Admins,CN=Users,DC=hprs,DC=local
> member: CN=Domain Admins,CN=Users,DC=hprs,DC=local
> member: CN=Administrator,CN=Users,DC=hprs,DC=local
> distinguishedName: CN=Administrators,CN=Builtin,DC=hprs,DC=local
>

So no uidNumber or gidNumber.
 
> Is there someplace else I can look for this? In ADUC for the
> 'Administrator' I have nothing in NIS Domain, UID or Primary Group
> name/GID.  Should I for this user, or is 'Administrator' "special"?

Good, you shouldn't have. If you look in idmap.ldb, you will find that
RID '500' is mapped to 'xidNumber' '0'.
 
> > AH-Ha, the only place that maps an ID to a user AND a group is
> > idmap.ldb, where it get 'ID_TYPE_BOTH'. Have you given
> > 'Administrators' a uidNumber ? or is it being mapped to
> > 'ID_TYPE_UID' in idmap.ldb ?
> 
> As shown in my idmap.ldb entry, it has "ID_TYPE_BOTH". A clue?
> 

Not really, more a poser: everything looks okay, but it still isn't
working fully. Perhaps it's time to run 'net cache flush' again?

> 
> > > > And Louis also uses 'acl_xattr:ignore system acls = yes', 
> > > 
> > > How do you know that? I don't see that listed in Louis' message?
> >
> > I just do ;-)
> >
> > Try reading 'man vfs_acl_xattr'
> 
> The man page says in part:
> 
>  "When set to yes, a best effort mapping from/to the POSIX ACL layer
> will not be done by this module.  The default is no, which means that
> Samba keeps setting and evaluating both the system ACLs and the NT
> ACLs.  This is better if you need your system ACLs be set for local
> or NFS file access, too.  If you only access the data via Samba you
> might set this to yes to achieve better NT ACL compatibility."
> 
> then lists additional settings for file mods if 'yes' is selected. I
> assume mine is set to the default 'no'. So is this something I should
> fiddle with or is it no big deal?

From my understanding, when 'acl_xattr:ignore system acls = no' is set
(the default), Samba will attempt to change the ACLs when they are set
from Windows; it will use 'setfacl' whilst doing this, and it will also
write the extended attributes to security.NTACL. If 'no' is changed to
'yes', it does what it says on the tin: the Unix ACLs are ignored. You
can change them on the Unix side to whatever you like, but from the
Windows side they will be ignored as if they were not there. As to
whether you should set it or not, I would tend towards fixing your
current problem first and deciding later.
  
Rowland
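The checks discussed in this thread (what idmap.ldb says about S-1-5-32-544, whether winbind and nsswitch resolve the resulting xid back to a name, and what NT ACL the sysvol tree actually carries), collected into one script. This is an added example, not code from the thread or from the Samba project. It assumes the default Samba AD DC paths (/var/lib/samba/private/idmap.ldb, /var/lib/samba/sysvol) and that ldbsearch, wbinfo, getent, samba-tool and testparm are on PATH; the embedded idmap.ldb record is a constructed copy of the one quoted above so the parsing part can be exercised offline. The live checks only run when the script is invoked with `--live` as root on the DC.

```shell
#!/bin/sh
# Added example: inspect the SID -> xid mapping for BUILTIN\Administrators and
# the NT ACL on sysvol. Default Samba AD DC paths are assumed.

IDMAP_LDB="${IDMAP_LDB:-/var/lib/samba/private/idmap.ldb}"
SYSVOL="${SYSVOL:-/var/lib/samba/sysvol}"

# Constructed copy of the idmap.ldb record quoted in the thread (not live
# output); used to exercise the parser without a DC.
SAMPLE_IDMAP_RECORD='# record 71
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544'

# idmap_field RECORD ATTR: print the value of ATTR from one LDIF record.
idmap_field() {
    printf '%s\n' "$1" | awk -v attr="$2" -F': ' '$1 == attr { print $2; exit }'
}

# idmap_is_both RECORD: succeed when the SID is mapped as ID_TYPE_BOTH, which is
# what lets the same xid be shown by ls as both a user (owner) and a group.
idmap_is_both() {
    [ "$(idmap_field "$1" type)" = "ID_TYPE_BOTH" ]
}

# sid_record SID: dump the live idmap.ldb record for SID in the same LDIF shape.
sid_record() {
    ldbsearch -H "$IDMAP_LDB" "(objectSid=$1)"
}

# check_sid SID: compare the idmap.ldb entry with what winbind and nsswitch
# report for the same SID/xid. Run as root on the DC.
check_sid() {
    sid="$1"
    rec=$(sid_record "$sid") || return 1
    xid=$(idmap_field "$rec" xidNumber)
    echo "idmap.ldb: $sid -> xid $xid, type $(idmap_field "$rec" type)"
    echo "winbind:   uid $(wbinfo --sid-to-uid "$sid" 2>/dev/null || echo none)," \
         "gid $(wbinfo --sid-to-gid "$sid" 2>/dev/null || echo none)"
    # If these two come back empty, nsswitch is not resolving the xid and
    # ls(1) falls back to printing the bare number (the 3000000 seen above).
    echo "nsswitch:  passwd $(getent passwd "$xid" | cut -d: -f1)," \
         "group $(getent group "$xid" | cut -d: -f1)"
}

# check_ntacl PATH: show the NT ACL kept in security.NTACL as SDDL, plus the
# effective 'acl_xattr:ignore system acls' setting, so the owner SID in the ACL
# can be compared with the owner that ls shows.
check_ntacl() {
    samba-tool ntacl get --as-sddl "$1"
    testparm -s 2>/dev/null | grep -i 'ignore system acls' || \
        echo "acl_xattr:ignore system acls not set (default: no)"
}

if [ "${1:-}" = "--live" ]; then
    check_sid S-1-5-32-544
    check_ntacl "$SYSVOL"
fi
```

With the mapping intact, the three lines printed by check_sid agree: idmap.ldb gives xid 3000000 with ID_TYPE_BOTH, wbinfo returns 3000000 for both the uid and the gid query, and getent resolves it to a name in both passwd and group. A mismatch between the first line and the last two points at winbind/nsswitch rather than at the database, which is where 'net cache flush' comes in.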


