[Samba] Admin UID changed with upgrade to 4.8.2

Mark Foley mfoley at ohprs.org
Fri Jun 15 15:28:59 UTC 2018


On Fri, 15 Jun 2018 08:08:53 +0100 Rowland Penny <rpenny at samba.org> wrote:
>
> On Thu, 14 Jun 2018 20:10:03 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 14 Jun 2018 21:37:58 +0100 Rowland Penny wrote:
> > >
> > > On Thu, 14 Jun 2018 16:03:35 -0400
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > > > Nevertheless, 'ls' does give names though I don't seem to have
> > > > either libnss-winbind or libpam-winbind files on my AD/DC.
> > >
> > > I keep forgetting that you use slackware, I suppose it uses
> > > something different, but do you have any file like:
> > > libnss_winbind.so.2
> > 
> > Yes, I have:
> > 
> > -rwxr-xr-x 1 root root 13928 2015-04-17 12:46:33 /usr/lib64/pppd/2.4.7/winbind.so
> > -rwxr-xr-x 1 root root 47864 2016-06-23 18:40:38 /usr/lib64/kde4/kgreet_winbind.so
> > -rwxr-xr-x 1 root root 1307104 2018-06-10 22:37:16 /usr/lib64/python2.7/site-packages/samba/dcerpc/winbind.so
> > -rwxr-xr-x 1 root root 14112 2018-06-10 22:37:16 /usr/lib64/libnss_winbind.so.2
> > lrwxrwxrwx 1 root root 19 2018-06-10 22:39:17 /usr/lib64/libnss_winbind.so -> libnss_winbind.so.2
> > 
> > Might it be prudent to remove (or rename) the lib modules from 2015
> > and 2016? Perhaps the lib search order is picking up the wrong one.
>
> Unless something strange is going on (and I don't think it is), you
> have the correct links, the others are for something else.
>
> > 
> > > > Circling back to the OP, with 4.4.16 I got:  
> > > > 
> > > > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > > total 16
> > > > drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22 Microsoft/
> > > > -rwxrwx--- 1 BUILTIN\administrators users  958 2014-09-13 04:01 Registry.pol*
> > > > drwxrwx--- 4 BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/
> > > > 
> > > > Now, with 4.8.2, doing the same ls gives me:
> > > > 
> > > > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > > total 16
> > > > drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
> > > > -rwxrwx--- 1 3000000 users  958 2014-09-13 04:01 Registry.pol*
> > > > drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/
> > > > 
> > > > I'm still not sure I've gleaned an answer. I'll check sam.ldb and
> > > > idmap.ldb for clues.
> > 
> > > For some reason, nsswitch (and/or idmap.ldb) isn't mapping
> > > '3000000' to 'Administrators'
> > 
> > ... but it used to with 4.4.16 ...
> > 
> > in my idmap.ldb I have only:
> > 
> > # record 71
> > dn: CN=S-1-5-32-544
> > cn: S-1-5-32-544
> > objectClass: sidMap
> > objectSid: S-1-5-32-544
> > type: ID_TYPE_BOTH
> > xidNumber: 3000000
> > distinguishedName: CN=S-1-5-32-544
>
> So '3000000' is 'Administrators' and is both a group and a user.
>
> > 
> > in sam.ldb for objectSID: S-1-5-32-544, I have:
> > 
> > # record 163   
> > dn: CN=Administrators,CN=Builtin,DC=hprs,DC=local
> > objectClass: top
> > objectClass: group
> > cn: Administrators
> > description: Administrators have complete and unrestricted access to
> > the compu ter/domain
> > instanceType: 4
> > whenCreated: 20140903044615.0Z
> > uSNCreated: 3562
> > name: Administrators
> > objectGUID: 06970ceb-a0bb-4d7a-b878-51f54ac210bd
> > objectSid: S-1-5-32-544
> > adminCount: 1
> > sAMAccountName: Administrators
> > sAMAccountType: 536870912
> > systemFlags: -1946157056
> > groupType: -2147483643
> > objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hprs,DC=local
> > isCriticalSystemObject: TRUE  
> > whenChanged: 20150825012848.0Z
> > uSNChanged: 6468
> > member: CN=Enterprise Admins,CN=Users,DC=hprs,DC=local
> > member: CN=Domain Admins,CN=Users,DC=hprs,DC=local
> > member: CN=Administrator,CN=Users,DC=hprs,DC=local
> > distinguishedName: CN=Administrators,CN=Builtin,DC=hprs,DC=local
> >
>
> So no uidNumber or gidNumber.
>  
> > Is there someplace else I can look for this? In ADUC for the
> > 'Administrator' I have nothing in NIS Domain, UID or Primary Group
> > name/GID.  Should I for this user, or is 'Administrator' "special"?
>
> Good, you shouldn't have, if you look in idmap.ldb, you will find that
> RID '500' is mapped to 'xidNumber' '0'.
>  
> > > AH-Ha, the only place that maps an ID to a user AND a group is
> > > idmap.ldb, where it get 'ID_TYPE_BOTH'. Have you given
> > > 'Administrators' a uidNumber ? or is it being mapped to
> > > 'ID_TYPE_UID' in idmap.ldb ?
> > 
> > As shown in my idmap.ldb entry, it has "ID_TYPE_BOTH". A clue?
> > 
>
> Not really, more a poser, everything looks okay, but it still isn't
> working fully, perhaps time to run 'net cache flush' again ?

Ran 'net cache flush', then restarted samba. No change.

So, libnss_winbind.so is correct, idmap.ldb is correct, sam.ldb is correct, ADUC is correct,
yet I'm still getting only the UID on 'ls' for BUILTIN\administrators. I'm stumped!

Is there anything else to check/try?

[acl_xattr stuff deleted]

--Mark
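As an added diagnostic (not part of the thread), a small Python script that does by hand what the poster did above: it joins an idmap.ldb LDIF dump (SID, xidNumber, type) with the matching sam.ldb records (SID, sAMAccountName) and reports which name `ls -l` should print for a numeric id. The LDIF samples are constructed from the records quoted in the thread; the SID used for 'Administrator' is a placeholder.

```python
# Constructed LDIF samples modelled on the idmap.ldb / sam.ldb records quoted in the thread; the Administrator SID is a placeholder.
IDMAP_LDIF = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-PLACEHOLDER-500
objectSid: S-1-5-21-PLACEHOLDER-500
type: ID_TYPE_UID
xidNumber: 0
"""
SAM_LDIF = """\
dn: CN=Administrators,CN=Builtin,DC=hprs,DC=local
description: Administrators have complete and unrestricted access to the compu
 ter/domain
objectSid: S-1-5-32-544
sAMAccountName: Administrators

dn: CN=Administrator,CN=Users,DC=hprs,DC=local
objectSid: S-1-5-21-PLACEHOLDER-500
sAMAccountName: Administrator
"""

def parse_ldif(text):
    """LDIF -> list of {attr: [values]}; joins folded lines (leading space) and skips '#' comments, as in ldbsearch output."""
    records, cur, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():                      # blank line ends a record
            if cur: records.append(cur)
            cur, last = {}, None
        elif line.startswith(" ") and last:       # folded continuation line
            cur[last][-1] += line[1:]
        else:
            last, _, val = line.partition(":")
            cur.setdefault(last, []).append(val.strip())
    if cur: records.append(cur)
    return records

def resolve_xid(xid, idmap_ldif=IDMAP_LDIF, sam_ldif=SAM_LDIF):
    """Expected (sid, id type, account name) for a numeric id seen in 'ls -l', or None when idmap.ldb has no sidMap record for it."""
    sam = {r["objectSid"][0]: r for r in parse_ldif(sam_ldif) if "objectSid" in r}
    for r in parse_ldif(idmap_ldif):
        if r.get("xidNumber", [""])[0] == str(xid):
            sid = r["objectSid"][0]
            name = sam.get(sid, {}).get("sAMAccountName", ["<not in sam.ldb>"])[0]
            return sid, r["type"][0], name
    return None
```

On a real DC the two dumps would come from `ldbsearch -H /var/lib/samba/private/idmap.ldb` and `ldbsearch -H /var/lib/samba/private/sam.ldb`; a result with ID_TYPE_BOTH and a resolved name, as here for 3000000, means the ldb side is consistent and the gap is in the nss/winbind lookup.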



