[Samba] Admin UID changed with upgrade to 4.8.2

L.P.H. van Belle belle at bazuin.nl
Fri Jun 15 15:47:16 UTC 2018


Hi Mark,


> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Mark Foley via samba
> Sent: Friday, 15 June 2018 17:29
> To: samba at lists.samba.org
> Subject: Re: [Samba] Admin UID changed with upgrade to 4.8.2
> 
> On Fri, 15 Jun 2018 08:08:53 +0100 Rowland Penny 
> <rpenny at samba.org> wrote:
> >
> > On Thu, 14 Jun 2018 20:10:03 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > On Thu, 14 Jun 2018 21:37:58 +0100 Rowland Penny wrote:
> > > >
> > > > On Thu, 14 Jun 2018 16:03:35 -0400
> > > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > > >
> > > > > Nevertheless, 'ls' does give names though I don't seem to have
> > > > > either libnss-winbind or libpam-winbind files on my AD/DC.
> > > >
> > > > I keep forgetting that you use slackware, I suppose it uses
> > > > something different, but do you have any file like:
> > > > libnss_winbind.so.2
> > > 
> > > Yes, I have:
> > > 
> > > > -rwxr-xr-x 1 root root 13928 2015-04-17 12:46:33 /usr/lib64/pppd/2.4.7/winbind.so
> > > > -rwxr-xr-x 1 root root 47864 2016-06-23 18:40:38 /usr/lib64/kde4/kgreet_winbind.so
> > > > -rwxr-xr-x 1 root root 1307104 2018-06-10 22:37:16 /usr/lib64/python2.7/site-packages/samba/dcerpc/winbind.so
> > > > -rwxr-xr-x 1 root root 14112 2018-06-10 22:37:16 /usr/lib64/libnss_winbind.so.2
> > > > lrwxrwxrwx 1 root root 19 2018-06-10 22:39:17 /usr/lib64/libnss_winbind.so -> libnss_winbind.so.2
> > > > 
> > > > Might it be prudent to remove (or rename) the lib modules from 2015
> > > > and 2016? Perhaps the lib search order is picking up the wrong one.
> >
> > Unless something strange is going on (and I don't think it is), you
> > have the correct links, the others are for something else.
> >
> > > 
> > > > > Circling back to the OP, with 4.4.16 I got:  
> > > > > 
> > > > > > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > > > > total 16
> > > > > > drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22 Microsoft/
> > > > > > -rwxrwx--- 1 BUILTIN\administrators users  958 2014-09-13 04:01 Registry.pol*
> > > > > > drwxrwx--- 4 BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/
> > > > > 
> > > > > Now, with 4.8.2, doing the same ls gives me:
> > > > > 
> > > > > > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > > > total 16
> > > > > drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
> > > > > -rwxrwx--- 1 3000000 users  958 2014-09-13 04:01 Registry.pol*
> > > > > drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/
> > > > > 
> > > > > > I'm still not sure I've gleaned an answer. I'll check sam.ldb and
> > > > > > imap.ldb for clues.
> > > 
> > > > For some reason, nsswitch (and/or idmap.ldb) isn't mapping
> > > > '3000000' to 'Administrators'
> > > 
> > > ... but it used to with 4.4.16 ...
> > > 
> > > in my idmap.ldb I have only:
> > > 
> > > # record 71
> > > dn: CN=S-1-5-32-544
> > > cn: S-1-5-32-544
> > > objectClass: sidMap
> > > objectSid: S-1-5-32-544
> > > type: ID_TYPE_BOTH
> > > xidNumber: 3000000
> > > distinguishedName: CN=S-1-5-32-544
> >
> > So '3000000' is 'Administrators' and is both a group and a user.
> >
> > > 
> > > in sam.ldb for objectSID: S-1-5-32-544, I have:
> > > 
> > > # record 163   
> > > dn: CN=Administrators,CN=Builtin,DC=hprs,DC=local
> > > objectClass: top
> > > objectClass: group
> > > cn: Administrators
> > > > description: Administrators have complete and unrestricted access to the computer/domain
> > > instanceType: 4
> > > whenCreated: 20140903044615.0Z
> > > uSNCreated: 3562
> > > name: Administrators
> > > objectGUID: 06970ceb-a0bb-4d7a-b878-51f54ac210bd
> > > objectSid: S-1-5-32-544
> > > adminCount: 1
> > > sAMAccountName: Administrators
> > > sAMAccountType: 536870912
> > > systemFlags: -1946157056
> > > groupType: -2147483643
> > > > objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hprs,DC=local
> > > isCriticalSystemObject: TRUE  
> > > whenChanged: 20150825012848.0Z
> > > uSNChanged: 6468
> > > member: CN=Enterprise Admins,CN=Users,DC=hprs,DC=local
> > > member: CN=Domain Admins,CN=Users,DC=hprs,DC=local
> > > member: CN=Administrator,CN=Users,DC=hprs,DC=local
> > > distinguishedName: CN=Administrators,CN=Builtin,DC=hprs,DC=local
> > >
> >
> > So no uidNumber or gidNumber.
> >  
> > > Is there someplace else I can look for this? In ADUC for the
> > > 'Administrator' I have nothing in NIS Domain, UID or Primary Group
> > > > name/GID.  Should I for this user, or is 'Administrator' "special"?
> >
> > Good, you shouldn't have, if you look in idmap.ldb, you will find that
> > RID '500' is mapped to 'xidNumber' '0'.
> >  
> > > > AH-Ha, the only place that maps an ID to a user AND a group is
> > > > idmap.ldb, where it get 'ID_TYPE_BOTH'. Have you given
> > > > 'Administrators' a uidNumber ? or is it being mapped to
> > > > 'ID_TYPE_UID' in idmap.ldb ?
> > > 
> > > As shown in my idmap.ldb entry, it has "ID_TYPE_BOTH". A clue?
> > > 
> >
> > Not really, more a poser, everything looks okay, but it still isn't
> > working fully, perhaps time to run 'net cache flush' again ?
> 
> ran 'net cache flush', then restarted samba. No change. 
> 
> So, libnss_winbind.so is correct, idmap.ldb is correct, sam.ldb is correct,
> ADUC is correct, yet still getting only UID on 'ls' for
> BUILTIN\administrators.  I'm Stumped!

You see the GID here, not the UID.
The UID of BUILTIN\administrators is 300000?
Which is a type: ID_TYPE_BOTH

https://wiki.samba.org/index.php?title=User_and_Group_management

But Linux cannot show the group as a user; Windows can.

> 
> Is there anything else to check/try?
> 
> [acl_xattr stuff deleted]
> 
> --Mark
> 
> 
> 

No, this looks good to me. 

Greetz, 

Louis
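
Added example, not part of the original message and not Samba's own code: a small Python check that reads sidMap records in the form quoted above and asks NSS for each xidNumber both as a user and as a group, which shows what `ls -l` prints in the owner and group columns (`ls` falls back to the number when the lookup finds no name). The function names are hypothetical and the second sample record is constructed for illustration.

```python
import grp
import pwd

# Sample input: the first record is the one quoted in the thread,
# the second is constructed for illustration.
SAMPLE_LDIF = """\
# record 71
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

# record 72 (constructed)
dn: CN=S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_GID
xidNumber: 3000001
"""

def parse_sidmap(ldif_text):
    """Return one dict per sidMap record; a blank line ends a record."""
    records, current = [], {}
    for line in ldif_text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current.get("objectClass") == "sidMap" and "xidNumber" in current:
                records.append(current)
            current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    return records

def resolve_name(lookup, xid):
    """Name returned by an NSS lookup, or None when there is no entry."""
    try:
        return lookup(xid)[0]
    except KeyError:
        return None

def check_mappings(ldif_text, getpwuid=pwd.getpwuid, getgrgid=grp.getgrgid):
    """For each mapped xid, report what ls -l shows as owner and as group."""
    report = []
    for rec in parse_sidmap(ldif_text):
        xid = int(rec["xidNumber"])
        report.append({"sid": rec["objectSid"], "type": rec["type"], "xid": xid,
                       "owner_column": resolve_name(getpwuid, xid) or str(xid),
                       "group_column": resolve_name(getgrgid, xid) or str(xid)})
    return report

if __name__ == "__main__":
    for row in check_mappings(SAMPLE_LDIF):
        print(row)
```

Run on the DC itself, the default resolvers go through nsswitch, so a numeric `owner_column` next to a named `group_column` for the same xid matches the `ls` output in the thread.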





