[Samba] (RESOLVED) Admin UID changed with upgrade to 4.8.2

Mark Foley mfoley at ohprs.org
Sun Jun 17 05:22:34 UTC 2018


On Fri, 15 Jun 2018 08:08:53 +0100 Rowland Penny wrote:
>
> On Thu, 14 Jun 2018 20:10:03 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 14 Jun 2018 21:37:58 +0100 Rowland Penny wrote:
> > >
> > > On Thu, 14 Jun 2018 16:03:35 -0400
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > > > Nevertheless, 'ls' does give names though I don't seem to have
> > > > either libnss-winbind or libpam-winbind files on my AD/DC.
> > >
> > > I keep forgetting that you use slackware, I suppose it uses
> > > something different, but do you have any file like:
> > > libnss_winbind.so.2
> > 
> > Yes, I have:
> > 
> > -rwxr-xr-x 1 root root   13928 2015-04-17 12:46:33 /usr/lib64/pppd/2.4.7/winbind.so
> > -rwxr-xr-x 1 root root   47864 2016-06-23 18:40:38 /usr/lib64/kde4/kgreet_winbind.so
> > -rwxr-xr-x 1 root root 1307104 2018-06-10 22:37:16 /usr/lib64/python2.7/site-packages/samba/dcerpc/winbind.so
> > -rwxr-xr-x 1 root root   14112 2018-06-10 22:37:16 /usr/lib64/libnss_winbind.so.2
> > lrwxrwxrwx 1 root root      19 2018-06-10 22:39:17 /usr/lib64/libnss_winbind.so -> libnss_winbind.so.2
> > 
> > Might it be prudent to remove (or rename) the lib modules from 2015
> > and 2016? Perhaps the lib search order is picking up the wrong one.
>
> Unless something strange is going on (and I don't think it is), you
> have the correct links, the others are for something else.
>
> > 
> > > > Circling back to the OP, with 4.4.16 I got:  
> > > > 
> > > > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > > total 16
> > > > drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22 Microsoft/
> > > > -rwxrwx--- 1 BUILTIN\administrators users  958 2014-09-13 04:01 Registry.pol*
> > > > drwxrwx--- 4 BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/
> > > > 
> > > > Now, with 4.8.2, doing the same ls gives me:
> > > > 
> > > > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > > total 16
> > > > drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
> > > > -rwxrwx--- 1 3000000 users  958 2014-09-13 04:01 Registry.pol*
> > > > drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/
> > > > 
> > > > I'm still not sure I've gleaned an answer. I'll check sam.ldb and
> > > > idmap.ldb for clues.
> > 
> > > For some reason, nsswitch (and/or idmap.ldb) isn't mapping
> > > '3000000' to 'Administrators'
> > 
> > ... but it used to with 4.4.16 ...
> > 
> > in my idmap.ldb I have only:
> > 
> > # record 71
> > dn: CN=S-1-5-32-544
> > cn: S-1-5-32-544
> > objectClass: sidMap
> > objectSid: S-1-5-32-544
> > type: ID_TYPE_BOTH
> > xidNumber: 3000000
> > distinguishedName: CN=S-1-5-32-544
>
> So '3000000' is 'Administrators' and is both a group and a user.
>
> > 
> > in sam.ldb for objectSID: S-1-5-32-544, I have:
> > 
> > # record 163   
> > dn: CN=Administrators,CN=Builtin,DC=hprs,DC=local
> > objectClass: top
> > objectClass: group
> > cn: Administrators
> > description: Administrators have complete and unrestricted access to
> > the computer/domain
> > instanceType: 4
> > whenCreated: 20140903044615.0Z
> > uSNCreated: 3562
> > name: Administrators
> > objectGUID: 06970ceb-a0bb-4d7a-b878-51f54ac210bd
> > objectSid: S-1-5-32-544
> > adminCount: 1
> > sAMAccountName: Administrators
> > sAMAccountType: 536870912
> > systemFlags: -1946157056
> > groupType: -2147483643
> > objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hprs,DC=local
> > isCriticalSystemObject: TRUE  
> > whenChanged: 20150825012848.0Z
> > uSNChanged: 6468
> > member: CN=Enterprise Admins,CN=Users,DC=hprs,DC=local
> > member: CN=Domain Admins,CN=Users,DC=hprs,DC=local
> > member: CN=Administrator,CN=Users,DC=hprs,DC=local
> > distinguishedName: CN=Administrators,CN=Builtin,DC=hprs,DC=local
> >
>
> So no uidNumber or gidNumber.
>  
> > Is there someplace else I can look for this? In ADUC for the
> > 'Administrator' I have nothing in NIS Domain, UID or Primary Group
> > name/GID.  Should I for this user, or is 'Administrator' "special"?
>
> Good, you shouldn't have, if you look in idmap.ldb, you will find that
> RID '500' is mapped to 'xidNumber' '0'.
>  
> > > AH-Ha, the only place that maps an ID to a user AND a group is
> > > idmap.ldb, where it get 'ID_TYPE_BOTH'. Have you given
> > > 'Administrators' a uidNumber ? or is it being mapped to
> > > 'ID_TYPE_UID' in idmap.ldb ?
> > 
> > As shown in my idmap.ldb entry, it has "ID_TYPE_BOTH". A clue?
> > 
>
> Not really, more a poser, everything looks okay, but it still isn't
> working fully, perhaps time to run 'net cache flush' again ?
>
> > 
> > > > > And Louis also uses 'acl_xattr:ignore system acls = yes', 
> > > > 
> > > > How do you know that? I don't see that listed in Louis' message?
> > >
> > > I just do ;-)
> > >
> > > Try reading 'man vfs_acl_xattr'
> > 
> > The man page says in part:
> > 
> >  "When set to yes, a best effort mapping from/to the POSIX ACL layer
> > will not be done by this module.  The default is no, which means that
> > Samba keeps setting and evaluating both the system ACLs and the NT
> > ACLs.  This is better if you need your system ACLs be set for local
> > or NFS file access, too.  If you only access the data via Samba you
> > might set this to yes to achieve better NT ACL compatibility."
> > 
> > then lists additional settings for file mods if 'yes' is selected. I
> > assume mine is set to the default 'no'. So is this something I should
> > fiddle with or is it no big deal?
>
> From my understanding, when 'acl_xattr:ignore system acls = no' is set
> (the default), Samba will attempt to change the ACLs when set from
> Windows, it will use 'setfacl' whilst doing this, it will also write
> the extended attributes to security.NTACL. If 'no' is changed to 'yes',
> it does what it says on the tin, the Unix ACLs are ignored, you can
> change them on the Unix side to whatever you like, but from the Windows
> side, they will be ignored as if they were not there. From the
> perspective of whether you should set it or not, I would tend towards
> fixing your current problem first and decide later.
>   
> Rowland
>

I think I'm going to consider this one "not a problem". From Rowland's and Louis' expert
commentary, it appears that my various config files and database are OK. I think Rowland's
suspicions about something being amiss with libnss_winbind could be the problem.

I am running Slackware 14.2 whose official release version of Samba is 4.4.16.  As pointed out
in this maillist, that branch is end-of-life.  So, I updated this 14.2 system with the pending
"current" version of Samba which is 4.8.2 (built from source, not binaries).  Along with that
update was libnss_winbind.so.2 and numerous other Samba related modules. 

It is entirely possible that some 14.2 stuff is not quite compatible with "current" stuff. So
far, this is the only thing I've run into. Perhaps when "current" becomes stable "15.0" (or
whatever they name it), and I can install a complete, integrated system, this issue might go
away.

It does not appear to be causing any functional troubles and, as mentioned, configs all look
OK, so I think I'll consider this issue resolved and focus on my sysvol permission issues in
the "Fixing sysvol permissions" thread.

Thank you both for your expertise and patience.

--Mark
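As an added diagnostic (not code from this thread or from Samba itself), the script below does by program what the thread does by hand: it parses ldbsearch-style LDIF records from idmap.ldb and sam.ldb into an xidNumber -> (SID, idmap type, sAMAccountName) table and then names the bare '3000000' owner shown in the 4.8.2 `ls -l` listing. The sample records are constructed from the ones quoted above, trimmed to the attributes the check needs.

```python
# Constructed sample records, trimmed from the idmap.ldb / sam.ldb output quoted in the thread.
IDMAP_LDIF = """\
# record 71
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
"""
SAM_LDIF = """\
# record 163
dn: CN=Administrators,CN=Builtin,DC=hprs,DC=local
objectSid: S-1-5-32-544
sAMAccountName: Administrators
"""

def parse_ldif(text):
    """LDIF -> list of {attr: [values]}; '# record' comments and blank lines split records."""
    records, rec = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            if rec:
                records.append(rec)
            rec = {}
            continue
        attr, _, value = line.partition(":")
        rec.setdefault(attr, []).append(value.strip())
    return records + [rec] if rec else records

def build_xid_map(idmap_ldif, sam_ldif):
    """xidNumber -> (SID, idmap type, sAMAccountName or None if the SID is not in sam.ldb)."""
    sid_to_name = {r["objectSid"][0]: r["sAMAccountName"][0]
                   for r in parse_ldif(sam_ldif)
                   if "objectSid" in r and "sAMAccountName" in r}
    return {int(r["xidNumber"][0]): (r["objectSid"][0], r["type"][0],
                                     sid_to_name.get(r["objectSid"][0]))
            for r in parse_ldif(idmap_ldif) if "xidNumber" in r}

def annotate_listing(listing, xid_map):
    """Rewrite the owner column of 'ls -l' lines that show a bare xid instead of a name."""
    out = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) >= 8 and f[2].isdigit() and int(f[2]) in xid_map:
            sid, kind, name = xid_map[int(f[2])]
            f[2] = f"{name or sid}[{kind}]"   # e.g. Administrators[ID_TYPE_BOTH]
            line = " ".join(f)
        out.append(line)
    return "\n".join(out)
```

On a real DC the two inputs would come from `ldbsearch -H /var/lib/samba/private/idmap.ldb` and `ldbsearch -H /var/lib/samba/private/sam.ldb objectSid=S-1-5-32-544`; an xid that resolves here but not through `getent`/`ls` points at the NSS (libnss_winbind) side rather than at the databases.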


