[Samba] Administrator lost write privileges to sysvol (Can't add/edit anything using RSAT Tools)

Darren Conte darren.conte at volereservices.com
Fri Jan 24 16:05:28 UTC 2020


On 23/01/2020 14:36, Darren Conte via samba wrote:
>> Perplexed how Administrator lost the ability to write.
>>
>You and me both :-(
>
>Try this:
>
>ldbsearch -H /var/lib/samba/private/idmap.ldb
>"(&(objectClass=sidMap)(cn=$(net getdomainsid | awk '{print $NF}')-500))"
>
>It should return something like this:
>
>dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
>cn: S-1-5-21-1768301897-3342589593-1064908849-500
>objectClass: sidMap
>objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
>type: ID_TYPE_UID
>xidNumber: 0
>distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500
>
>The important one is 'xidNumber', it should be '0'
>
>Does Administrator have a 'uidNumber' attribute ?
>
>Rowland


Rowland, see below. I ran other commands to further show that Administrator
seems mapped properly.

root at server:/# ldbsearch -H /usr/local/samba/private/idmap.ldb
"(&(objectClass=sidMap)(cn=$(net getdomainsid | awk '{print $NF}')-500))"
# record 1
dn: CN=S-1-5-21-1307040974-1114864040-1086783555-500
cn: S-1-5-21-1307040974-1114864040-1086783555-500
objectClass: sidMap
objectSid: S-1-5-21-1307040974-1114864040-1086783555-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1307040974-1114864040-1086783555-500

# returned 1 records
# 1 entries
# 0 referrals

root at server:/# wbinfo --user-groups=Administrator
100
3000006
3000007
3000004
3000008
3000005
3000009
3000000

root at server:/# wbinfo --name-to-sid=Administrator
S-1-5-21-1307040974-1114864040-1086783555-500 SID_USER (1)

root at server:/# wbinfo --user-info=Administrator
RADICALLAW\administrator:*:0:100::/home/RADICALLAW/administrator:/bin/false

root at server:/# wbinfo
--sid-to-fullname=S-1-5-21-1307040974-1114864040-1086783555-500
RADICALLAW\ 1

I do not have a "UNIX Attributes" tab in ADUC.
I am not using any linux domain workstations/members and do not have the
setting "idmap_ldb:use rfc2307 = yes" in smb.conf [Global].  Should I apply
this setting to see what exists? Or is there a command I can run to check
for 'uidNumber' attribute?


Louis writes:

>Compaired to mine.
># file: home/samba/sysvol
># owner: root
># group: root
># flags: -s-
>user::rwx
>user:root:rwx
>user:BUILTIN\\administrators:rwx
>user:BUILTIN\\server\040operators:r-x
>user:NT\040AUTHORITY\\system:rwx
>user:NT\040AUTHORITY\\authenticated\040users:r-x
>group::rwx
>group:BUILTIN\\administrators:rwx
>group:BUILTIN\\server\040operators:r-x
>group:NT\040AUTHORITY\\system:rwx
>group:NT\040AUTHORITY\\authenticated\040users:r-x
>mask::rwx
>other::---
>default:user::rwx
>default:user:root:rwx
>default:user:BUILTIN\\administrators:rwx
>default:user:BUILTIN\\server\040operators:r-x
>default:user:NT\040AUTHORITY\\system:rwx
>default:user:NT\040AUTHORITY\\authenticated\040users:r-x
>default:group::---
>default:group:BUILTIN\\administrators:rwx
>default:group:BUILTIN\\server\040operators:r-x
>default:group:NT\040AUTHORITY\\system:rwx
>default:group:NT\040AUTHORITY\\authenticated\040users:r-x
>default:mask::rwx
>default:other::---
>default:other::---
>
>You see the differences..
>
>I think its mostly share of ACL rights the need be corrected.
>
>Greetz,
>
>Louis

Louis,
My getfacl might seem different to yours, but it's similar to 3 other
installations of samba 4.11.4 I have at other client locations. You have
the BUILTIN\Group Names spelled out and I have the gids, but they map to
the same thing (see below). The only group that's missing is 'Pre-Windows
2000 Compatibility' and this is most likely due to the
"--reset-well-known-acls" command I ran to try and get WRITE access back
again.

root at server:/# getfacl usr/local/samba/var/locks/sysvol
# file: usr/local/samba/var/locks/sysvol
# owner: 3000000
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::r-x
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::rwx

root at server:/# wbinfo --gid-info=3000000
BUILTIN\administrators:x:3000000:
root at server:/# wbinfo --gid-info=3000001
BUILTIN\server operators:x:3000001:
root at server:/# wbinfo --gid-info=3000003
NT AUTHORITY\authenticated users:x:3000003:

root at server:/# wbinfo --user-groups=administrator
100
3000006
3000007
3000004
3000008
3000005
3000009
3000000
root at server:/# ^C
root at server:/# wbinfo --gid-info=3000006
RADICALLAW\schema admins:x:3000006:

root at server:/# wbinfo --gid-info=3000007
RADICALLAW\enterprise admins:x:3000007:

root at server:/# wbinfo --gid-info=3000004
RADICALLAW\domain admins:x:3000004:

root at server:/# wbinfo --gid-info=3000008
RADICALLAW\group policy creator owners:x:3000008:

root at server:/# wbinfo --gid-info=3000005
RADICALLAW\denied rodc password replication group:x:3000005:

root at server:/# wbinfo --gid-info=3000009
BUILTIN\users:x:3000009:

root at server:/# wbinfo --gid-info=3000000
BUILTIN\administrators:x:3000000:

Wouldn't the 3000000 allow me WRITE access and the ability to change ACLs
via Windows?  This is what's perplexing.

Plus, this also should have been re-applied when I re-installed 4.11.4 with
commands below, correct?
./configure --enable-debug --enable-selftest
make && make install
samba-tool dbcheck --cross-ncs --fix
reboot

Again, I incorrectly removed the 'Domain Admins' Group from a delegated
User in their 'Members of' attribute in ADUC, and when I closed ADUC, I
lost all WRITE permissions as the DOMAIN\Administrator to everything, which
means I cannot change anything in ADUC, GPO or the ACL permissions to the
sysvol directory from Windows.

I think it's a combo of both sysvol permissions, but driven more by what
Rowland is saying, a db issue. If there wasn't a db issue, I would think I
could change sysvol permissions.

Losing my mind here. :-/  Can we just replace the db's?
I have a full backup (.bz2) from the day before this occurred, but do not
want to go through the entire restore process, which will disrupt the work
location, and the samba 4.9+ restore seems complicated to me anyhow.  BTW,
the restore process prior to 4.9, where I could simply stop samba, untar
the .bz2 files, and replace everything with a few commands, would be super
useful right now. Please bring that back guys.

Is there a simple way to restore the database files without bringing down
the site for an extended period of time doing an entire restore? It's a
very busy office with users in many global locations.   I say that because,
since I do not have WRITE access to anything, nothing has changed.

Thanks again for all the input.
Darren
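The xid-to-name mapping Darren does by hand above (one wbinfo --gid-info call per number, then reading the rwx entries) can be scripted. The following is an added example, not code from the thread or from Samba: it parses getfacl output, resolves numeric qualifiers with the names the thread's wbinfo output gave, and reports whether BUILTIN\administrators holds rwx in the access and default ACL and whether 'other' has been granted write (which Darren's default ACL shows and Louis's does not). The XID_NAMES table, the function names and the DARREN_SYSVOL sample (built from the getfacl entries posted above) are this example's own.

```python
# Names from the wbinfo --gid-info output in the thread; build this table from
# 'wbinfo --gid-info=<xid>' on your own DC. 3000002 was never resolved there.
XID_NAMES = {
    "3000000": "BUILTIN\\administrators",
    "3000001": "BUILTIN\\server operators",
    "3000003": "NT AUTHORITY\\authenticated users",
}

def parse_getfacl(text):
    """Parse getfacl output into {(scope, tag, qualifier): perms}; scope is
    'access' or 'default'. getfacl escapes spaces as \\040 and '\\' as \\\\."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.count(":") < 2:
            continue  # blanks, '# file:' headers and getfacl warnings
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        qualifier = qualifier.replace("\\040", " ").replace("\\\\", "\\")
        acl[(scope, tag, qualifier)] = perms
    return acl

def resolve_acl(acl, names=XID_NAMES):
    """Replace numeric qualifiers with winbind names; unknown xids stay numeric."""
    return {(s, t, names.get(q, q)): p for (s, t, q), p in acl.items()}

def audit_sysvol_acl(acl):
    """Findings for sysvol: BUILTIN\\administrators needs rwx as user and group
    entry in both the access and default ACL, and 'other' must not get write."""
    findings = []
    for scope in ("access", "default"):
        for tag in ("user", "group"):
            perms = acl.get((scope, tag, "BUILTIN\\administrators"), "---")
            if perms != "rwx":
                findings.append(f"{scope} {tag} BUILTIN\\administrators: {perms}, want rwx")
        if "w" in acl.get((scope, "other", ""), "---"):
            findings.append(f"{scope} other: write granted, want ---")
    return findings

# Constructed from Darren's getfacl output above (entries only, '#' headers dropped).
DARREN_SYSVOL = "\n".join("""
user::rwx user:root:rwx user:3000000:rwx user:3000001:r-x user:3000002:rwx user:3000003:r-x
group::rwx group:3000000:rwx group:3000001:r-x group:3000002:rwx group:3000003:r-x
mask::rwx other::r-x
default:user::rwx default:user:root:rwx default:user:3000000:rwx default:user:3000001:r-x
default:user:3000002:rwx default:user:3000003:r-x default:group::r-x
default:group:3000000:rwx default:group:3000001:r-x default:group:3000002:rwx
default:group:3000003:r-x default:mask::rwx default:other::rwx
""".split())

if __name__ == "__main__":
    print(audit_sysvol_acl(resolve_acl(parse_getfacl(DARREN_SYSVOL))))
```

On a DC, feed it the real output of `getfacl /usr/local/samba/var/locks/sysvol` and fill XID_NAMES from `wbinfo --gid-info=<xid>` for every number that appears.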
---------- Forwarded message ----------
From: Rowland penny <rpenny at samba.org>
To: samba at lists.samba.org
Cc:
Bcc:
Date: Thu, 23 Jan 2020 15:05:16 +0000
Subject: Re: [Samba] Administrator lost write privileges to sysvol (Can't
add/edit anything using RSAT Tools)
On 23/01/2020 14:36, Darren Conte via samba wrote:
> Perplexed how Administrator lost the ability to write.
>
You and me both :-(

Try this:

ldbsearch -H /var/lib/samba/private/idmap.ldb
"(&(objectClass=sidMap)(cn=$(net getdomainsid | awk '{print $NF}')-500))"

It should return something like this:

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
cn: S-1-5-21-1768301897-3342589593-1064908849-500
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500

The important one is 'xidNumber', it should be '0'

Does Administrator have a 'uidNumber' attribute ?

Rowland
---------- Forwarded message ----------
From: "L.P.H. van Belle" <belle at bazuin.nl>
To: "samba at lists.samba.org" <samba at lists.samba.org>
Cc:
Bcc:
Date: Thu, 23 Jan 2020 16:06:04 +0100
Subject: Re: [Samba] Administrator lost write privileges to sysvol (Can't
add/edit anything using RSAT Tools)
I haven't read the complete thread, but was "Create Group" set on the share?

What does getfacl say on the file/folder?

Deny is preferred over Allow.

Your setup on sysvol shows :
getfacl /usr/local/samba/var/locks/sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: 3000000
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::r-x
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::rwx

Compared to mine.
# file: home/samba/sysvol
# owner: root
# group: root
# flags: -s-
user::rwx
user:root:rwx
user:BUILTIN\\administrators:rwx
user:BUILTIN\\server\040operators:r-x
user:NT\040AUTHORITY\\system:rwx
user:NT\040AUTHORITY\\authenticated\040users:r-x
group::rwx
group:BUILTIN\\administrators:rwx
group:BUILTIN\\server\040operators:r-x
group:NT\040AUTHORITY\\system:rwx
group:NT\040AUTHORITY\\authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:BUILTIN\\server\040operators:r-x
default:user:NT\040AUTHORITY\\system:rwx
default:user:NT\040AUTHORITY\\authenticated\040users:r-x
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:BUILTIN\\server\040operators:r-x
default:group:NT\040AUTHORITY\\system:rwx
default:group:NT\040AUTHORITY\\authenticated\040users:r-x
default:mask::rwx
default:other::---
default:other::---

You see the differences..

I think it's mostly the share ACL rights that need to be corrected.


Greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Wednesday 22 January 2020 19:55
> To: samba at lists.samba.org
> Subject: Re: [Samba] Administrator lost write privileges to
> sysvol (Can't add/edit anything using RSAT Tools)
>
> On 22/01/2020 17:44, Darren Conte via samba wrote:
> > Thanks for the reply Rowland.
> >
> > I do realize now, the add/removal of a group member must be
> performed from
> > the 'members' attribute of the Group. I was unaware of this.
> >
> > Here is the command results.  This is a compiled samba so I
> edited your
> > command to point to the correct directory.
> >
> >> Is your old user in the output ?
> > No - the old user 'Rodolfo' is not listed here anymore.
> >
> > root at server:/# ldbsearch -H
> /usr/local/samba/private/sam.ldb -b $(echo
> > dc=$(hostname -d) | sed 's/\./,dc=/g') -s sub
> > '(&(objectClass=group)(cn=Domain Admins))' member
> > # record 1
> > dn: CN=Domain Admins,CN=Users,DC=radicallaw,DC=net
> > member: CN=Jeanne Mirer,CN=Users,DC=radicallaw,DC=net
> > member: CN=Administrator,CN=Users,DC=radicallaw,DC=net
> >
> I only half expected it would be ;-)
>
> Try running 'samba-tool dbcheck' on the DC, does it show any errors ?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>
---------- Forwarded message ----------
From: Rowland penny <rpenny at samba.org>
To: samba at lists.samba.org
Cc:
Bcc:
Date: Thu, 23 Jan 2020 15:30:32 +0000
Subject: Re: [Samba] Administrator lost write privileges to sysvol (Can't
add/edit anything using RSAT Tools)
Hi Louis, I don't think the problem has anything to do with sysvol
(though I am open to having my mind changed); the problem seems to have
something to do with Administrator no longer being able to write to AD
from ADUC.

Rowland
---------- Forwarded message ----------
From: "L.P.H. van Belle" <belle at bazuin.nl>
To: "samba at lists.samba.org" <samba at lists.samba.org>
Cc:
Bcc:
Date: Thu, 23 Jan 2020 16:53:08 +0100
Subject: Re: [Samba] Administrator lost write privileges to sysvol (Can't
add/edit anything using RSAT Tools)
Ah, ok, I misread that.

So it's something in the DB.

Are the SePrivileges checked?

I use something like this for that.

SEPRIVILEGE="SeMachineAccountPrivilege \
SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege \
SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
SeDiskOperatorPrivilege SeSecurityPrivilege SeSystemtimePrivilege \
SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege \
SeSystemProfilePrivilege SeProfileSingleProcessPrivilege \
SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege \
SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege \
SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege \
SeCreateGlobalPrivilege \
SeEnableDelegationPrivilege"

kinit Administrator

for sepriv in $SEPRIVILEGE ; do
    # For a member server.
    # net rpc rights list privileges $sepriv -S $(hostname -f) -k

    # samba-tool dsacl get ?
    # (I never had to check that, so the above command, but then for AD DCs.)

done
kdestroy

_______________________________________________
samba mailing list
samba at lists.samba.org
https://lists.samba.org/mailman/listinfo/samba