[Samba] samba Digest, Vol 205, Issue 28

Darren Conte darren.conte at volereservices.com
Tue Jan 28 17:31:31 UTC 2020


> ---------- Forwarded message ----------
> From: Rowland penny <rpenny at samba.org>
> To: samba at lists.samba.org
> Cc:
> Bcc:
> Date: Mon, 27 Jan 2020 15:08:57 +0000
> Subject: Re: [Samba] Administrator lost write privileges to sysvol (Can't
> add/edit anything using RSAT Tools)
> On 27/01/2020 14:49, Darren Conte via samba wrote:
> > Perhaps I should have been more explicit, If you have more than one DC
> > in a domain and only one of those is giving problems, then demote the
> > problem DC, but if you have only DC (which isn't recommended) then you
> > have problems.
> >
> > As I said, Sysvol is only used for GPOs and Administrator not being able
> > to write to it is not the fault, but a symptom.
> >
> > Can you log into a Windows PC as Administrator, connect to a share on a
> > Unix machine as Administrator and create a file. Then go to the Unix
> > machine and see who the file was saved as.
> >
> > Rowland
> > Rowland - I logged onto a PC as DOMAIN\Administrator and created the two
> > items below from Windows.  As you can see the owner is 'root'.
> >
> > root@server:/Shares/Pool# ls -la | grep 'Fred'
> > drwxrwsrwx+   2 root     users   4096 Jan 27 08:26 Fred
> > -rwxrwxrwx+   1 root     users   8458 Jan 27 08:26 Fred.odt
> Good, this is what I expected and shows that Administrator is being
> mapped to 'root'
> >
> > When other 'Domain Users' create content within /Shares/Pool, owner = UID
> > (respectively).
> > drwxrwsrwx+   4  3000027 users   4096 Jan 27 08:27 Test_Folder
> >
> > My issue only stems around DOMAIN\Administrator, here's why.  As a test, I
> > logged in as another Delegated User who was a 'Member of' the Domain Admins
> > group.  What is strange, is that username has full WRITE privileges to ADUC
> > and GPO, and can add/edit all objects (which is expected).  So, I
> > successfully added my username to the 'Members' of Domain Admins, logged
> > out and was successfully able to verify that I have full WRITE privileges
> > too.  So again, it seems like removing 'Rodolfo' from 'Domain Admins'
> > incorrectly only seemed to corrupt DOMAIN\Administrator since that was the
> > username I was performing the task from.
> This is very strange, is Administrator a member of Domain Admins? Or
> did you change 'Administrator' to 'Rodolfo'? (those may actually be the
> same question)
>

Nope - I have never touched Administrator.  Rodolfo was added as a normal
user, delegated incorrectly to 'Domain Admins' then removed incorrectly
from 'Domain Admins'.


> > If that is the case, do you think if I logon as my Delegated User, remove
> > DOMAIN\Administrator from 'Members' in Domain Admins group, reboot then
> > re-add it back in, might straighten out the corruption? I don't know if
> > there would be downstream issues, so I am looking for your input before I
> > do-so.  Let me know your thoughts?
>
> It should show in Domain Admins like this:
>
> member: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
>


It does.


> And 'Domain Admins' should be a member of 'Administrators'
>


It is.


> Can you dump the following objects from AD, sanitise them and then post
> them:
>
> CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com
>
>  ldbsearch -H /usr/local/samba/private/sam.ldb -b $(echo dc=$(hostname -d) | sed 's/\./,dc=/g') -s sub '(&(objectClass=group)(cn=Administrators))' member

# record 1
dn: CN=Administrators,CN=Builtin,DC=SAMDOM,DC=net
member: CN=Enterprise Admins,CN=Users,DC=SAMDOM,DC=net
member: CN=Domain Admins,CN=Users,DC=SAMDOM,DC=net
member: CN=Administrator,CN=Users,DC=SAMDOM,DC=net


> CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
>
root@server:/# samba-tool user show administrator
dn: CN=Administrator,CN=Users,DC=SAMDOM,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20190719185346.0Z
uSNCreated: 3626
name: Administrator
objectGUID: f5d21cc0-5c91-47fd-a0e1-1b775789d11d
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-1307040974-1114864040-1086783555-500
adminCount: 1
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=SAMDOM,DC=net
isCriticalSystemObject: TRUE
memberOf: CN=Domain Admins,CN=Users,DC=SAMDOM,DC=net
memberOf: CN=Schema Admins,CN=Users,DC=SAMDOM,DC=net
memberOf: CN=Enterprise Admins,CN=Users,DC=SAMDOM,DC=net
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=SAMDOM,DC=net
memberOf: CN=Administrators,CN=Builtin,DC=SAMDOM,DC=net
userAccountControl: 66048
accountExpires: 0
scriptPath: logon_ISZ.bat
profilePath: \\server\Profiles\Administrator
pwdLastSet: 132174046013252990
lastLogonTimestamp: 132241081297276560
whenChanged: 20200121192209.0Z
uSNChanged: 44849
lastLogon: 132246956868906390
logonCount: 4898
distinguishedName: CN=Administrator,CN=Users,DC=SAMDOM,DC=net


> CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
>
root@server:/# samba-tool group show 'Domain Admins'

dn: CN=Domain Admins,CN=Users,DC=SAMDOM,DC=net
objectClass: top
objectClass: group
cn: Domain Admins
description: Designated administrators of the domain
instanceType: 4
whenCreated: 20190719185347.0Z
uSNCreated: 3630
name: Domain Admins
objectGUID: 6f529b8b-cb16-4b23-831b-b8edfdb700b3
objectSid: S-1-5-21-1307040974-1114864040-1086783555-512
adminCount: 1
sAMAccountName: Domain Admins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=SAMDOM,DC=net
isCriticalSystemObject: TRUE
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=SAMDOM,DC=
 net
memberOf: CN=Administrators,CN=Builtin,DC=SAMDOM,DC=net
member: CN=Darren,CN=Users,DC=SAMDOM,DC=net
member: CN=Administrator,CN=Users,DC=SAMDOM,DC=net
whenChanged: 20200127141558.0Z
uSNChanged: 46387
distinguishedName: CN=Domain Admins,CN=Users,DC=SAMDOM,DC=net
> One other thing, can you please reply to the mailing list, I do not know
> what you are actually doing, but it is breaking the thread ;-)
>
> Rowland
>
Thanks again,
Darren


>
>
> _______________________________________________
> samba mailing list
> samba at lists.samba.org
> https://lists.samba.org/mailman/listinfo/samba
>
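An added example, not part of this thread and not Samba's own tooling: a small Python script that unfolds LDIF output of the kind `ldbsearch` and `samba-tool ... show` print above (continuation lines start with one space, as in the folded `memberOf` DN) and checks the membership chain Rowland describes, Administrator in Domain Admins and Domain Admins in Builtin Administrators, also decoding `userAccountControl`. The sample LDIF is constructed from the thread's values; the base DN and the record names are assumptions.

```python
import re

# Constructed sample modelled on the dumps in the thread; the second record keeps
# the folded DN exactly as ldb prints it (continuation line starts with a space).
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=SAMDOM,DC=net
primaryGroupID: 513
userAccountControl: 66048
memberOf: CN=Domain Admins,CN=Users,DC=SAMDOM,DC=net
memberOf: CN=Administrators,CN=Builtin,DC=SAMDOM,DC=net

dn: CN=Domain Admins,CN=Users,DC=SAMDOM,DC=net
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=SAMDOM,DC=
 net
memberOf: CN=Administrators,CN=Builtin,DC=SAMDOM,DC=net
member: CN=Administrator,CN=Users,DC=SAMDOM,DC=net
"""

# Subset of userAccountControl bits; 66048 = 0x200 | 0x10000.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0200: "NORMAL_ACCOUNT",
             0x10000: "DONT_EXPIRE_PASSWORD"}

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; unfolds LDIF continuation lines first."""
    unfolded = re.sub(r"\n ", "", text)          # join ' '-prefixed continuations
    records = {}
    for block in unfolded.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):  # skip '# record N' comments
                continue
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        records[attrs["dn"][0]] = attrs
    return records

def decode_uac(value):
    bits = int(value)
    return sorted(name for bit, name in UAC_FLAGS.items() if bits & bit)

def check_admin_chain(records, base_dn="DC=SAMDOM,DC=net"):
    """Return findings about the expected admin chain; empty means intact."""
    dadmins_dn = f"CN=Domain Admins,CN=Users,{base_dn}"
    builtin_dn = f"CN=Administrators,CN=Builtin,{base_dn}"
    admin = records.get(f"CN=Administrator,CN=Users,{base_dn}", {})
    dadmins = records.get(dadmins_dn, {})
    findings = []
    if dadmins_dn not in admin.get("memberOf", []):
        findings.append("Administrator is not a member of Domain Admins")
    if builtin_dn not in dadmins.get("memberOf", []):
        findings.append("Domain Admins is not a member of Builtin Administrators")
    if admin.get("primaryGroupID", ["?"])[0] != "513":
        findings.append("Administrator primaryGroupID is not 513 (Domain Users)")
    if "ACCOUNTDISABLE" in decode_uac(admin.get("userAccountControl", ["0"])[0]):
        findings.append("Administrator account is disabled")
    return findings
```

Feed it the real output of `samba-tool user show administrator` and `samba-tool group show 'Domain Admins'` concatenated with a blank line between records.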