[Samba] Root user shows up as "administrator"

Matthias Kühne | Ellerhold AG matthias.kuehne at ellerhold.de
Wed Feb 17 11:56:20 UTC 2021


Hey,

sadly "net cache flush" did nothing.

But this did the trick:

systemctl restart nscd nslcd
nscd --invalidate=passwd
nscd --invalidate=group
nscd --invalidate=hosts
nscd --invalidate=services
nscd --invalidate=netgroup
net cache flush

root is root again at last.

After around 10 mins it reverted back to DOMAIN\Administrator. Running 
net cache flush -> still administrator.

I've demoted the dc-2 again, cleared out all entries in ADUC and DNS and 
reverted the VM to a snapshot directly after it was freshly installed. I 
installed samba, joined the domain as DC ...

root is root again! ~ 10 mins later root is Admin again. I checked again 
40 mins later and voila - it's root again.

Something's definitely not right here...


I rechecked the other DCs:

root at DC1# id DOMAIN\\administrator
uid=10372(DOMAIN\administrator) gid=10072(DOMAIN\domain users) groups=10072(DOMAIN\domain users),3000004(DOMAIN\domain admins),100000519(DOMAIN\enterprise admins),100000520(DOMAIN\group policy creator owners),100000518(DOMAIN\schema admins),100000572(DOMAIN\denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)

The DC1 didn't pick up the removal of the UID! After clearing the cache 
(see above):

root at DC1 # id AD-ELLERHOLD\\administrator
uid=0(DOMAIN\administrator) gid=10072(DOMAIN\domain users) groups=10072(DOMAIN\domain users),3000004(DOMAIN\domain admins),100000519(DOMAIN\enterprise admins),100000520(DOMAIN\group policy creator owners),100000518(DOMAIN\schema admins),100000572(DOMAIN\denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)

# whoami
DOMAIN\administrator

WHAT? Oh no :/

After a reboot of the machine:

# id DOMAIN\\administrator
uid=0(root) gid=0(root) groups=0(root)
# whoami
root

Yay!

Then I thought: Is running NSCD on a DC the problem? Should I disable 
it? Or should I disable parts of NSCD (described here: 
https://wiki.archlinux.org/index.php/LDAP_authentication#NSCD_Configuration 
although this is a tutorial for SSSD instead of winbind)?

Same question(s) for a domain member!

DC2's root is back to DOMAIN\administrator.

root at DC2 # id AD-ELLERHOLD\\administrator
uid=0(DOMAIN\administrator) gid=10072(DOMAIN\domain users) groups=10072(DOMAIN\domain users),3000004(DOMAIN\domain admins),100000519(DOMAIN\enterprise admins),100000520(DOMAIN\group policy creator owners),100000518(DOMAIN\schema admins),100000572(DOMAIN\denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)

root at DC2 # whoami
DOMAIN\administrator

root at DC2 # systemctl stop nscd

root at DC2 # whoami
root

root at DC2 # id DOMAIN\\administrator
uid=0(root) gid=0(root) groups=0(root)

Seems like nscd is the problem! It's confused that 2 users (root and 
DOMAIN\Administrator) have the same UID (0) and returns one at random 
(or something like that)? Is my suspicion correct?

There is one sentence in 
https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting to 
disable nscd completely.

But there is no mention of nscd in 
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member nor 
in 
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller 
. If I'm correct - could you please add a line in each of the HOW-TOs to 
disable nscd completely (or disable parts of it)?

Thanks for your help!

-- 
Matthias Kühne
Senior Web Developer
Data Protection Officer

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99

Web     www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe

Amtsgericht Dresden / HRB 23769
Management Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold
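Added example, not from the post above or from the Samba project: a small POSIX shell check for the symptom described in the thread, i.e. uid 0 answering to a domain name through the NSS chain, and a domain account resolving to uid 0 at all. The account name `DOMAIN\administrator` and the path `/etc/nscd.conf` are assumptions; the classifier is kept pure so it can be exercised with constructed values.

```shell
#!/bin/sh
# Added example (not the original poster's code). Checks whether the NSS chain
# (files -> winbind, possibly fronted by nscd) still maps uid 0 to "root", and
# whether a domain account also resolves to uid 0.

DOMAIN_ADMIN='DOMAIN\administrator'   # assumed placeholder; use your own domain's account

# Pure classifier so the logic can be tested with constructed values.
# $1: name uid 0 currently resolves to (e.g. the output of `id -un 0`)
# $2: uid the domain account resolves to, or empty if it does not resolve
classify_uid0() {
    name_for_uid0=$1
    domain_uid=$2
    if [ "$name_for_uid0" != "root" ]; then
        echo "shadowed"     # uid 0 now answers to a domain name: root is no longer root
    elif [ "$domain_uid" = "0" ]; then
        echo "collision"    # two names share uid 0; a cache may hand back either one
    else
        echo "ok"
    fi
}

# Print the nscd tables whose cache is enabled, reading nscd.conf text on stdin.
nscd_enabled_tables() {
    awk '$1 == "enable-cache" && $3 == "yes" { print $2 }'
}

# Live check: gather both facts from this host, classify, report nscd caches.
# Returns 0 only when uid 0 is root and the domain account is not uid 0.
check_host() {
    name_for_uid0=$(id -un 0 2>/dev/null)
    domain_uid=$(id -u "$DOMAIN_ADMIN" 2>/dev/null)
    state=$(classify_uid0 "$name_for_uid0" "$domain_uid")
    printf 'uid 0 -> %s, %s -> %s: %s\n' \
        "${name_for_uid0:-?}" "$DOMAIN_ADMIN" "${domain_uid:-unresolved}" "$state"
    if [ -r /etc/nscd.conf ]; then
        tables=$(nscd_enabled_tables < /etc/nscd.conf | tr '\n' ' ')
        [ -n "$tables" ] && printf 'nscd caches enabled for: %s\n' "$tables"
    fi
    [ "$state" = "ok" ]
}
```

Run `check_host` before and after stopping nscd, as in the thread, to see whether the answer changes with the cache rather than with the directory.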
