[Samba] Root user shows up as "administrator"
Matthias Kühne | Ellerhold AG
matthias.kuehne at ellerhold.de
Wed Feb 17 11:56:20 UTC 2021
Hey,
sadly "net cache flush" did nothing.
But this did the trick:
systemctl restart nscd nslcd
nscd --invalidate=passwd
nscd --invalidate=group
nscd --invalidate=hosts
nscd --invalidate=services
nscd --invalidate=netgroup
net cache flush
root is root again at last.
After around 10 mins it reverted back to DOMAIN\Administrator. Running
net cache flush -> still administrator.
I've demoted the dc-2 again, cleared out all entries in ADUC and DNS and
reverted the VM to a snapshot directly after it was freshly installed. I
installed samba, joined the domain as DC ...
root is root again! ~ 10 mins later root is Admin again. I checked again
40 mins later and voila - it's root again.
Something's definitely not right here...
I rechecked the other DCs:
root@DC1# id DOMAIN\\administrator
uid=10372(DOMAIN\administrator) gid=10072(DOMAIN\domain users)
groups=10072(DOMAIN\domain users),3000004(DOMAIN\domain
admins),100000519(DOMAIN\enterprise admins),100000520(DOMAIN\group
policy creator owners),100000518(DOMAIN\schema
admins),100000572(DOMAIN\denied rodc password replication
group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)
The DC1 didn't pick up the removal of the UID! After clearing the cache
(see above):
root@DC1 # id AD-ELLERHOLD\\administrator
uid=0(DOMAIN\administrator) gid=10072(DOMAIN\domain users)
groups=10072(DOMAIN\domain users),3000004(DOMAIN\domain
admins),100000519(DOMAIN\enterprise admins),100000520(DOMAIN\group
policy creator owners),100000518(DOMAIN\schema
admins),100000572(DOMAIN\denied rodc password replication
group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)
# whoami
DOMAIN\administrator
WHAT? Oh no :/
After a reboot of the machine:
# id DOMAIN\\administrator
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
Yay!
Then I thought: Is running NSCD on a DC the problem? Should I disable
it? Or should I disable parts of NSCD (described here:
https://wiki.archlinux.org/index.php/LDAP_authentication#NSCD_Configuration
although this is a tutorial for SSSD instead of winbind)
Same question(s) for a domain member!
DC2's root is back to DOMAIN\administrator.
root@DC2 # id AD-ELLERHOLD\\administrator
uid=0(DOMAIN\administrator) gid=10072(DOMAIN\domain users)
groups=10072(DOMAIN\domain users),3000004(DOMAIN\domain
admins),100000519(DOMAIN\enterprise admins),100000520(DOMAIN\group
policy creator owners),100000518(DOMAIN\schema
admins),100000572(DOMAIN\denied rodc password replication
group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)
root@DC2 # whoami
DOMAIN\administrator
root@DC2 # systemctl stop nscd
root@DC2 # whoami
root
root@DC2 # id DOMAIN\\administrator
uid=0(root) gid=0(root) groups=0(root)
Seems like nscd is the problem! It's confused that 2 users (root and
DOMAIN\Administrator) have the same UID (0) and returns one at random
(or something like that)? Is my suspicion correct?
There is one sentence in
https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting to
disable nscd completely.
But there is no mention of nscd in
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member nor
in
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller.
If I'm correct - could you please add a line in each of the HOW-TOs to
disable nscd completely (or disable parts of it)?
Thanks for your help!
--
Matthias Kühne
Senior Web Developer
Data Protection Officer
Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul
Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99
Web www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe
Dresden Local Court / HRB 23769
Management Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold
----------------
This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments.
You can find our privacy policy here: http://www.ellerhold.de/datenschutz/