[Samba] builtin groups are not mapped by winbind

L. van Belle belle at samba.org
Fri May 20 07:53:57 UTC 2022


Good morning people around the world.. 

@rowland, This script isn't running anymore, can you check/verify it.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-SePrivileges.sh

Can you have a check in it also.  
This smells like a bug.. 

All mentioned groups exist.. in the AD as Builtin\GroupNames and should show
with above script.

net rpc rights list privileges SeBackupPrivilege -UADDOM\\Administrator -S$(hostname -f)
Enter ADDOM\Administrator's password:
Could not connect to server server.internal.hostname.tld
Connection failed: NT_STATUS_INVALID_TOKEN

If it's all good, I get (tested on an old old samba version 4.6.16):

SeBackupPrivilege:
  BUILTIN\Administrators

So, I think there is more going on here.. 


Greetz, 

Louis



> -----Original Message-----
> From: samba On Behalf Of Rowland Penny via samba
> Sent: Friday, 20 May 2022 08:30
> To: samba at lists.samba.org
> CC: Rowland Penny <rpenny at samba.org>
> Subject: Re: [Samba] builtin groups are not mapped by winbind
> 
> On Thu, 2022-05-19 at 22:31 -0300, Anderson Sampaio Mello via samba
> wrote:
> > Thanks for the reply Rowland.
> >
> > But actually I want to map these groups to groups builtins, that's why
> > I reported such a problem.
> 
> It isn't a problem, for those are WINDOWS groups and are not used on Unix,
> so why do you need to map them ?
> 
> >
> > The suggested command generates the same output as shown but the
> > mapping is not done for other BUILTIN user groups, only the groups
> > "BUILTIN\Administrators", "BUILTIN\Guests", "BUILTIN\Users" are
> > mapped automatically.
> >
> > I would like to know why mapping is not done for BUILTIN groups:
> >
> > "BUILTIN\Account Operators"
> > "BUILTIN\Server Operators"
> > "BUILTIN\Backup Operators"
> > "BUILTIN\Print Operators"
> > "BUILTIN\Replicator"
> >
> > As is done for "BUILTIN\Administrators", "BUILTIN\Guests",
> > "BUILTIN\Users" ?
> >
> > If anything, it's that BUILTIN group mappings are created inside
> > group_mapping.tdb and not in winbindd_idmap.tdb
> 
> Exactly, that is because they are Windows groups not normally used on
> Unix.
> 
> Rowland
> 
> 
> 




