Re: [Samba] winbind finds all domain users except Administrator

I tried mapping to root but I still get an ACCESS_DENIED when I try to
mount a share from the domain member.

I'd be very surprised if the samba admin account is the one and only
account that is intentionally denied from accessing shares on a member.

I'm pretty sure this is a bug. I tried this again with two clean installs
(4.7.1) on Linux, one in a VM. Compare this on the DC:

# ./bin/wbinfo -n'MYDOM\administrator'
S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
# ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"

to this on the Domain member:

# ./bin/wbinfo -n'MYDOM\Administrator'
S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)

# ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"

failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2836217491-369655975-2769631473-500 to uid

With other accounts I don't see that error.

In the log.winbindd (log level = 10) on the member I see this:

[2017/11/14 20:14:36.631151,  1, pid=2654, effective(0, 0), real(0, 0),
class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
          out: struct wbint_Sids2UnixIDs
              ids                      : *
                  ids: struct wbint_TransIDArray
                      num_ids                  : 0x00000001 (1)
                      ids: ARRAY(1)
                          ids: struct wbint_TransID
                              type                     : ID_TYPE_UID (1)
                              domain_index             : 0x00000000 (0)
                              rid                      : 0x000001f4 (500)
                              xid: struct unixid
                                  id                       : 0xffffffff
                                  type                     :

So it seems like I get back -1 (0xffffffff) as the uid. Should I file a bug


2017-11-14 10:35 GMT+01:00 Rowland Penny via samba:

> On Mon, 13 Nov 2017 23:15:15 +0100
> Fabian Fritz <fabianfuture@xxxxxx> wrote:
> > I see. I know, the range is a bit odd, but I previously used NIS to
> > get the Unix users from another machine. Now I'm updating to AD and
> > don't use NIS anymore. Since I want to keep all the file ownerships (I
> > use this Solaris member as a file server), I had to map the domain
> > users to that same range.
> OK, hindsight is a wonderful thing, but starting the ID range at 100
> isn't a good idea (for the reason I gave), but sometimes you have to.
> >
> >
> > I used the Administrator to login to some Windows machine in the
> > domain and was surprised when I got an ACCESS_DENIED when I tried to
> > mount a network share there. So this only happens for Administrator?
> > So I have to use one of the users in the domain admins group when I
> > need to do administrative stuff on my Windows machines and also need
> > the shares?
> If you use a user.map, Administrator becomes 'root' on Unix domain
> members and root can do anything on a Unix domain member.
> Try reading this:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> If you have any questions after reading that, just ask ;-)
> Rowland
> --
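
Added example, not part of the original thread: a small Python parser for the wbint_Sids2UnixIDs dump that log.winbindd prints at log level 10, listing the entries whose xid id came back as 0xffffffff (the value the poster reads as -1). The sample log is constructed from the dump in the post plus one made-up mapped entry (rid 1105, uid 105), and the function names are hypothetical.

```python
import re
UNMAPPED = 0xFFFFFFFF  # the id value the poster reads as -1
FIELD = re.compile(r"^\s*(type|domain_index|rid|id)\s+:\s*(\S*)")
# Constructed sample: the dump from the post plus one made-up mapped entry.
SAMPLE_LOG = """\
[2017/11/14 20:14:36.631151,  1, pid=2654, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
          out: struct wbint_Sids2UnixIDs
              ids                      : *
                  ids: struct wbint_TransIDArray
                      num_ids                  : 0x00000002 (2)
                      ids: ARRAY(2)
                          ids: struct wbint_TransID
                              type                     : ID_TYPE_UID (1)
                              domain_index             : 0x00000000 (0)
                              rid                      : 0x000001f4 (500)
                              xid: struct unixid
                                  id                       : 0xffffffff
                                  type                     :
                          ids: struct wbint_TransID
                              type                     : ID_TYPE_UID (1)
                              domain_index             : 0x00000000 (0)
                              rid                      : 0x00000451 (1105)
                              xid: struct unixid
                                  id                       : 0x00000069 (105)
                                  type                     : ID_TYPE_UID (1)
"""

def parse_trans_ids(log_text):
    entries, cur, in_out = [], None, False
    for line in log_text.splitlines():
        s = line.strip()
        if s.startswith("[") or s.startswith("in: struct"):
            in_out, cur = False, None      # new log record or request half
        elif s == "out: struct wbint_Sids2UnixIDs":
            in_out = True                  # only the reply carries mapped ids
        elif in_out and s == "ids: struct wbint_TransID":
            cur = {}
            entries.append(cur)
        elif cur is not None and (m := FIELD.match(line)):
            name, value = m.groups()
            if name == "type":
                cur.setdefault("type", value)  # first 'type' is the TransID's, the later one is xid's
            elif value:
                cur["xid" if name == "id" else name] = int(value, 16)
    return entries

def unmapped(entries):
    return [e for e in entries if e.get("xid") == UNMAPPED]
```

Calling unmapped(parse_trans_ids(text)) on the contents of a member's log.winbindd returns the rid and domain_index of every SID that winbindd could not map in a Sids2UnixIDs reply.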
