Web lists-archives.com

Re: [Samba] winbind finds all domain users except Administrator




On Tue, 14 Nov 2017 21:36:49 +0100
Fabian Fritz <fabianfuture@xxxxxx> wrote:

> I tried mapping to root but I still get an ACCESS_DENIED when I try to
> mount a share from the domain member.
> 
> I'd be very surprised if the samba admin account is the one and only
> account that is intentionally denied from accessing shares on a
> member.
> 
> I'm pretty sure this is a bug. I tried this again with two clean
> installs (4.7.1) on Linux, one in a VM. Compare this on the DC:
> 
> # ./bin/wbinfo -n'MYDOM\administrator'
> S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
> # ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
> 0
> 
> to this on the Domain member:
> 
> # ./bin/wbinfo -n'MYDOM\Administrator'
> S-1-5-21-2836217491-369655975-2769631473-500 SID_USER (1)
> 
> # ./bin/wbinfo -S"S-1-5-21-2836217491-369655975-2769631473-500"
> 
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-2836217491-369655975-2769631473-500 to
> uid
> 
> With other accounts I don't see that error.
> 
> In the log.winbindd (log level = 10) on the member I see this:
> 
> [2017/11/14 20:14:36.631151,  1, pid=2654, effective(0, 0), real(0,
> 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
>        wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
>           out: struct wbint_Sids2UnixIDs
>               ids                      : *
>                   ids: struct wbint_TransIDArray
>                       num_ids                  : 0x00000001 (1)
>                       ids: ARRAY(1)
>                           ids: struct wbint_TransID
>                               type                     : ID_TYPE_UID
> (1) domain_index             : 0x00000000 (0)
>                               rid                      : 0x000001f4
> (500) xid: struct unixid
>                                   id                       :
> 0xffffffff (4294967295)
>                                   type                     :
> ID_TYPE_NOT_SPECIFIED (0)
> 
> 
> So it seems like I get back -1 (0xffffffff) as the uid. Should I file
> a bug ticket?

NO

You do not use Administrator as a normal user on Unix, you wouldn't use
Administrator like this on Windows.

Using wbinfo just shows that winbind can connect to AD, it doesn't show
that the Unix OS knows who the AD users are, you need to use 'getent'
for this.

You are using the winbind 'ad' backend with the range '100-60000'
Does 'Domain Users' have a gidNumber attribute containing a number
inside this range ?
Even if it does, you will not get the Unix OS to recognise
Administrator, because Administrator is mapped to 'root' and the Unix
ID for 'root' is '0' and '0' is outside the '100-60000' range.
I know what your next thought will be, give Administrator a uidNumber
inside the range, well, yes you could, but this would turn
Administrator into a normal user as far as the Unix OS is concerned
and isn't recommended.

Just use another user to mount the share ;-)

Rowland  

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba