Missing sids for domain administrator?

Missing sids for domain administrator?

by Ian Puleston

Hi,

I'm working on bug https://bugzilla.samba.org/show_bug.cgi?id=6592 and
something that has apparently changed in my setup is preventing me from
testing the final stages of the fix. I have a machine running Samba
server and joined to the domain, and am accessing that from the W2K3
domain server, logged into the latter as the domain
administrator. But the problem is that in its access checks smbd is not
getting the sid for the Administrators group (S-1-5-32-544).

In an email that I sent back in July
(http://lists.samba.org/archive/samba/2009-July/149285.html) I included
my samba log file, and at that point I was getting the S-1-5-32-544 sid,
but something has changed since then and now I am not. My question is
does anyone have any idea of what may have changed that would cause
that?

Here is an extract from the log in that email:

  Checking password for unmapped user [SD80]\[Administrator]@[IANSERVER] with the new password interface
  check_ntlm_password:  mapped user is: [SD80]\[Administrator]@[IANSERVER]
  check_ntlm_password: winbind authentication for user [Administrator] succeeded
  check_ntlm_password:  authentication for user [Administrator] ->[Administrator] -> [SD80+administrator] succeeded
  se_access_check: user sid is S-1-5-21-4023909512-3739307249-2032274589-500
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-513
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-520
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-519
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-518
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512
  se_access_check: also S-1-5-32-545
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-22-1-601
  se_access_check: also S-1-22-2-604
  se_access_check: also S-1-22-2-607
  se_access_check: also S-1-22-2-608
  se_access_check: also S-1-22-2-609
  se_access_check: also S-1-22-2-610
  se_access_check: also S-1-22-2-603
  se_access_check: also S-1-22-2-602

And here is what I am seeing now:

  check_ntlm_password:  Checking password for unmapped user [SD80]\[Administrator]@[IANSERVER] with the new password interface
  check_ntlm_password:  mapped user is: [SD80]\[Administrator]@[IANSERVER]
  check_ntlm_password: winbind authentication for user [Administrator] succeeded
  check_ntlm_password:  authentication for user [Administrator] -> [Administrator] -> [SD80+administrator] succeeded
  se_access_check: user sid is S-1-5-21-4023909512-3739307249-2032274589-500
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-513
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-520
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-519
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-518
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512

The missing sids are for the Users and Administrators group, plus those
"S-2-22-2" sids, whatever they are.

Thanks
Ian
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
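
Added example, not part of the original post and not Samba code: a small Python script that diffs two smbd log extracts by the SIDs listed in their `se_access_check` lines and labels what went missing. The sample logs are trimmed from the extracts above; the function names are hypothetical, and a SID wrapped onto its own line (as mail clients do) is tolerated.

```python
import re

SID_RE = re.compile(r"S-1(?:-\d+)+")

# Well-known SIDs that appear in the logs in this thread.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

def describe(sid):
    """Label a SID by well-known value or by its authority prefix."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    rid = sid.rsplit("-", 1)[1]
    if sid.startswith("S-1-22-1-"):
        return "Unix user, uid " + rid    # Samba's SID for an unmapped Unix user
    if sid.startswith("S-1-22-2-"):
        return "Unix group, gid " + rid   # Samba's SID for an unmapped Unix group
    if sid.startswith("S-1-5-21-"):
        return "domain account or group, RID " + rid
    return "unrecognised"

def token_sids(log_text):
    """SIDs from se_access_check lines; a SID alone on a wrapped line counts too."""
    sids = []
    for line in log_text.splitlines():
        s = line.strip()
        if "se_access_check:" in s or SID_RE.fullmatch(s):
            sids.extend(SID_RE.findall(s))
    return sids

def missing(before, after):
    """SIDs present in the earlier token but absent from the later one."""
    now = set(token_sids(after))
    return [(sid, describe(sid)) for sid in token_sids(before) if sid not in now]

# Sample input trimmed from the two log extracts in the post.
AFTER = """  se_access_check: user sid is
S-1-5-21-4023909512-3739307249-2032274589-500
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512
  se_access_check: also S-1-1-0
"""
BEFORE = AFTER + """  se_access_check: also S-1-5-32-545
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-22-1-601
  se_access_check: also S-1-22-2-604
"""

if __name__ == "__main__":
    for sid, label in missing(BEFORE, AFTER):
        print(sid, "=", label)
```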

Re: Missing sids for domain administrator?

by Ian Puleston

> -----Original Message-----
> From: samba-bounces@... On Behalf Of Ian Puleston
> Sent: Thursday, October 29, 2009 11:22 AM
>
> I'm working on bug https://bugzilla.samba.org/show_bug.cgi?id=6592 and
> something that has apparently changed in my setup is preventing me from
> testing the final stages of the fix. I have a machine running Samba
> server and joined to the domain, and am accessing that from the W2K3
> domain server, logged into the latter as the domain
> administrator. But the problem is that in its access checks smbd is not
> getting the sid for the Administrators group (S-1-5-32-544).
>
> Back in July I was getting the S-1-5-32-544 sid,
> but something has changed since then and now I am not.
 
The samba log from back in July:

>   se_access_check: user sid is S-1-5-21-4023909512-3739307249-2032274589-500
>   se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-513
>   se_access_check: also S-1-1-0
>   se_access_check: also S-1-5-2
>   se_access_check: also S-1-5-11
>   se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-520
>   se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-519
>   se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-518
>   se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512
>   se_access_check: also S-1-5-32-545
>   se_access_check: also S-1-5-32-544
>   se_access_check: also S-1-22-1-601
>   se_access_check: also S-1-22-2-604
>   se_access_check: also S-1-22-2-607
>   se_access_check: also S-1-22-2-608
>   se_access_check: also S-1-22-2-609
>   se_access_check: also S-1-22-2-610
>   se_access_check: also S-1-22-2-603
>   se_access_check: also S-1-22-2-602
>
> The missing sids are for the Users and Administrators group, plus those
> "S-2-22-2" sids, whatever they are.

A bit more information I've managed to glean. I'm working on Fedora 10
which has Samba 3.2.15 installed, but the version I was building and
testing with was 3.2.4. Having now downloaded and built 3.2.15 I am now
seeing those "S-2-22-[12]" sids, but still not the sids for the
Administrators and Users groups.

But if I run the Fedora version of smbd 3.2.15 then I see the
S-1-5-32-545 sid too, but still not S-1-5-32-544. If I run the version
of 3.2.15 that I built I see neither. To build it I used "./configure
--with-ads", are there maybe some other options I should have used that
may explain that difference?

And I still need to find why I don't see sid S-1-5-32-544 with any
version?

Ian


Re: Missing sids for domain administrator?

by Volker Lendecke

On Thu, Oct 29, 2009 at 01:43:52PM -0700, Ian Puleston wrote:
> And I still need to find why I don't see sid S-1-5-32-544 with any
> version?

You do have that group as a local group in your
group_mapping.tdb? Please upload a debug level 10 log of all
the versions you tested at least up to the point where the
user token is listed.

Volker


Re: Missing sids for domain administrator?

by Ian Puleston

> -----Original Message-----
> From: samba-bounces@... On Behalf Of Ian Puleston
> Sent: Thursday, October 29, 2009 1:44 PM

> > the problem is that in its access checks smbd is not
> > getting the sid for the Administrators group (S-1-5-32-544).
>
> But if I run the Fedora version of smbd 3.2.15 then I see the
> S-1-5-32-545 sid too, but still not S-1-5-32-544.

I'm not sure why, but that problem has cleared up now - I did a yum
reinstall of samba and after that it's working OK - I am now getting the
S-1-5-32-544 sid for the domain administrator (maybe I did not have the
distro version installed as I thought I had?).

So I tried rebuilding the samba package "properly" with the correct
options for my fedora distro by using rpmbuild rather than downloading
and making it manually, and that built version works OK too.

> To build it I used "./configure --with-ads", are there maybe
> some other options I should have used that may explain that
> difference?
>
> And I still need to find why I don't see sid S-1-5-32-544 with any
> version?

It would still be nice to know what made the difference if anyone can
shed any light on it?

Ian

Re: Missing sids for domain administrator?

by Ian Puleston

> -----Original Message-----
> From: Volker Lendecke
> Sent: Friday, October 30, 2009 7:01 AM
>
> On Thu, Oct 29, 2009 at 01:43:52PM -0700, Ian Puleston wrote:
> > And I still need to find why I don't see sid S-1-5-32-544 with any
> > version?
>
> You do have that group as a local group in your group_mapping.tdb?

Darn, that gave me an idea and I thought I'd cracked it. I think that I
do have the group mappings properly set:

[root@ian-linux samba]# net groupmap list
Administrators (S-1-5-32-544) -> BUILTIN+administrators
Users (S-1-5-32-545) -> BUILTIN+users

But when I do the same using the locally built version of the net
utility:

[Ian@ian-linux source]$ sudo bin/net groupmap list
Administrators (S-1-5-32-544) -> 647

So this would imply that the locally built version, and therefore by
implication the locally built version of smbd too, is using a different
group mappings file to the distro version, and that would explain why it
works with the distro smbd, but not with the one that I built.

However, I re-set the group mappings using the locally built net to be
the same as above, but unfortunately that didn't help - I still don't
see the S-1-5-32-544/545 sids :-(

> Please upload a debug level 10 log of all the versions you tested at
> least up to the point where the user token is listed.

I've uploaded them to:
http://diverian.tripod.com/home/Files/samba-logs/smbd.log.txt
http://diverian.tripod.com/home/Files/samba-logs/__ffff_192.168.168.3.log.txt
http://diverian.tripod.com/home/Files/samba-logs/smbd.log.txt

But I have things working fine now with a build made using rpmbuild, so
unless you think there may be a bug somewhere, don't waste any
significant time on this.

Thanks,
Ian

