
[Samba] workaround needed for Security Principals, and SID's mapping bug.


L.P.H. van Belle via samba
Dec 1, 2016, 5:20:03 AM

Hai,

Does anyone know if this Security Principals and SIDs mapping bug is resolved, or if there is any patch?

Rowland? Achim? Any samba dev?

I really need it.

I'm at samba 4.4.5.

I can't find if it's fixed in 4.4.7 or 4.5.1.

To check if you are affected by this, follow these steps.

1. Under "When running the task, use the following user account:", click "Change User or Group..."
2. Click "Locations"
3. Expand the [domain FQDN] and select the "Builtin" container, then click OK
4. In the box labelled "Enter the object name to select:" type "system", then click OK
5. You should see "NT AUTHORITY\System" in the box

If you are affected by this bug, you will see: DOMAIN\system
and not NT AUTHORITY\System or builtin\system.

Because I can't type the username, I need a solution.

Typing the username will result in:
Windows (7) event id 4098, error code 0x80041316

I need a way so that steps 1-5 result in: NT AUTHORITY\System

Greetz,

Louis

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny via samba
Dec 1, 2016, 6:20:04 AM


For the stupid amongst us i.e. me ;-)

What bug are you referring to?
What are the steps before '1.'?

Rowland

L.P.H. van Belle via samba
Dec 1, 2016, 7:40:03 AM

Hai Rowland,

This happens when I'm creating a "Scheduled task";
this task needs NT AUTHORITY\System but you need to select the account.
When you select the account a SID/RID mapping is done and this fails,
resulting in the Windows event id and error code.
While searching for that I found that I can't type the username.
You must select it.

To reproduce:

Create a GPO:
Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks. Right click in the blank pane and select New > Scheduled Task (Windows Vista and later).

On the General tab, click on Change user or Group.
Now go through steps 1-5.

I found some related bugs about the NT Authority\system mismatch:
https://bugzilla.samba.org/show_bug.cgi?id=11677
https://bugzilla.samba.org/show_bug.cgi?id=11997
All are related to SID S-1-5-18 / SID S-1-5-19.
There are more.

I went through:
https://technet.microsoft.com/en-us/library/dn617202(v=ws.11).aspx
https://technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx

And I also did see that a patch was done, but I can't find/see
if this is the correct fix (found here: https://attachments.samba.org/attachment.cgi?id=11781 ).

I was waiting for 4.5.2 to update my environment, hoping this is fixed.
It is still expected on 7 Dec.


Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Rowland Penny via
> samba
> Sent: Thursday 1 December 2016 12:05
> To: sa...@lists.samba.org
> Subject: Re: [Samba] workaround needed for Security Principals, and
> SID's mapping bug.

Achim Gottinger via samba
Dec 1, 2016, 7:50:03 PM


Hello Louis,

I'd check the mappings for the SIDs in idmap.ldb: are you sure you hit
a mapping issue here? These only occur once you hit the filesystem on
the Linux side.

achim~

Achim Gottinger via samba
Dec 1, 2016, 8:20:02 PM


On 02.12.2016 at 01:47, Achim Gottinger via samba wrote:
>
>
> On 01.12.2016 at 13:35, L.P.H. van Belle via samba wrote:
>> Hai Rowland,
>>
>> This happens when I'm creating a "Scheduled task";
>> this task needs NT AUTHORITY\System but you need to select the account.
>> When you select the account a SID/RID mapping is done and this fails,
>> resulting in the Windows event id and error code.
>> While searching for that I found that I can't type the username.
>> You must select it.
>>
>> To

Tried this and it behaves the same way here. The builtin\SYSTEM account
shows up as DOMAINNAME\SYSTEM.

But to run as the local SYSTEM account I think you must pick the Server
as search base and then choose the system account. Here this leads to a
fault and exit of the GPO management editor.

Achim Gottinger via samba
Dec 1, 2016, 9:10:03 PM


On 02.12.2016 at 02:08, Achim Gottinger via samba wrote:
>
>
> On 02.12.2016 at 01:47, Achim Gottinger via samba wrote:
>>
>>
>> On 01.12.2016 at 13:35, L.P.H. van Belle via samba wrote:
>>> Hai Rowland,
>>>
>>> This happens when I'm creating a "Scheduled task";
>>> this task needs NT AUTHORITY\System but you need to select the account.
>>> When you select the account a SID/RID mapping is done and this fails,
>>> resulting in the Windows event id and error code.
>>> While searching for that I found that I can't type the username.
>>> You must select it.
>>>
>>> To
> Tried this and it behaves the same way here. The builtin\SYSTEM
> account shows up as DOMAINNAME\SYSTEM.
>
> But to run as the local SYSTEM account I think you must pick the
> Server as search base and then choose the system account. Here this
> leads to a fault and exit of the GPO management editor.
>

Here I can type in the username. If that does not work for you, you can
edit the SchedTask.xml (or similar) file in the GPO folder directly.

L.P.H. van Belle via samba
Dec 2, 2016, 3:40:03 AM

Exactly, and I'm at this point also.

Here, typing the username results in the Windows event and errors out.
Did a lot of research and I'm 100% sure this is a missing mapping.
Typing does not work; I don't know if this is a Windows thing or a Samba thing. But I found several reports where Windows 7+ with Server 2008 also errors if you type the username.

And thank you for having a look.
You too Rowland.

Which samba version are you guys running atm?

> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Achim Gottinger
> via samba
> Sent: Friday 2 December 2016 3:05
> To: sa...@lists.samba.org
> Subject: Re: [Samba] workaround needed for Security Principals, and
> SID's mapping bug.

L.P.H. van Belle via samba
Dec 2, 2016, 3:50:03 AM

Hai,

Yes, I'm more than 100% sure.

https://bugzilla.samba.org/show_bug.cgi?id=11677 is related
https://bugzilla.samba.org/show_bug.cgi?id=11997 is related
Which is your bug report ;-)

https://bugzilla.samba.org/show_bug.cgi?id=12284 maybe related.
https://bugzilla.samba.org/show_bug.cgi?id=12155 maybe related

https://bugzilla.samba.org/show_bug.cgi?id=12164 confirms this bug.

I'm setting up a 4.5.1 for jessie now and will check again.
But I don't believe it is fully fixed yet.


Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Achim Gottinger
> via samba
> Sent: Friday 2 December 2016 1:47
> To: sa...@lists.samba.org
> Subject: Re: [Samba] workaround needed for Security Principals, and
> SID's mapping bug.

Achim Gottinger via samba
Dec 2, 2016, 5:00:02 AM


I tested against a server running debian wheezy with sernet's samba
package version 4.2.
Using Windows 7 as a client I can edit the username field.
Have you tried editing the runAs tag in the corresponding xml file
SchedTask.xml or similar in the sysvol policy folder?
On a side note, if I create a task directly (not via GPO) I can select the
local system account and the builtin\system account. Both show up as
nt-authority\system (localized).

L.P.H. van Belle via samba
Dec 2, 2016, 5:10:02 AM

> Have you tried editing the runAs tag in the corresponding xml file
> SchedTask.xml or similar in the sysvol policy folder?
Hmm, no, not yet, I'll go test now.
I'll report the result later.

And yes, I can create a local one also; that's how I detected the SID/RID/ID mapping problems.
But I can't go and create 100 tasks locally; that's why I have GPO.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Achim Gottinger
> via samba
> Sent: Friday 2 December 2016 10:54

L.P.H. van Belle via samba
Dec 2, 2016, 5:40:03 AM

Editing the XML results in the same error (which is logical).

The exact event from Windows:

Eventlog info:
Source : Group Policy Scheduled Tasks.
ID : 4098
USER : SYSTEM

Error code : Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security IDs was done.' This error was suppressed.

So I'll wait until this bug is fixed.

I tried to read the code but that's way more difficult than what I can program. :-((

I'll put this on hold for now, and do it the ugly way;
a bit annoying for my users but it is what it is.

Thanks for all the support.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of L.P.H. van Belle
> via samba
> Sent: Friday 2 December 2016 11:01

Achim Gottinger via samba
Dec 2, 2016, 9:40:03 AM


On 02.12.2016 at 11:35, L.P.H. van Belle via samba wrote:
> Editing the XML results in the same error (which is logical).
>
> The exact event from Windows:
>
> Eventlog info:
> Source : Group Policy Scheduled Tasks.
> ID : 4098
> USER : SYSTEM
>
> Error code : Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security IDs was done.' This error was suppressed.
>
> So I'll wait until this bug is fixed.
>
> I tried to read the code but that's way more difficult than what I can program. :-((
>
> I'll put this on hold for now, and do it the ugly way;
> a bit annoying for my users but it is what it is.
>
> Thanks for all the support.
>
> Greetz,
>
> Louis
>
>

What did you use as runAs?

Found this similar issue:
http://www.rozmazat.cz/articles/2015/05/07/no-mapping-between-account-names-and-security-ids-was-done.html

Achim Gottinger via samba
Dec 2, 2016, 9:50:02 AM

Another page with your issue:
http://trentent.blogspot.de/2014/10/group-policy-preferences-scheduled-task.html
This seems to be a Windows bug.

L.P.H. van Belle via samba
Dec 2, 2016, 11:10:03 AM

I tried both and more.
Tried:

BUILTIN\SYSTEM
NT AUTORITY\SYSTEM
.\SYSTEM
SYSTEM

This policy must run as "computer", not user.

So I've set:
Run whether user is logged on or not.
(x) do not store password.

But for now, I'm leaving it.

I'll think it over this weekend.
Maybe I'll create a new system-like user for it.

Many thanks for thinking with me.

Greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Achim Gottinger
> via samba
> Sent: Friday 2 December 2016 15:36
> To: sa...@lists.samba.org
> Subject: Re: [Samba] workaround needed for Security Principals, and
> SID's mapping bug.

L.P.H. van Belle via samba
Dec 2, 2016, 11:20:03 AM

No, I believe that guy is wrong.

MS-DTYP
https://msdn.microsoft.com/en-us/library/cc980032.aspx

NT AUTHORITY\SYSTEM S-1-5-18
NT AUTHORITY\authenticated users S-1-5-11
Etc etc.

Monday I'll have a look again.

Have a nice weekend everybody.

Greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Achim Gottinger
> via samba
> Sent: Friday 2 December 2016 15:42
> To: sa...@lists.samba.org
> Subject: Re: [Samba] workaround needed for Security Principals, and
> SID's mapping bug.

Rowland Penny via samba
Dec 2, 2016, 11:40:02 AM

On Fri, 2 Dec 2016 17:10:06 +0100
"L.P.H. van Belle via samba" <sa...@lists.samba.org> wrote:

> No, i believe that guy is wrong.
>
> MS-DTYP
> https://msdn.microsoft.com/en-us/library/cc980032.aspx
>
> NT AUTHORITY\SYSTEM S-1-5-18
> NT AUTHORITY\authenticated users S-1-5-11
> Etc etc.
>
> Monday i'll have a look again.
>
> Have a nice weeken everybody.
>
> Greetz,
>
> Louis
>
>

There may be something in what the guy is saying, he is saying that
'SYSTEM' was being treated as a group and if you check in idmap.ldb
'S-1-5-18' is 'ID_TYPE_BOTH'. I wonder if changing this to
'ID_TYPE_UID' would have any effect?

Rowland

L.P.H. van Belle via samba
Jan 24, 2017, 2:00:02 PM

Hai,

Does anyone know more about whether this is addressed, or can point me to the bug report?
There should be one, but I can't find it.

I'm finding the following again; tested with samba 4.4.5, now samba 4.5.3.
These reports go back to the year 2013.
I searched in my mail samba folder for S-1-5-18.

The problem:

I create a "computer" Scheduled task.
Now this task MUST run as: SYSTEM (S-1-5-18)
After typing "SYSTEM" in Change user/group (at security options) in the task, SYSTEM changes to: NTDOM\SYSTEM

With user: NTDOM\SYSTEM
Resulting in: http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
This exact event.
And the ScheduledTask is not applied to the computer, not even created on the computer.

Now when I change it to: NT Authority\SYSTEM
It creates the needed task, but it does not run; the error:
http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
again.

Now when I change it to: SYSTEM
It does not create the needed task, and it does not run; the error:
http://www.eventid.net/display-eventid-4098-source-Group%20Policy%20Local%20Users%20and%20Groups-eventno-11122-phase-1.htm
again.

I also tested this on several computers outside the domain.
That works fine with user "NT Authority\SYSTEM".
Reproducible steps:
Create a scheduled task in GPO; user or computer, that does not matter.
At security context, (try to) set user SYSTEM.

Do read:
https://technet.microsoft.com/en-us/library/dd851678(v=ws.11).aspx
And see here, Security options:
Computer Configuration: by default the task is run in the security context of the SYSTEM account.

And in the case of a Samba AD DC, this will never work since SYSTEM isn't correctly mapped.


On both DCs:
wbinfo -G 3000002

wbinfo -s S-1-5-18
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-18

I'm open for any suggestion EXCEPT changing the user in the scheduled task.

This is my complete smb.conf of my samba 4.5.3 (on debian Jessie).
Maybe I missed something here.


[global]
workgroup = NTDOM
realm = INTERNAL.DOMAIN.TLD
netbios name = DC1

server role = active directory domain controller
server services = -dns

interfaces = 192.168.0.1 127.0.0.1
bind interfaces only = yes
time server = yes

idmap_ldb:use rfc2307 = yes

## map id's outside to domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999

winbind nss info = rfc2307
winbind expand groups = 4

template shell = /bin/bash
template homedir = /home/users/%U

## disable printing completely and no error log messages.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# disable usershares creating, when set empty no error log messages.
usershare path =

# Add and Update TLS Key
tls enabled = yes
tls keyfile = /etc/ssl/local/private/xxxxx.key.pem
tls certfile = /etc/ssl/local/certs/xxxxx.cert.pem
tls cafile = /etc/ssl/certs/xxxxx-ca.pem

[sysvol]
path = /home/samba/sysvol
read only = No
acl_xattr:ignore system acls = yes

[netlogon]
path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
read only = No
acl_xattr:ignore system acls = yes



Greetz,

Louis

Rowland Penny via samba
Jan 24, 2017, 2:30:02 PM

Well yes, but:

root@member1:~# wbinfo -S S-1-5-18
3000015
root@member1:~# wbinfo -U 3000015
S-1-5-18

So winbind knows who SYSTEM is

>
> Im open for any suggestion EXCEPT changing the user in the schedules
> task.
>
> This is my complete smb.conf of my samba 4.5.3 ( on debian Jessie )
> Maybe i missed something here.
>
>
> [global]
> workgroup = NTDOM
> realm = INTERNAL.DOMAIN.TLD
> netbios name = DC1
>
> server role = active directory domain controller
> server services = -dns
>
> interfaces = 192.168.0.1 127.0.0.1
> bind interfaces only = yes
> time server = yes
>
> idmap_ldb:use rfc2307 = yes
>
> ## map id's outside to domain to tdb files.
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999

How many times have I got to tell people that 'idmap config' lines have
no place in a DC smb.conf?

see:

https://bugzilla.samba.org/show_bug.cgi?id=12155

and:

https://bugzilla.samba.org/show_bug.cgi?id=12410

The lines DO NOTHING on a DC, so why add them ????

Rowland

L.P.H. van Belle via samba
Jan 25, 2017, 2:50:02 AM

Arg, you're totally right Rowland,

How stupid that I missed that id mapping; removed it from my DC2, forgot DC1. Too many phone calls in between...
So I removed it now.

But nope, samba still gives me NTDOM\system back.
I'll go test some more.

Gr.

Louis




> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Rowland Penny via
> samba
> Sent: Tuesday 24 January 2017 20:18
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Security Principals, and SID's mapping bug

L.P.H. van Belle via samba
Jan 25, 2017, 4:30:03 AM

While searching through the Windows GPO editor for the users, it's now as follows (after the smb.conf correction).

TEST 1 (Windows 7, a domain member, but local search)
Creating a task locally on the computer, searching SYSTEM gives back:
WIN7: NT AUTHORITY\SYSTEM

TEST 2 (Samba AD)
Selected a WIN7 PC and searched for system: BUILTIN\SYSTEM
Selected the samba AD and searched for system: NTDOM\SYSTEM

The EXACT same steps on my Windows 2008R2 server.
TEST 3 (Windows 2008R2 server)
I'm getting: NT AUTHORITY\System

Anyhow, samba is consistent in giving back some WRONG user/group info.
An overview; I have compared the output of 2 DCs and 1 member.
All done on samba 4.5.3.

wbinfo -u -g etc. all work fine.
wbinfo --all-domains
BUILTIN
NTDOM

DC 1 and DC 2 give exactly the same output.
wbinfo --gid-info=3000001
BUILTIN\server operators:x:3000001:
wbinfo --gid-info=3000002
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000002
wbinfo --uid-to-sid=3000001
S-1-5-32-549
wbinfo --uid-to-sid=3000002
S-1-5-18
wbinfo --gid-to-sid=3000001
S-1-5-32-549
wbinfo --gid-to-sid=3000002
S-1-5-18
wbinfo --sid-to-uid=S-1-5-32-549
3000001
wbinfo --sid-to-uid=S-1-5-18
3000002
wbinfo --sid-to-gid=S-1-5-32-549
3000001
wbinfo --sid-to-gid=S-1-5-18
3000002
wbinfo --sid-to-name=S-1-5-32-549
BUILTIN\Server Operators 4
wbinfo --sid-to-name=S-1-5-18
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-18
wbinfo --sid-to-fullname=S-1-5-32-549
BUILTIN\Server Operators 4
wbinfo --sid-to-fullname=S-1-5-18
failed to call wbcGetDisplayName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-18
wbinfo --name-to-sid=BUILTIN\Server Operators
S-1-5-32-549 SID_ALIAS (4)
wbinfo --name-to-sid=NTDOM\Server Operators
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name NTDOM\Server Operators
wbinfo --name-to-sid=BUILDIN\SYSTEM
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name BUILDIN\SYSTEM
wbinfo --name-to-sid=NTDOM\SYSTEM
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name NTDOM\SYSTEM
wbinfo --lookup-sids=S-1-5-32-549
S-1-5-32-549 -> <none>\Server Operators 4
wbinfo --lookup-sids=S-1-5-18
wbcLookupSids failed: WBC_ERR_INVALID_SID
Could not lookup SIDs S-1-5-18


The member, and yes I know not all info should be here, just for comparison.
But watch what happens with: S-1-5-18.

wbinfo --gid-info=3000001
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000001
wbinfo --gid-info=3000002
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000002
wbinfo --uid-to-sid=3000001
failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert uid 3000001 to sid
wbinfo --uid-to-sid=3000002
failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert uid 3000002 to sid
wbinfo --gid-to-sid=3000001
failed to call wbcGidToSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert gid 3000001 to sid
wbinfo --gid-to-sid=3000002
failed to call wbcGidToSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert gid 3000002 to sid
wbinfo --sid-to-uid=S-1-5-32-549
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-549 to uid
wbinfo --sid-to-uid=S-1-5-18
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-18 to uid
wbinfo --sid-to-gid=S-1-5-32-549
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-549 to gid
wbinfo --sid-to-gid=S-1-5-18
2000
wbinfo --sid-to-name=S-1-5-32-549
BUILTIN\Server Operators 4
wbinfo --sid-to-name=S-1-5-18
NT AUTHORITY\SYSTEM 5
wbinfo --sid-to-fullname=S-1-5-32-549
BUILTIN\Server Operators 4
wbinfo --sid-to-fullname=S-1-5-18
NT AUTHORITY\SYSTEM 5
wbinfo --name-to-sid=BUILTIN\Server Operators
S-1-5-32-549 SID_ALIAS (4)
wbinfo --name-to-sid=NTDOM\Server Operators
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name NTDOM\Server Operators
wbinfo --name-to-sid=BUILDIN\SYSTEM
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name BUILDIN\SYSTEM
wbinfo --name-to-sid=NTDOM\SYSTEM
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name NTDOM\SYSTEM
wbinfo --lookup-sids=S-1-5-32-549
S-1-5-32-549 -> <none>\Server Operators 4
wbinfo --lookup-sids=S-1-5-18
wbcLookupSids failed: WBC_ERR_INVALID_SID
Could not lookup SIDs S-1-5-18


To me this confirms this bug; why would the member server give back:
wbinfo --sid-to-name=S-1-5-18
NT AUTHORITY\SYSTEM 5

But the DC, which really needs it:
wbinfo --sid-to-name=S-1-5-18
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-18

Can someone explain this difference?


And can someone confirm this problem still exists on their system and
gives the same results as mine, so I'm sure it's not something from an older samba.
My setup runs since 4.1.x and has been upgraded multiple times, something like:
to 4.2.3 (and some others)
to 4.2.10 => 4.3.x
to 4.3.x => 4.4.3
to 4.4.5 => 4.5.3



Greetz,

Louis
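
The comparison above is easy to get wrong by eye, so here is an added example (not code from this thread or from the Samba project) that reads a wbinfo transcript of the shape shown above and reports every SID whose uid/gid mapping succeeds while the name lookup fails, or whose uid/gid does not map back to the same SID. The embedded transcript is a constructed excerpt modelled on the DC output above; collect_transcript() is a hypothetical helper that gathers a live transcript by running wbinfo on a Samba host, and the S-1-5-18 asymmetry is exactly what it flags.

```python
"""Cross-check winbind SID <-> ID <-> name mappings from a wbinfo transcript.

Added example, not code from this thread or from the Samba project.
parse_transcript() reads "wbinfo --option=argument" lines followed by
their output, and check_mappings() reports SIDs whose uid/gid mapping
succeeds while the name lookup fails (or vice versa), plus uid/gid
round-trips that do not lead back to the same SID.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the DC transcript in the thread (not a live capture).
SAMPLE_TRANSCRIPT = """\
wbinfo --sid-to-uid=S-1-5-32-549
3000001
wbinfo --uid-to-sid=3000001
S-1-5-32-549
wbinfo --sid-to-name=S-1-5-32-549
BUILTIN\\Server Operators 4
wbinfo --sid-to-uid=S-1-5-18
3000002
wbinfo --sid-to-gid=S-1-5-18
3000002
wbinfo --uid-to-sid=3000002
S-1-5-18
wbinfo --sid-to-name=S-1-5-18
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-18
"""

# A command line in the transcript; lines that do not match are its output.
CMD_RE = re.compile(r"^wbinfo\s+(--[a-z-]+)=(.+)$")
FAILURE_PREFIXES = ("failed to call", "Could not", "wbcLookupSids failed")

Key = Tuple[str, str]  # (option, argument), e.g. ("--sid-to-name", "S-1-5-18")


def parse_transcript(text: str) -> Dict[Key, List[str]]:
    """Group output lines under the wbinfo command that produced them."""
    outputs: Dict[Key, List[str]] = {}
    key: Optional[Key] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = CMD_RE.match(line)
        if m:
            key = (m.group(1), m.group(2).strip())
            outputs[key] = []
        elif key is not None and line:
            outputs[key].append(line)
    return outputs


def _value(lines: List[str]) -> Optional[str]:
    """First output line, or None when winbind reported a failure."""
    if not lines or lines[0].startswith(FAILURE_PREFIXES):
        return None
    return lines[0]


def check_mappings(outputs: Dict[Key, List[str]]) -> List[str]:
    """Return one human-readable finding per inconsistent SID."""
    per_sid: Dict[str, Dict[str, Optional[str]]] = {}
    for (opt, arg), lines in outputs.items():
        if opt in ("--sid-to-uid", "--sid-to-gid", "--sid-to-name"):
            per_sid.setdefault(arg, {})[opt[len("--sid-to-"):]] = _value(lines)

    findings: List[str] = []
    for sid in sorted(per_sid):
        rec = per_sid[sid]
        has_id = rec.get("uid") is not None or rec.get("gid") is not None
        has_name = rec.get("name") is not None
        if has_id and not has_name and "name" in rec:
            findings.append(f"{sid}: uid={rec.get('uid')} gid={rec.get('gid')} but name lookup failed")
        elif has_name and not has_id and ("uid" in rec or "gid" in rec):
            findings.append(f"{sid}: name '{rec['name']}' resolves but no uid/gid mapping")
        # Reverse check: the uid/gid winbind handed out must map back to the same SID.
        for kind in ("uid", "gid"):
            ident = rec.get(kind)
            if ident is None:
                continue
            back = _value(outputs.get((f"--{kind}-to-sid", ident), []))
            if back is not None and back != sid:
                findings.append(f"{sid}: {kind} {ident} maps back to {back}")
    return findings


def collect_transcript(sids: List[str]) -> str:
    """Hypothetical helper: run the same lookups on a live Samba host (needs wbinfo in PATH)."""
    chunks: List[str] = []

    def run(opt: str, arg: str) -> str:
        cmd = ["wbinfo", f"{opt}={arg}"]
        proc = subprocess.run(cmd, capture_output=True, text=True)
        chunks.append(" ".join(cmd) + "\n" + proc.stdout + proc.stderr)
        return proc.stdout.strip()

    for sid in sids:
        for kind in ("uid", "gid"):
            ident = run(f"--sid-to-{kind}", sid)
            if ident.isdigit():
                run(f"--{kind}-to-sid", ident)
        run("--sid-to-name", sid)
    return "".join(chunks)


if __name__ == "__main__":
    for finding in check_mappings(parse_transcript(SAMPLE_TRANSCRIPT)):
        print(finding)
```

Run against the constructed transcript it prints a single line for S-1-5-18; on a live host, feed collect_transcript(["S-1-5-18", "S-1-5-32-549"]) into parse_transcript() and compare the findings from each DC and member side by side.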

L.P.H. van Belle via samba
Jan 25, 2017, 6:10:03 AM

Cool, thanks, that was my next question.
I'll go test that now and report back in a few mins; if it works that would really help me out here.

And when you look here:
https://technet.microsoft.com/en-us/library/cc778824(v=ws.10).aspx
look at the example SID S-1-5-32-544.
This SID has four components:
• A revision level (1)
• An identifier authority value (5, NT Authority)
• A domain identifier (32, Builtin)
• A relative identifier (544, Administrators)

And here you have the "NT Authority" and "Builtin" in one line.

;-)

Greetz,

Louis


> -----Original message-----
> From: Rowland Penny [mailto:rpe...@samba.org]
> Sent: Wednesday 25 January 2017 11:53
> To: L.P.H. van Belle
> Subject: Re: [Samba] Security Principals, and SID's mapping bug
>
> On Tue, 24 Jan 2017 15:02:14 +0100
> "L.P.H. van Belle via samba" <sa...@lists.samba.org> wrote:
>
>
> >
> > wbinfo -s S-1-5-18
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-18
> >
>
> Hi Louis, I got the same result on a Unix domain member, but after a
> bit of thinking and testing, I now get:
>
> root@devstation:~# wbinfo --sid-to-name=S-1-5-18
> NT AUTHORITY\SYSTEM 5
>
> How did I do this?
>
> Easy, first create a system group on the Unix machine:
>
> root@devstation:~# addgroup --system system
> Adding group `system' (GID 125) ...
> Done.
>
> Then add a line to the user map:
>
> !system = SYSTEM system
>
> Restart Samba
>
> Now I don't know if this will work with your GPOs, but it is worth
> trying (you may have to alter the Unix 'system' group's permissions)
>
> Rowland
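
The four-component breakdown of S-1-5-32-544 above, and the MS-DTYP well-known SIDs quoted earlier in the thread, are worth having in executable form when a GUI shows DOMAIN\SYSTEM, BUILTIN\SYSTEM and NT AUTHORITY\SYSTEM for what should be one principal. The following is an added example (not code from this thread or from the Samba project): it parses a SID string into revision, identifier authority and sub-authorities, converts it to and from the MS-DTYP binary layout, classifies which authority scope (NT AUTHORITY, BUILTIN, domain) the SID belongs to, and resolves a small constructed subset of the well-known table to canonical names. The WELL_KNOWN dictionary is that subset, not the full MS-DTYP list.

```python
"""Decode Windows security identifiers (SIDs) as laid out in MS-DTYP.

Added example; not code from the Samba project or from this thread.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the MS-DTYP well-known SID table (not the complete list).
WELL_KNOWN = {
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int          # 48-bit identifier authority (5 = NT AUTHORITY)
    sub_authorities: tuple  # up to 15 32-bit values; the last one is the RID

    @classmethod
    def parse(cls, text: str) -> "Sid":
        """Parse the S-R-I-S... string form."""
        parts = text.strip().upper().split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID string: {text!r}")
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
            raise ValueError(f"out-of-range SID: {text!r}")
        return cls(revision, authority, subs)

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority), *map(str, self.sub_authorities)])

    def to_bytes(self) -> bytes:
        """Binary form: Revision, SubAuthorityCount, 6-byte big-endian authority, LE sub-authorities."""
        header = struct.pack("<BB", self.revision, len(self.sub_authorities))
        authority = self.authority.to_bytes(6, "big")
        subs = struct.pack("<%dI" % len(self.sub_authorities), *self.sub_authorities)
        return header + authority + subs

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        """Inverse of to_bytes(); rejects truncated or over-long buffers."""
        if len(data) < 8:
            raise ValueError("SID too short")
        revision, count = struct.unpack_from("<BB", data, 0)
        authority = int.from_bytes(data[2:8], "big")
        if len(data) != 8 + 4 * count:
            raise ValueError("SID length does not match SubAuthorityCount")
        subs = struct.unpack_from("<%dI" % count, data, 8)
        return cls(revision, authority, subs)

    def scope(self) -> str:
        """Which naming scope a SID under the NT authority belongs to."""
        if self.authority != 5 or not self.sub_authorities:
            return "other"
        first = self.sub_authorities[0]
        if first == 32:
            return "BUILTIN"      # S-1-5-32-*: local built-in aliases
        if first == 21:
            return "domain"       # S-1-5-21-<domain>-<rid>: domain accounts and groups
        return "NT AUTHORITY"     # S-1-5-18, S-1-5-11, ...: well-known principals


def describe(text: str) -> dict:
    """Decompose a SID the way the TechNet page quoted above does for S-1-5-32-544."""
    sid = Sid.parse(text)
    return {
        "revision": sid.revision,
        "authority": sid.authority,
        "scope": sid.scope(),
        "rid": sid.sub_authorities[-1] if sid.sub_authorities else None,
        "name": WELL_KNOWN.get(str(sid)),
    }


def canonical_name(text: str) -> Optional[str]:
    """Canonical display name for a well-known SID, or None when not in the table."""
    return WELL_KNOWN.get(str(Sid.parse(text)))


if __name__ == "__main__":
    for s in ("S-1-5-18", "S-1-5-32-544", "S-1-5-21-1-2-3-500"):
        print(s, describe(s), Sid.parse(s).to_bytes().hex())
```

Running it shows why "DOMAIN\SYSTEM" is a display error rather than a different account: S-1-5-18 has no domain sub-authority at all, so any name that prefixes it with a domain or with BUILTIN is a resolver inventing a scope the SID does not carry.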

L.P.H. van Belle via samba
Jan 25, 2017, 6:30:03 AM

Are you sure that was the only change? :-/

Tried it out, but
wbinfo --lookup-sids=S-1-5-18
wbcLookupSids failed: WBC_ERR_INVALID_SID
Could not lookup SIDs S-1-5-18

Does this possibly have anything to do with AD/RID setups?
I'm on an AD setup.

Selecting the user SYSTEM through search still resolves back to NTDOM\System

:-)
Well.. lunch first.

Greetz,

L.P.H. van Belle via samba
Jan 25, 2017, 7:10:03 AM

Yeah, I noticed; tried also adding user and group.
For the domain member, it's not a problem.

I have a workaround now for my PCs which have joined my domain, so I can go ahead with what I'm testing.

Thanks for having a look into it.


Greetz,

Louis



> -----Original message-----
> From: Rowland Penny [mailto:rpe...@samba.org]
> Sent: Wednesday 25 January 2017 12:41
> To: L.P.H. van Belle
> Subject: Re: [Samba] Security Principals, and SID's mapping bug
>
> On Wed, 25 Jan 2017 12:25:45 +0100
> "L.P.H. van Belle via samba" <sa...@lists.samba.org> wrote:
>
> > Are you sure that was the only change? :-/
> >
> > Tried it out, but
> > wbinfo --lookup-sids=S-1-5-18
> > wbcLookupSids failed: WBC_ERR_INVALID_SID
> > Could not lookup SIDs S-1-5-18
> >
> > Does this possibly have anything to do with AD/RID setups?
> > I'm on an AD setup.
> >
> > Selecting the user SYSTEM through search still resolves back to
> > NTDOM\System
> >
> > :-)
> > Well.. lunch first.
> >
> > Greetz,
> >
>
> I tested on a Unix domain member and it worked, just tried it on DC and
> it doesn't, back to thinking ;-)

L.P.H. van Belle via samba
Jan 25, 2017, 7:40:04 AM

Did look up some old threads.

It started here:
Nov 2013 https://lists.samba.org/archive/samba/2013-November/177110.html

Then https://lists.samba.org/archive/samba/2014-June/182429.html
On this link, the test there shows on the DC:

root at DC2:~# wbinfo -G 3000002
S-1-5-18
root at DC2:~# wbinfo -s S-1-5-18
NT AUTHORITY+SYSTEM 5
root at DC2:~#
So it was working in 2014; that was samba 4.1.x or the beginning of 4.2.x.

Again:
https://lists.samba.org/archive/samba/2015-November/195637.html
and there are more.

If we can track this bug down, it will make lots of people happy.
So anything I can do to help out.


Greetz,

Louis



> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of L.P.H. van Belle
> via samba
> Sent: Wednesday 25 January 2017 13:01
> To: sa...@lists.samba.org

L.P.H. van Belle via samba
Jan 25, 2017, 7:50:03 AM

Steps to reproduce.

Try this:

1. View/Edit a GPO,
go to Computer Configuration > Control Panel Settings > Scheduled Tasks.
2. Right-click in the window and choose
New > Scheduled Task (At least Windows 7).
3. On the General tab:
a. Set the name to TestSchedule.
b. Run the task as NT AUTHORITY\System. Check Run with highest privileges.
c. Click OK.

3b, try: click change user/group.
Next window, type: system, click ok.
It changes to NTDOM\system, which should be BUILTIN\SYSTEM.

3b, again: change user/group,
Next window, type: Server Operators, and click ok.
That reports correctly: BUILTIN\Server Operators

All other values don't matter.


Greetz,

Louis



> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of L.P.H. van Belle
> via samba
> Sent: Wednesday 25 January 2017 13:30

mathias dufresne via samba
Jan 25, 2017, 8:50:03 AM

I do believe the right way to spell it is NT Authority\System.
BUILTIN\System and NTDOM\System are either aliases for NT Authority\System
or just a bad way to display that SID's name.

Sorry, I have nothing relevant and clear enough to make that affirmation
more convincing...

2017-01-25 13:45 GMT+01:00 L.P.H. van Belle via samba <sa...@lists.samba.org>: