Re: [Samba] net rpc file checks in 3.5.x

2010-10-14 Thread Michal Soltys

This is in reply to an older question of mine:
http://www.mail-archive.com/samba@lists.samba.org/msg109014.html

On 10-06-30 18:48, Michal Soltys wrote:
> When doing a simple:
>
> net rpc file -Untadmin
>
> With ntadmin being a user belonging to properly groupmapped domain admins
> (with rid 512), including cases with ntadmin being rid=500 itself,
> I always get:
>
> [2010/06/30 15:06:46.272578,  2] auth/auth.c:304(check_ntlm_password)
>   check_ntlm_password:  authentication for user [ntadmin] -> [ntadmin] -> [ntadmin] succeeded
> [2010/06/30 15:06:46.276232,  1] rpc_server/srv_srvsvc_nt.c:1039(_srvsvc_NetFileEnum)
>   Enumerating files only allowed for administrators
>
> I've peeked into srv_srvsvc_nt.c and the main difference from earlier
> samba versions (in the function mentioned in the logs) is the addition
> of the following check:
>
>     if (!nt_token_check_sid(&global_sid_Builtin_Administrators,
>                             p->server_info->ptok)) {
>             DEBUG(1, ("Enumerating files only allowed for "
>                       "administrators\n"));
>             return WERR_ACCESS_DENIED;
>     }
>
> Judging from the variables' names, it checks if a user belongs to a builtin
> group. Assuming this kind of check is intended in this place - how does one
> actually make a [functionally working] builtin group? groupmap allows mapping
> to local and builtin groups, and I've also tested some net rpc group
> variations - but so far to no actual effect.


Actually, I mistyped the sid - groupmap can handle builtin groups just fine.

Overall it turned out that the culprit (in my case) was a brief run of 
winbindd in the past. Basically, once the BUILTIN domain showed up in 
gencache.tdb, I had to do net groupmap and add the user used with the 
net tool (admin) to the builtin administrators group (regardless of whether 
winbindd was or wasn't running after that). The alternative option was to 
simply stop samba / remove gencache.tdb / start again.


Earlier samba versions didn't perform this kind of check, so it was never 
an issue.


Should it be assumed these days that groupmapping of builtin groups is 
no longer optional (or at least that it is advised to have it in place)?

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
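The following is an added example, not code from the thread or from Samba. It models the two things the reply above turns on: the _srvsvc_NetFileEnum gate, which only passes when the literal SID S-1-5-32-544 (global_sid_Builtin_Administrators) is in the user's token, so Domain Admins (RID 512) or the RID 500 account alone are refused; and a small check over `net groupmap list` output for whether that BUILTIN alias is mapped at all. The output line format 'Name (SID) -> unixgroup', the domain SID and the group names are all assumed/constructed for the example.

```python
"""Added example (not from the thread or Samba): model the
BUILTIN\\Administrators check behind the log line above and look for the
missing group mapping in a `net groupmap list` dump."""
import re

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # global_sid_Builtin_Administrators
DOMAIN_ADMINS_RID = 512
ADMINISTRATOR_RID = 500

# Constructed domain SID for the sample; a real one comes from `net getlocalsid`.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"


def domain_sid(domain, rid):
    """Build a domain-relative SID from the domain SID and a RID."""
    return "%s-%d" % (domain, rid)


def token_check_sid(token, sid):
    """Mirror of nt_token_check_sid(): membership is literal SID presence,
    no RID-500/RID-512 special casing."""
    return sid in token


def net_file_enum_allowed(token):
    """The 3.5.x gate quoted in the thread, as a boolean."""
    return token_check_sid(token, BUILTIN_ADMINISTRATORS)


def build_token(user_rid, group_rids, builtin_aliases=()):
    """Token the server builds for a user: the user SID, the domain group SIDs,
    and whichever BUILTIN aliases the group-mapping database resolves for them."""
    token = {domain_sid(DOMAIN, user_rid)}
    token |= {domain_sid(DOMAIN, rid) for rid in group_rids}
    token |= set(builtin_aliases)
    return token


# Assumed `net groupmap list` line format: 'Name (SID) -> unixgroup'
GROUPMAP_LINE = re.compile(
    r"^(?P<ntname>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unixgroup>\S+)$")


def parse_groupmap_list(text):
    """Parse groupmap output into {sid: (ntname, unixgroup)}."""
    mappings = {}
    for line in text.splitlines():
        m = GROUPMAP_LINE.match(line.strip())
        if m:
            mappings[m.group("sid")] = (m.group("ntname"), m.group("unixgroup"))
    return mappings


def missing_builtin_admin_mapping(groupmap_text):
    """True when BUILTIN\\Administrators has no mapping, the state the
    thread describes before `net groupmap` was run."""
    return BUILTIN_ADMINISTRATORS not in parse_groupmap_list(groupmap_text)


# Constructed sample output, before and after adding the BUILTIN mapping.
SAMPLE_GROUPMAP_BEFORE = (
    "Domain Admins (%s) -> ntadmins\n"
    "Domain Users (%s) -> users\n"
    % (domain_sid(DOMAIN, 512), domain_sid(DOMAIN, 513)))
SAMPLE_GROUPMAP_AFTER = (
    SAMPLE_GROUPMAP_BEFORE + "Administrators (S-1-5-32-544) -> ntadmins\n")


def main():
    only_domain_admins = build_token(ADMINISTRATOR_RID, [DOMAIN_ADMINS_RID])
    print("rid 500 + Domain Admins only:", net_file_enum_allowed(only_domain_admins))
    with_builtin = build_token(ADMINISTRATOR_RID, [DOMAIN_ADMINS_RID],
                               [BUILTIN_ADMINISTRATORS])
    print("with BUILTIN\\Administrators:", net_file_enum_allowed(with_builtin))
    print("mapping missing (before):",
          missing_builtin_admin_mapping(SAMPLE_GROUPMAP_BEFORE))
    print("mapping missing (after):",
          missing_builtin_admin_mapping(SAMPLE_GROUPMAP_AFTER))


if __name__ == "__main__":
    main()
```

The point the model makes explicit is that the check is on the alias SID itself, so "is a domain admin" and "is RID 500" are not enough; the alias has to exist in the mapping database and the user has to resolve into it before the token carries S-1-5-32-544. Feed real `net groupmap list` output to `missing_builtin_admin_mapping` to see whether a server is in the pre-fix state.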


[Samba] net rpc file checks in 3.5.x

2010-06-30 Thread Michal Soltys
When doing a simple:

net rpc file -Untadmin

With ntadmin being a user belonging to properly groupmapped domain admins
(with rid 512), including cases with ntadmin being rid=500 itself,
I always get:

[2010/06/30 15:06:46.272578,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [ntadmin] -> [ntadmin] -> [ntadmin] succeeded
[2010/06/30 15:06:46.276232,  1] rpc_server/srv_srvsvc_nt.c:1039(_srvsvc_NetFileEnum)
  Enumerating files only allowed for administrators


I've peeked into srv_srvsvc_nt.c and the main difference from earlier 
samba versions (in the function mentioned in the logs) is the addition 
of the following check:

    if (!nt_token_check_sid(&global_sid_Builtin_Administrators,
                            p->server_info->ptok)) {
            DEBUG(1, ("Enumerating files only allowed for "
                      "administrators\n"));
            return WERR_ACCESS_DENIED;
    }

Judging from the variables' names, it checks if a user belongs to a builtin 
group. Assuming this kind of check is intended in this place - how does one 
actually make a [functionally working] builtin group? groupmap allows mapping 
to local and builtin groups, and I've also tested some net rpc group 
variations - but so far to no actual effect.