Univention Bugzilla – Bug 33370
Authenticated Users idmap issues s3 memberserver
Last modified: 2018-04-12 15:11:33 CEST
A s3 Memberserver within a S4 environment is not able to handle the special group "Authenticated Users". If you set group permissions via setfacl for a share, you get "Unix Group\Authenticated Users" as effective permissions shown in Windows. GPO-related things (deploying files for example) with this share will not work then. If you correct the permissions to "Authenticated Users" via Windows, it will work. "getfacl" only shows an ID then: "default:group:55002:r-x"

root@member:~# univention-ldapsearch gidNumber=55002
# S-1-5-11, idmap, univention, wurst.foo
dn: sambaSID=S-1-5-11,cn=idmap,cn=univention,dc=wurst,dc=foo
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 55002
sambaSID: S-1-5-11

root@member:~# univention-ldapsearch cn="Authenticated Users"
dn: cn=Authenticated Users,cn=groups,dc=wurst,dc=foo
objectClass: top
objectClass: posixGroup
objectClass: univentionGroup
objectClass: sambaGroupMapping
objectClass: univentionObject
univentionObjectType: groups/group
cn: Authenticated Users
sambaSID: S-1-5-11
sambaGroupType: 2
gidNumber: 5020
uniqueMember: cn=DC Slave Hosts,cn=groups,dc=wurst,dc=foo
uniqueMember: cn=Windows Hosts,cn=groups,dc=wurst,dc=foo

root@member:~# getent group "Authenticated Users"
Authenticated Users:*:5020:join-slave,Administrator,winclient$,WIN7PRO$,WIN7PROFLUR$,join-backup,master$
I could imagine that the Windows client sends a security descriptor with the SID of the builtin group "Authenticated Users" S-1-5-11 and the smbd on the UCS Memberserver asks winbind to translate the SID into a Posix-ID. winbind looks into its list of IDMAP backends per domain, as defined in smb.conf. Since the SID falls into the BUILTIN domain, it doesn't try an nss lookup (as would be done for the domain), but uses the LDAP allocator instead, which generates the sambaIdmapEntry object. If this theory is found to be valid in a test, then it might be an option to add

idmap config BUILTIN : backend = nss
idmap config BUILTIN : range = 1000-54999

to smb.conf. Don't know if winbind accepts that and what other side effects that might have.
* Good: Adding the following lines to the smb.conf of the member seems to fix this for "Authenticated Users" and other SIDs in the "NT AUTHORITY" domain:
===============================================
idmap config NT AUTHORITY : backend = nss
idmap config NT AUTHORITY : range = 1000-54999
===============================================
It makes "wbinfo -Y S-1-5-11" return the proper gidNumber from the sambaGroupMapping object instead of creating (or picking an existing) sambaIdmapEntry.

* Samba4 domain only: Somehow the Memberserver winbind behaves differently in a Samba3 domain, it cannot resolve this SID even if I manually create the corresponding group object in LDAP and apply this workaround.

* Strange: This workaround works for all SIDs in the "NT AUTHORITY" domain with one exception: It doesn't for "Enterprise Domain Controllers":
=====================================================
root@member43:~# wbinfo -Y S-1-5-9
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-9 to gid
=====================================================

* Open: The same trick doesn't work for "BUILTIN" SIDs (S-1-5-32-*):
=====================================================
root@member43:~# wbinfo -Y S-1-5-32-544
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to gid
=====================================================
Moved to UCS 3.2-4-errata.
In Samba4-Domains this workaround can be used:

root@member:~# cat >> /etc/samba/local.conf <<%EOF
idmap config NT AUTHORITY : backend = nss
idmap config NT AUTHORITY : range = 1000-54999
%EOF
root@member:~# ucr commit /etc/samba/smb.conf
root@member:~# /etc/init.d/samba restart
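The following script is an added example and not part of the bug report or of UCS; it checks for the two things the thread turns on: whether a member server's smb.conf routes the "NT AUTHORITY" domain through the nss idmap backend (the workaround above), and whether getfacl output on a share still carries bare numeric group entries, which getfacl prints only when the gid resolves to no known group (the "default:group:55002:r-x" symptom from the report). The smb.conf fragments and getfacl output are constructed samples; the "*" backend and its range are assumed values, not UCS defaults.

```python
"""Detect the idmap symptom from the bug: a well-known SID such as S-1-5-11
mapped by an allocating backend instead of nss shows up in getfacl as a bare
numeric gid that no group in the directory owns."""
import re

# Constructed smb.conf fragment before the workaround ("*" entry is assumed).
SMB_CONF_BEFORE = """
[global]
   workgroup = WURST
   idmap config * : backend = ldap
   idmap config * : range = 55000-65535
"""

# Same fragment with the workaround lines from the bug report appended.
SMB_CONF_AFTER = SMB_CONF_BEFORE + """
   idmap config NT AUTHORITY : backend = nss
   idmap config NT AUTHORITY : range = 1000-54999
"""

# Constructed getfacl output; 55002 mirrors the report's unresolved entry.
GETFACL_OUTPUT = """# file: share
# owner: root
# group: root
user::rwx
group::r-x
group:Domain Users:r-x
default:group:55002:r-x
other::---
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>.+?)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>\S+)",
    re.IGNORECASE,
)


def parse_idmap_config(text):
    """Return {DOMAIN: {"backend": str, "range": (lo, hi)}} from smb.conf text."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        entry = cfg.setdefault(m.group("dom").upper(), {})
        if m.group("key").lower() == "backend":
            entry["backend"] = m.group("val").lower()
        else:
            lo, hi = m.group("val").split("-")
            entry["range"] = (int(lo), int(hi))
    return cfg


def nt_authority_uses_nss(cfg):
    """True when NT AUTHORITY SIDs are resolved via nss (the workaround)."""
    return cfg.get("NT AUTHORITY", {}).get("backend") == "nss"


def range_owner(gid, cfg):
    """Name of the idmap domain whose configured range covers gid, or None."""
    for dom, entry in cfg.items():
        lo, hi = entry.get("range", (None, None))
        if lo is not None and lo <= gid <= hi:
            return dom
    return None


def unresolved_acl_gids(getfacl_text):
    """Numeric group entries in getfacl output (name lookup failed)."""
    found = []
    for line in getfacl_text.splitlines():
        parts = line.split(":")
        if parts and parts[0] == "default":   # default:group:NAME:perms
            parts = parts[1:]
        if len(parts) == 3 and parts[0] == "group" and parts[1].isdigit():
            found.append(int(parts[1]))
    return found


if __name__ == "__main__":
    for label, conf in (("before", SMB_CONF_BEFORE), ("after", SMB_CONF_AFTER)):
        cfg = parse_idmap_config(conf)
        print(label, "NT AUTHORITY via nss:", nt_authority_uses_nss(cfg))
        for gid in unresolved_acl_gids(GETFACL_OUTPUT):
            print("  unresolved gid", gid, "allocated by idmap domain", range_owner(gid, cfg))
```

Run against a real host by replacing the constructed strings with the contents of /etc/samba/smb.conf and the output of getfacl on the share; an unresolved gid whose range belongs to "*" rather than "NT AUTHORITY" is the stale allocator mapping the report describes, and the ACL entry has to be reset even after the smb.conf fix.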
Requested at 2015021121000159 for 3.2-4
This issue has been filed against UCS 3.2. UCS 3.2 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed. If this is still an issue in newer UCS versions, please use "Clone this bug". In this case please provide detailed information on how this issue is affecting you.