Bug 11997 - Request: Add resolving to group names for well known security principals via libnss-winbind
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Assigned To: Samba QA Contact
Reported: 2016-06-26 11:41 UTC by Achim Gottinger
Modified: 2016-07-07 13:10 UTC (History)
Description Achim Gottinger 2016-06-26 11:41:49 UTC
Since 4.2, Samba can resolve BUILTIN groups via libwinbind-nss. But it still does not resolve "well known security principals" like "Authenticated Users".
On an AD DC the sysvol folder is created with read rights for "Authenticated Users" and Read/Write rights for "Local System".
They get mapped by winbindd to local uids/gids in idmap.ldb but do not resolve to names.

Below are the default ACLs after domain provision.

dc1#~getfacl /var/lib/samba/sysvol

getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

dc1#~getfacl -n /var/lib/samba/sysvol

getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: 0
# group: 3000000
user::rwx
user:0:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:0:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Via idmap.ldb
3000002 maps to S-1-5-11 (Local System)
3000003 maps to S-1-5-18 (Authenticated Users)

BUILTIN\Administrators map to 3000000
BUILTIN\Server Operators map to 3000001

If I copy the sysvol folder to a second dc (dc2) with rsync

dc2#~rsync -XAavz -e ssh root@dc1:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/

The two BUILTIN groups map to the proper gids from the local idmap.ldb, but "Local System" and "Authenticated Users" keep the gids from the source server.

dc2#~getfacl /var/lib/samba/sysvol

getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:BUILTIN\134server\040operators:rwx
user:group\040policy\040creator\040owners:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:BUILTIN\134server\040operators:rwx
group:group\040policy\040creator\040owners:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:BUILTIN\134server\040operators:rwx
default:user:group\040policy\040creator\040owners:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:BUILTIN\134server\040operators:rwx
default:group:group\040policy\040creator\040owners:r-x
default:mask::rwx
default:other::---

dc2#~getfacl -n /var/lib/samba/sysvol

# file: var/lib/samba/sysvol/
# owner: 0
# group: 3000000
user::rwx
user:0:rwx
user:3000000:rwx
user:3000002:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000002:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:0:rwx
default:user:3000000:rwx
default:user:3000002:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000002:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

In this example on dc2, "BUILTIN\Server Operators" maps to 3000002 and "Group Policy Creator Owners" maps to 3000003.

Via idmap.ldb on dc2
3000007 maps to S-1-5-18 (Local System)
3000009 maps to S-1-5-11 (Authenticated Users)

This results in no read access rights for "Authenticated Users", which means normal users cannot access the sysvol share and cannot read the GPOs.
Also, "BUILTIN\Server Operators" has now gained write access to sysvol on dc2.

getfacl after "samba-tool ntacl sysvolreset" on dc2:

getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000007:r-x
user:3000009:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000007:r-x
group:3000009:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000007:r-x
default:user:3000009:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000007:r-x
default:group:3000009:rwx
default:mask::rwx
default:other::---

Since the POSIX ACLs are still mandatory to access the share, it does not help that the extended ACLs in security.NTACL are not affected by this mapping problem.
Even with "acl_xattr:ignore system acls = Yes" set, a domain user cannot access the sysvol share on dc2 without running sysvolreset or keeping idmap.ldb in sync.

If the "well known security principals" were resolved like the BUILTIN groups via winbindd, the above problems would be fixed.
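As an added illustration (not part of the report or of Samba), the following Python model replays what the rsync copy above does to the numeric ACL entries when the well-known principals have no NSS name: ids that resolve are remapped by name on dc2, unresolvable ids are copied as raw numbers and then land on whatever dc2's idmap.ldb assigned to those numbers. The idmap contents, the placeholder SID for Group Policy Creator Owners and the getfacl excerpt are constructed from the numbers in the description; the BUILTIN and well-known SIDs are the fixed Windows values.

```python
import re

# Well-known SIDs (fixed values); Group Policy Creator Owners is domain-relative, so a placeholder.
ADMINS, SERVER_OPS, LOCAL_SYSTEM, AUTH_USERS = "S-1-5-32-544", "S-1-5-32-549", "S-1-5-18", "S-1-5-11"
GPCO = "S-1-5-21-<domain>-520"

# Constructed idmap.ldb contents of both DCs, following the numbers in the report.
DC1_IDMAP = {3000000: ADMINS, 3000001: SERVER_OPS, 3000002: LOCAL_SYSTEM, 3000003: AUTH_USERS}
DC2_IDMAP = {3000000: ADMINS, 3000002: SERVER_OPS, 3000003: GPCO, 3000007: LOCAL_SYSTEM, 3000009: AUTH_USERS}
# SIDs that libnss-winbind can turn into a name; the well-known principals are not among them.
NSS_RESOLVABLE = {ADMINS, SERVER_OPS, GPCO}

# Constructed excerpt of 'getfacl -n /var/lib/samba/sysvol' on dc1 (group entries only).
DC1_ACL = "group:3000000:rwx\ngroup:3000001:r-x\ngroup:3000002:rwx\ngroup:3000003:r-x\n"

ENTRY = re.compile(r"^(?:default:)?(user|group):(\d+):([rwx-]{3})$")

def parse_acl(text):
    """Return [(tag, numeric id, perms)] for the qualified user/group entries of a getfacl -n dump."""
    return [(m.group(1), int(m.group(2)), m.group(3)) for m in map(ENTRY.match, text.splitlines()) if m]

def simulate_rsync(acl, src_idmap, dst_idmap):
    """Model rsync -A without --numeric-ids: an id whose name resolves on the source is rewritten to
    that name's id on the destination; an id with no resolvable name is copied as a raw number."""
    dst_by_sid = {sid: xid for xid, sid in dst_idmap.items()}
    out = []
    for tag, xid, perms in acl:
        sid = src_idmap.get(xid)
        mapped = sid in NSS_RESOLVABLE and sid in dst_by_sid
        out.append((tag, dst_by_sid[sid] if mapped else xid, perms))
    return out

def effective_grants(acl, idmap):
    """Map each SID to the set of permission strings the numeric ACL grants it on the host owning idmap."""
    grants = {}
    for _tag, xid, perms in acl:
        grants.setdefault(idmap.get(xid, f"unmapped:{xid}"), set()).add(perms)
    return grants

def audit(src_acl, src_idmap, dst_acl, dst_idmap):
    """Return {sid: (perms on source, perms on copy)} for every principal whose rights changed."""
    before, after = effective_grants(src_acl, src_idmap), effective_grants(dst_acl, dst_idmap)
    return {sid: (sorted(before.get(sid, ())), sorted(after.get(sid, ())))
            for sid in before.keys() | after.keys() if before.get(sid) != after.get(sid)}

def sysvol_drift():
    """Run the report's scenario: dc1 ACL copied to dc2 by rsync, then judged against dc2's idmap."""
    dc1 = parse_acl(DC1_ACL)
    dc2 = simulate_rsync(dc1, DC1_IDMAP, DC2_IDMAP)
    return dc2, audit(dc1, DC1_IDMAP, dc2, DC2_IDMAP)
```

sysvol_drift() reproduces the dc2 listing above (3000002 appears twice, once by name and once as a raw number) and reports Authenticated Users and Local System with no entry at all, Server Operators with both r-x and rwx, and Group Policy Creator Owners with an r-x grant nobody intended.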
Comment 1 Louis 2016-07-07 13:09:37 UTC
Hi, I'm testing atm with Win7 and Win10 systems, and this "enhancement" should be a bug.

The below was tested on Samba 4.4.3-Debian, a rebuilt Debian Stretch version.

I just tested a Win10 upgrade with a new policy and again I'm getting denied messages. From within Windows all things resolve well, but I see the following.

(tested on the DC with FSMO roles)
wbinfo --gid-info 3000000
BUILTIN\administrators:x:3000000:

wbinfo --gid-info 3000001
BUILTIN\server operators:x:3000001:

wbinfo --gid-info 3000002
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000002

wbinfo --gid-info 3000003
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000003


getfacl -n /home/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: home/samba/sysvol/
# owner: 0
# group: 3000000
user::rwx
user:0:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:0:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

I'm using 2 DCs, as Achim also shows here. I also sync.
I don't have any out-of-syncs with rights between the 2 servers,
and I'm also using:
acl_xattr:ignore system acls = Yes
on the sysvol share.