Bug #2733

Domain Administrators rights not enforced by workstations

Added by Davide Principi over 5 years ago. Updated over 5 years ago.

Status:CLOSEDStart date:
Priority:NormalDue date:
Assignee:-% Done:

100%

Category:nethserver-samba
Target version:v6.5
Security class: Resolution:
Affected version:v6.5-final NEEDINFO:No

Description

Steps to reproduce
  • Set NethServer as Windows Domain Controller (PDC)
  • Join a workstation with the domain

After the machine join, the admin user has no administrative privileges on the workstation.

Expected results
After joining the domain, the domadmins group members must have administrative privileges on domain workstations.

Version
nethserver-samba-1.4.2-1.ns6.noarch


Related issues

Related to NethServer 6 - Feature #2492: Move admin user in LDAP DB CLOSED 12/17/2013 12/19/2013
Related to NethServer 6 - Enhancement #2747: Decrease default Samba log verbosity CLOSED
Related to NethServer 6 - Enhancement #2792: Samba: map local users to Domain Users CLOSED

Associated revisions

Revision e2c744e4
Added by Davide Principi over 5 years ago

nethserver-samba-sam-conf: fix unexpected group RIDs. Refs #2733.

domadmins, domusers, domguests are expected to be assigned well-known
RIDs. If a group RID does not match the expectation it is re-mapped.

Revision 0735fdfb
Added by Davide Principi over 5 years ago

nethserver-samba-sam-conf: fix unexpected group RIDs. Refs #2733.

domadmins, domusers, domguests are expected to be assigned well-known
RIDs. If a group RID does not match the expectation it is re-mapped.

History

#1 Updated by Davide Principi over 5 years ago

After #2492 the domadmins is created with a wrong RID. It must be the well-known RID 512 to work.

If you have installed nethserver-samba 1.4.0, before 2014-02-07 (in other words you had a v6.4-beta2 installation) you may not be affected by this bug. Check if you have the right domadmins RID with the following command:

   # net sam show domadmins
XYZ\domadmins is a Domain Group with SID S-1-5-21-[ ... ]-512

Last three numbers must be 512.

Fix the problem

A manual fix can be applied:

  # net groupmap delete ntgroup=domadmins
  # net groupmap add rid=512 unixgroup=domadmins type=d ntgroup="Domain Admins" comment="Domain Administrators" 

#2 Updated by Davide Principi over 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#3 Updated by Davide Principi over 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Test case

The bug must be fixed after upgrading an affected system and must not affect a new nethserver-samba installation. Check both.

#4 Updated by Davide Principi over 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70
In nethserver-testing:
  • nethserver-samba-1.4.2-6.0gite2c744e4.ns6.noarch.rpm
  • nethserver-samba-1.4.3.1-1.ns6.noarch.rpm (rebuild for bad tag)

#5 Updated by Massimo Palazzetti over 5 years ago

  • Assignee set to Massimo Palazzetti

#6 Updated by Davide Principi over 5 years ago

#7 Updated by Giacomo Sanchietti over 5 years ago

  • Assignee deleted (Massimo Palazzetti)

#8 Updated by Giacomo Sanchietti over 5 years ago

  • Assignee set to Giacomo Sanchietti

#9 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 90

On existing machine, before update:

[root@localhost ~]# net sam show domadmins
LOCALHOST\domadmins is a Domain Group with SID S-1-5-21-2812897811-3728447170-3509983029-1003

After update:

[root@localhost ~]# net sam show domadmins
LOCALHOST\domadmins is a Domain Group with SID S-1-5-21-2812897811-3728447170-3509983029-512

On a new machine:

[root@localhost ~]# net sam show domadmins
LOCALHOST\domadmins is a Domain Group with SID S-1-5-21-1040656367-3771596389-2987552463-512

OK.

#10 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-updates:
  • nethserver-samba-1.4.4-1.ns6.noarch.rpm

#11 Updated by Davide Principi about 5 years ago

Also available in: Atom PDF