Bug #2733
Domain Administrators rights not enforced by workstations
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-samba | | |
| Target version: | v6.5 | | |
| Security class: | | Resolution: | |
| Affected version: | v6.5-final | NEEDINFO: | No |
Description
- Set NethServer as Windows Domain Controller (PDC)
- Join a workstation with the domain
After the machine join, the admin user has no administrative privileges on the workstation.
Expected results
After joining the domain, the domadmins group members must have administrative privileges on domain workstations.
Version
nethserver-samba-1.4.2-1.ns6.noarch
Related issues
Associated revisions
nethserver-samba-sam-conf: fix unexpected group RIDs. Refs #2733.
domadmins, domusers, domguests are expected to be assigned well-known
RIDs. If a group RID does not match the expectation it is re-mapped.
History
#1 Updated by Davide Principi over 7 years ago
After #2492 the domadmins is created with a wrong RID. It must be the well-known RID 512 to work.
If you have installed nethserver-samba 1.4.0, before 2014-02-07 (in other words you had a v6.4-beta2 installation) you may not be affected by this bug. Check if you have the right domadmins RID with the following command:
    # net sam show domadmins
    XYZ\domadmins is a Domain Group with SID S-1-5-21-[ ... ]-512
Last three numbers must be 512.
Fix the problem
A manual fix can be applied:
    # net groupmap delete ntgroup=domadmins
    # net groupmap add rid=512 unixgroup=domadmins type=d ntgroup="Domain Admins" comment="Domain Administrators"
#2 Updated by Davide Principi about 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#3 Updated by Davide Principi about 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 60
Test case
The bug must be fixed after upgrading an affected system and must not affect a new nethserver-samba installation. Check both.
#4 Updated by Davide Principi about 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
- nethserver-samba-1.4.2-6.0gite2c744e4.ns6.noarch.rpm
- nethserver-samba-1.4.3.1-1.ns6.noarch.rpm (rebuild for bad tag)
#5 Updated by Massimo Palazzetti about 7 years ago
- Assignee set to Massimo Palazzetti
#6 Updated by Davide Principi about 7 years ago
- Related to Enhancement #2747: Decrease default Samba log verbosity added
#7 Updated by Giacomo Sanchietti about 7 years ago
- Assignee deleted (Massimo Palazzetti)
#8 Updated by Giacomo Sanchietti about 7 years ago
- Assignee set to Giacomo Sanchietti
#9 Updated by Giacomo Sanchietti about 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 70 to 90
On existing machine, before update:
    [root@localhost ~]# net sam show domadmins
    LOCALHOST\domadmins is a Domain Group with SID S-1-5-21-2812897811-3728447170-3509983029-1003
After update:
    [root@localhost ~]# net sam show domadmins
    LOCALHOST\domadmins is a Domain Group with SID S-1-5-21-2812897811-3728447170-3509983029-512
On a new machine:
    [root@localhost ~]# net sam show domadmins
    LOCALHOST\domadmins is a Domain Group with SID S-1-5-21-1040656367-3771596389-2987552463-512
OK.
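The RID check described in comments #1 and #9, as an added shell example that is not part of the original issue or of the nethserver-samba code: it extracts the RID from a line of net sam show output and compares it with the expected well-known value. The function names are hypothetical; RID 512 for domadmins comes from the issue, while 513 (Domain Users) and 514 (Domain Guests) are the standard Windows values assumed for the other two groups.

```shell
# Added example: audit Samba group mappings against well-known domain RIDs.
# Expected RID per unix group. 512 is stated in the issue; 513 and 514 are the
# standard Windows RIDs for Domain Users and Domain Guests (assumed here).
expected_rid() {
    case "$1" in
        domadmins) echo 512 ;;
        domusers)  echo 513 ;;
        domguests) echo 514 ;;
        *) return 1 ;;
    esac
}

# Print the RID (last SID component) found in one line of "net sam show"
# output. Returns 1 if no S-1-5-21-... SID ending in a numeric RID is found.
rid_from_line() {
    case "$1" in
        *"SID S-1-5-21-"*) ;;
        *) return 1 ;;
    esac
    sid=${1##*"SID "}        # text after the last "SID "
    sid=${sid%%[!S0-9-]*}    # cut at the first character that cannot be in a SID
    rid=${sid##*-}           # last dash-separated component
    case "$rid" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$rid"
}

# Returns 0 when the mapped RID matches, 1 on mismatch, 2 when the group is
# unknown or the line cannot be parsed.
check_group() {
    grp=$1
    want=$(expected_rid "$grp") || return 2
    have=$(rid_from_line "$2") || return 2
    if [ "$have" = "$want" ]; then
        printf 'OK        %s has RID %s\n' "$grp" "$have"
    else
        printf 'MISMATCH  %s has RID %s, expected %s\n' "$grp" "$have" "$want"
        return 1
    fi
}

# Sample output lines quoted from the verification comment in this issue
# (same server before and after the package update).
while IFS= read -r line; do
    check_group domadmins "$line" || true
done <<'EOF'
LOCALHOST\domadmins is a Domain Group with SID S-1-5-21-2812897811-3728447170-3509983029-1003
LOCALHOST\domadmins is a Domain Group with SID S-1-5-21-2812897811-3728447170-3509983029-512
EOF
```

On a live server, pass the real output instead of the samples: check_group domadmins "$(net sam show domadmins)".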
#10 Updated by Giacomo Sanchietti about 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-samba-1.4.4-1.ns6.noarch.rpm
#11 Updated by Davide Principi almost 7 years ago
- Related to Enhancement #2792: Samba: map local users to Domain Users added