Hi all,
(especially @scheinig and @DirkS ;))
I am unsure if I have an issue here. At least one Windows program has issues when installed on the server instead of the local disk. When installed on the server, it always complains of not having access or not finding a file, even though when using Explorer I can find the file and have full access (as the same user). So I did some log watching and found this in log.smbd:
[2021/07/28 12:45:13.944540, 0, pid=18750] ../../source4/auth/unix_token.c:97(security_token_to_unix_token)
Unable to convert first SID (S-1-5-21-963731466-2093488295-4049041747-1120) in user token to a UID. Conversion was returned as type 0, full token:
[2021/07/28 12:45:13.944589, 0, pid=18750] ../../libcli/security/security_token.c:57(security_token_debug)
Security token SIDs (6):
SID[ 0]: S-1-5-21-963731466-2093488295-4049041747-1120
SID[ 1]: S-1-5-21-963731466-2093488295-4049041747-515
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-5-32-554
Privileges (0x 800000):
Privilege[ 0]: SeChangeNotifyPrivilege
Rights (0x 400):
Right[ 0]: SeRemoteInteractiveLogonRight
Strange enough. So I tried (with the help of this great Community forum ;)) wbinfo:
root@praxis:/srv/praxis# wbinfo -S S-1-5-21-963731466-2093488295-4049041747-1120
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-963731466-2093488295-4049041747-1120 to uid
Hmmmm… ok, there is an error. Now I was looking for the SID with univention-ldapsearch:
root@praxis:/srv/praxis# univention-ldapsearch sambaSID=S-1-5-21-963731466-2093488295-4049041747-1120
# extended LDIF
#
# LDAPv3
# base <dc=xxx> (default) with scope subtree
# filter: sambaSID=S-1-5-21-963731466-2093488295-4049041747-1120
# requesting: ALL
#
# ANM, computers, xxx.de
dn: cn=ANM,cn=computers,dc=xxx,dc=de
univentionServerRole: windows_client
displayName: ANM
cn: ANM
krb5PrincipalName: host/ANM.xxx.de@XXX.DE
objectClass: krb5KDCEntry
objectClass: top
objectClass: univentionHost
objectClass: univentionObject
objectClass: sambaSamAccount
objectClass: person
objectClass: shadowAccount
objectClass: univentionWindows
objectClass: krb5Principal
objectClass: posixAccount
loginShell: /bin/false
univentionObjectType: computers/windows
uidNumber: 2017
krb5KDCFlags: 126
sambaAcctFlags: [W ]
krb5MaxRenew: 604800
sn: ANM
homeDirectory: /dev/null
krb5MaxLife: 86400
uid: ANM$
gidNumber: 1005
sambaPrimaryGroupSID: S-1-5-21-963731466-2093488295-4049041747-11011
aRecord: 192.168.1.50
associatedDomain: xxx.de
univentionNetworkLink: cn=PRAXIS,cn=networks,dc=xxx,dc=de
macAddress: 54:04:a6:81:7f:74
univentionOperatingSystem: Windows 10 Pro
univentionOperatingSystemVersion: 10.0 (19042)
sambaSID: S-1-5-21-963731466-2093488295-4049041747-1120
sambaNTPassword: C7753A7CBF8785675234345987395E2C62C72
krb5KeyVersionNumber: 56
shadowLastChange: 18836
sambaPwdLastSet: 1627467662
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
So it appears it is the computer account for the computer ANM. Ok, fine. Yes, this can obviously not be converted to a USER-ID. But why is Samba then complaining about this?
(BTW: I already did a re-join of the Windows PC with no change).
Any ideas?
/KNEBB
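
Added example, not part of the original post: a Python sketch that reads the token dump from the log.smbd excerpt above and labels each SID with the standard Windows well-known SID and RID names, so a machine-account token can be recognised before running wbinfo or an LDAP search. The function names are hypothetical, the SID lines are copied from the post, and treating the presence of Domain Computers (RID 515) as a sign of a machine account is a heuristic assumed here.

```python
import re

# Standard Windows well-known SIDs and domain-relative RIDs.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   515: "Domain Computers", 516: "Domain Controllers"}

# Matches the "SID[ 0]: S-1-..." lines printed by security_token_debug.
SID_LINE = re.compile(r"SID\[\s*(\d+)\]:\s*(S-1-[\d-]+)")

# SID lines copied from the log.smbd excerpt in the post.
SAMPLE = """\
Security token SIDs (6):
SID[ 0]: S-1-5-21-963731466-2093488295-4049041747-1120
SID[ 1]: S-1-5-21-963731466-2093488295-4049041747-515
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-5-32-554
"""

def parse_token(log_text):
    """Return the SIDs of one token dump, ordered by their index."""
    found = {int(i): sid for i, sid in SID_LINE.findall(log_text)}
    return [found[i] for i in sorted(found)]

def describe(sid):
    """Label a SID from the tables above, or report its domain RID."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    if sid.startswith("S-1-5-21-"):
        rid = int(sid.rsplit("-", 1)[1])
        return WELL_KNOWN_RIDS.get(rid, f"domain account or group, RID {rid}")
    return "unknown"

def looks_like_machine_token(sids):
    """Heuristic (assumption): token holds Domain Computers of the first SID's domain."""
    if not sids or not sids[0].startswith("S-1-5-21-"):
        return False
    domain = sids[0].rsplit("-", 1)[0]
    return f"{domain}-515" in sids[1:]

if __name__ == "__main__":
    sids = parse_token(SAMPLE)
    for i, sid in enumerate(sids):
        print(f"SID[{i}] {sid}: {describe(sid)}")
    print("machine account token:", looks_like_machine_token(sids))
```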