Bug #10981

Can't remove the Domain Admin from the local administrators group

Added by Gordon Ross 5 months ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Start date:
2019-05-14
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage

Description

root@ns3135:/export/home/admin# smbadm remove-member -m S-1-5-21-2474407876-1406958945-3323148532-512 administrator
failed to remove S-1-5-21-2474407876-1406958945-3323148532-512 (group not found)
root@ns3135:/export/home/admin# smbadm show -m
administrators (Members can fully administer the computer/domain)
SID: S-1-5-32-544
Members:
S-1-5-21-2474407876-1406958945-3323148532-512 [NONE_MAPPED]
backup operators (Members can bypass file security to back up files)
SID: S-1-5-32-551
No members
power users (Members can share directories)
SID: S-1-5-32-547
No members
root@ns3135:/export/home/admin# smbadm remove-member -m S-1-5-21-2474407876-1406958945-3323148532-512 administrators
failed to remove S-1-5-21-2474407876-1406958945-3323148532-512 (not a member)

History

#1

Updated by Gordon Ross 5 months ago

  • Description updated (diff)
  • Status changed from New to In Progress
#2

Updated by Gordon Ross 5 months ago

OK, I've figured out how this happens. As P. discovered, we get a group member you can't remove when adding a group member by SID immediately after joining a domain. At that point we can't yet lookup names to get SIDs. In that scenario, when NMV/NMS adds the SID for "Domain Admins" to the administrators group, in smbadm.c : smbadm_group_add_del_member() we recognize that we're adding by SID and try to get the "SID type". That fails, so we continue with "SID type" = SidTypeUnknown and add the member with that SID type. Later, when we try to remove that member from the group, we again lookup the account, which normally now works, and for "Domain Admins" we get SID_type = SidTypeGroup. We search the member list for that SID+type combination and don't find it (because the entry was added with SidTypeUnknown).

This "SID type" baloney has no business being here, but we'll have to work around that until we can get rid of "SID types".
Two parts: (a) Make a better guess (for now) about the SID type (guess SidTypeGroup) when we can't lookup the account.
(b) Ignore the SID type when looking for an account to remove from a group.
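
The sequence described in the comment above, as an added illustration that is not illumos or smbadm code: a small C model of the group-member bookkeeping in which the original remove path compares both SID and SID type, so an entry stored with SidTypeUnknown (because the lookup failed right after the domain join) is never matched once the lookup starts returning SidTypeGroup. The two fixes are modelled as flags: fix (a) guesses SidTypeGroup when the lookup fails, fix (b) matches on SID only when removing. All names here (member_t, group_t, lookup_sid_type, add_member, remove_member, scenario) and the in-memory "directory" are invented for the example; the Domain Admins SID is the one quoted in the report.

```c
/*
 * Added example, not illumos/smbadm code: a minimal model of the group-member
 * lookup described in comment #2. All type and function names are invented.
 */
#include <stdio.h>
#include <string.h>

/* The subset of Windows SID_NAME_USE values this example needs. */
typedef enum { SidTypeUser = 1, SidTypeGroup = 2, SidTypeUnknown = 8 } sid_type_t;

#define	MAX_MEMBERS	8
#define	SID_LEN		64

typedef struct {
	char sid[SID_LEN];
	sid_type_t type;
} member_t;

typedef struct {
	member_t m[MAX_MEMBERS];
	int n;
} group_t;

/* Domain Admins SID (RID 512) quoted from the bug report above. */
static const char *DOMAIN_ADMINS_SID =
    "S-1-5-21-2474407876-1406958945-3323148532-512";

/*
 * Stand-in for the account lookup done when adding or removing by SID.
 * lookup_works == 0 models the window right after a domain join, when names
 * and SID types cannot be resolved yet. Returns 0 and sets *type, or -1.
 */
static int
lookup_sid_type(const char *sid, int lookup_works, sid_type_t *type)
{
	if (!lookup_works)
		return (-1);
	/* Constructed directory: only Domain Admins is known, and it is a group. */
	*type = (strcmp(sid, DOMAIN_ADMINS_SID) == 0) ? SidTypeGroup : SidTypeUser;
	return (0);
}

/*
 * Add a member by SID. Original: lookup failure -> store SidTypeUnknown.
 * Fix (a): lookup failure -> guess SidTypeGroup instead.
 */
static int
add_member(group_t *g, const char *sid, int lookup_works, int fix_a)
{
	sid_type_t t;

	if (g->n >= MAX_MEMBERS || strlen(sid) >= SID_LEN)
		return (-1);
	if (lookup_sid_type(sid, lookup_works, &t) != 0)
		t = fix_a ? SidTypeGroup : SidTypeUnknown;
	strcpy(g->m[g->n].sid, sid);
	g->m[g->n].type = t;
	g->n++;
	return (0);
}

/*
 * Remove a member by SID. Original: the stored entry must match both the SID
 * and the freshly looked-up SID type. Fix (b): match on SID only.
 * Returns 0 on success, -1 for "not a member".
 */
static int
remove_member(group_t *g, const char *sid, int lookup_works, int fix_b)
{
	sid_type_t t = SidTypeUnknown;
	int i;

	(void) lookup_sid_type(sid, lookup_works, &t);
	for (i = 0; i < g->n; i++) {
		if (strcmp(g->m[i].sid, sid) != 0)
			continue;
		if (!fix_b && g->m[i].type != t)
			continue;	/* SID matches, stored type does not */
		memmove(&g->m[i], &g->m[i + 1],
		    (size_t)(g->n - i - 1) * sizeof (member_t));
		g->n--;
		return (0);
	}
	return (-1);
}

/*
 * The sequence from the report: add Domain Admins by SID while lookup fails
 * (just after joining), then remove it once lookup works. 0 = removed, -1 = not.
 */
static int
scenario(int fix_a, int fix_b)
{
	group_t g;

	memset(&g, 0, sizeof (g));
	if (add_member(&g, DOMAIN_ADMINS_SID, 0, fix_a) != 0)
		return (-1);
	return (remove_member(&g, DOMAIN_ADMINS_SID, 1, fix_b));
}

int
main(void)
{
	printf("original:     %s\n", scenario(0, 0) == 0 ? "removed" : "not a member");
	printf("fix (a) only: %s\n", scenario(1, 0) == 0 ? "removed" : "not a member");
	printf("fix (b) only: %s\n", scenario(0, 1) == 0 ? "removed" : "not a member");
	printf("both fixes:   %s\n", scenario(1, 1) == 0 ? "removed" : "not a member");
	return (0);
}
```

Either fix alone clears the reported case in this model: (a) stops new entries from being stored as SidTypeUnknown, while (b) is what rescues entries that were already written that way (which is the case the testing note in comment #3 reproduces by forcing an unknown type in the database).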

#3

Updated by Gordon Ross 5 months ago

Testing: Add a member to an SMB group where the "SID type" is unknown then try to remove it.
The easiest way to reproduce this is to directly edit the smbgroups.db file using sql, to force a sid type of unknown.
Fix in production since late 2016

#4

Updated by Electric Monk 5 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit d4c7367e08269b5554f55db1e77ddeb28a011771

commit  d4c7367e08269b5554f55db1e77ddeb28a011771
Author: Gordon Ross <gwr@nexenta.com>
Date:   2019-05-28T17:34:10.000Z

    10981 Can't remove the Domain Admin from the local administrators group
    Reviewed by: Dan Fields <dan.fields@nexenta.com>
    Reviewed by: Matt Barden <matt.barden@nexenta.com>
    Reviewed by: Evan Layton <evan.layton@nexenta.com>
    Approved by: Garrett D'Amore <garrett@damore.org>
