Can't remove the Domain Admin from the local administrators group
root@ns3135:/export/home/admin# smbadm remove-member -m S-1-5-21-2474407876-1406958945-3323148532-512 administrator
failed to remove S-1-5-21-2474407876-1406958945-3323148532-512 (group not found)
root@ns3135:/export/home/admin# smbadm show -m
administrators (Members can fully administer the computer/domain)
backup operators (Members can bypass file security to back up files)
power users (Members can share directories)
root@ns3135:/export/home/admin# smbadm remove-member -m S-1-5-21-2474407876-1406958945-3323148532-512 administrators
failed to remove S-1-5-21-2474407876-1406958945-3323148532-512 (not a member)
Updated by Gordon Ross 10 months ago
OK, I've figured out how this happens. As P. discovered, we get a group member you can't remove when adding a group member by SID immediately after joining a domain. At that point we can't yet look up names to get SIDs. In that scenario, when NMV/NMS adds the SID for "Domain Admins" to the administrators group, in smbadm.c : smbadm_group_add_del_member() we recognize that we're adding by SID and try to get the "SID type". That fails, so we continue with "SID type" = SidTypeUnknown and add the member with that SID type. Later, when we try to remove that member from the group, we again look up the account, which normally now works, and for "Domain Admins" we get SID type = SidTypeGroup. We search the member list for that SID+type combination and don't find it (because the entry was added with SidTypeUnknown).
This "SID type" baloney has no business being here, but we'll have to work around that until we can get rid of "SID types".
Two parts: (a) Make a better guess (for now) about the SID type (guess SidTypeGroup) when we can't lookup the account.
(b) Ignore the SID type when looking for an account to remove from a group.
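To make the failure mode and the two-part fix concrete, here is an added C model of the group member list. It is not the illumos smbadm.c code: the struct layout, the helper names (`group_add_member`, `group_remove_member`, `lookup_sid_type`, `scenario`) and the stand-in lookup that fails until the domain is reachable are all assumptions made for illustration; only the Domain Admins SID is taken from the page. The `guess_group` flag models fix (a) and `ignore_type` models fix (b), so each can be tried on its own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The two SID types the comment names; only the distinction matters here. */
typedef enum { SidTypeUnknown, SidTypeGroup } sid_type_t;

#define MAX_MEMBERS 8
#define SID_LEN 64

typedef struct {
	char		sid[SID_LEN];
	sid_type_t	type;
} member_t;

typedef struct {
	member_t	members[MAX_MEMBERS];
	int		count;
} group_t;

/* Sample input: the Domain Admins SID quoted in the bug report. */
static const char *const DOMAIN_ADMINS_SID =
	"S-1-5-21-2474407876-1406958945-3323148532-512";

/*
 * Assumed stand-in for the account lookup. Right after the domain join it
 * cannot resolve anything (returns false); once the domain is reachable it
 * reports the sample SID as a group.
 */
static bool
lookup_sid_type(const char *sid, bool domain_reachable, sid_type_t *type)
{
	if (!domain_reachable)
		return (false);
	if (strcmp(sid, DOMAIN_ADMINS_SID) == 0) {
		*type = SidTypeGroup;
		return (true);
	}
	return (false);
}

/*
 * Add a member by SID. When the lookup fails, the original code fell back
 * to SidTypeUnknown; fix (a) guesses SidTypeGroup instead.
 */
static int
group_add_member(group_t *g, const char *sid, bool domain_reachable,
    bool guess_group)
{
	sid_type_t type;

	if (g->count >= MAX_MEMBERS)
		return (-1);
	if (!lookup_sid_type(sid, domain_reachable, &type))
		type = guess_group ? SidTypeGroup : SidTypeUnknown;
	(void) snprintf(g->members[g->count].sid, SID_LEN, "%s", sid);
	g->members[g->count].type = type;
	g->count++;
	return (0);
}

/*
 * Remove a member by SID. The original code required SID and type to match;
 * fix (b) matches on the SID alone. Returns -1 for "not a member".
 */
static int
group_remove_member(group_t *g, const char *sid, bool domain_reachable,
    bool ignore_type)
{
	sid_type_t type = SidTypeUnknown;
	int i;

	(void) lookup_sid_type(sid, domain_reachable, &type);
	for (i = 0; i < g->count; i++) {
		member_t *m = &g->members[i];

		if (strcmp(m->sid, sid) != 0)
			continue;
		if (!ignore_type && m->type != type)
			continue;
		g->members[i] = g->members[g->count - 1];
		g->count--;
		return (0);
	}
	return (-1);
}

/*
 * The scenario from the comment: add Domain Admins by SID while lookups
 * still fail, then remove it once lookups work. Returns the result of the
 * remove: 0 on success, -1 for "not a member".
 */
int
scenario(bool guess_group, bool ignore_type)
{
	group_t admins = { .count = 0 };

	(void) group_add_member(&admins, DOMAIN_ADMINS_SID, false, guess_group);
	return (group_remove_member(&admins, DOMAIN_ADMINS_SID, true,
	    ignore_type));
}

int
main(void)
{
	printf("original:     %s\n",
	    scenario(false, false) == 0 ? "removed" : "not a member");
	printf("fix (a) only: %s\n",
	    scenario(true, false) == 0 ? "removed" : "not a member");
	printf("fix (b) only: %s\n",
	    scenario(false, true) == 0 ? "removed" : "not a member");
	printf("both fixes:   %s\n",
	    scenario(true, true) == 0 ? "removed" : "not a member");
	return (0);
}
```

Either part alone is enough to make the remove succeed in this scenario: (a) makes the stored type agree with what the later lookup returns, while (b) stops the type from being consulted at all. Applying both means a member added by SID is removable even if a later lookup were to return yet another type.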
Updated by Electric Monk 9 months ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
commit d4c7367e08269b5554f55db1e77ddeb28a011771
Author: Gordon Ross <firstname.lastname@example.org>
Date: 2019-05-28T17:34:10.000Z

10981 Can't remove the Domain Admin from the local administrators group
Reviewed by: Dan Fields <email@example.com>
Reviewed by: Matt Barden <firstname.lastname@example.org>
Reviewed by: Evan Layton <email@example.com>
Approved by: Garrett D'Amore <firstname.lastname@example.org>