Task #32953
Scenario #32254: Study the possibility of renaming the client workstation in addition to the Salt key
Allow eole-workstation-manager to rename a PC
100%
Description
On a PC logged on as pcadmin, if the domain account 'eole-workstation-manager' is used to rename the PC, a permissions problem appears.
If the admin account is used, it works normally.
So a right is missing on the 'eole-workstation-manager' account.
See: screenshot
Related issues
History
#1 Updated by Gilles Grandgérard almost 3 years ago
Attempt to rename PC-609788B$ to PC-609788C$.
Note that the AD object is not modified.
Note that only the 'samAccountName' attribute is modified.
==> log.samba <==
[2021/07/16 10:30:00.695557, 4] ../../auth/auth_log.c:753(log_successful_authz_event_human_readable)
Successful AuthZ: [DCE/RPC,ncacn_np] user [DOMPEDAGO]\[eole-workstation-manager] [S-1-5-21-156656394-1840216754-3105095414-1110] at [Fri, 16 Jul 2021 10:30:00.695534 CEST] Remote host [ipv4:10.1.2.50:50985] local host [ipv4:10.1.3.11:445]
{"timestamp": "2021-07-16T10:30:00.695620+0200", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": "ipv4:10.1.3.11:445", "remoteAddress": "ipv4:10.1.2.50:50985", "serviceDescription": "DCE/RPC", "authType": "ncacn_np", "domain": "DOMPEDAGO", "account": "eole-workstation-manager", "sid": "S-1-5-21-156656394-1840216754-3105095414-1110", "sessionId": "ed715813-c7c9-40c2-951c-6fe389713778", "logonServer": "ADDC", "transportProtection": "SMB", "accountFlags": "0x00000210"}}
[2021/07/16 10:30:00.698995, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of privilege.ldb
[2021/07/16 10:30:00.702271, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2021/07/16 10:30:00.704652, 4] ../../auth/auth_log.c:753(log_successful_authz_event_human_readable)
Successful AuthZ: [DCE/RPC,ncacn_np] user [DOMPEDAGO]\[eole-workstation-manager] [S-1-5-21-156656394-1840216754-3105095414-1110] at [Fri, 16 Jul 2021 10:30:00.704637 CEST] Remote host [ipv4:10.1.2.50:50985] local host [ipv4:10.1.3.11:445]
{"timestamp": "2021-07-16T10:30:00.704710+0200", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": "ipv4:10.1.3.11:445", "remoteAddress": "ipv4:10.1.2.50:50985", "serviceDescription": "DCE/RPC", "authType": "ncacn_np", "domain": "DOMPEDAGO", "account": "eole-workstation-manager", "sid": "S-1-5-21-156656394-1840216754-3105095414-1110", "sessionId": "ed715813-c7c9-40c2-951c-6fe389713778", "logonServer": "ADDC", "transportProtection": "SMB", "accountFlags": "0x00000210"}}
[2021/07/16 10:30:00.714463, 5] ../../lib/audit_logging/audit_logging.c:95(audit_log_human_text)
DSDB Change [Modify] at [Fri, 16 Jul 2021 10:30:00.714421 CEST] status [insufficient access rights] remote host [ipv4:10.1.2.50:50985] SID [S-1-5-21-156656394-1840216754-3105095414-1110] DN [CN=PC-609788,OU=Ordinateurs du Domaine,DC=dompedago,DC=etb1,DC=lan] attributes
[replace: samAccountName [PC-609788C$]]
{"timestamp": "2021-07-16T10:30:00.714516+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 50, "status": "insufficient access rights", "operation": "Modify", "remoteAddress": "ipv4:10.1.2.50:50985", "performedAsSystem": false, "userSid": "S-1-5-21-156656394-1840216754-3105095414-1110", "dn": "CN=PC-609788,OU=Ordinateurs du Domaine,DC=dompedago,DC=etb1,DC=lan", "transactionId": "22a18d08-bcfa-4311-b6f2-39524506d7b4", "sessionId": "ed715813-c7c9-40c2-951c-6fe389713778", "attributes": {"samAccountName": {"actions": [{"action": "replace", "values": [{"value": "PC-609788C$"}]}]}}}}
[2021/07/16 10:30:00.714565, 5] ../../lib/audit_logging/audit_logging.c:95(audit_log_human_text)
DSDB Transaction [rollback] at [Fri, 16 Jul 2021 10:30:00.714558 CEST] duration [1432]
{"timestamp": "2021-07-16T10:30:00.714579+0200", "type": "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action": "rollback", "transactionId": "22a18d08-bcfa-4311-b6f2-39524506d7b4", "duration": 1432}}
[2021/07/16 10:30:00.714636, 1] ../../source4/rpc_server/samr/dcesrv_samr.c:3971(dcesrv_samr_SetUserInfo)
Failed to modify record CN=PC-609788,OU=Ordinateurs du Domaine,DC=dompedago,DC=etb1,DC=lan: Object CN=PC-609788, *OU=Ordinateurs du Domaine,DC=dompedago,DC=etb1,DC=lan has no write property access*
[2021/07/16 10:30:00.717321, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
#3 Updated by Gilles Grandgérard almost 3 years ago
Extraction procedure:
on the ADDC:
# Resolve both account names to SIDs (wbinfo prints "<SID> <type> (n)"; keep the SID only)
SID_ADMIN="$(wbinfo --name-to-sid admin | awk '{print $1;}')"
SID_EOLE_WORKSTATION_MANAGER="$(wbinfo --name-to-sid eole-workstation-manager | awk '{print $1;}')"
# Dump the security descriptors, replace the two SIDs with readable names and put one ACE per line
samba-tool dsacl get | sed -e "s/$SID_ADMIN/admin/g" | sed -e "s/$SID_EOLE_WORKSTATION_MANAGER/eole-workstation-manager/g" | sed -e 's/)(/)\n(/g' >/tmp/dsacl_all
samba-tool dsacl get --objectdn="CN=Computers,DC=dompedago,DC=etb1,DC=lan" | sed -e "s/$SID_ADMIN/admin/g" | sed -e "s/$SID_EOLE_WORKSTATION_MANAGER/eole-workstation-manager/g" | sed -e 's/)(/)\n(/g' >/tmp/dsacl_Computers
samba-tool dsacl get --objectdn="CN=Users,DC=dompedago,DC=etb1,DC=lan" | sed -e "s/$SID_ADMIN/admin/g" | sed -e "s/$SID_EOLE_WORKSTATION_MANAGER/eole-workstation-manager/g" | sed -e 's/)(/)\n(/g' >/tmp/dsacl_Users
samba-tool dsacl get --objectdn="OU=Ordinateurs du Domaine,DC=dompedago,DC=etb1,DC=lan" | sed -e "s/$SID_ADMIN/admin/g" | sed -e "s/$SID_EOLE_WORKSTATION_MANAGER/eole-workstation-manager/g" | sed -e 's/)(/)\n(/g' >/tmp/dsacl_Ordinateurs_du_Domaine
samba-tool dsacl get --objectdn="OU=Utilisateurs du Domaine,DC=dompedago,DC=etb1,DC=lan" | sed -e "s/$SID_ADMIN/admin/g" | sed -e "s/$SID_EOLE_WORKSTATION_MANAGER/eole-workstation-manager/g" | sed -e 's/)(/)\n(/g' >/tmp/dsacl_Utilisateurs_du_Domaine
on the Scribe:
# Load the VM context (sets VM_OWNER), then copy the dumps out of the addc container
. getVMContext.sh
cp -f /var/lib/lxc/addc/rootfs/tmp/dsacl_* /mnt/eole-ci-tests/output/$VM_OWNER/
on the developer PC:
# Compare the descriptors side by side
meld /mnt/eole-ci-tests/output/$VM_OWNER/dsacl_*
Gives without/with:
diff /mnt/eole-ci-tests/output/ggrandgerard/dsacl_Utilisateurs_du_Domaine /mnt/eole-ci-tests/output/ggrandgerard/dsacl_Ordinateurs_du_Domaine
1,2c1,12
< descriptor for OU=Utilisateurs du Domaine,DC=dompedago,DC=etb1,DC=lan:
< O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
---
> descriptor for OU=Ordinateurs du Domaine,DC=dompedago,DC=etb1,DC=lan:
> O:DAG:DAD:ARAI(OA;CI;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;admin)
> (OA;CIIO;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;bf967a86-0de6-11d0-a285-00aa003049e2;admin)
> (OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967a86-0de6-11d0-a285-00aa003049e2;admin)
> (OA;CIIO;RPWP;4c164200-20c0-11d0-a768-00aa006e0529;bf967a86-0de6-11d0-a285-00aa003049e2;admin)
> (OA;CIIO;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;bf967a86-0de6-11d0-a285-00aa003049e2;admin)
> (OA;CI;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;eole-workstation-manager)
> (OA;CIIO;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;bf967a86-0de6-11d0-a285-00aa003049e2;eole-workstation-manager)
> (OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967a86-0de6-11d0-a285-00aa003049e2;eole-workstation-manager)
> (OA;CIIO;RPWP;4c164200-20c0-11d0-a768-00aa006e0529;bf967a86-0de6-11d0-a285-00aa003049e2;eole-workstation-manager)
> (OA;CIIO;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;bf967a86-0de6-11d0-a285-00aa003049e2;eole-workstation-manager)
> (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
GUID verification:
DDC790AC-AF4D-442A-8F0F-A1D4CAA7DD92 -> APPLICATION_VERSION see: https://docs.microsoft.com/fr-fr/windows/win32/adschema/c-applicationversion
bf967a86-0de6-11d0-a285-00aa003049e2 -> COMPUTER_OBJECT see: https://docs.microsoft.com/fr-fr/windows/win32/adschema/c-computer
f3a64788-5306-11d1-a9c5-0000f80367c1 -> "Validated-SPN" see: https://docs.microsoft.com/fr-fr/windows/win32/adschema/r-validated-spn
72e39547-7b18-11d1-adef-00c04fd8d5cd -> "Valid-DNS-Host-Name" see: https://docs.microsoft.com/fr-fr/windows/win32/adschema/r-validated-dns-host-name
00299570-246d-11d0-a768-00aa006e0529 -> "User-Force-Change-Password" see: https://docs.microsoft.com/en-us/windows/win32/adschema/r-user-force-change-password
4c164200-20c0-11d0-a768-00aa006e0529 -> "User-Account-Restrictions" see: https://docs.microsoft.com/en-us/windows/win32/adschema/r-user-account-restrictions
So we need:
# Schema GUIDs of the object class, attribute sets, validated writes and extended right used below
COMPUTER_OBJECT="{BF967A86-0DE6-11D0-A285-00AA003049E2}"
APPLICATION_VERSION="{DDC790AC-AF4D-442A-8F0F-A1D4CAA7DD92}"
USER_FORCE_CHANGE_PASSWORD="00299570-246d-11d0-a768-00aa006e0529"
USER_ACCOUNT_RESTRICTIONS="4c164200-20c0-11d0-a768-00aa006e0529"
ECRITURE_VALIDEE_DNS_HOST_NAME="72e39547-7b18-11d1-adef-00c04fd8d5cd"
ECRITURE_VALIDEE_SPN="f3a64788-5306-11d1-a9c5-0000f80367c1"
# SID_ACCOUNT_JONCTION must already hold the SID of the domain-join account (resolved with wbinfo as above)
SDDL="ARAI(OA;CI;CC;${COMPUTER_OBJECT};;${SID_ACCOUNT_JONCTION})(OA;CIIO;CC;${APPLICATION_VERSION};${COMPUTER_OBJECT};${SID_ACCOUNT_JONCTION})(OA;CIIO;CC;;${COMPUTER_OBJECT};${SID_ACCOUNT_JONCTION})(OA;CIIO;SW;${ECRITURE_VALIDEE_DNS_HOST_NAME};${COMPUTER_OBJECT};${SID_ACCOUNT_JONCTION})(OA;CIIO;CR;${USER_FORCE_CHANGE_PASSWORD};${COMPUTER_OBJECT};${SID_ACCOUNT_JONCTION})(OA;CIIO;RPWP;${USER_ACCOUNT_RESTRICTIONS};${COMPUTER_OBJECT};${SID_ACCOUNT_JONCTION})(OA;CIIO;SW;${ECRITURE_VALIDEE_SPN};${COMPUTER_OBJECT};${SID_ACCOUNT_JONCTION})"
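As an added example (not code from the ticket or from the EOLE project), a small Python checker over the ACEs shown in the diff above: it parses the SDDL printed by `samba-tool dsacl get` and reports whether a trustee holds a given right on a given attribute, property set or child class. Run against the eole-workstation-manager ACEs of the Computers OU, it shows what log.samba reports: RP/WP is scoped to the User-Account-Restrictions property set and no ACE grants WP on sAMAccountName, so the rename is refused. The sAMAccountName schema GUID is an assumption taken from the AD schema and is not on the ticket.

```python
"""Added example (not from the ticket): parse the SDDL printed by
`samba-tool dsacl get` and ask whether a trustee holds a given right."""
import re

# Constructed sample: the eole-workstation-manager ACEs from the ticket's diff of
# "OU=Ordinateurs du Domaine", SIDs already replaced by names as the sed pipeline does.
SAMPLE_SDDL = (
    "O:DAG:DAD:ARAI"
    "(OA;CI;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;eole-workstation-manager)"
    "(OA;CIIO;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;bf967a86-0de6-11d0-a285-00aa003049e2;eole-workstation-manager)"
    "(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967a86-0de6-11d0-a285-00aa003049e2;eole-workstation-manager)"
    "(OA;CIIO;RPWP;4c164200-20c0-11d0-a768-00aa006e0529;bf967a86-0de6-11d0-a285-00aa003049e2;eole-workstation-manager)"
    "(OA;CIIO;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;bf967a86-0de6-11d0-a285-00aa003049e2;eole-workstation-manager)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
)
COMPUTER_OBJECT = "bf967a86-0de6-11d0-a285-00aa003049e2"            # computer class (from the ticket)
USER_ACCOUNT_RESTRICTIONS = "4c164200-20c0-11d0-a768-00aa006e0529"  # property set (from the ticket)
# Assumed schemaIDGUID of the sAMAccountName attribute; not on the ticket, verify in your schema.
SAM_ACCOUNT_NAME = "3e0abfd0-126a-11d0-a060-00aa006c33ed"

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_aces(sddl):
    """Return one dict per ACE of the DACL (the D: part, before any S: SACL)."""
    dacl = sddl.split("D:", 1)[-1].split("S:", 1)[0]
    aces = []
    for match in ACE_RE.finditer(dacl):
        fields = match.group(1).split(";")
        if len(fields) != 6:          # malformed ACE: skip rather than guess
            continue
        aces.append({"type": fields[0], "flags": fields[1],
                     "rights": re.findall(r"[A-Z]{2}", fields[2]),  # two-letter right tokens
                     "object": fields[3].lower(), "inherit": fields[4].lower(),
                     "trustee": fields[5]})
    return aces

def grants(sddl, trustee, right, object_guid="", inherited_object_guid=""):
    """True if an allow ACE for `trustee` carries `right` on `object_guid` (attribute,
    property set, extended right or child class; an empty ACE GUID means all of them)
    and applies to `inherited_object_guid` objects (empty ACE field means every type).
    Deny ACEs are not evaluated here."""
    return any(
        ace["trustee"] == trustee and ace["type"] in ("A", "OA")
        and right in ace["rights"]
        and ace["object"] in ("", object_guid.lower())
        and ace["inherit"] in ("", inherited_object_guid.lower())
        for ace in parse_aces(sddl))
```

Feed it the `/tmp/dsacl_*` dumps instead of the constructed sample to audit a real OU; the SID-to-name substitution from the sed pipeline makes the trustee argument a plain account name.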
#4 Updated by Gilles Grandgérard almost 3 years ago
- Status changed from New to In Progress
#5 Updated by Gilles Grandgérard over 2 years ago
- Related to Scenario #33527: Workstation swap problem with Veyon added
#6 Updated by Gilles Grandgérard about 2 years ago
eole-workstation-manager is no longer a "Domain Admin", so it has no rights on the Computers OU.
The first step is on the client workstation:
1) The error on the workstation is normal (it proves that the account no longer has the rights).
2) The described modification corresponds to adding, in 'AD Users and Groups', a delegation role for 'eole-workstation-manager' on the Computers OU.
3) Note #3: I recorded the commands on the Scribe to remember how to retrieve the difference from the Samba/Seth point of view.
#7 Updated by Joël Cuissinat almost 2 years ago
- Status changed from In Progress to Closed
- Assignee set to Gilles Grandgérard
- % Done changed from 0 to 100
- Remaining (hours) set to 0.0