[Samba] XP Administrator has no access to shares

Gémes Géza geza at kzsdabas.hu
Sat Aug 18 15:00:42 MDT 2012


On 2012-08-18 08:48, steve wrote:
> On 17/08/12 13:17, Gémes Géza wrote:
>> On 2012-08-17 11:44, steve wrote:
>>> Hi
>>> S4 DC with S3 fileserver.
>>>
>>> smb.conf on the fileserver:
>>> [global]
>>>     workgroup = ALTEA
>>>     realm = HH3.SITE
>>>     security = ADS
>>>     kerberos method = secrets and keytab
>>>     winbind enum users = Yes
>>>     winbind enum groups = Yes
>>>     idmap config *:backend = tdb
>>>     idmap config *:range = 3000-4000
>>>     idmap config ALTEA:backend = ad
>>>     idmap config ALTEA:range = 20000-40000000
>>>     idmap config ALTEA:schema_mode = rfc2307
>>>     winbind nss info = rfc2307
>>>     winbind expand groups = 2
>>>     winbind nested groups = yes
>>>     usershare allow guests = No
>>>     winbind refresh tickets = yes
>>>
>>> [home]
>>>     path = /home2/home
>>>     read only = No
>>>
>>> [staff]
>>>     path = /home2/staff
>>>     read only = No
>>>
>>> [profiles]
>>>     path = /home2/profiles
>>>     read only = No
>>>     store dos attributes = Yes
>>>     create mask = 0600
>>>     directory mask = 0700
>>>
>>> [dropbox]
>>>     path = /home2/dropbox
>>>     force create mode = 0660
>>>     force directory mode = 0770
>>>     read only = No
>>>
>>> wbinfo -u lists Administrator but getent passwd lists only those users
>>> with a uidNumber and gidNumber. The latter users can login to xp and
>>> enter the shares fine. Administrator can login but gets a password
>>> prompt each time he hits a share. Giving the correct password results
>>> in XP stating that he has no permission to access the share.
>>>
>>> How do I get Administrator to enter and manipulate the shares? I
>>> thought that that was his purpose.
>>>
>>> Cheers,
>>> Steve
>> First: the Windows in the security model Administrator=root from the
>> Unix world it is just a predefined account member of the Administrators
>> or in a domain of the Domain Admins group and that gives access, so you
>> could do all the management operations from any other user account member
>> of the Domain Admins group.
>> Second: samba3 smbd and thus s3fs (I think ntvfs not, but I could be
>> wrong) needs that the connected user have a valid uid/gidnumber in order
>> to be able to check the posix acl permissions, so if you want to connect
>> to a Samba3 box with Administrator, first give it all the posix
>> attributes you've given to the other user accounts (however it doesn't
>> need a unixHomedirectory or loginshell if you won't login e.g. via ssh
>> as Administrator)
>>
>> Regards
>>
>> Geza Gemes
>
> Hi Geza
> OK. Domain Admins and Domain Users have posixGroup and gidNumber. They 
> show on getent passwd <name of group>
>
> I login to XP as Administrator. I can do stuff like unjoin the domain 
> and change the DNS address but I cannot access the shares.
>
> Is there a user in m$ that is like the root user in Linux?
>
> Should domain admins have a gidNumber of 0 (zero)? Should domain 
> admins also have a posixAccount with a uidNumber of 0 (zero)?
>
> What am I missing?
> Cheers,
> Steve
Hi Steve,

First check if the user has permissions on the box running samba3
Second check if you have in the share definition any of valid user, 
write list, read list, readable, writable parameters

Regards

Geza Gemes
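
The two checks suggested in the reply above, as an added example (not part of the original thread and not Samba project code). The sample configuration, the share names and the function names `share_acl_params` and `nss_resolves` are constructed for illustration; the parameter names matched are standard smb.conf access-control options.

```shell
#!/bin/sh
# Constructed sample smb.conf text (not the poster's configuration):
# one unrestricted share and one share limited by user lists.
SAMPLE_CONF='[global]
    workgroup = EXAMPLE
    security = ADS

[staff]
    path = /srv/staff
    read only = No

[restricted]
    path = /srv/restricted
    valid users = alice, @staffgroup
    write list = alice
    read only = Yes
'

# Read smb.conf text on stdin and print one "section<TAB>parameter<TAB>value"
# line for every parameter that restricts who may read or write a share.
# Settings found in [global] are reported too, since they act as defaults.
share_acl_params() {
    awk '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                    # [section] header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s)
            section = s; next
        }
        section != "" && index($0, "=") {
            i = index($0, "=")
            key = tolower(substr($0, 1, i - 1)); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key ~ /^(valid users|invalid users|read list|write list|read only|writable|writeable)$/)
                printf "%s\t%s\t%s\n", section, key, val
        }
    '
}

# Return 0 if the account resolves through NSS, i.e. smbd can map it to a
# uid/gid. An account listed by "wbinfo -u" but failing here has no POSIX id.
nss_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Stand-alone run: report the restricting parameters in the sample.
printf '%s' "$SAMPLE_CONF" | share_acl_params
```

On a file server, `testparm -s 2>/dev/null | share_acl_params` runs the same report over the loaded configuration, and `nss_resolves Administrator` shows whether the account has a usable uid.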

