[Samba] Problems with administrator account
Rowland Penny
rowlandpenny241155 at gmail.com
Fri Aug 7 09:53:17 UTC 2015
On 07/08/15 09:37, Aurélien Blachet wrote:
> Oh, thank you.
>
> Just to be sure I understand:
> - getent passwd | grep administrator and id administrator didn't work on the fileserver because the administrator account didn't have a uidNumber
If Administrator doesn't have a uidNumber, it will not be known to the
Unix host, this is why you either have to give Administrator a uidNumber
OR as you are doing, map Administrator to root.
You should be able to change the settings using Administrator (as a
member of Domain Admins) from windows, providing you have set the
required disk operating privileges.
See here for more info:
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>
> - it's also why the administrator account can't manage the fileserver with Windows permissions
>
> Just one more thing please :
>
> Why is my administrators group mapped to unix users?
> [root#fileserver ~]# net groupmap list
> Administrators (S-1-5-32-544) -> users
> Users (S-1-5-32-545) -> BUILTIN\users
Er, it shouldn't be:
rowland at ThinkPad ~ $ sudo net groupmap list
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users
I would change this, try:
net groupmap modify ntgroup="Administrators" unixgroup="BUILTIN\administrators"
One other thing I noticed was your use of 'sanitizing', you use 'XXX',
'LAN' and 'DOMAIN'. As long as these are all replacements for your
workgroup, this shouldn't be a problem.
Lastly, this is my usermap, replace 'EXAMPLE' with your uppercase
workgroup name, this works for me.
!root = EXAMPLE\Administrator Administrator administrator
Note: I also have this line in smb.conf: winbind normalize names = Yes
Rowland
>
> [root at massy01 ~]# net groupmap list verbose
> Administrators
> SID : S-1-5-32-544
> Unix gid : 100
> Unix group: users
> Group type: Local Group
> Comment :
> Users
> SID : S-1-5-32-545
> Unix gid : 101
> Unix group: BUILTIN\users
> Group type: Local Group
> Comment :
>
>
> ________________________________________
> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
> Sent: Thursday 6 August 2015 17:51
> To: samba at lists.samba.org
> Subject: Re: [Samba] Problems with administrator account
>
> On 06/08/15 15:32, Aurélien Blachet wrote:
>> I still have the same problem with :
>> [root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
>> !root = DOMAIN\Administrator DOMAIN\\Administrator DOMAIN\administrator Administrator administrator
>>
>> ________________________________________
>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
>> Sent: Thursday 6 August 2015 16:06
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Problems with administrator account
>>
>> On 06/08/15 12:57, Aurélien Blachet wrote:
>>> Hello,
>>>
>>> I just migrated my fileserver from samba3 to samba4 but I have a problem with the administrator account.
>>>
>>> The group "domain admins" has the permission to manage all my shares.
>>>
>>> Administrator is a member of the group "domain admins" but he can't manage the security tab of all my shares when I remove "full control" from the share permissions tab.
>>>
>>> While all the members of "Domain admins", except administrator, didn't have this problem.
>>>
>>> I think the problem appears when we map "administrator" to "root" in the smb.conf.
>>>
>>> Moreover, the "administrator" account didn't appear with a getent passwd:
>>>
>>> [root at fileserver ~]# getent passwd |grep dministrator
>>>
>>> [root at fileserver ~]# wbinfo -u |grep dministrator
>>> administrator
>>>
>>> my smb.conf:
>>> [global]
>>>
>>> netbios name = XXX
>>> workgroup = XXX
>>> security = ADS
>>> realm = XXX.XXX
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> username map = /usr/local/samba/etc/samba_usermapping
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 300000-400000
>>> idmap config XXX:backend = ad
>>> idmap config XXX:schema_mode = rfc2307
>>> idmap config XXX:range = 500-200000
>>>
>>> winbind nss info = rfc2307
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind refresh tickets = Yes
>>> vfs objects = acl_xattr
>>> map acl inherit = Yes
>>> store dos attributes = Yes
>>> template homedir = /home/%U
>>> ...
>>>
>>> [shareA]
>>> path =/xxx/shareA
>>> comment =
>>> hosts allow = X.X.X.
>>> writable = Yes
>>> read only = No
>>>
>>> Local permissions
>>> [root at fileserver]# getfacl /xxx/shareA
>>> # file: alp-exp
>>> # owner: root
>>> # group: root
>>> user::rwx
>>> user:root:rwx
>>> group::rwx
>>> group:root:rwx
>>> group:domain\040admins:rwx
>>> group:domain\040users:rwx
>>> mask::rwx
>>> other::rwx
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:group::r-x
>>> default:group:root:r-x
>>> default:group:domain\040users:rwx
>>> default:mask::rwx
>>> default:other::r-x
>>> And the mapping between root and administrator
>>> [root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
>>> !root = LAN\Administrator LAN\\Administrator LAN\administrator
>> Try adding 'Administrator administrator' to the line in 'samba_usermapping'
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
> Ah, I think you are mixing up Unix permissions and windows permissions.
> You will only get 'Administrator' to show up with getent if you give the
> Administrator user a uidNumber and use the 'ad' backend. As you are
> mapping 'Administrator' to root it will get the UID of '0' which is also
> the UID of 'root'. From windows you will set the permissions of
> 'Administrator', but on the unix side using getfacl it will show as 'root'.
>
> Rowland
>
>
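Since the fix in this thread hinges on which spellings of the name appear on the right-hand side of the username map line, here is an added Python model of how Samba walks a 'username map' file (written for this page, not Samba's own code): rules apply top to bottom to the current name, a leading '!' stops processing once its line matches, '*' matches anything and '@group' matches members of a Unix group. Two things are assumptions of this toy: names compare case-insensitively, and group membership comes from a constructed dict; the sample maps are the poster's original line and Rowland's suggested one.

```python
from typing import Dict, Iterable, List, Optional, Tuple
# One rule per 'unix = dos1 dos2 ...' line: (stop_after_match, unix_name, dos_names)
Rule = Tuple[bool, str, List[str]]

def parse_username_map(text: str) -> List[Rule]:
    """Parse map-file text; '#' and ';' start comments, blank lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")          # '!' = stop once this line maps
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, rhs = line.partition("=")
        if not sep or not unix_name.strip():
            continue                          # malformed line ignored (assumption)
        rules.append((stop, unix_name.strip(), rhs.split()))
    return rules

def map_username(user: str, rules: List[Rule],
                 groups: Optional[Dict[str, Iterable[str]]] = None) -> str:
    """Return the Unix name 'user' maps to; rules run top to bottom on the current name."""
    groups = groups or {}
    current = user
    for stop, unix_name, dos_names in rules:
        matched = False
        for name in dos_names:
            if name == "*":
                matched = True
            elif name.startswith("@"):        # '@grp': any member of Unix group grp
                matched = any(current.lower() == m.lower() for m in groups.get(name[1:], ()))
            else:                             # assumption: case-insensitive compare
                matched = name.lower() == current.lower()
            if matched:
                break
        if matched:
            current = unix_name
            if stop:
                break
    return current

# Constructed maps: the poster's original line and Rowland's suggested one.
ORIGINAL_MAP = r"!root = LAN\Administrator LAN\\Administrator LAN\administrator"
FIXED_MAP = r"!root = EXAMPLE\Administrator Administrator administrator"

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_MAP), ("fixed", FIXED_MAP)):
        for u in ("LAN\\Administrator", "Administrator", "bob"):
            print(f"{label:8} {u:18} -> {map_username(u, parse_username_map(text))}")
```

With the original map a bare "Administrator" (as seen when 'winbind use default domain = yes' strips the domain) falls through unmapped, while the suggested line sends every listed spelling to root.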