[Samba] Problems with administrator account

Rowland Penny rowlandpenny241155 at gmail.com
Fri Aug 7 14:54:04 UTC 2015


On 07/08/15 14:58, Aurélien Blachet wrote:
> I have a mapping between administrator and root on my fileserver, I sent it to you yesterday. My administrator account didn't have a uid.
>
> I didn't have a mapping or winbindd on my DC. The wiki says it's optional and I have separated my fileserver from my DC.
> So id administrator didn't return anything on the DC or on the fileserver.
>
> My problem is this:
>
> Administrator is a member of "domain admins".
> When I create a share, I remove everybody from "share permissions", I give full access to "domain admin" but "administrator" is the only account of domain admin who can't access the security tab.
> Giving full access to administrator didn't resolve the problem.

OK, I have done some testing on a member server. I created a share in 
smb.conf:

[admintest]
     path = /home/admin
     read only = no

I then created the actual directory and altered the ownership away 
from root after I added Domain Admins from windows.

rowland at ThinkPad ~ $ ls -la /home/admin
total 12
drwxrwx---+  2 rowland unixgroup1 4096 Aug  6 16:24 .
drwxr-xr-x  20 root    root       4096 Aug  6 16:24 ..

Now looking at the file Security tab in windows, I have this:

CREATOR OWNER
CREATOR GROUP
Domain_Admins (EXAMPLE\Domain_Admins)
Domain_Users (EXAMPLE\Domain_Users)
Rowland Penny (EXAMPLE\rowland)
unixgroup1 (EXAMPLE\unixgroup1)

And from Unix:

rowland at ThinkPad ~ $ getfacl /home/admin
getfacl: Removing leading '/' from absolute path names
# file: home/admin
# owner: rowland
# group: unixgroup1
user::rwx
group::---
group:domain_users:r-x
group:domain_admins:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:domain_users:r-x
default:group:domain_admins:rwx
default:mask::rwx
default:other::---

Now, as you can see, root & Administrator have no permission to change 
anything, but Administrator logged into a windows machine has no problem 
adding or deleting users & groups in the Security tab.

I have Administrator mapped to root via a usermap file included in smb.conf:

!root = EXAMPLE\Administrator Administrator administrator

getent passwd Administrator produces nothing

getent group Domain\ Admins
domain_admins:x:10002:s4admin,rowland,administrator

getent group Domain\ Users
domain_users:x:10000:

So, I can only surmise that you have something incorrectly set. Check 
your usermap file: is it similar to mine? Does Domain Users have a 
gidNumber (winbind will not work without it)? Do you get similar results 
for the getent commands above?

Rowland


>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Friday 7 August 2015 15:31
> To: samba at lists.samba.org
> Subject: Re: [Samba] Problems with administrator account
>
> On 07/08/15 14:07, Aurélien Blachet wrote:
>> I guess you want getent group, so I give you both. But administrator is the only user of the "domain admin" group with problems.
> OOPS, yes 'getent group Domain\ Admins'
>
>> [root at fileserver ~]# getent passwd Domain\ Admins
>> [root at fileserver ~]# getent group Domain\ Admins
>> domain admins:x:512:
>>
>> [root at fileserver ~]# ls -la /partages/share
>> total 181260
>> drwxrwxrwx+  2 root  root              4096 26 mars   2013 .
>> drwxr-xr-x  13 root  root              4096  5 août  13:14 ..
>> -rwxrwxrw-+  1 37313 domain users 185597486 26 mars   2013 fichier.rar
>>
>> The user with uid 37313 has been deleted.
>>
>> [root at fileserver ~]# getfacl /partages/share
>> getfacl : suppression du premier « / » des noms de chemins absolus
>> # file: partages/share
>> # owner: root
>> # group: root
>> user::rwx
>> user:root:rwx
>> group::rwx
>> group:root:rwx
>> group:domain\040admins:rwx
>> group:domain\040users:rwx
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:user:root:rwx
>> default:group::rwx
>> default:group:root:r-x
>> default:group:domain\040admins:rwx
>> default:group:domain\040users:rwx
>> default:mask::rwx
>> default:other::rwx
>>
> Hmm, there doesn't seem to be anything wrong there. Domain Admins is known to Unix and there is an ACL set to allow control; this is strange.
>
> Let's see if I understand what you are trying to do:
> You have a share that has permissions to allow Administrator (via root) to control permissions from windows.
> The share can also be controlled from windows with members of Domain Admins.
> But if you remove Administrator from controlling the share in windows, you would expect Administrator to still be able to control via Domain Admins but it cannot.
>
> All I can think of is: does Administrator have a uidNumber? From the smb.conf you posted earlier, you do not seem to have a usermap mapping Administrator to root.
>
> If Administrator is not known to Unix, either via a uidNumber or by being mapped to root, it may be ignored and its group membership not searched for.
>
> I map Administrator to root and if I run 'id Administrator' on a member server, I get nothing returned; the same command on a DC returns:
> root at dc03:~# id Administrator
> uid=0(root) gid=10000(domain users) groups=0(root),10000(domain users),3000009(group policy creator owners),3000010(enterprise admins),10002(domain admins),3000011(schema admins),3000012(denied rodc password replication group),3000001(BUILTIN\users),3000000(BUILTIN\administrators)
>
> Rowland
>
>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Friday 7 August 2015 14:52
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Problems with administrator account
>>
>> On 07/08/15 13:25, Aurélien Blachet wrote:
>>> Sorry for my mistake.
>>>
>>> It resolves the groupmap problem:
>>> [root at fileserver ~]# net groupmap list
>>> Administrators (S-1-5-32-544) -> BUILTIN\administrators
>>> Users (S-1-5-32-545) -> BUILTIN\users
>>>
>>> But I still have the administrator problem. I have followed the wiki.samba doc and I have set the SeDiskOperatorPrivilege:
>>> net rpc rights list accounts -U'DOMAIN\administrator'
>>> DOMAIN\Domain Admins
>>> SeDiskOperatorPrivilege
>>>
>>> But administrator is still the only user of the group 'domain admins' who can't manage the security tab of my shares on windows when I remove "everyone" from the "share permissions" tab.
>>> Even if I add the administrator "account" directly in this tab.
>>> ________________________________________
>>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
>>> Sent: Friday 7 August 2015 11:53
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Problems with administrator account
>>>
>>> On 07/08/15 09:37, Aurélien Blachet wrote:
>>>> Oh thank you
>>>>
>>>> Just to be sure I understand:
>>>> - getent passwd | grep administrator and id administrator didn't work
>>>> on the fileserver because the administrator account didn't have a uidNumber
>>> If Administrator doesn't have a uidNumber, it will not be known to
>>> the Unix host; this is why you either have to give Administrator a
>>> uidNumber OR, as you are doing, map Administrator to root.
>>> You should be able to change the settings using Administrator (as a
>>> member of Domain Admins) from windows, providing you have set the
>>> required disk operating privileges.
>>> See here for more info:
>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>
>>>> - it's also why the administrator account can't manage the fileserver with
>>>> windows permissions
>>>>
>>>> Just one more thing please:
>>>>
>>>> Why is my administrators group mapped to unix users?
>>>> [root#fileserver ~]# net groupmap list
>>>> Administrators (S-1-5-32-544) -> users
>>>> Users (S-1-5-32-545) -> BUILTIN\users
>>> Er, it shouldn't be:
>>> rowland at ThinkPad ~ $ sudo net groupmap list
>>> Administrators (S-1-5-32-544) -> BUILTIN\administrators
>>> Users (S-1-5-32-545) -> BUILTIN\users
>>>
>>> I would change this, try:
>>>
>>> net groupmap modify ntgroup="Administrators" unixgroup="BUILTIN\administrators"
>>>
>>> One other thing I noticed was your use of 'sanitizing': you use
>>> 'XXX', 'LAN' and 'DOMAIN'. As long as these are all replacements for
>>> your workgroup, this shouldn't be a problem.
>>>
>>> Lastly, this is my usermap, replace 'EXAMPLE' with your uppercase
>>> workgroup name, this works for me.
>>>
>>> !root = EXAMPLE\Administrator Administrator administrator
>>>
>>> Note: I also have this line in smb.conf:     winbind normalize names = Yes
>>>
>>> Rowland
>>>> [root at massy01 ~]#  net groupmap list verbose Administrators
>>>>             SID       : S-1-5-32-544
>>>>             Unix gid  : 100
>>>>             Unix group: users
>>>>             Group type: Local Group
>>>>             Comment   :
>>>> Users
>>>>             SID       : S-1-5-32-545
>>>>             Unix gid  : 101
>>>>             Unix group: BUILTIN\users
>>>>             Group type: Local Group
>>>>             Comment   :
>>>>
>>>>
>>>> ________________________________________
>>>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
>>>> Sent: Thursday 6 August 2015 17:51
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Problems with administrator account
>>>>
>>>> On 06/08/15 15:32, Aurélien Blachet wrote:
>>>>> I still have the same problem with:
>>>>> [root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
>>>>> !root = DOMAIN\Administrator DOMAIN\\Administrator
>>>>> DOMAIN\administrator Administrator adm inistrator
>>>>>
>>>>> ________________________________________
>>>>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
>>>>> Sent: Thursday 6 August 2015 16:06
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Problems with administrator account
>>>>>
>>>>> On 06/08/15 12:57, Aurélien Blachet wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have just migrated my fileserver from samba3 to samba4 but I have a problem with the administrator account.
>>>>>>
>>>>>> The group "domain admins" has permission to manage all my shares.
>>>>>>
>>>>>> Administrator is a member of the group "domain admins" but he can't manage the security tab of all my shares when I remove "full control" from the share permissions tab.
>>>>>>
>>>>>> While all the members of "Domain admins", except administrator, don't have this problem.
>>>>>>
>>>>>> I think the problem appears when we map "administrator" to "root" in the smb.conf.
>>>>>>
>>>>>> Moreover the "administrator" account doesn't appear with a getent passwd
>>>>>>
>>>>>> [root at fileserver ~]# getent passwd |grep dministrator
>>>>>>
>>>>>> [root at fileserver ~]# wbinfo -u |grep dministrator
>>>>>> administrator
>>>>>>
>>>>>> my smb.conf:
>>>>>> [global]
>>>>>>
>>>>>>         netbios name = XXX
>>>>>>         workgroup = XXX
>>>>>>         security = ADS
>>>>>>         realm = XXX.XXX
>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>         kerberos method = secrets and keytab
>>>>>>         username map = /usr/local/samba/etc/samba_usermapping
>>>>>>
>>>>>>         idmap config *:backend = tdb
>>>>>>         idmap config *:range = 300000-400000
>>>>>>         idmap config XXX:backend = ad
>>>>>>         idmap config XXX:schema_mode = rfc2307
>>>>>>         idmap config XXX:range = 500-200000
>>>>>>
>>>>>>         winbind nss info = rfc2307
>>>>>>         winbind trusted domains only = no
>>>>>>         winbind use default domain = yes
>>>>>>         winbind enum users  = yes
>>>>>>         winbind enum groups = yes
>>>>>>         winbind refresh tickets = Yes
>>>>>>         vfs objects = acl_xattr
>>>>>>         map acl inherit = Yes
>>>>>>         store dos attributes = Yes
>>>>>>         template homedir = /home/%U
>>>>>> ...
>>>>>>
>>>>>> [shareA]
>>>>>>           path =/xxx/shareA
>>>>>>           comment =
>>>>>>           hosts allow = X.X.X.
>>>>>>           writable = Yes
>>>>>>           read only = No
>>>>>>
>>>>>> Local permissions
>>>>>> [root at fileserver]# getfacl /xxx/shareA
>>>>>> # file: alp-exp
>>>>>> # owner: root
>>>>>> # group: root
>>>>>> user::rwx
>>>>>> user:root:rwx
>>>>>> group::rwx
>>>>>> group:root:rwx
>>>>>> group:domain\040admins:rwx
>>>>>> group:domain\040users:rwx
>>>>>> mask::rwx
>>>>>> other::rwx
>>>>>> default:user::rwx
>>>>>> default:user:root:rwx
>>>>>> default:group::r-x
>>>>>> default:group:root:r-x
>>>>>> default:group:domain\040users:rwx
>>>>>> default:mask::rwx
>>>>>> default:other::r-x
>>>>>> And the mapping between root and administrator
>>>>>> [root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
>>>>>> !root = LAN\Administrator LAN\\Administrator LAN\administrator
>>>>> Try adding 'Administrator administrator' to the line in 'samba_usermapping'
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>
>>>> Ah, I think you are mixing up Unix permissions and windows permissions.
>>>> You will only get 'Administrator' to show up with getent if you give the
>>>> Administrator user a uidNumber and use the 'ad' backend. As you are
>>>> mapping 'Administrator' to root it will get the UID of '0' which is also
>>>> the UID of 'root'. From windows you will set the permissions of
>>>> 'Administrator', but on the unix side using getfacl it will show as 'root'.
>>>>
>>>> Rowland
>>>>
>> OK, I think you may be having a similar problem to another user on here:
>> Domain Admins is unknown to the underlying Unix OS. What does 'getent
>> passwd Domain\ Admins' produce when run on the Unix machine?
>>
>> Can you also post the outcome of these two commands:
>>
>> ls -la /path/to/shared/directory
>>
>> getfacl  /path/to/shared/directory
>>
>> Rowland
>>
>>
>
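The whole exchange turns on two things the Unix side must show for the share to be controllable from Windows: the controlling group (Domain Admins) must resolve to a Unix group, and the directory's ACL must grant it rwx both on the directory itself and in the default (inherited) ACL. The getfacl listings traded back and forth are the evidence, and the first one posted in fact had no default entry for domain admins, so files created later under that share would not inherit the group's rights. The script below is an added example, not code from the Samba project or from either poster: it parses getfacl output, decodes the \040 escapes that winbind's space-containing group names produce, works out the effective rights for a given user and group set following the POSIX.1e check order, and reports whether a chosen group holds full effective rwx in both ACLs. The sample listing is constructed from the first getfacl the original poster sent; the group name 'domain admins' is an assumption about how winbind presents Domain Admins to Unix (lowercased, space kept).

```python
"""Parse getfacl(1) output and check what a share directory grants a group.

Added example for this thread, not code from the Samba project or either poster.
SAMPLE_GETFACL is constructed from the listing the original poster sent, and
'domain admins' is assumed to be the name winbind gives Unix for Domain Admins.
"""
import re
from collections import namedtuple

# Constructed sample: the default (inherited) ACL has no 'domain admins' entry,
# so files created later under the share would not inherit rwx for that group.
SAMPLE_GETFACL = r"""# file: partages/share
# owner: root
# group: root
user::rwx
user:root:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:domain\040users:rwx
default:mask::rwx
default:other::r-x
"""

# tag: user/group/mask/other; qualifier: '' for the owner, owning group, mask and
# other entries; perms: e.g. 'r-x'; default: True for entries new children inherit.
AclEntry = namedtuple("AclEntry", "tag qualifier perms default")
# path/owner/group come from the '# file:', '# owner:', '# group:' header lines.
Acl = namedtuple("Acl", "path owner group entries")


def unescape(name: str) -> str:
    """getfacl writes spaces and other odd bytes as octal escapes such as \\040."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text: str) -> Acl:
    """Parse one getfacl listing; a trailing '#effective:' hint is dropped."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()
        if not line:
            continue
        if line.startswith("#"):  # header lines: file, owner, group, flags
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        entries.append(AclEntry(tag, unescape(qualifier), perms, default))
    return Acl(header.get("file", ""), header.get("owner", ""),
               header.get("group", ""), entries)


def _and(a: str, b: str) -> str:
    return "".join(x if x == y else "-" for x, y in zip(a, b))


def _or(a: str, b: str) -> str:
    return "".join(x if x != "-" else y for x, y in zip(a, b))


def effective_perms(acl: Acl, user: str, groups, default: bool = False) -> str:
    """POSIX.1e check order: owner entry, then a named user entry, then the union
    of all matching group entries (owning group included), then other. Named user
    and group entries are limited by the mask."""
    ents = [e for e in acl.entries if e.default == default]
    mask = next((e.perms for e in ents if e.tag == "mask"), "rwx")
    if user == acl.owner:
        return next(e.perms for e in ents if e.tag == "user" and not e.qualifier)
    for e in ents:
        if e.tag == "user" and e.qualifier == user:
            return _and(e.perms, mask)
    granted, matched = "---", False
    for e in ents:
        if e.tag == "group" and (e.qualifier or acl.group) in groups:
            matched, granted = True, _or(granted, _and(e.perms, mask))
    if matched:
        return granted
    return next(e.perms for e in ents if e.tag == "other")


def audit_group(acl: Acl, group: str) -> list:
    """Is `group` present with effective rwx in both the access and default ACL?"""
    findings = []
    for default, where in ((False, "access ACL"), (True, "default ACL")):
        ents = [e for e in acl.entries if e.default == default]
        mask = next((e.perms for e in ents if e.tag == "mask"), "rwx")
        hit = [e for e in ents if e.tag == "group" and e.qualifier == group]
        if not hit:
            findings.append(f"{where}: no entry for group '{group}'")
        elif _and(hit[0].perms, mask) != "rwx":
            findings.append(f"{where}: group '{group}' limited to "
                            f"{_and(hit[0].perms, mask)} by mask {mask}")
    return findings
```

Feed `parse_getfacl` the output of `getfacl` on the shared directory and `effective_perms` the groups that `getent group` returns for the account in question; an empty list from `audit_group` means the group is fully granted on both the directory and everything created beneath it. On the sample, the only finding is the missing default entry for domain admins.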



