[Samba] User Administrator (and only it) access denied on member server
Alex Wakizashi
alex at wakizashi.info
Sun Oct 27 07:59:04 MDT 2013
Hello,
2013/10/27 steve <steve at steve-ss.com>:
>> Why for "Administrator" is it looking for "SAMBA\Administrator", rather
>> than "Administrator", but for other accounts it's working correctly?
> Do you want the domain admin to be root of the linux member?
No, and I have even changed its UID later.
Just after a clean install, user "Administrator" has UID=0 - both
through winbind and nslcd.
So, "<DOMAIN>\Administrator" equals Linux "root" by default (which,
IMHO, is wrong - who ever trusts Windows administrators? ;-) ).
But the problem still exists - if connecting as domain user
"Administrator", Samba tries to start a process as user
"<DOMAIN_NAME>\Administrator", while all other users are treated
normally.
It seems to be some hardcoded buggy behavior in the Samba4 code.
> If so, make a username map e.g. /home/alex/smbmap:
> !root = SAMBA\Administrator SAMBA\administrator SAMBA\\Administrator
> SAMBA\administrator
>
> (I've put the alternatives because I'm not sure if you need to escape
> the \)
>
> then put it in smb.conf:
> username map = /home/alex/smbmap
Yes, thanks a lot! Completely forgot about username mapping :)
I have created a username mapping to the existing user "Administrator", and
it's working now:
[2013/10/27 17:47:51.465624, 3] ../source3/smbd/sesssetup.c:138(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2013/10/27 17:47:51.465652, 3] ../source3/smbd/sesssetup.c:179(reply_sesssetup_and_X_spnego)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2013/10/27 17:47:51.478131, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: Administrator []
[2013/10/27 17:47:51.478176, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [administrator at SAMBA.LOCAL.NET]
[2013/10/27 17:47:51.478224, 3] ../source3/auth/user_util.c:404(map_username)
  Mapped user SAMBA\administrator to Administrator
> I'm sure there must be an easier way but anyway. . .
Well, I'm not sure - username mapping seems to be the easiest way.
But IMHO it's a BUG - and such buggy behavior is somehow hardcoded somewhere...
It should work the same way as for any other users, without workarounds
such as username mapping, IMHO.
> HTH
> Steve
Thanks a lot!
Regards,
Alex
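
Added example (not part of the original message and not Samba code): a small audit of a "username map" file that reports which entries put a domain account onto a Unix account with UID 0. It resolves the Unix side to a UID instead of comparing against the name "root", because the thread notes that "Administrator" itself had UID=0 after a clean install. The sample map, the UID table and the uid_of callable are constructed for illustration.

```python
import re

# Constructed sample; the first entry is the form suggested in the thread.
SAMPLE_MAP = r'''
# constructed sample username map
!root = SAMBA\Administrator SAMBA\administrator
Administrator = SAMBA\Administrator "SAMBA\Domain Admin"
; catch-all
nobody = *
'''

def parse_username_map(text):
    """Return [(unix_name, stop_on_match, [client_names])] from map text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        stop = line.startswith("!")           # '!' ends map processing on a match
        unix, sep, rhs = line.lstrip("!").partition("=")
        if not sep:
            continue                          # no '=', not a mapping line
        # Client names are whitespace separated; names with spaces are quoted.
        names = [n.strip('"') for n in re.findall(r'"[^"]*"|\S+', rhs)]
        entries.append((unix.strip(), stop, names))
    return entries

def uid0_mappings(text, uid_of):
    """List (unix_name, client_names) for entries whose Unix side has UID 0.

    uid_of: callable name -> uid or None (hypothetical helper; on a live
    member server pass e.g. lambda n: pwd.getpwnam(n).pw_uid).
    """
    return [(unix, names) for unix, _stop, names in parse_username_map(text)
            if uid_of(unix) == 0]

if __name__ == "__main__":
    # Constructed UID table mirroring the state described after a clean install.
    fresh_install = {"root": 0, "Administrator": 0, "nobody": 65534}
    for unix, names in uid0_mappings(SAMPLE_MAP, fresh_install.get):
        print(f"UID 0 via '{unix}': {', '.join(names)}")
```

Run against the constructed table it reports both the "root" and the "Administrator" entries; once the UID of "Administrator" is changed, only the "root" entry remains.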