[Samba] Problems with administrator account
Aurélien Blachet
Aurelien.Blachet at aduneo.com
Thu Aug 6 11:57:56 UTC 2015
Hello,
I just went to migrate my fileserver from samba3 to samba4, but I have a problem with the administrator account.
The group "domain admins" has permission to manage all my shares.
Administrator is a member of the group "domain admins", but he can't manage the security tab of all my shares when I remove "full control" from the share permissions tab.
All the members of "Domain admins", except administrator, don't have this problem.
I think the problem appears when we map "administrator" to "root" in the smb.conf.
Moreover, the "administrator" account doesn't appear with a getent passwd:
[root at fileserver ~]# getent passwd |grep dministrator
[root at fileserver ~]# wbinfo -u |grep dministrator
administrator
My smb.conf:
[global]
netbios name = XXX
workgroup = XXX
security = ADS
realm = XXX.XXX
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
username map = /usr/local/samba/etc/samba_usermapping
idmap config *:backend = tdb
idmap config *:range = 300000-400000
idmap config XXX:backend = ad
idmap config XXX:schema_mode = rfc2307
idmap config XXX:range = 500-200000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
template homedir = /home/%U
...
[shareA]
path =/xxx/shareA
comment =
hosts allow = X.X.X.
writable = Yes
read only = No
Local permissions:
[root at fileserver]# getfacl /xxx/shareA
# file: alp-exp
# owner: root
# group: root
user::rwx
user:root:rwx
group::rwx
group:root:rwx
group:domain\040admins:rwx
group:domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:domain\040users:rwx
default:mask::rwx
default:other::r-x
And the mapping between root and administrator:
[root@fileserver ~]# more /usr/local/samba/etc/samba_usermapping
!root = LAN\Administrator LAN\\Administrator LAN\administrator