[Samba] MMC issue
Rowland Penny
rpenny at samba.org
Tue Dec 5 21:13:50 UTC 2017
On Tue, 5 Dec 2017 13:15:53 -0700 (MST)
Mariusz80 via samba <samba at lists.samba.org> wrote:
> Samba - General mailing list wrote
> > On Tue, 5 Dec 2017 12:27:24 -0700 (MST)
> > Mariusz80 via samba <samba at .samba> wrote:
> >
> >> Samba - General mailing list wrote
> >> > On Tue, 5 Dec 2017 12:00:55 -0700 (MST)
> >> > Mariusz80 via samba <samba at .samba> wrote:
> >> >
> >> >> Samba - General mailing list wrote
> >> >> > On Tue, 5 Dec 2017 11:11:33 -0700 (MST)
> >> >> > Mariusz80 via samba <samba at .samba> wrote:
> >> >> >
> >> >> >> Samba - General mailing list wrote
> >> >> >> > On Tue, 5 Dec 2017 10:37:02 -0700 (MST)
> >> >> >> > Mariusz80 via samba <samba at .samba> wrote:
> >> >> >> >
> >> >> >> >> Hi
> >> >> >> >> I have a strange problem with Shared folders in MMC.
> >> >> >> >> While I try to connect to linux machine and list Open
> >> >> >> >> files or Sessions I got a message "You do not have
> >> >> >> >> permission to view the list of sessions from Windows
> >> >> >> >> clients". The problem exists only if I try to connect to
> >> >> >> >> linux machines (Windows Server is ok), and only for
> >> >> >> >> Administrator account. From other accounts with
> >> >> >> >> Administrator privileges there is no problem at all.
> >> >> >> >>
> >> >> >> >> In the logs there is:
> >> >> >> >>
> >> >> >> >> ../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1274(_srvsvc_NetFileEnum)
> >> >> >> >> Enumerating files only allowed for administrators
> >> >> >> >>
> >> >> >> >> Any advice?
> >> >> >> >>
> >> >> >> >> Thanks
> >> >> >> >> Mariusz
> >> >> >> >>
> >> >> >> >>
> >> >> >> >>
> >> >> >> >> --
> >> >> >> >> Sent from:
> >> >> >> >> http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
> >> >> >> >>
> >> >> >> >
> >> >> >> > How is Samba set up on the Linux machine ?
> >> >> >> >
> >> >> >> > Rowland
> >> >> >> >
> >> >> >> > --
> >> >> >> > To unsubscribe from this list go to the following URL and
> >> >> >> > read the instructions:
> >> >> >> > https://lists.samba.org/mailman/options/samba
> >> >> >>
> >> >> >> I did it according to:
> >> >> >>
> >> >> >> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >> >> >> My smb.conf:
> >> >> >> [global]
> >> >> >> security = ADS
> >> >> >> workgroup = some
> >> >> >> realm = some.domain.pl
> >> >> >>
> >> >> >> allow trusted domains = Yes
> >> >> >> winbind use default domain = Yes
> >> >> >> winbind nss info = rfc2307
> >> >> >> winbind refresh tickets = Yes
> >> >> >>
> >> >> >> log file = /var/log/samba/%m.log
> >> >> >> log level = 1
> >> >> >>
> >> >> >> idmap config * : backend = tdb
> >> >> >> idmap config * : range = 3000-7999
> >> >> >>
> >> >> >> idmap config some : backend = rid
> >> >> >> idmap config some: range = 10000-999999
> >> >> >>
> >> >> >> winbind nss info = template
> >> >> >> template shell = /bin/bash
> >> >> >> template homedir = /home/%U
> >> >> >> username map = /etc/samba/user.map
> >> >> >>
> >> >> >> winbind enum users = yes
> >> >> >> winbind enum groups = yes
> >> >> >>
> >> >> >> vfs objects = acl_xattr
> >> >> >> map acl inherit = yes
> >> >> >> store dos attributes = yes
> >> >> >>
> >> >> >
> >> >> > Does 'getent passwd Administrator' give any output ?
> >> >> >
> >> >> > If it does, try adding this line to smb.conf:
> >> >> >
> >> >> > username map = /etc/samba/user.map
> >> >> >
> >> >> > Create the user.map:
> >> >> >
> >> >> > nano /etc/samba/user.map
> >> >> >
> >> >> > it should contain only:
> >> >> >
> >> >> > !root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
> >> >> >
> >> >> > That is all on one line, replace 'SAMDOM' with your workgroup
> >> >> > name and, if required, change the '/etc/samba' path to the
> >> >> > path to your smb.conf.
> >> >> >
> >> >> > Rowland
> >> >> >
> >> >>
> >> >> getent passwd Administrator
> >> >> administrator:*:10500:10513::/home/administrator:/bin/bash
> >> >>
> >> >> smb.conf already contains user.map
> >> >>
> >> >
> >> >
> >> > The fact that 'Administrator' has an ID that isn't '0' means
> >> > that, to Linux, Administrator is just another user and can only
> >> > do what any normal user can do.
> >>
> >> In fact on my dc Administrator has an id=0 and mmc is working
> >> correctly. How can I solve that ?
> >
> > This is because on a DC, the mapping is done in idmap.ldb, so you
> > don't need the user.map on a DC
> >>
> >>
> >> > You could try running 'net cache flush'
> >>
> >> net cache flush doesn't give any output and nothing changes.
> >
> > If 'doesn't give any output' means that 'getent passwd
> > Administrator' doesn't show what it did before, then try again from
> > windows, it should now work.
> >
> > If you are still getting output from 'getent passwd Administrator',
> > please post your smb.conf
> >
> > Rowland
> >
>
> getent passwd Administrator still shows:
> administrator:*:10500:10513::/home/administrator:/bin/bash
>
> smb.conf:
> [global]
> security = ADS
> workgroup = some
> realm = some.domain.pl
>
> allow trusted domains = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> idmap config some : backend = rid
> idmap config some: range = 10000-999999
>
> winbind nss info = template
> template shell = /bin/bash
> template homedir = /home/%U
>
>
> username map = /etc/samba/user.map
>
> winbind enum users = yes
> winbind enum groups = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes

OK, I started a VM running a Unix domain member that uses the 'rid'
backend and it does work in the same way as yours, I get the same
result for 'getent passwd Administrator'.

I then started another VM running Windows 7, logged in as
Administrator, connected to a share on the Unix domain member and via
the security tab for the share, added permissions for another user.

So, whilst I didn't expect it to work, it did.

Rowland
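
Added example, not part of the original thread and not Samba code: the Python below decodes the getent line quoted above with the idmap rid formula (ID = RID - base_rid + range low) and checks what the suggested user.map line yields for the Administrator login. The map parser is a simplified model of the 'username map' file (no @group, '*' or quoted names), and SOME is the poster's workgroup substituted for SAMDOM.

```python
# Added example: built from values quoted in the thread; not Samba code.
WELL_KNOWN_RIDS = {500: "Administrator", 513: "Domain Users"}

def rid_from_id(unix_id, range_low, base_rid=0):
    # idmap_rid computes ID = RID - base_rid + range_low; invert it.
    return unix_id - range_low + base_rid

def parse_getent(line):
    # passwd(5) layout: name:passwd:uid:gid:gecos:home:shell
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd entry: %r" % line)
    return {"name": fields[0], "uid": int(fields[2]), "gid": int(fields[3])}

def map_username(map_text, client_name):
    # Simplified model of a 'username map' file: 'unixname = client names',
    # '#' or ';' starts a comment, a leading '!' stops at the first match.
    # Assumption of this sketch: names are compared case-insensitively.
    mapped = None
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix_name, _, clients = line.partition("=")
        unix_name = unix_name.strip()
        stop_on_match = unix_name.startswith("!")
        if client_name.lower() in (c.lower() for c in clients.split()):
            mapped = unix_name.lstrip("!").strip()
            if stop_on_match:
                break
    return mapped

def diagnose(getent_line, range_low, map_text, domain):
    entry = parse_getent(getent_line)
    uid_rid = rid_from_id(entry["uid"], range_low)
    gid_rid = rid_from_id(entry["gid"], range_low)
    return {
        "uid_rid": uid_rid,
        "uid_rid_name": WELL_KNOWN_RIDS.get(uid_rid),
        "gid_rid_name": WELL_KNOWN_RIDS.get(gid_rid),
        "nss_uid_is_root": entry["uid"] == 0,
        "username_map_result": map_username(map_text, domain + "\\" + entry["name"]),
    }

GETENT_LINE = "administrator:*:10500:10513::/home/administrator:/bin/bash"
RANGE_LOW = 10000  # low end of 'idmap config some: range = 10000-999999'
USER_MAP = "!root = SOME\\Administrator SOME\\administrator Administrator administrator"

if __name__ == "__main__":
    for key, value in diagnose(GETENT_LINE, RANGE_LOW, USER_MAP, "SOME").items():
        print(key, "=", value)
```

The uid 10500 is RID 500 offset by the range's low end, so getent keeps reporting a non-zero uid while the map line still resolves the login to root, which matches the behaviour reported in the message above.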