[Samba] MMC issue

Rowland Penny rpenny at samba.org
Tue Dec 5 21:13:50 UTC 2017


On Tue, 5 Dec 2017 13:15:53 -0700 (MST)
Mariusz80 via samba <samba at lists.samba.org> wrote:

> Samba - General mailing list wrote
> > On Tue, 5 Dec 2017 12:27:24 -0700 (MST)
> > Mariusz80 via samba <samba at .samba> wrote:
> > 
> >> Samba - General mailing list wrote
> >> > On Tue, 5 Dec 2017 12:00:55 -0700 (MST)
> >> > Mariusz80 via samba <samba at .samba> wrote:
> >> > 
> >> >> Samba - General mailing list wrote
> >> >> > On Tue, 5 Dec 2017 11:11:33 -0700 (MST)
> >> >> > Mariusz80 via samba <samba at .samba> wrote:
> >> >> > 
> >> >> >> Samba - General mailing list wrote
> >> >> >> > On Tue, 5 Dec 2017 10:37:02 -0700 (MST)
> >> >> >> > Mariusz80 via samba <samba at .samba> wrote:
> >> >> >> > 
> >> >> >> >> Hi
> >> >> >> >> I have a strange problem with Shared folders in MMC.
> >> >> >> >> When I try to connect to a Linux machine and list Open
> >> >> >> >> files or Sessions I get the message "You do not have
> >> >> >> >> permission to view the list of sessions from Windows
> >> >> >> >> clients". The problem exists only if I try to connect to
> >> >> >> >> Linux machines (Windows Server is ok), and only for the
> >> >> >> >> Administrator account. From other accounts with
> >> >> >> >> Administrator privileges there is no problem at all.
> >> >> >> >> 
> >> >> >> >> In the logs there is:
> >> >> >> >> ../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1274(_srvsvc_NetFileEnum)
> >> >> >> >>   Enumerating files only allowed for administrators
> >> >> >> >> 
> >> >> >> >> Any advice?
> >> >> >> >> 
> >> >> >> >> Thanks
> >> >> >> >> Mariusz
> >> >> >> >> 
> >> >> >> >> 
> >> >> >> >> 
> >> >> >> >> --
> >> >> >> >> Sent from:
> >> >> >> >> http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
> >> >> >> >> 
> >> >> >> > 
> >> >> >> > How is Samba set up on the Linux machine ?
> >> >> >> > 
> >> >> >> > Rowland
> >> >> >> > 
> >> >> >> > -- 
> >> >> >> > To unsubscribe from this list go to the following URL and
> >> >> >> > read the instructions:
> >> >> >> > https://lists.samba.org/mailman/options/samba
> >> >> >> 
> >> >> >> I did it according to:
> >> >> >> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >> >> >> My smb.conf:
> >> >> >> [global]
> >> >> >>         security = ADS
> >> >> >>         workgroup = some
> >> >> >>         realm = some.domain.pl
> >> >> >>
> >> >> >>         allow trusted domains = Yes
> >> >> >>         winbind use default domain = Yes
> >> >> >>         winbind nss info = rfc2307
> >> >> >>         winbind refresh tickets = Yes
> >> >> >>
> >> >> >>         log file = /var/log/samba/%m.log
> >> >> >>         log level = 1
> >> >> >>
> >> >> >>         idmap config * : backend = tdb
> >> >> >>         idmap config * : range = 3000-7999
> >> >> >>
> >> >> >>         idmap config some : backend = rid
> >> >> >>         idmap config some: range = 10000-999999
> >> >> >>
> >> >> >>         winbind nss info = template
> >> >> >>         template shell = /bin/bash
> >> >> >>         template homedir = /home/%U
> >> >> >>         username map = /etc/samba/user.map
> >> >> >>
> >> >> >>         winbind enum users = yes
> >> >> >>         winbind enum groups = yes
> >> >> >>
> >> >> >>         vfs objects = acl_xattr
> >> >> >>         map acl inherit = yes
> >> >> >>         store dos attributes = yes
> >> >> >> 
> >> >> > 
> >> >> > Does 'getent passwd Administrator' give any output ?
> >> >> > 
> >> >> > If it does, try adding this line to smb.conf:
> >> >> > 
> >> >> > username map = /etc/samba/user.map
> >> >> > 
> >> >> > Create the user.map:
> >> >> > 
> >> >> > nano /etc/samba/user.map
> >> >> > 
> >> >> > it should contain only:
> >> >> > 
> >> >> > !root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
> >> >> > 
> >> >> > That is all on one line, replace 'SAMDOM' with your workgroup
> >> >> > name and, if required, change the '/etc/samba' path to the
> >> >> > path to your smb.conf.
> >> >> > 
> >> >> > Rowland
> >> >> > 
> >> >> 
> >> >> getent passwd Administrator
> >> >> administrator:*:10500:10513::/home/administrator:/bin/bash
> >> >> 
> >> >> smb.conf already contains user.map
> >> >> 
> >> > 
> >> > 
> >> > The fact that 'Administrator' has an ID that isn't '0' means
> >> > that, to Linux, Administrator is just another user and can only
> >> > do what any normal user can do.
> >> 
> >> In fact on my dc Administrator has an id=0 and mmc is working
> >> correctly. How can I solve that ? 
> > 
> > This is because on a DC, the mapping is done in idmap.ldb, so you
> > don't need the user.map on a DC
> >> 
> >> 
> >> > You could try running 'net cache flush'
> >> 
> >> net cache flush doesn't give any output and nothing changes.
> > 
> > If 'doesn't give any output' means that 'getent passwd
> > Administrator' doesn't show what it did before, then try again from
> > windows, it should now work.
> > 
> > If you are still getting output from 'getent passwd Administrator',
> > please post your smb.conf
> > 
> > Rowland
> > 
> 
> getent passwd Administrator still shows:
> administrator:*:10500:10513::/home/administrator:/bin/bash
> 
> smb.conf:
> [global]
>         security = ADS
>         workgroup = some
>         realm = some.domain.pl
>
>         allow trusted domains = Yes
>         winbind use default domain = Yes
>         winbind nss info = rfc2307
>         winbind refresh tickets = Yes
>
>         log file = /var/log/samba/%m.log
>         log level = 1
>
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>
>         idmap config some : backend = rid
>         idmap config some: range = 10000-999999
>
>         winbind nss info = template
>         template shell = /bin/bash
>         template homedir = /home/%U
>
>
>         username map = /etc/samba/user.map
>
>         winbind enum users = yes
>         winbind enum groups = yes
>
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes

OK, I started a VM running a Unix domain member that uses the 'rid'
backend and it does work in the same way as yours, I get the same
result for 'getent passwd Administrator'.

I then started another VM running Windows 7, logged in as
Administrator, connected to a share on the Unix domain member and via
the security tab for the share, added permissions for another user.

So, whilst I didn't expect it to work, it did.

Rowland
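
The username map handling discussed in this thread, as an added example that is not part of the original message and is not Samba's own code: it resolves a client name through a map file using the rules in smb.conf(5) (line by line, `!` stops after a match, a line without `=` maps nothing) and reports the UID of the resulting account, which shows why the `!root = ...` entry must stay on one line. Case-insensitive name matching and the root passwd line are assumptions; `@group` entries are not evaluated.

```python
import re

def parse_map(map_text):
    """Yield (unix_name, client_names, stop) for each mapping line."""
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        stop = line.startswith("!")          # '!': stop once this line has matched
        unix, sep, rhs = line.lstrip("!").partition("=")
        if sep:                              # a line without '=' maps nothing
            names = [n.strip('"') for n in re.findall(r'"[^"]*"|\S+', rhs)]
            yield unix.strip(), names, stop

def resolve(map_text, client_name):
    """Unix name chosen for client_name; unchanged when no line matches."""
    result = client_name
    for unix, names, stop in parse_map(map_text):
        # '@group' entries need a group lookup and are not evaluated here.
        if any(n == "*" or n.lower() == client_name.lower() for n in names):
            result = unix
            if stop:
                break
    return result

def effective_uid(map_text, client_name, passwd_lines):
    """UID of the mapped account, looked up in 'getent passwd'-style lines."""
    uids = {p.split(":")[0].lower(): int(p.split(":")[2]) for p in passwd_lines}
    unix = resolve(map_text, client_name).split("\\")[-1].lower()
    return uids.get(unix)

# The map entry from the thread on one line, and as the mail archive wrapped it.
MAP_ONE_LINE = "!root = SAMDOM\\Administrator SAMDOM\\administrator Administrator administrator\n"
MAP_WRAPPED = "!root = SAMDOM\\Administrator SAMDOM\\administrator\nAdministrator administrator\n"
# getent line from the thread plus a constructed root entry.
PASSWD = ["root:x:0:0:root:/root:/bin/bash",
          "administrator:*:10500:10513::/home/administrator:/bin/bash"]

if __name__ == "__main__":
    for label, text in (("one line", MAP_ONE_LINE), ("wrapped", MAP_WRAPPED)):
        for client in ("SAMDOM\\Administrator", "Administrator"):
            print(label, client, "->", resolve(text, client),
                  "uid", effective_uid(text, client, PASSWD))
```

Because every name on the right-hand side of a `root` line gains UID 0 on the member server, the same parser can be used to list who is mapped to root when reviewing a `user.map`.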
 


