[Samba] Expected behaviour of domain\administrator on Linux AD domain member

L.P.H. van Belle belle at bazuin.nl
Tue Apr 21 08:02:22 UTC 2020


Hai, 

Few things.
The Share Permissions: add SYSTEM Full control.

Which rights did you set on /samba? (Show getfacl of that one.)

And try changing "default:group:unix\040admins:---" to BUILTIN\Administrators.


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rob Tho via samba
> Sent: Monday 20 April 2020 23:51
> To: samba at lists.samba.org
> Subject: [Samba] Expected behaviour of domain\administrator on Linux AD domain member
> 
> Dear all,
> 
> I have set up a small test domain in VirtualBox.
> 
> 1. Samba AD DC on Debian bullseye testing 4.11.6
> 2. Samba domain member Debian Stretch 4.10.14
> 3. Windows 10 Enterprise evaluation version 1909
> 
> Roaming profiles with folder redirection setup.
> PAM working.
> 
> The above was set up basically using guides in wiki.samba.org, with nearly the only thing changed being SAMDOM to SAMBA. "Unix Admins" group added as per guide.
> 
> Everything works the way I expect apart from:
> 
> SAMBA\Administrator account cannot access or modify the shares on the Samba domain member from the Windows 10 machine. If I add share access to "Everyone, Full control" *, then the administrator account can change the share and security properties.
> 
> * From the Computer Management console connected to the domain member in the Windows 10 machine, logged in as SAMBA\Administrator
> 
> If I add my test domain user to the "Domain Admins" group, that user can modify the shares on the domain member (as expected).
> 
> Domain member smb.conf
> [global]
>   workgroup = SAMBA
>   security = ADS
>   realm = SAMBA.RTNET
>   netbios name = LAU-FILES
> 
>   winbind refresh tickets = Yes
>   vfs objects = acl_xattr
>   map acl inherit = Yes
>   store dos attributes = Yes
> 
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
> 
>    winbind use default domain = yes
> 
>    winbind enum users = yes
>    winbind enum groups = yes
> 
>    log file = /var/log/samba/%m.log
>    log level = 3
> 
>    # Default ID mapping configuration for local BUILTIN accounts
>    # and groups on a domain member. The default (*) domain:
>    # - must not overlap with any domain ID mapping configuration!
>    # - must use a read-write-enabled back end, such as tdb.
>    idmap config * : backend = tdb
>    idmap config * : range = 3000-7999
>    # - You must set a DOMAIN backend configuration
>    # idmap config for the SAMDOM domain
>    idmap config SAMBA:backend = ad
>    idmap config SAMBA:schema_mode = rfc2307
>    idmap config SAMBA:range = 10000-999999
>    idmap config SAMBA:unix_nss_info = yes
>    idmap config SAMBA: unix_primary_group = yes
> 
> 
>  username map = /etc/samba/user.map
> 
> 
> [Profiles]
> path=/samba/profiles
> read only = no
> 
> 
> Windows ACL:
> Share Permissions
> Domain Admins (SAMBA\Domain Admins) -- Full Control
> Domain Admins (SAMBA\Domain Users) -- Change
> 
> Security
> Creator Owner
> System
> Domain Admins
> Domain Users
> as per samba wiki
> 
> filesystem:
> 
> drwxrwx---+ 3 root unix admins 4096 Apr 18 23:38 profiles
>  getfattr profiles
> # file: profiles
> user.SAMBA_PAI
> 
> # getfacl profiles
> # file: profiles
> # owner: root
> # group: unix\040admins
> user::rwx
> user:root:rwx
> group::---
> group:NT\040Authority\134system:rwx
> group:domain\040users:rwx
> group:unix\040admins:---
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:NT\040Authority\134system:rwx
> default:group:unix\040admins:---
> default:mask::rwx
> default:other::---
> 
> 
> With usermap ! root = SAMBA\Administrator SAMBA\administrator, the administrator account can list the shares on the domain member, but can't access them.
> Log level 3 shows this:
> 
>    Mapped user SAMBA\administrator to root
> 
>   check_user_share_access: user root connection to Profiles denied due to share security descriptor.
> 
> 
> With no usermap, the administrator account can't access the domain member at all.
> Logs show this:
>   Kerberos ticket principal name is [Administrator at SAMBA.RTNET]
> [2020/04/20 22:35:34.532127,  3] ../../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>   get_user_from_kerberos_info: Username SAMBA\Administrator is invalid on this system
> [2020/04/20 22:35:34.532154,  3] ../../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
>   auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> 
> 
> Is this the expected behaviour of the domain\administrator account?
> I would preferably want to do all domain admin from the domain\administrator account logged into a Windows 10 machine, if that is possible.

That's what I do also, yes.

Greetz,

Louis
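Louis asks for the getfacl of /samba and points at the "unix admins" entry that grants nothing. The script below is an added example (not from this thread, Samba or its wiki) that audits a getfacl listing the way a domain-member admin would when debugging access like this: it decodes getfacl's \NNN octal escapes (\040 is a space, \134 a backslash), applies the POSIX ACL mask to get the permissions each principal really ends up with, and lists the entries that grant nothing in both the access and the default ACL. The sample input is Rob's getfacl output for the profiles directory, embedded as a constructed string; the winbind-rendered spelling "BUILTIN\administrators" used in the final check is an assumption, since the thread only names the group as BUILTIN\Administrators.

```python
"""Audit a getfacl listing: decode escapes, apply the mask, report dead entries.
Added example for the Samba list thread; not Samba's own code."""
import re

# Constructed sample: the getfacl output posted in the thread for "profiles".
# Doubled backslashes give the literal \040 / \134 escapes getfacl prints.
SAMPLE_GETFACL = """\
# file: profiles
# owner: root
# group: unix\\040admins
user::rwx
user:root:rwx
group::---
group:NT\\040Authority\\134system:rwx
group:domain\\040users:rwx
group:unix\\040admins:---
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:NT\\040Authority\\134system:rwx
default:group:unix\\040admins:---
default:mask::rwx
default:other::---
"""

_ESC = re.compile(r"\\([0-7]{3})")


def unescape(name):
    """Decode getfacl's octal escapes: 'unix\\040admins' -> 'unix admins'."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Return (header, access_entries, default_entries) from getfacl output."""
    header, access, default = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                      # "# owner: root" style header
            key, _, value = line[1:].partition(":")
            header[key.strip()] = unescape(value.strip())
            continue
        line = line.split("#", 1)[0].strip()          # drop "#effective:" comments
        scope = access
        if line.startswith("default:"):
            scope, line = default, line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        scope.append({"tag": tag, "qualifier": unescape(qualifier), "perms": perms})
    return header, access, default


def apply_mask(perms, mask):
    """Bitwise AND of two 'rwx' strings, as the kernel applies the ACL mask."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))


def effective(entries):
    """Map (tag, qualifier) -> permissions actually granted after the mask.
    The mask applies to named users, the owning group and named groups, but
    never to the file owner (user::) or to other::."""
    mask = next((e["perms"] for e in entries if e["tag"] == "mask"), "rwx")
    granted = {}
    for e in entries:
        if e["tag"] not in ("user", "group"):
            continue
        masked = e["tag"] == "group" or bool(e["qualifier"])
        perms = apply_mask(e["perms"], mask) if masked else e["perms"]
        granted[(e["tag"], e["qualifier"])] = perms
    return granted


def audit(text):
    """Parse and evaluate both the access ACL and the default (inherited) ACL."""
    header, access, default = parse_getfacl(text)
    return {"header": header, "access": effective(access), "default": effective(default)}


def no_access(report, scope):
    """Principals whose entry in 'access' or 'default' grants nothing at all."""
    header = report["header"]
    names = []
    for (tag, qual), perms in report[scope].items():
        if perms != "---":
            continue
        if not qual:                                  # owner / owning group entry
            qual = header.get("owner" if tag == "user" else "group", "")
            tag += " (owning)"
        names.append(f"{tag}:{qual}")
    return sorted(names)


def has_group(report, scope, name):
    """Case-insensitive check for a named group entry (winbind varies the case)."""
    return any(tag == "group" and qual.lower() == name.lower()
               for tag, qual in report[scope])


if __name__ == "__main__":
    rep = audit(SAMPLE_GETFACL)
    for scope in ("access", "default"):
        print(f"{scope}: entries granting nothing -> {no_access(rep, scope)}")
    # Assumed winbind spelling of the group Louis suggests adding.
    print("BUILTIN\\administrators in default ACL:",
          has_group(rep, "default", "BUILTIN\\administrators"))
```

On Rob's listing the audit shows that both the owning group and the explicit "unix admins" entry grant nothing in the access ACL and in the default ACL, so anything created under profiles inherits that denial, while NT Authority\system and domain users keep rwx; the same parser can be run on the getfacl of /samba that Louis asks for.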
