[Samba] Mapping the Domain Administrator Account to the Local root User

Rowland Penny rpenny at samba.org
Tue Nov 28 11:46:55 UTC 2023


On Mon, 27 Nov 2023 18:47:56 +0000
Luis Peromarta via samba <samba at lists.samba.org> wrote:

> Glad to hear it’s working. The min uid setting is documented in the
> Samba Wiki in the “troubleshooting member server” page I think.
> 
> LP
> On 27 Nov 2023 at 18:46 +0000, mail at rhizomatic-nomad.net, wrote:
> >
> > The user rights I've granted, but this "min domain uid = 0"
> > parameter seems to be important and is not documented in the Samba
> > wiki.

I did some investigating and, whilst with earlier versions of Samba you
did need a user.map, this doesn't seem to be the case anymore. It may
be that you do need it with 'ad' idmap backend, but I do not need it
with the 'rid' idmap backend.

If I use a smb.conf that DOES NOT have:

username map = /etc/samba/user.map
min domain uid = 0

in it and then create a share:

[admin_share]
  path = /srv/samba/Demo
  read only = no

I can then create the share with:

sudo mkdir -p /srv/samba/Demo
sudo chown root:"Domain Admins" /srv/samba/Demo/
sudo chmod 0770 /srv/samba/Demo/

Then restart Samba:
sudo systemctl restart winbind smbd

I can then check the shared directory permissions:

ls -lad /srv/samba/Demo/
drwxrwx--- 2 root domain admins 4096 Nov 28 10:50 /srv/samba/Demo/

Now ensure that Domain Admins has the 'SeDiskOperatorPrivilege', grant
the privilege if not.

Now go to a Windows computer, log in as a member of Domain Admins, you
should be able to connect to the Samba server and set your required
permissions.

If you return to the Unix domain member after changing the permissions
and check the shared directory permissions again, you should find
something like this:

ls -lad /srv/samba/Demo/
drwxrwx---+ 2 root domain admins 4096 Nov 28 10:50 /srv/samba/Demo/

Note the '+' sign at the end of the permissions, it wasn't there before,
let's read it with 'getfacl':

getfacl /srv/samba/Demo/
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/Demo/
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
user:rowland:rwx
group::rwx
group:domain\040admins:rwx
group:rowland:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:rowland:rwx
default:group::r-x
default:group:domain\040admins:r-x
default:group:rowland:rwx
default:mask::rwx
default:other::r-x

And with samba-tool:

sudo samba-tool ntacl get /srv/samba/Demo --as-sddl
O:S-1-22-1-0G:DAD:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;S-1-5-21-123456789-1234567890-12345678-1104)

Rowland
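To check what Samba actually wrote into the NT ACL, here is an added example, not part of Rowland's post or of the Samba project: a small Python decoder for the SDDL string that `samba-tool ntacl get <path> --as-sddl` prints. The SDDL embedded as `SAMPLE` is the one from the post above; the SID abbreviation and access-mask tables are a subset assumed sufficient for file ACLs (`S-1-22-1-<uid>` and `S-1-22-2-<gid>` are Samba's Unix user/group authority, so `O:S-1-22-1-0` is the local root owner); `has_full_control` and `explain` are helper names chosen here.

```python
"""Decode the SDDL printed by `samba-tool ntacl get <path> --as-sddl`.

Added example; the tables below cover the abbreviations seen in file ACLs,
not the full SDDL specification.
"""
import re
from dataclasses import dataclass, field

# Well-known SID abbreviations used in SDDL (subset).
WELL_KNOWN_SIDS = {
    "WD": "Everyone", "CO": "CREATOR OWNER", "CG": "CREATOR GROUP",
    "DA": "Domain Admins", "DU": "Domain Users",
    "BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
}
# Named file access masks (FILE_ALL_ACCESS, FILE_GENERIC_READ|EXECUTE, ...).
MASK_NAMES = {
    0x001F01FF: "FULL_CONTROL", 0x001301BF: "MODIFY",
    0x001200A9: "READ_AND_EXECUTE", 0x00120089: "READ", 0x00120116: "WRITE",
}
# Two-letter rights tokens SDDL may use instead of a hex mask.
RIGHTS_TOKENS = {"FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}
DACL_FLAG_TOKENS = ("AR", "AI", "P")          # longest first so "AI" is not read as "A"+"I"
ACE_FLAG_TOKENS = ("OI", "CI", "NP", "IO", "ID", "SA", "FA")

SD_RE = re.compile(
    r"^O:(?P<owner>S-[\d-]+|[A-Z]{2})"
    r"G:(?P<group>S-[\d-]+|[A-Z]{2})"
    r"D:(?P<dacl_flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)"
)
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class Ace:
    ace_type: str   # "A" allow, "D" deny
    flags: list     # OI/CI/IO/... tokens
    mask: int
    sid: str

    @property
    def applies_to_object(self) -> bool:
        """INHERIT_ONLY ACEs affect children only, not the directory itself."""
        return "IO" not in self.flags


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: list
    aces: list = field(default_factory=list)


def _split_flags(text, tokens):
    """Split a run of flag letters into known tokens, e.g. 'OICIIO' -> [OI, CI, IO]."""
    out = []
    while text:
        for tok in tokens:
            if text.startswith(tok):
                out.append(tok)
                text = text[len(tok):]
                break
        else:
            raise ValueError(f"unknown flag in {text!r}")
    return out


def parse_mask(text):
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for tok in _split_flags(text, tuple(RIGHTS_TOKENS)):
        mask |= RIGHTS_TOKENS[tok]
    return mask


def parse_sddl(sddl):
    m = SD_RE.match(sddl.strip())
    if not m:
        raise ValueError("not a recognised SDDL string")
    sd = SecurityDescriptor(m["owner"], m["group"], _split_flags(m["dacl_flags"], DACL_FLAG_TOKENS))
    for body in ACE_RE.findall(m["aces"]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj_guid, _inh_guid, sid = fields
        sd.aces.append(Ace(ace_type, _split_flags(flags, ACE_FLAG_TOKENS), parse_mask(rights), sid))
    return sd


def describe_sid(sid):
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    if sid.startswith("S-1-22-1-"):      # Samba's Unix users authority
        return f"Unix user uid {sid.rsplit('-', 1)[1]}"
    if sid.startswith("S-1-22-2-"):      # Samba's Unix groups authority
        return f"Unix group gid {sid.rsplit('-', 1)[1]}"
    if sid.startswith("S-1-5-21-"):
        return f"domain SID, RID {sid.rsplit('-', 1)[1]}"
    return sid


def describe_mask(mask):
    return MASK_NAMES.get(mask, f"0x{mask:08x}")


def has_full_control(sd, sid):
    """True if `sid` gets FULL_CONTROL on the directory itself via an allow ACE."""
    return any(a.ace_type == "A" and a.sid == sid and a.applies_to_object
               and a.mask & 0x001F01FF == 0x001F01FF for a in sd.aces)


def explain(sd):
    lines = [f"owner: {describe_sid(sd.owner)}", f"group: {describe_sid(sd.group)}",
             f"dacl flags: {' '.join(sd.dacl_flags) or '-'}"]
    for a in sd.aces:
        scope = "this object" if a.applies_to_object else "inherit-only"
        lines.append(f"  {a.ace_type} {describe_mask(a.mask):16} {describe_sid(a.sid):28} "
                     f"[{' '.join(a.flags) or '-'}] ({scope})")
    return "\n".join(lines)


# Sample input: the SDDL string from the post above (domain SID is the post's placeholder).
SAMPLE = ("O:S-1-22-1-0G:DAD:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;;0x001f01ff;;;DA)"
          "(A;OICI;0x001f01ff;;;S-1-5-21-123456789-1234567890-12345678-1104)")

if __name__ == "__main__":
    sd = parse_sddl(SAMPLE)
    print(explain(sd))
    print("Domain Admins full control on the directory:", has_full_control(sd, "DA"))
```

Run it against the output of `samba-tool ntacl get` on your own share; the check worth keeping is `has_full_control(sd, "DA")`, which ignores inherit-only ACEs (the `IO` entries for Everyone, CREATOR OWNER and CREATOR GROUP only shape what new files get) and confirms that Domain Admins can manage the directory itself without any `username map` or `min domain uid` mapping to root.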
