[Samba] Permissions issue on domain member server (samba as an appliance)

Greg Dickie greg at justaguy.ca
Sun Oct 29 22:50:58 UTC 2023


More info. If I run robocopy with /COPY:DATSO rather than /COPY:DATSOU (i.e.
not copying auditing properties) it runs. That's probably fine in my case
but I would like to understand why.

In any case, thank you very much for all your help.

Greg

On Sun, Oct 29, 2023 at 5:08 PM Greg Dickie <greg at justaguy.ca> wrote:

> OK I found an account with RID 500 but it has another username. I
> inherited this AD from 15+ years ago. Everything looks fine, all the
> computer management stuff works and I can manipulate permissions and
> security BUT running robocopy still gives "Error 1314 Copying NTFS
> Security to destination Directory ********* A required privilege is not
> held by the client". I just noticed it does say the user but the client.
> Hmmmm.
>
> Thanks,
> Greg
>
> On Sun, Oct 29, 2023 at 4:53 PM Luis Peromarta via samba <
> samba at lists.samba.org> wrote:
>
>> Administrator is a built-in account in the AD. When you provisioned the
>> domain with a password, that was Administrator's password.
>>
>> LP
>> On 29 Oct 2023 at 21:36 +0100, Greg Dickie via samba <
>> samba at lists.samba.org>, wrote:
>> > Hey Rowland,
>> >
>> > Sorry, I'm thick. I understand why you would not want to create a Linux
>> > user called Administrator but then where will the credentials come from? In
>> > my AD, I do not have a user called Administrator. I guess I must have a
>> > user with RID 500 though, I'll look for that.
>> >
>> > Thanks for your help,
>> > Greg
>> >
>> > On Sat, Oct 28, 2023 at 3:09 AM Rowland Penny via samba <
>> > samba at lists.samba.org> wrote:
>> >
>> > > On Fri, 27 Oct 2023 16:14:52 -0400
>> > > Greg Dickie <greg at justaguy.ca> wrote:
>> > >
>> > > > Hey Rowland,
>> > > >
>> > > > Hmmm. I may have misunderstood. I don't believe it explicitly said to
>> > > > do that but I took it as that. Should I create a local Administrator
>> > > > account instead?
>> > > >
>> > >
>> > > The whole idea behind the user map on a Unix domain member is to map
>> > > the Domain Administrator account (RID 500) to the Unix user 'root'.
>> > > When you do something on Windows as 'Administrator', it is done on Unix as
>> > > 'root'.
>> > >
>> > > I would never use 'Administrator' directly on Unix and here is why:
>> > >
>> > > I use the 'rid' idmap backend and if I run 'getent passwd
>> > > administrator', I get:
>> > >
>> > > administrator:*:10500:10513::/home/administrator:/bin/bash
>> > >
>> > > As you can see 'Administrator' has the ID '10500', which makes it a
>> > > normal Unix user with no special powers. However, from Windows via
>> > > Samba, the 'Administrator' ID is set to '0' by the user map and I hope
>> > > you realise what other Unix user has the ID '0'.
>> > >
>> > > If you haven't realised yet, no, do not create a local Administrator,
>> > > for one thing, you already have one :-)
>> > >
>> > > Rowland
>> > >
>> > >
>> > >
>> > > --
>> > > To unsubscribe from this list go to the following URL and read the
>> > > instructions: https://lists.samba.org/mailman/options/samba
>> > >
>> >
>> >
>> > --
>> >
>> >
>> > Greg Dickie
>> > just a guy
>> > 514-983-5400
>>
>


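The two views of 'Administrator' that Rowland describes in the quoted reply, as an added example that is not part of the thread: the rid backend arithmetic behind the 10500/10513 in his getent output, and a simplified username map lookup that yields root. The domain name SAMDOM, the idmap range starting at 10000, the map line and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: domain SAMDOM, idmap range
# starting at 10000, base_rid 0, and the constructed map line in demo().

# idmap_rid arithmetic: Unix ID = RID - base_rid + low end of the range.
rid_to_unix_id() {  # usage: rid_to_unix_id RID LOW [BASE_RID]
    echo $(( $1 - ${3:-0} + $2 ))
}

# Simplified "username map" lookup: "unixname = winname ..." lines, '#'/';'
# comments, leading '!' stops at the first match. Quoted names, @group and
# '*' entries are not handled. Prints the Unix name, or the input if unmapped.
map_user() {  # usage: map_user MAPFILE 'DOMAIN\user'
    WANT="$2" awk '
        BEGIN { result = ENVIRON["WANT"]; want = tolower(result) }
        /^[ \t]*([#;]|$)/ || index($0, "=") == 0 { next }
        {
            unix  = substr($0, 1, index($0, "=") - 1)
            names = substr($0, index($0, "=") + 1)
            stop  = sub(/^[ \t]*!/, "", unix)
            gsub(/[ \t]/, "", unix)
            n = split(names, w, " ")
            for (i = 1; i <= n; i++)
                if (tolower(w[i]) == want) { result = unix; if (stop) exit }
        }
        END { print result }' "$1"
}

# UID that file operations run as when the account connects through Samba.
samba_uid() {  # usage: samba_uid MAPFILE 'DOMAIN\user' RID LOW
    if [ "$(map_user "$1" "$2")" = root ]; then
        echo 0
    else
        rid_to_unix_id "$3" "$4"
    fi
}

demo() {
    map=$(mktemp)
    printf '%s\n' '# constructed user.map' '!root = SAMDOM\Administrator' > "$map"
    echo "local lookup (rid backend): uid=$(rid_to_unix_id 500 10000) gid=$(rid_to_unix_id 513 10000)"
    echo "through Samba (user map):   uid=$(samba_uid "$map" 'SAMDOM\Administrator' 500 10000)"
    rm -f "$map"
}
demo
```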