[Samba] Domain Admin cannot access files

Rowland Penny rpenny at f2s.com
Wed Aug 15 15:51:34 MDT 2012


On 15/08/12 22:10, Gémes Géza wrote:
> On 2012-08-15 18:59, steve wrote:
>> Hi
>> I just joined a Samba 3.6.3 machine as a file server for a Samba4 
>> domain.
>>
>> Normal users can login and reach the shares apart from the domain 
>> Administrator.
>>
>> After Administrator has logged in, any attempt to reach the file 
>> server results in a username and password prompt. Supplying the 
>> correct information still will not allow share access for Administrator.
>>
>> Using s3fs under Samba4, Administrator is allowed full access without 
>> being asked for a password.
>>
>> What am I missing?
>>
>> Cheers,
>> Steve
>>
>> [global]
>>         workgroup = MARINA
>>         realm = hh3.site
>>         security = ADS
>>
>> [home]
>>         path = /home2/MARINA
>>         read only = No
>>
>> [staff]
>>         path = /home2/staff
>>         read only = No
> IF this is a Samba3 config file, you DO NOT need to specify a path for 
> a [homes] share. That way (a correctly configured Samba3 box (HERE 
> COMES winbind into PLAY!)) will give each user its own home share.
>
> I've pasted a default [homes] section from an ubuntu 12.04 box (I'm 
> using it only for running winbind on it to allow login of domain 
> users, no samba running on that box), as you can see it is still 
> commented out:
>
> ;[homes]
> ;   comment = Home Directories
> ;   browseable = no
>
> # By default, the home directories are exported read-only. Change the
> # next parameter to 'no' if you want to be able to write to them.
> ;   read only = yes
>
> # File creation mask is set to 0700 for security reasons. If you want to
> # create files with group=rw permissions, set next parameter to 0775.
> ;   create mask = 0700
>
> # Directory creation mask is set to 0700 for security reasons. If you want to
> # create dirs. with group=rw permissions, set next parameter to 0775.
> ;   directory mask = 0700
>
> # By default, \\server\username shares can be connected to by anyone
> # with access to the samba server. Un-comment the following parameter
> # to make sure that only "username" can connect to \\server\username
> # The following parameter makes sure that only "username" can connect
> #
> # This might need tweaking when using external authentication schemes
> ;   valid users = %S
>
> Regards
>
> Geza Gemes
He is not exporting the Samba [homes] share; he is exporting a share 
called [home], which is why he needs the path statement.

Administrator on my samba4 server is a member of:
Group Policy Creator Owners
Enterprise Admins
Schema Admins
Domain Admins

So unless your shares are owned by Administrator or one of his groups or 
are set xx7, I do not think he should be able to get into the shares.

Rowland
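To make Rowland's point concrete, here is an added example (not code from the thread or from Samba) that models the Unix-permission fall-through he describes: once winbind has mapped the domain user to a uid and a set of gids, a share path is reachable only if the user owns it, one of the user's groups owns it, or the "other" bits allow it (the "xx7" case). The uid/gid numbers are constructed, and the model deliberately ignores POSIX ACLs and Samba share-level settings such as `valid users`, which can grant or deny access on top of this.

```python
import os
import stat
import tempfile

# Constructed identities: a domain Administrator mapped by winbind to a uid
# and the gids of the groups Rowland lists (values are made up for the demo).
ADMIN_UID = 10000
ADMIN_GIDS = {10512, 10519, 10518, 10520}  # Domain Admins, Enterprise Admins, ...


def unix_access(mode, owner_uid, owner_gid, uid, gids, want="rwx"):
    """Return True if a user (uid, gids) gets every permission in `want`
    on an object with the given mode bits and ownership, following the
    usual owner -> group -> other selection rule (only one triplet applies)."""
    if uid == owner_uid:
        shift = 6          # owner triplet
    elif owner_gid in gids:
        shift = 3          # group triplet
    else:
        shift = 0          # "other" triplet: the xx7 case Rowland mentions
    bits = (mode >> shift) & 0o7
    need = 0
    for p in want:
        need |= {"r": 4, "w": 2, "x": 1}[p]
    return (bits & need) == need


def check_share_path(path, uid, gids, want="rwx"):
    """Apply unix_access() to the real ownership and mode of a share root."""
    st = os.stat(path)
    return unix_access(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                       uid, gids, want)


def demo_unowned_share():
    """Constructed on-disk case: a share root with mode 0755 owned by whoever
    runs this, checked for a uid/gid that owns nothing there. Returns
    (can traverse and list, can also write)."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        st = os.stat(d)
        stranger_uid, stranger_gids = st.st_uid + 1, {st.st_gid + 1}
        can_read = check_share_path(d, stranger_uid, stranger_gids, "rx")
        can_write = check_share_path(d, stranger_uid, stranger_gids, "rwx")
        return can_read, can_write


if __name__ == "__main__":
    # A root-owned 0755 share lets Administrator browse but not write.
    print(unix_access(0o755, 0, 0, ADMIN_UID, ADMIN_GIDS, "rx"),
          unix_access(0o755, 0, 0, ADMIN_UID, ADMIN_GIDS, "rwx"))
```

Run it against the real share roots (`/home2/MARINA`, `/home2/staff`) with the uid and gids `id MARINA\\Administrator` reports on the file server to see which triplet actually applies.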

