[Samba] Domain Admin cannot access files
Rowland Penny
rpenny at f2s.com
Wed Aug 15 15:51:34 MDT 2012
On 15/08/12 22:10, Gémes Géza wrote:
> On 2012-08-15 18:59, steve wrote:
>> Hi
>> I just joined a Samba 3.6.3 machine as a file server for a Samba4
>> domain.
>>
>> Normal users can login and reach the shares apart from the domain
>> Administrator.
>>
>> After Administrator has logged in, any attempt to reach the file
>> server results in a username and password prompt. Supplying the
>> correct information still will not allow share access for Administrator.
>>
>> Using s3fs under Samba4, Administrator is allowed full access without
>> being asked for a password.
>>
>> What am I missing?
>>
>> Cheers,
>> Steve
>>
>> [global]
>> workgroup = MARINA
>> realm = hh3.site
>> security = ADS
>>
>> [home]
>> path = /home2/MARINA
>> read only = No
>>
>> [staff]
>> path = /home2/staff
>> read only = No
> IF this is a Samba3 config file, you DO NOT need to specify a path for
> a [homes] share. That way (a correctly configured Samba3 box (HERE
> COMES winbind into PLAY!)) will give each user its own home share.
>
> I've pasted a default [homes] section from an ubuntu 12.04 box (I'm
> using it only for running winbind on it to allow login of domain
> users, no samba running on that box), as you can see it is still
> commented out:
>
> ;[homes]
> ; comment = Home Directories
> ; browseable = no
>
> # By default, the home directories are exported read-only. Change the
> # next parameter to 'no' if you want to be able to write to them.
> ; read only = yes
>
> # File creation mask is set to 0700 for security reasons. If you want to
> # create files with group=rw permissions, set next parameter to 0775.
> ; create mask = 0700
>
> # Directory creation mask is set to 0700 for security reasons. If you want to
> # create dirs. with group=rw permissions, set next parameter to 0775.
> ; directory mask = 0700
>
> # By default, \\server\username shares can be connected to by anyone
> # with access to the samba server. Un-comment the following parameter
> # to make sure that only "username" can connect to \\server\username
> # The following parameter makes sure that only "username" can connect
> #
> # This might need tweaking when using external authentication schemes
> ; valid users = %S
>
> Regards
>
> Geza Gemes
He is not exporting the Samba homes share; he is exporting a share
called [home], which is why he needs the path statement.
Administrator on my samba4 server is a member of:
Group Policy Creator Owners
Enterprise Admins
Schema Admins
Domain Admins
So unless your shares are owned by Administrator or one of his groups or
are set xx7, I do not think he should be able to get into the shares.
Rowland
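Rowland's diagnosis comes down to the POSIX permission check a winbind-mapped user hits on the share root: Administrator's Domain Admins membership only helps if the directory's owning group is one of his groups, or if the 'other' bits are set (mode xx7). The following Python model of that check is an added example, not code from the thread; the uids, gids and share ownership are constructed values.

```python
from dataclasses import dataclass

# Constructed identities (made up here): winbind has mapped the domain SIDs to
# these uids/gids; Administrator's gids stand for the groups Rowland lists.
ADMINISTRATOR = {"uid": 3000500, "gids": {3000512, 3000518, 3000519, 3000520}}

@dataclass(frozen=True)
class Entry:
    """Ownership and permission bits of a share root, as stat() reports them."""
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o770

def posix_allows(entry: Entry, uid: int, gids: set, want: str) -> bool:
    """True if user (uid, gids) holds every bit in `want` ('r', 'w', 'x').
    Exactly one class applies, chosen owner -> group -> other; if the owner
    class denies, group bits do not rescue the owner. Hence the two ways in
    that the thread names: own the share or sit in its group with the bits
    set, or grant the bits to 'other' (mode xx7).
    """
    if uid == entry.uid:
        shift = 6
    elif entry.gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (entry.mode >> shift) & 0o7
    needed = {"r": 0o4, "w": 0o2, "x": 0o1}
    return all(bits & needed[c] for c in want)

def can_enter_share(entry: Entry, user: dict) -> bool:
    """Entering a share root needs r+x on the directory itself."""
    return posix_allows(entry, user["uid"], user["gids"], "rx")

def with_mode(entry: Entry, mode: int) -> Entry:
    """Copy of `entry` with a new mode, modelling a chmod on the share root."""
    return Entry(entry.path, entry.uid, entry.gid, mode)

# Constructed share roots modelled on [home] and [staff] from the thread:
# root-owned, group rwx, nothing for 'other'. Administrator is in neither group.
SHARES = {
    "/home2/MARINA": Entry("/home2/MARINA", uid=0, gid=3001000, mode=0o770),
    "/home2/staff": Entry("/home2/staff", uid=0, gid=3001001, mode=0o770),
}

def diagnose(user: dict, shares: dict = SHARES) -> dict:
    """Map each share path to whether `user` can enter it."""
    return {path: can_enter_share(e, user) for path, e in shares.items()}
```

Against a real file server the inputs would be the stat() results of the share roots and the uid/gids winbind reports for the user; the model shows why Administrator is denied on both constructed shares until they are group-owned by one of his groups or opened to 'other'.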