[Samba] Domain Admin cannot access files

steve steve at steve-ss.com
Thu Aug 16 05:48:12 MDT 2012


On 15/08/12 23:51, Rowland Penny wrote:
> On 15/08/12 22:10, Gémes Géza wrote:
>> 2012-08-15 18:59 keltezéssel, steve írta:
>>> Hi
>>> I just joined a Samba 3.6.3 machine as a file server for a Samba4
>>> domain.
>>>
>>> Normal users can login and reach the shares apart from the domain
>>> Administrator.
>>>
>>> After Administrator has logged in, any attempt to reach the file
>>> server results in a username and password prompt. Supplying the
>>> correct information still will not allow share access for Administrator.
>>>
>>> Using s3fs under Samba4, Administrator is allowed full access without
>>> being asked for a password.
>>>
>>> What am I missing?
>>>
>>> Cheers,
>>> Steve
>>>
>>> [global]
>>>         workgroup = MARINA
>>>         realm = hh3.site
>>>         security = ADS
>>>
>>> [home]
>>>         path = /home2/MARINA
>>>         read only = No
>>>
>>> [staff]
>>>         path = /home2/staff
>>>         read only = No
>> IF this is a Samba3 config file, you DO NOT need to specify a path for
>> a [homes] share. That way (a correctly configured Samba3 box (HERE
>> COMES winbind into PLAY!)) will give each user its own home share.
>>
>> I've pasted a default [homes] section from an ubuntu 12.04 box (I'm
>> using it only for running winbind on it to allow login of domain
>> users, no samba running on that box), as you can see it is still
>> commented out:
>>
>> ;[homes]
>> ;   comment = Home Directories
>> ;   browseable = no
>>
>> # By default, the home directories are exported read-only. Change the
>> # next parameter to 'no' if you want to be able to write to them.
>> ;   read only = yes
>>
>> # File creation mask is set to 0700 for security reasons. If you want to
>> # create files with group=rw permissions, set next parameter to 0775.
>> ;   create mask = 0700
>>
>> # Directory creation mask is set to 0700 for security reasons. If you want to
>> # create dirs. with group=rw permissions, set next parameter to 0775.
>> ;   directory mask = 0700
>>
>> # By default, \\server\username shares can be connected to by anyone
>> # with access to the samba server. Un-comment the following parameter
>> # to make sure that only "username" can connect to \\server\username
>> # The following parameter makes sure that only "username" can connect
>> #
>> # This might need tweaking when using external authentication schemes
>> ;   valid users = %S
>>
>> Regards
>>
>> Geza Gemes
> He is not exporting the samba homes share, he is exporting a share
> called [home], that is why he needs the path statement.
>
> Administrator on my samba4 server is a member of:
> Group Policy Creator Owners
> Enterprise Admins
> Schema Admins
> Domain Admins
>
> So unless your shares are owned by Administrator or one of his groups or
> are set xx7, I do not think he should be able to get into the shares.
>
> Rowland
>
>
Hi Geza, Rowland, everyone

openSUSE 12.1
Samba 4.0.0beta7-GIT 9566786 DC
Samba 3.6.3 file server on Vbox

[homes] is not the same as [home]. I do not want the restriction of 
[homes], with all home directories having to be in the same folder.

With s3fs, Administrator has full control over all the shares.

What I'm trying to do is convert this on S4 s3fs (which works perfectly):
  [global]
         server role = domain controller
         workgroup = ALTEA
         realm = hh3.site
         netbios name = HH1
         passdb backend = samba4
         idmap_ldb:use rfc2307 = yes

[netlogon]
         path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
         read only = No

[sysvol]
         path = /usr/local/samba/var/locks/sysvol
         read only = No

[home]
         path = /home2
         read only = No

[profiles]
	path = /home2/profiles
	read only = No

To something equivalent on S3 smbd. This is what I have so far:

[global]
	workgroup = ALTEA
	realm = HH3.SITE
	security = ADS
	kerberos method = secrets and keytab
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind expand groups = 2
	winbind nss info = rfc2307
	winbind refresh tickets = Yes
	idmap config ALTEA:schema_mode = rfc2307
	idmap config ALTEA:range = 20000-40000000
	idmap config ALTEA:backend = ad
	idmap config * : backend = tdb

[home]
	path = /home2/home
	read only = No

[profiles]
	path = /home2/profiles
	read only = No
	create mask = 0600
	directory mask = 0700
	store dos attributes = Yes

It works, but it's slow and roaming profiles sometimes work, sometimes 
not. And Administrator has no control over permissions. No one on m$ has 
control over anything in fact.

Could anyone give me a full s3fs to S3 smbd translation? Is there a tool 
to do so?

Going from smbd to s3fs is documented, but this seems to be breaking new 
territory. . .

What am I missing in my smb.conf translation to make this as fast and as 
reliable as s3fs?

Cheers,
Steve
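
Steve asks for a tool that translates an s3fs DC smb.conf into a Samba 3 domain-member smb.conf. The script below is an added example written for this page; it is not a tool from the Samba project and was not posted by anyone in the thread. It parses the DC config posted above (embedded here as sample input), drops the DC-only globals and the sysvol/netlogon shares, and emits a [global] built from the member-server parameters Steve already uses. Everything else is an assumption: the default-domain idmap range (3000-7999, checked for overlap with the ALTEA range because winbind requires the two ranges to be disjoint), the upper-casing of the realm, and the optional `admin users` line. `admin users` is a real smb.conf(5) parameter that makes the listed accounts act as root on that share; it gives Domain Admins the control Rowland's reply says they otherwise lack, but it sidesteps UNIX ownership rather than fixing it, so setting ownership or ACLs on the share root is the better long-term answer. Share paths are copied verbatim and will need adjusting to the member server's filesystem.

```python
"""Translate a Samba 4 DC (s3fs) smb.conf into a Samba 3 domain-member smb.conf.

Added example for this mailing-list page; not a Samba project tool.
The member [global] mirrors the parameters posted in the thread; the
default-domain idmap range, realm upper-casing and the optional
'admin users' line are assumptions made here.
"""
import re

# [global] parameters that only make sense on an AD DC (or name the DC itself).
DC_ONLY_GLOBALS = {"server role", "passdb backend", "idmap_ldb:use rfc2307", "netbios name"}
# Shares that belong to the DC itself (SYSVOL replication, logon scripts).
DC_ONLY_SHARES = {"sysvol", "netlogon"}

_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def _norm(key):
    """smb.conf parameter names are case-insensitive and Samba ignores whitespace in them."""
    return re.sub(r"\s+", "", key).lower()


def get_param(params, name, default=None):
    """Look up a parameter in a [(key, value), ...] list using Samba's name rules."""
    for key, value in params:
        if _norm(key) == _norm(name):
            return value
    return default


def parse_smb_conf(text):
    """Parse smb.conf text into a list of (section_name, [(key, value), ...])."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = (m.group(1).strip(), [])
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError("not a 'key = value' line inside a section: %r" % raw)
        key, value = line.split("=", 1)
        current[1].append((key.strip(), value.strip()))
    return sections


def _parse_range(text):
    lo, hi = (int(x) for x in text.split("-"))
    if lo >= hi:
        raise ValueError("bad idmap range %r" % text)
    return lo, hi


def member_globals(workgroup, realm, domain_range, default_range):
    """[global] for a Samba 3 member using winbind with the 'ad' (rfc2307) idmap backend."""
    lo, hi = _parse_range(domain_range)
    dlo, dhi = _parse_range(default_range)
    if lo <= dhi and dlo <= hi:            # winbind needs disjoint ranges per domain
        raise ValueError("idmap ranges overlap: %s vs %s" % (domain_range, default_range))
    return [
        ("workgroup", workgroup),
        ("realm", realm.upper()),          # assumption: realm conventionally upper-case
        ("security", "ADS"),
        ("kerberos method", "secrets and keytab"),
        ("winbind enum users", "Yes"),
        ("winbind enum groups", "Yes"),
        ("winbind expand groups", "2"),
        ("winbind nss info", "rfc2307"),
        ("winbind refresh tickets", "Yes"),
        ("idmap config %s:schema_mode" % workgroup, "rfc2307"),
        ("idmap config %s:range" % workgroup, domain_range),
        ("idmap config %s:backend" % workgroup, "ad"),
        ("idmap config * : backend", "tdb"),
        ("idmap config * : range", default_range),   # assumed value, for BUILTIN etc.
    ]


def translate(dc_conf_text, domain_range="20000-40000000", default_range="3000-7999",
              admin_group=None):
    """Return member-server sections built from a DC smb.conf."""
    sections = parse_smb_conf(dc_conf_text)
    dc_globals = next((p for n, p in sections if n.lower() == "global"), None)
    if dc_globals is None:
        raise ValueError("no [global] section")
    workgroup, realm = get_param(dc_globals, "workgroup"), get_param(dc_globals, "realm")
    if not workgroup or not realm:
        raise ValueError("DC [global] must set workgroup and realm")
    out_globals = member_globals(workgroup, realm, domain_range, default_range)
    # Carry over any remaining DC globals that are neither DC-only nor already set.
    skip = {_norm(k) for k in DC_ONLY_GLOBALS} | {_norm(k) for k, _ in out_globals}
    out_globals += [(k, v) for k, v in dc_globals if _norm(k) not in skip]
    out = [("global", out_globals)]
    for name, params in sections:
        if name.lower() == "global" or name.lower() in DC_ONLY_SHARES:
            continue
        params = list(params)                # paths copied verbatim: adjust for the member host
        if admin_group:
            # 'admin users' makes these accounts root on the share (smb.conf(5));
            # it papers over UNIX ownership rather than fixing it. Assumes the
            # default winbind separator '\'.
            params.append(("admin users", '@"%s\\%s"' % (workgroup, admin_group)))
        out.append((name, params))
    return out


def render(sections):
    """Serialise sections back into smb.conf text."""
    lines = []
    for name, params in sections:
        lines.append("[%s]" % name)
        lines.extend("\t%s = %s" % (k, v) for k, v in params)
        lines.append("")
    return "\n".join(lines)


# Sample input: the s3fs DC configuration posted in the thread.
DC_SMB_CONF = """\
[global]
        server role = domain controller
        workgroup = ALTEA
        realm = hh3.site
        netbios name = HH1
        passdb backend = samba4
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[home]
        path = /home2
        read only = No

[profiles]
        path = /home2/profiles
        read only = No
"""

if __name__ == "__main__":
    print(render(translate(DC_SMB_CONF, admin_group="Domain Admins")))
```

Run it and it prints a member-server smb.conf with [global], [home] and [profiles] only; pass `admin_group=None` to omit the `admin users` line and rely on filesystem ownership instead. After installing the output, `testparm` will tell you whether Samba accepts the file, and the idmap overlap check above refuses to emit a config winbind would reject.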
