[Samba] XP Administrator has no access to shares

Gémes Géza geza at kzsdabas.hu
Fri Aug 17 05:17:21 MDT 2012


On 2012-08-17 11:44, steve wrote:
> Hi
> S4 DC with S3 fileserver.
>
> smb.conf on the fileserver:
> [global]
>     workgroup = ALTEA
>     realm = HH3.SITE
>     security = ADS
>     kerberos method = secrets and keytab
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     idmap config *:backend = tdb
>     idmap config *:range = 3000-4000
>     idmap config ALTEA:backend = ad
>     idmap config ALTEA:range = 20000-40000000
>     idmap config ALTEA:schema_mode = rfc2307
>     winbind nss info = rfc2307
>     winbind expand groups = 2
>     winbind nested groups = yes
>     usershare allow guests = No
>     winbind refresh tickets = yes
>
> [home]
>     path = /home2/home
>     read only = No
>
> [staff]
>     path = /home2/staff
>     read only = No
>
> [profiles]
>     path = /home2/profiles
>     read only = No
>     store dos attributes = Yes
>     create mask = 0600
>     directory mask = 0700
>
> [dropbox]
>     path = /home2/dropbox
>     force create mode = 0660
>     force directory mode = 0770
>     read only = No
>
> wbinfo -u lists Administrator but getent passwd lists only those users 
> with a uidNumber and gidNumber. The latter users can login to xp and 
> enter the shares fine. Administrator can login but gets a password 
> prompt each time he hits a share. Giving the correct password results 
> in XP stating that he has no permission to access the share.
>
> How do I get Administrator to enter and manipulate the shares? I
> thought that that was his purpose.
>
> Cheers,
> Steve
First: the Windows in the security model Administrator=root from the 
Unix world it is just a predefined account member of the Administrators 
or in a domain of the Domain Admins group and that gives access, so you 
could do all the management operations from any other user account member 
of the Domain Admins group.
Second: samba3 smbd and thus s3fs (I think ntvfs not, but I could be 
wrong) needs that the connected user have a valid uid/gidnumber in order 
to be able to check the posix acl permissions, so if you want to connect 
to a Samba3 box with Administrator, first give it all the posix 
attributes you've given to the other user accounts (however it doesn't 
need a unixHomedirectory or loginshell if you won't login e.g. via ssh 
as Administrator)

Regards

Geza Gemes
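
The check described in this thread, as an added example that is not part of the original messages or of Samba: it reads the `idmap config ALTEA:range` from the quoted smb.conf and reports which accounts the `ad` backend would leave without a POSIX identity. The account records and the `olduser` entry are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted above.
SMB_CONF = """\
[global]
    workgroup = ALTEA
    idmap config *:backend = tdb
    idmap config *:range = 3000-4000
    idmap config ALTEA:backend = ad
    idmap config ALTEA:range = 20000-40000000
    idmap config ALTEA:schema_mode = rfc2307
"""

# Constructed directory entries (hypothetical values), shaped like the
# rfc2307 attributes an LDAP query against the DC would return.
ACCOUNTS = [
    {"sAMAccountName": "Administrator"},
    {"sAMAccountName": "steve", "uidNumber": "20001", "gidNumber": "20000"},
    {"sAMAccountName": "olduser", "uidNumber": "1005", "gidNumber": "20000"},
]

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*([^=]+?)\s*=\s*(.*\S)\s*$", re.I)

def idmap_settings(conf_text, domain):
    """Collect the 'idmap config DOMAIN:key = value' options for one domain."""
    opts = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(1).upper() == domain.upper():
            opts[m.group(2).strip().lower()] = m.group(3)
    low, high = (int(n) for n in opts["range"].split("-"))
    opts["range"] = (low, high)
    return opts

def unmapped_accounts(accounts, id_range):
    """Return (name, reason) for accounts that would get no uid/gid mapping."""
    low, high = id_range
    problems = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        missing = [a for a in ("uidNumber", "gidNumber") if a not in acct]
        if missing:
            problems.append((name, "missing " + ", ".join(missing)))
        elif not low <= int(acct["uidNumber"]) <= high:
            # IDs outside the configured range are ignored by the backend.
            problems.append(
                (name, f"uidNumber {acct['uidNumber']} outside {low}-{high}"))
    return problems

if __name__ == "__main__":
    settings = idmap_settings(SMB_CONF, "ALTEA")
    for name, reason in unmapped_accounts(ACCOUNTS, settings["range"]):
        print(f"{name}: {reason}")
```

Accounts flagged here are the ones that `wbinfo -u` would list but `getent passwd` would not.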

