[Samba] XP Administrator has no access to shares
steve
steve at steve-ss.com
Sat Aug 18 00:48:43 MDT 2012
On 17/08/12 13:17, Gémes Géza wrote:
> On 2012-08-17 11:44, steve wrote:
>> Hi
>> S4 DC with S3 fileserver.
>>
>> smb.conf on the fileserver:
>> [global]
>> workgroup = ALTEA
>> realm = HH3.SITE
>> security = ADS
>> kerberos method = secrets and keytab
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> idmap config *:backend = tdb
>> idmap config *:range = 3000-4000
>> idmap config ALTEA:backend = ad
>> idmap config ALTEA:range = 20000-40000000
>> idmap config ALTEA:schema_mode = rfc2307
>> winbind nss info = rfc2307
>> winbind expand groups = 2
>> winbind nested groups = yes
>> usershare allow guests = No
>> winbind refresh tickets = yes
>>
>> [home]
>> path = /home2/home
>> read only = No
>>
>> [staff]
>> path = /home2/staff
>> read only = No
>>
>> [profiles]
>> path = /home2/profiles
>> read only = No
>> store dos attributes = Yes
>> create mask = 0600
>> directory mask = 0700
>>
>> [dropbox]
>> path = /home2/dropbox
>> force create mode = 0660
>> force directory mode = 0770
>> read only = No
>>
>> wbinfo -u lists Administrator but getent passwd lists only those users
>> with a uidNumber and gidNumber. The latter users can login to xp and
>> enter the shares fine. Administrator can login but gets a password
>> prompt each time he hits a share. Giving the correct password results
>> in XP stating that he has no permission to access the share.
>>
>> How do I get Administrator to enter and manipulate the shares? I
>> thought that that was his purpose.
>>
>> Cheers,
>> Steve
> First: the Windows in the security model Administrator=root from the
> Unix world it is just a predefined account member of the Administrators
> or in a domain of the Domain Admins group and that gives access, so you
> could do all the management operation from any other user account member
> of the Domain Admins group.
> Second: samba3 smbd and thus s3fs (I think ntvfs not, but I could be
> wrong) needs that the connected user have a valid uid/gidnumber in order
> to be able to check the posix acl permissions, so if you want to connect
> to a Samba3 box with Administrator, first give it all the posix
> attributes you've given to the other user accounts (however it doesn't
> need a unixHomedirectory or loginshell if you won't login e.g. via ssh
> as Administrator)
>
> Regards
>
> Geza Gemes
Hi Geza
OK. Domain Admins and Domain Users have posixGroup and gidNumber. They
show on getent passwd <name of group>
I login to XP as Administrator. I can do stuff like unjoin the domain
and change the DNS address but I cannot access the shares.
Is there a user in m$ that is like the root user in Linux?
Should domain admins have a gidNumber of 0 (zero)? Should domain admins
also have a posixAccount with a uidNumber of 0 (zero)?
What am I missing?
Cheers,
Steve
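
The symptom in this thread (wbinfo -u lists Administrator, getent passwd does not) can be checked per account against the posted `idmap config ALTEA:range = 20000-40000000`. The following is an added example, not part of the original messages: it classifies accounts from an LDIF export by whether they carry uidNumber and gidNumber inside that range, since the idmap ad backend treats the range as a filter and ignores IDs outside it. The account names, DNs and ID values are constructed sample data, and `parse_ldif`, `classify` and `report` are hypothetical helper names.

```python
"""Added example: flag AD accounts that idmap 'ad' (rfc2307) would not map."""
import re

# From the posted smb.conf: idmap config ALTEA:range = 20000-40000000
IDMAP_RANGE = (20000, 40000000)

# Constructed sample, in the LDIF shape an LDAP search against the DC returns.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=hh3,DC=site
sAMAccountName: Administrator

dn: CN=steve2,CN=Users,DC=hh3,DC=site
sAMAccountName: steve2
uidNumber: 20001
gidNumber: 20513

dn: CN=rootlike,CN=Users,DC=hh3,DC=site
sAMAccountName: rootlike
uidNumber: 0
gidNumber: 0
"""

def parse_ldif(text):
    """Yield one attribute dict per record (plain single-valued attributes only)."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith(("#", " ")) or ": " not in line:
                continue  # skip comments, folded lines, base64 (::) values
            key, value = line.split(": ", 1)
            entry[key] = value.strip()
        if entry:
            yield entry

def classify(entry, id_range=IDMAP_RANGE):
    """Return 'mapped' or the reason the account has no usable POSIX identity."""
    low, high = id_range
    for attr in ("uidNumber", "gidNumber"):
        raw = entry.get(attr)
        if raw is None:
            return f"unmapped: no {attr}"
        if not raw.isdigit() or not low <= int(raw) <= high:
            return f"unmapped: {attr} {raw} outside {low}-{high}"
    return "mapped"

def report(ldif_text):
    """Map sAMAccountName -> classification for every account in the export."""
    return {e["sAMAccountName"]: classify(e)
            for e in parse_ldif(ldif_text) if "sAMAccountName" in e}

if __name__ == "__main__":
    for name, status in report(SAMPLE_LDIF).items():
        print(f"{name:15} {status}")
```

With this range, a uidNumber or gidNumber of 0 is reported as unmapped in the same way as a missing attribute.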