[Samba] XP Administrator has no access to shares

steve steve at steve-ss.com
Sat Aug 18 00:48:43 MDT 2012


On 17/08/12 13:17, Gémes Géza wrote:
> On 2012-08-17 11:44, steve wrote:
>> Hi
>> S4 DC with S3 fileserver.
>>
>> smb.conf on the fileserver:
>> [global]
>>     workgroup = ALTEA
>>     realm = HH3.SITE
>>     security = ADS
>>     kerberos method = secrets and keytab
>>     winbind enum users = Yes
>>     winbind enum groups = Yes
>>     idmap config *:backend = tdb
>>     idmap config *:range = 3000-4000
>>     idmap config ALTEA:backend = ad
>>     idmap config ALTEA:range = 20000-40000000
>>     idmap config ALTEA:schema_mode = rfc2307
>>     winbind nss info = rfc2307
>>     winbind expand groups = 2
>>     winbind nested groups = yes
>>     usershare allow guests = No
>>     winbind refresh tickets = yes
>>
>> [home]
>>     path = /home2/home
>>     read only = No
>>
>> [staff]
>>     path = /home2/staff
>>     read only = No
>>
>> [profiles]
>>     path = /home2/profiles
>>     read only = No
>>     store dos attributes = Yes
>>     create mask = 0600
>>     directory mask = 0700
>>
>> [dropbox]
>>     path = /home2/dropbox
>>     force create mode = 0660
>>     force directory mode = 0770
>>     read only = No
>>
>> wbinfo -u lists Administrator but getent passwd lists only those users
>> with a uidNumber and gidNumber. The latter users can login to xp and
>> enter the shares fine. Administrator can login but gets a password
>> prompt each time he hits a share. Giving the correct password results
>> in XP stating that he has no permission to access the share.
>>
>> How do I get Administrator to enter and manipulate the shares? I
>> thought that that was his purpose.
>>
>> Cheers,
>> Steve
> First: the Windows in the security model Administrator=root from the
> Unix world it is just a predefined account member of the Administrators
> or in a domain of the Domain Admins group and that gives access, so you
> could do all the management operation from any other user account member
> of the Domain Admins group.
> Second: samba3 smbd and thus s3fs (I think ntvfs not, but I could be
> wrong) needs that the connected user have a valid uid/gidnumber in order
> to be able to check the posix acl permissions, so if you want to connect
> to a Samba3 box with Administrator, first give it all the posix
> attributes you've given to the other user accounts (however it doesn't
> need a unixHomedirectory or loginshell if you won't login e.g. via ssh
> as Administrator)
>
> Regards
>
> Geza Gemes

Hi Geza
OK. Domain Admins and Domain Users have posixGroup and gidNumber. They 
show on getent passwd <name of group>

I login to XP as Administrator. I can do stuff like unjoin the domain 
and change the DNS address but I cannot access the shares.

Is there a user in m$ that is like the root user in Linux?

Should domain admins have a gidNumber of 0 (zero)? Should domain admins 
also have a posixAccount with a uidNumber of 0 (zero)?

What am I missing?
Cheers,
Steve
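
Added example, not part of either message above: a shell check for the situation the thread describes, where wbinfo -u lists an account but getent passwd does not because the account has no uidNumber/gidNumber for the idmap "ad" backend to map. The function name, file arguments and sample data are assumptions made for this illustration.

```shell
#!/bin/sh
# List domain accounts that winbind enumerates (wbinfo -u) but that have no
# passwd entry (getent passwd), i.e. accounts without usable uidNumber and
# gidNumber attributes that smbd therefore cannot map to a Unix identity.
#
# On a live member server (commands as used in the thread):
#   wbinfo -u > wb.txt; getent passwd > pw.txt
#   unmapped_accounts wb.txt pw.txt

# unmapped_accounts WBINFO_FILE PASSWD_FILE
#   WBINFO_FILE: one account per line, optionally prefixed with "DOMAIN\"
#   PASSWD_FILE: colon-separated passwd lines, account name in field 1
unmapped_accounts() {
    awk -F: '
        # Strip any "DOMAIN\" prefix and compare case-insensitively.
        function norm(n) { sub(/^.*\\/, "", n); return tolower(n) }
        # First argument is the passwd file: remember every mapped name.
        FILENAME == ARGV[1] { if ($1 != "") have[norm($1)] = 1; next }
        # Second argument is the wbinfo list: print names with no passwd entry.
        {
            line = $0
            sub(/\r$/, "", line)
            if (line != "" && !(norm(line) in have)) print line
        }
    ' "$2" "$1"
}

# Offline demonstration on constructed sample data (not from the thread).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'ALTEA\Administrator' 'ALTEA\steve' \
        'ALTEA\lynn2' 'ALTEA\Guest' > "$tmp/wbinfo"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'steve:*:20001:20513:steve:/home2/home/steve:/bin/bash' \
        'Lynn2:*:20002:20513::/home2/home/lynn2:/bin/bash' > "$tmp/passwd"
    unmapped_accounts "$tmp/wbinfo" "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

Any account this prints will authenticate against the domain but has no uid/gid on the file server, which matches the Administrator behaviour reported at the start of the thread.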

