[Samba] XP Administrator has no access to shares

steve steve at steve-ss.com
Sun Aug 19 01:28:59 MDT 2012


On 18/08/12 23:00, Gémes Géza wrote:
> 2012-08-18 08:48 keltezéssel, steve írta:
>> On 17/08/12 13:17, Gémes Géza wrote:
>>> 2012-08-17 11:44 keltezéssel, steve írta:
>>>> Hi
>>>> S4 DC with S3 fileserver.
>>>>
>>>> smb.conf on the fileserver:
>>>> [global]
>>>>     workgroup = ALTEA
>>>>     realm = HH3.SITE
>>>>     security = ADS
>>>>     kerberos method = secrets and keytab
>>>>     winbind enum users = Yes
>>>>     winbind enum groups = Yes
>>>>     idmap config *:backend = tdb
>>>>     idmap config *:range = 3000-4000
>>>>     idmap config ALTEA:backend = ad
>>>>     idmap config ALTEA:range = 20000-40000000
>>>>     idmap config ALTEA:schema_mode = rfc2307
>>>>     winbind nss info = rfc2307
>>>>     winbind expand groups = 2
>>>>     winbind nested groups = yes
>>>>     usershare allow guests = No
>>>>     winbind refresh tickets = yes
>>>>
>>>> [home]
>>>>     path = /home2/home
>>>>     read only = No
>>>>
>>>> [staff]
>>>>     path = /home2/staff
>>>>     read only = No
>>>>
>>>> [profiles]
>>>>     path = /home2/profiles
>>>>     read only = No
>>>>     store dos attributes = Yes
>>>>     create mask = 0600
>>>>     directory mask = 0700
>>>>
>>>> [dropbox]
>>>>     path = /home2/dropbox
>>>>     force create mode = 0660
>>>>     force directory mode = 0770
>>>>     read only = No
>>>>
>>>> wbinfo -u lists Administrator but getent passwd lists only those users
>>>> with a uidNumber and gidNumber. The latter users can login to xp and
>>>> enter the shares fine. Administrator can login but gets a password
>>>> prompt each time he hits a share. Giving the correct password results
>>>> in XP stating that he has no permission to access the share.
>>>>
>>>> How do I get Administrator to enter and manipulate the shares? I
>>>> thought that that was his purpose.
>>>>
>>>> Cheers,
>>>> Steve
>>> First: the Windows in the security model Administrator=root from the
>>> Unix world; it is just a predefined account, member of the Administrators
>>> or, in a domain, of the Domain Admins group, and that gives access, so you
>>> could do all the management operations from any other user account member
>>> of the Domain Admins group.
>>> Second: samba3 smbd and thus s3fs (I think ntvfs not, but I could be
>>> wrong) needs that the connected user has a valid uid/gidNumber in order
>>> to be able to check the posix acl permissions, so if you want to connect
>>> to a Samba3 box with Administrator, first give it all the posix
>>> attributes you've given to the other user accounts (however it doesn't
>>> need a unixHomedirectory or loginshell if you won't login e.g. via ssh
>>> as Administrator)
>>>
>>> Regards
>>>
>>> Geza Gemes
>>
>> Hi Geza
>> OK. Domain Admins and Domain Users have posixGroup and gidNumber. They
>> show on getent passwd <name of group>
>>
>> I login to XP as Administrator. I can do stuff like unjoin the domain
>> and change the DNS address but I cannot access the shares.
>>
>> Is there a user in m$ that is like the root user in Linux?
>>
>> Should domain admins have a gidNumber of 0 (zero)? Should domain
>> admins also have a posixAccount with a uidNumber of 0 (zero)?
>>
>> What am I missing?
>> Cheers,
>> Steve
> Hi Steve,
>
> First check if the user has permissions on the box running samba3.
> Second check if you have in the share definition any of the valid users,
> write list, read list, readable, writable parameters.
>
> Regards
>
> Geza Gemes

Hi Géza

Thanks for your patience.
Let's take this share:
[home]
path = /home2/home
read only = No

1. Could you tell me what I need to add to enable Administrator to have 
full control over it?
2. Is there a user in the Domain (like root in Linux) who has control 
over everything? Shares, users, network, the lot?
3. Is there a global way of enabling Administrator to be allowed write 
access and be able to change permissions and ACLs from the security tab? 
Or must this be done on a per-share basis?

I made one change to the [global] section:

winbind use default domain = Yes

This drops the ALTEA\ part of the name. Otherwise users cannot 
authenticate via Kerberos because PAM passes the name as ALTEAuser 
rather than ALTEA\user to the KDC. With the default domain line it 
passes the name correctly as just the name and krb5 auth works again.

Cheers,
Steve
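As an added illustration of the two checks Géza suggests (not code from this thread or from Samba), the Python script below parses an smb.conf with the standard-library configparser and a `getent passwd` listing, both constructed here, and reports for a given user whether the file server can map it to a uid/gid and what each share's valid users / read only / write list / read list settings then allow. Account names, groups and ids in the sample data are assumptions for the demo.

```python
import configparser
# constructed smb.conf, modelled on the thread's fileserver config
SMB_CONF = """
[global]
    workgroup = ALTEA
[home]
    path = /home2/home
    read only = No
[staff]
    path = /home2/staff
    read only = No
    valid users = @staff
"""
# constructed `getent passwd`: Administrator is absent (no uidNumber/gidNumber in AD)
GETENT_PASSWD = """steve:*:20001:20000:steve:/home2/home/steve:/bin/bash
geza:*:20002:20000:geza:/home2/home/geza:/bin/bash
"""

def posix_identity(getent, user):
    """Return (uid, gid) if NSS resolves the user, else None."""
    for line in getent.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0].lower() == user.lower():
            return int(f[2]), int(f[3])
    return None

def share_access(section, user, groups=()):
    """Apply valid users, read only/writable, write list and read list."""
    names = {user.lower()} | {"@" + g.lower() for g in groups}
    def listed(key):  # is the user or one of its @groups named in the list?
        return bool(names & {v.strip().lower() for v in section.get(key, "").split(",")})
    if section.get("valid users", "").strip() and not listed("valid users"):
        return "denied (valid users)"
    writable = section.get("read only", "yes").lower() == "no" or \
        section.get("writable", section.get("writeable", "no")).lower() == "yes"
    writable = (writable or listed("write list")) and not listed("read list")
    return "read-write" if writable else "read-only"

def check_user(conf_text, getent, user, groups=()):
    """Both checks for every share: uid/gid mapping first, then share rules."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, empty_lines_in_values=False)
    cp.read_string(conf_text)
    ident = posix_identity(getent, user)
    shares = {}
    for name in cp.sections():
        if name.lower() == "global": continue
        # without a uid/gid smbd cannot evaluate POSIX permissions at all
        shares[name] = ("denied (no uid/gid)" if ident is None
                        else share_access(cp[name], user, groups))
    return {"identity": ident, "shares": shares}
```

Run it against the real files with `testparm -s` output and `getent passwd` from the file server; an account that never appears in `getent passwd` fails before any share parameter is consulted.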