[Samba] domain user mapped to unix/root via smbmap

Mirco MEGAS micromegas at mail333.com
Wed Oct 29 17:30:02 MDT 2014


Hi list,

I am experimenting with two member servers (both samba4). I am using the following configuration:

membersrv:/etc/samba/smb.conf:
==========================
[...]
username map = /etc/samba/smbmap
[...]

membersrv:/etc/samba/smbmap:
=========================
!root = MYDOM\johndoe MYDOM\foo MYDOM\bar MYDOM\Administrator Administrator

So the domain users from my AD called "John Doe", "Foo" and "Bar" as well as the default samba4 AD "Administrator" account are all mapped to the local "root" account on that particular member server. That takes effect, I tested it. When I am logged in with "John Doe" and create a directory or file, it has owner=root and group=root. If I don't use smbmap the owner would be "johndoe" and the group would be "domain users". So far so good ...

Note: the ad users "johndoe", "foo", "bar" and "administrator" are members of the group "MYDOM\Domain Admins"

Now I create a [test] share in smb.conf and the directory on my member server with "mkdir -p /some/dir". This directory has file mode 0755 and owner=root group=root. Through my windows machine I right-click on "Computer", choose "Manage" and "Connect to..." my member server where I can see all the shares. I double-click on that newly created share called [test]. On the top of the window properties I choose the tab {Sharing} and set up the following objects:

MYDOM\Domain Admins ==> Full
MYDOM\Domain Users ==> Full
SYSTEM ==> Full

But with these share settings, the user "JohnDoe", "Foo" or "Bar" *cannot* access the [test] share because he's not allowed to.

When I use "EVERYONE" as a standalone setting in the {sharing} tab...

EVERYONE ==> Full

*it works* ! JohnDoe, Foo or Bar can access the share. But let's go ahead ...
 
When I replace "Domain Admins" from the initial example with "Authenticated Users":

Authenticated Users ==> Full
MYDOM\Domain Users ==> Full
SYSTEM ==> Full

*it works* ! That means the {sharing} tab *needs* to have Authenticated Users in it, else the mapped root account is not recognized and takes no effect. I'd like to know why it doesn't work in the first example, where I have MYDOM\Domain Admins in the list??? And please, could anyone also explain to me what SYSTEM is good for and what exactly it is related to.

Thanks in advance,
Mirco
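For anyone auditing a setup like the one above, here is a small added example (not from the poster or the Samba project) that parses a `username map` file with the same syntax and resolves a client name through it the way the map is applied: lines in order, `#`/`;` comments, `!` stopping at the first match, `@group` for unix group membership and `*` as a wildcard. It assumes case-insensitive name comparison and takes group membership from a supplied dict instead of the system group database; the sample map is a constructed copy of the poster's file plus one extra rule.

```python
import re

# Constructed sample: the poster's map, assumed to be a single "!root" line,
# plus a comment line and a group rule to exercise the other syntax forms.
SMBMAP = """\
# domain accounts mapped straight to the local root account
!root = MYDOM\\johndoe MYDOM\\foo MYDOM\\bar MYDOM\\Administrator Administrator
; members of the unix group "staff" become a shared low-privilege account
nobody = @staff
"""

_TOKEN = re.compile(r'"[^"]*"|\S+')   # quoted names may contain spaces

def parse_username_map(text):
    """Return (unixname, [patterns], stop_on_match) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue                       # blank, comment or malformed: ignored
        lhs, rhs = line.split("=", 1)
        stop = lhs.strip().startswith("!")
        unixname = lhs.strip().lstrip("!").strip()
        patterns = [t.strip('"') for t in _TOKEN.findall(rhs)]
        rules.append((unixname, patterns, stop))
    return rules

def resolve(name, rules, unix_groups=None):
    """Walk the rules in order; a match rewrites the name, '!' ends the walk.
    unix_groups maps a unix group name to its member names (assumption:
    stands in for the system group database)."""
    unix_groups = unix_groups or {}
    for unixname, patterns, stop in rules:
        for pat in patterns:
            if pat == "*":
                hit = True
            elif pat.startswith("@"):
                members = {m.lower() for m in unix_groups.get(pat[1:], [])}
                hit = name.lower() in members
            else:
                hit = pat.lower() == name.lower()
            if hit:
                name = unixname                # later rules see the new name
                if stop:
                    return name
                break
    return name

def names_mapped_to_root(rules):
    """Audit helper: every pattern whose target is the root account."""
    return sorted({p for target, pats, _ in rules if target == "root" for p in pats})
```

Running `names_mapped_to_root` against a live map gives a quick list of which domain identities end up creating files as uid 0 on that member server.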

