[Samba] domain user mapped to unix/root via smbmap
L.P.H. van Belle
belle at bazuin.nl
Thu Oct 30 01:44:17 MDT 2014
Great, you found it.
It was the
>Authenticated Users ==> Full
yes !
Good job.
>MYDOM\Domain Admins ==> Full
>MYDOM\Domain Users ==> Full
>SYSTEM ==> Full
In the above example, your computer account cannot access the share.
The computer is not in "Domain Admin", "Domain Users" or SYSTEM.
BUT
Your computer account is a member of "Authenticated Users".
That's the only explanation I'm having, if it's right.. no
The first example should work also imo, but it does not.
Louis
>-----Original message-----
>From: micromegas at mail333.com
>[mailto:samba-bounces at lists.samba.org] On behalf of ?icro MEGAS
>Sent: Thursday 30 October 2014 0:30
>To: samba at lists.samba.org
>Subject: [Samba] domain user mapped to unix/root via smbmap
>
>Hi list,
>
>I am experimenting with two member servers (both samba4). I am
>using following configuration:
>
>membersrv:/etc/samba/smb.conf:
>==========================
>[...]
>username map = /etc/samba/smbmap
>[...]
>
>membersrv:/etc/samba/smbmap:
>=========================
>!root = MYDOM\johndoe MYDOM\foo MYDOM\bar MYDOM\Administrator Administrator
>
>So the domain users from my AD called "John Doe", "Foo" and
>"Bar" as well as the default samba4 AD "Administrator" account
>all are mapped to the local "root" account on that particular
>memberserver. That takes effect, I tested it. When I am logged
>in with "John Doe" and creating a directory or file, it has
>owner=root and group=root. If I don't use smbmap the owner
>would be "johndoe" and group would be "domain users". So far
>so good ...
>
>Note: the ad users "johndoe", "foo", "bar" and "administrator"
>are members of the group "MYDOM\Domain Admins"
>
>Now I create a [test] share in smb.conf and the directory on
>my member server with "mkdir -p /some/dir". This directory has
>file mode 0755 and owner=root group=root. Through my windows
>machine I right-click on "Computer", choose "Manage" and
>"Connect to..." my member server where I can see all the
>shares. I double-click on that newly created share called
>[test]. On the top of the window properties I choose the tab
>{Sharing} and setup following objects:
>
>MYDOM\Domain Admins ==> Full
>MYDOM\Domain Users ==> Full
>SYSTEM ==> Full
>
>But with these share settings, the user "JohnDoe", "Foo" or
>"Bar" *cannot* access the [test] share because he's not allowed to.
>
>When I use "EVERYONE" as a standalone setting in the {sharing} tab...
>
>EVERYONE ==> Full
>
>*it works* ! JohnDoe, Foo or Bar can access the share. But
>let's go ahead ...
>
>When I replace "Domain Admins" from the initial example with
>"Authenticated Users":
>
>Authenticated Users ==> Full
>MYDOM\Domain Users ==> Full
>SYSTEM ==> Full
>
>*it works* ! That means the {sharing} tab *needs* to have
>authenticated users in, else the mapped root account is not
>recognized and takes no effect. I'd like to know, why it
>doesn't work on the first example, where I have MYDOM\Domain
>Admins in the list??? And please, can anyone also explain to me
>what SYSTEM is good for and what exactly it is related to.
>
>Thanks in advance,
>Mirco
>
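The username map file quoted in the thread, as an added example that is not part of the original messages or of Samba's own code: a small audit that parses a map file and lists which client names end up as root. It follows the line-by-line rules described for "username map" in smb.conf(5); the function names, the sample file content and the case-insensitive comparison are assumptions of this example, and '@group' entries are not evaluated.

```python
import re

# Constructed sample modelled on the /etc/samba/smbmap line quoted in the thread,
# plus a comment line and a quoted name with a space to exercise the parser.
SAMPLE_MAP = r'''
# constructed sample, not a real server's file
!root = MYDOM\johndoe MYDOM\foo MYDOM\bar MYDOM\Administrator Administrator
guest = "MYDOM\Temp User" *
'''

TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # a double-quoted name or a bare word

def parse_username_map(text):
    """Return a list of (stop_on_match, unix_name, [client_names])."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank lines and comments
            continue
        stop = line.startswith("!")          # '!' ends processing after a match
        unix, sep, clients = line.lstrip("!").partition("=")
        if not sep or not unix.strip():      # no '=', so not a mapping line
            continue
        names = [q or w for q, w in TOKEN.findall(clients)]
        rules.append((stop, unix.strip(), names))
    return rules

def resolve(rules, client):
    """Apply rules top to bottom; a matched name is replaced and carried on."""
    current = client
    for stop, unix, names in rules:
        # '@group' entries need a group lookup and are not evaluated here;
        # names are compared case-insensitively (assumption of this example)
        if any(n == "*" or n.lower() == current.lower() for n in names):
            current = unix
            if stop:
                break
    return current

def privileged_mappings(rules, privileged=("root",)):
    """List every client name that a rule maps directly to a privileged account."""
    return [(n, unix) for _, unix, names in rules
            if unix.lower() in privileged for n in names]

if __name__ == "__main__":
    rules = parse_username_map(SAMPLE_MAP)
    for client, unix in privileged_mappings(rules):
        print(f"WARNING: {client} -> {unix}")
    print(resolve(rules, r"MYDOM\JohnDoe"), resolve(rules, r"MYDOM\alice"))
```

Run against a copy of the real map file, the warning list gives the set of domain accounts whose files and share sessions will belong to root on that member server.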