[Samba] domain user mapped to unix/root via smbmap

L.P.H. van Belle belle at bazuin.nl
Thu Oct 30 01:44:17 MDT 2014


Great, you found it.
It was the
>Authenticated Users ==> Full
Yes!

Good job. 

>MYDOM\Domain Admins ==> Full
>MYDOM\Domain Users ==> Full
>SYSTEM ==> Full

In the above example, your computer account cannot access the share.
The computer is not in "Domain Admins", "Domain Users" or SYSTEM.
BUT

Your computer account is a member of "Authenticated Users".
That's the only explanation I have, if it's right.. no
The first example should work also imo, but it does not.

Louis

 

>-----Original message-----
>From: micromegas at mail333.com 
>[mailto:samba-bounces at lists.samba.org] On behalf of ?icro MEGAS
>Sent: Thursday 30 October 2014 0:30
>To: samba at lists.samba.org
>Subject: [Samba] domain user mapped to unix/root via smbmap
>
>Hi list,
>
>I am experimenting with two member servers (both samba4). I am 
>using the following configuration:
>
>membersrv:/etc/samba/smb.conf:
>==========================
>[...]
>username map = /etc/samba/smbmap
>[...]
>
>membersrv:/etc/samba/smbmap:
>=========================
>!root = MYDOM\johndoe MYDOM\foo MYDOM\bar MYDOM\Administrator
>Administrator
>
>So the domain users from my AD called "John Doe", "Foo" and 
>"Bar" as well as the default samba4 AD "Administrator" account 
>all are mapped to the local "root" account on that particular 
>memberserver. That takes effect, I tested it. When I am logged 
>in with "John Doe" and creating a directory or file, it has 
>owner=root and group=root. If I don't use smbmap the owner 
>would be "johndoe" and group would be "domain users". So far 
>so good ...
>
>Note: the ad users "johndoe", "foo", "bar" and "administrator" 
>are members of the group "MYDOM\Domain Admins"
>
>Now I create a [test] share in smb.conf and the directory on 
>my member server with "mkdir -p /some/dir". This directory has 
>file mode 0755 and owner=root group=root. Through my windows 
>machine I right-click on "Computer", choose "Manage" and 
>"Connect to..." my member server where I can see all the 
>shares. I double-click on that newly created share called 
>[test]. On the top of the window properties I choose the tab 
>{Sharing} and set up the following objects:
>
>MYDOM\Domain Admins ==> Full
>MYDOM\Domain Users ==> Full
>SYSTEM ==> Full
>
>But with these share settings, the user "JohnDoe", "Foo" or 
>"Bar" *cannot* access the [test] share because he's not allowed to.
>
>When I use "EVERYONE" as a standalone setting in the {sharing} tab...
>
>EVERYONE ==> Full
>
>*it works* ! JohnDoe, Foo or Bar can access the share. But 
>let's go ahead ...
> 
>When I replace "Domain Admins" from the initial example with 
>"Authenticated Users":
>
>Authenticated Users ==> Full
>MYDOM\Domain Users ==> Full
>SYSTEM ==> Full
>
>*it works* ! That means the {sharing} tab *needs* to have 
>authenticated users in, else the mapped root account is not 
>recognized and takes no effect. I'd like to know, why it 
>doesn't work on the first example, where I have MYDOM\Domain 
>Admins in the list??? And please anyone also explain to me 
>what SYSTEM is good for and what exactly it is related to.
>
>Thanks in advance,
>Mirco


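Added example (not part of the original posts and not Samba code): a small audit that reads a `username map` file like the smbmap quoted above and lists which client names end up as local root. The parsing rules follow the smb.conf(5) description of `username map`; case-insensitive name matching and the sample file contents are assumptions, and `@group` entries are not expanded.

```python
import re

# Constructed sample, modeled on the smbmap file quoted in the thread.
SAMPLE_MAP = r'''
# admins collapsed onto the local superuser
!root = MYDOM\johndoe MYDOM\foo MYDOM\bar MYDOM\Administrator Administrator
; quoted client names may contain spaces
backup = "MYDOM\Backup Operator" @wheel
guest = *
'''

def parse_username_map(text):
    """Return [(unix_name, [client_names], stop_on_match), ...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or not a mapping
        stop = line.startswith("!")  # '!': stop processing once this line matches
        unix, _, rhs = line.lstrip("!").partition("=")
        clients = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', rhs)]
        entries.append((unix.strip(), clients, stop))
    return entries

def resolve(entries, client):
    """UNIX name a client name ends up with; lines are applied in order and
    the last match wins unless a matching '!' line ends processing early.
    Assumption: names compare case-insensitively; @group entries are not
    expanded because that needs the host's group database."""
    mapped = client
    for unix, clients, stop in entries:
        if any(c == "*" or c.lower() == client.lower() for c in clients):
            mapped = unix
            if stop:
                break
    return mapped

def privileged_clients(entries, privileged=("root",)):
    """Explicit client names that resolve to a privileged UNIX account."""
    names = [c for _, clients, _ in entries for c in clients
             if c != "*" and not c.startswith("@")]
    return [c for c in names if resolve(entries, c) in privileged]

if __name__ == "__main__":
    entries = parse_username_map(SAMPLE_MAP)
    for name in privileged_clients(entries):
        print(f"{name} -> root")
    # A user not listed anywhere falls through to the wildcard line.
    print(resolve(entries, r"MYDOM\alice"))
```

In the constructed sample the `!` on the root line is what keeps the later `guest = *` line from remapping those accounts; the `backup` line has no `!`, so its explicit client name is overridden by the wildcard.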
