[Samba] domain user mapped to unix/root via smbmap

Rowland Penny rowlandpenny at googlemail.com
Thu Oct 30 02:59:06 MDT 2014


On 29/10/14 23:30, ?icro MEGAS wrote:
> Hi list,
>
> I am experimenting with two member servers (both samba4). I am using the following configuration:
>
> membersrv:/etc/samba/smb.conf:
> ==========================
> [...]
> username map = /etc/samba/smbmap
> [...]
>
> membersrv:/etc/samba/smbmap:
> =========================
> !root = MYDOM\johndoe MYDOM\foo MYDOM\bar MYDOM\Administrator Administrator
>
> So the domain users from my AD called "John Doe", "Foo" and "Bar" as well as the default samba4 AD "Administrator" account are all mapped to the local "root" account on that particular member server. That takes effect, I tested it. When I am logged in as "John Doe" and create a directory or file, it has owner=root and group=root. If I don't use smbmap the owner would be "johndoe" and the group would be "domain users". So far so good ...
>
> Note: the ad users "johndoe", "foo", "bar" and "administrator" are members of the group "MYDOM\Domain Admins"
>
> Now I create a [test] share in smb.conf and the directory on my member server with "mkdir -p /some/dir". This directory has file mode 0755 and owner=root group=root. Through my Windows machine I right-click on "Computer", choose "Manage" and "Connect to..." my member server, where I can see all the shares. I double-click on that newly created share called [test]. At the top of the properties window I choose the {Sharing} tab and set up the following objects:
>
> MYDOM\Domain Admins ==> Full
> MYDOM\Domain Users ==> Full
> SYSTEM ==> Full
>
> But with these share settings, the users "JohnDoe", "Foo" or "Bar" *cannot* access the [test] share because they are not allowed to.
>
> When I use "EVERYONE" as a standalone setting in the {sharing} tab...
>
> EVERYONE ==> Full
>
> *it works* ! JohnDoe, Foo or Bar can access the share. But let's go ahead ...
>   
> When I replace "Domain Admins" from the initial example with "Authenticated Users":
>
> Authenticated Users ==> Full
> MYDOM\Domain Users ==> Full
> SYSTEM ==> Full
>
> *it works* ! That means the {sharing} tab *needs* to have Authenticated Users in it, else the mapped root account is not recognized and takes no effect. I'd like to know why it doesn't work in the first example, where I have MYDOM\Domain Admins in the list??? And could anyone please also explain to me what SYSTEM is good for and what exactly it is related to.
>
> Thanks in advance,
> Mirco
OK, when you map somebody to 'root', they become 'root', so it doesn't 
matter that the original users are members of 'Domain Admins', root 
isn't. When you use 'EVERYONE' this does what it says on the tin, it 
lets anybody connect; it is similar for 'Authenticated Users'.

Rowland
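The mapping and access behaviour discussed in this thread, as an added example that is not part of the original posts and not Samba's own code: a small Python model that parses a username map in the smb.conf(5) syntax (including the `!` stop rule and `*` wildcards), then checks a share's "Full" list against the token the mapped user ends up with. The two extra map lines (`guest`, `nobody`), the `Token` and `share_allows` helpers, and the rule that a user mapped to `root` keeps only root's local identity (no AD group memberships) are assumptions that mirror Rowland's explanation; `@group` entries are not modelled.

```python
"""Model of Samba's 'username map' plus a simplified share-access check.

Assumptions (added example, not Samba's implementation):
  - map syntax follows smb.conf(5): 'unix = win1 win2 ...', a leading '!'
    stops processing after that line matches, '*' matches any name,
    names are compared case-insensitively, later lines can remap again;
  - a user mapped to a local unix account carries only that account's
    identity, so AD groups such as 'Domain Admins' no longer apply;
  - 'Everyone' matches any token and 'Authenticated Users' matches any
    authenticated token, as the thread observes.
"""
import fnmatch
from dataclasses import dataclass, field

# Constructed sample map: the thread's line (unwrapped) plus two extra
# lines to show the difference between '!' and a plain mapping line.
SMBMAP_TEXT = """\
# map some domain admins to root, and stop processing on a match
!root = MYDOM\\johndoe MYDOM\\foo MYDOM\\bar MYDOM\\Administrator Administrator
guest = MYDOM\\visitor
nobody = root guest
"""

EVERYONE = "Everyone"
AUTHENTICATED_USERS = "Authenticated Users"


def parse_username_map(text):
    """Return (unix_name, [patterns], stop) entries in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:]
        unix_name, sep, rhs = line.partition("=")
        if not sep or not rhs.strip():
            continue  # malformed line: ignore, as a lenient parser would
        entries.append((unix_name.strip(), rhs.split(), stop))
    return entries


def map_username(entries, name):
    """Apply the map line by line; a matching '!' line ends processing,
    otherwise the already-mapped name can be matched by later lines."""
    current = name
    for unix_name, patterns, stop in entries:
        if any(fnmatch.fnmatchcase(current.lower(), p.lower()) for p in patterns):
            current = unix_name
            if stop:
                break
    return current


@dataclass
class Token:
    user: str
    groups: set = field(default_factory=set)
    authenticated: bool = True


def effective_token(entries, domain_user, domain_groups):
    """Token used for the share check: after a map hit the user is the
    local unix account only (assumption mirroring the reply above)."""
    unix = map_username(entries, domain_user)
    if unix != domain_user:
        return Token(user=unix, groups=set())
    return Token(user=domain_user, groups=set(domain_groups))


def share_allows(share_acl, token):
    """True if any principal granted 'Full' on the share matches the token."""
    for principal in share_acl:
        if principal == EVERYONE:
            return True
        if principal == AUTHENTICATED_USERS and token.authenticated:
            return True
        if principal == token.user or principal in token.groups:
            return True
    return False


if __name__ == "__main__":
    entries = parse_username_map(SMBMAP_TEXT)
    groups = {"MYDOM\\Domain Admins", "MYDOM\\Domain Users"}
    tok = effective_token(entries, "MYDOM\\johndoe", groups)
    print("johndoe becomes:", tok.user)
    print("Domain Admins/Domain Users/SYSTEM share ->",
          share_allows(["MYDOM\\Domain Admins", "MYDOM\\Domain Users", "SYSTEM"], tok))
    print("Authenticated Users share ->",
          share_allows([AUTHENTICATED_USERS, "MYDOM\\Domain Users", "SYSTEM"], tok))
```

Running it reproduces the thread's three observations: johndoe is denied when the share lists only domain groups, and admitted when Everyone or Authenticated Users is present. The `nobody = root guest` line also shows why the `!` matters: `MYDOM\visitor` is mapped to `guest` and then on to `nobody`, while `johndoe` stays `root` because the `!` line stopped processing.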


