[Samba] Problems with administrator account
Rowland Penny
rowlandpenny241155 at gmail.com
Thu Aug 6 14:06:30 UTC 2015
On 06/08/15 12:57, Aurélien Blachet wrote:
> Hello,
>
> I just went to migrate my fileserver from samba3 to samba4, but I have a problem with the administrator account.
>
> The group "domain admins" has permission to manage all my shares.
>
> Administrator is a member of the group "domain admins", but he can't manage the security tab of all my shares when I remove "full control" from the share permissions tab.
>
> However, all the members of "Domain admins", except administrator, do not have this problem.
>
> I think the problem appears when we map "administrator" to "root" in the smb.conf.
>
> Moreover, the "administrator" account doesn't appear with a getent passwd:
>
> [root at fileserver ~]# getent passwd |grep dministrator
>
> [root at fileserver ~]# wbinfo -u |grep dministrator
> administrator
>
> My smb.conf:
> [global]
>
> netbios name = XXX
> workgroup = XXX
> security = ADS
> realm = XXX.XXX
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> username map = /usr/local/samba/etc/samba_usermapping
>
> idmap config *:backend = tdb
> idmap config *:range = 300000-400000
> idmap config XXX:backend = ad
> idmap config XXX:schema_mode = rfc2307
> idmap config XXX:range = 500-200000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> template homedir = /home/%U
> ...
>
> [shareA]
> path =/xxx/shareA
> comment =
> hosts allow = X.X.X.
> writable = Yes
> read only = No
>
> Local permissions
> [root at fileserver]# getfacl /xxx/shareA
> # file: alp-exp
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> group::rwx
> group:root:rwx
> group:domain\040admins:rwx
> group:domain\040users:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:root:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:domain\040users:rwx
> default:mask::rwx
> default:other::r-x
> And the mapping between root and administrator
> [root@=fileserver ~]# more /usr/local/samba/etc/samba_usermapping
> !root = LAN\Administrator LAN\\Administrator LAN\administrator

Try adding 'Administrator administrator' to the line in 'samba_usermapping'.

Rowland