[Samba] Problems with administrator account

Aurélien Blachet Aurelien.Blachet at aduneo.com
Thu Aug 6 14:32:24 UTC 2015


I still have the same problem with:
[root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
!root = DOMAIN\Administrator DOMAIN\\Administrator DOMAIN\administrator Administrator administrator

________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
Sent: Thursday, 6 August 2015 16:06
To: samba at lists.samba.org
Subject: Re: [Samba] Problems with administrator account

On 06/08/15 12:57, Aurélien Blachet wrote:
> Hello,
>
> I just went to migrate my fileserver from samba3 to samba4 but I have a problem with the administrator account.
>
> The group "domain admins" has the permission to manage all my shares.
>
> Administrator is a member of the group "domain admins" but he can't manage the security tab of all my shares when I remove "full control" from the share permissions tab.
>
> All the members of "Domain admins", except administrator, didn't have this problem.
>
> I think the problem appears when we map "administrator" to "root" in the smb.conf.
>
> Moreover the "administrator" account didn't appear with a getent passwd
>
> [root at fileserver ~]# getent passwd |grep dministrator
>
> [root at fileserver ~]# wbinfo -u |grep dministrator
> administrator
>
> My smb.conf:
> [global]
>
>    netbios name = XXX
>    workgroup = XXX
>    security = ADS
>    realm = XXX.XXX
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>    username map = /usr/local/samba/etc/samba_usermapping
>
>    idmap config *:backend = tdb
>    idmap config *:range = 300000-400000
>    idmap config XXX:backend = ad
>    idmap config XXX:schema_mode = rfc2307
>    idmap config XXX:range = 500-200000
>
>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users  = yes
>    winbind enum groups = yes
>    winbind refresh tickets = Yes
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
>    template homedir = /home/%U
> ...
>
> [shareA]
>      path =/xxx/shareA
>      comment =
>      hosts allow = X.X.X.
>      writable = Yes
>      read only = No
>
> Local permissions
> [root at fileserver]# getfacl /xxx/shareA
> # file: alp-exp
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> group::rwx
> group:root:rwx
> group:domain\040admins:rwx
> group:domain\040users:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:root:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:domain\040users:rwx
> default:mask::rwx
> default:other::r-x
> And the mapping between root and administrator
> [root@fileserver ~]# more /usr/local/samba/etc/samba_usermapping
> !root = LAN\Administrator LAN\\Administrator LAN\administrator

Try adding 'Administrator administrator' to the line in 'samba_usermapping'

Rowland
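
The thread turns on how the 'username map' file is read. The following is an added example, not part of any message in this thread and not Samba's own code: a small Python model of the map-file rules documented in smb.conf(5) ('#'/';' comments, quoted names, the '*' wildcard, and '!' stopping further processing). Case-insensitive name comparison, literal handling of backslashes, and the "guest" line in the sample are assumptions made for illustration.

```python
import re

# Constructed sample map; the '!root' line is the one quoted in this thread,
# the 'guest' line is hypothetical and added to show the effect of '!'.
SAMPLE_MAP = r'''
# comment lines start with '#' or ';'
!root = DOMAIN\Administrator DOMAIN\\Administrator DOMAIN\administrator Administrator administrator
guest = "DOMAIN\Temp User" *
'''

# A client name is either a double-quoted string (may contain spaces) or a bare word.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_username_map(text):
    """Return a list of (unix_name, client_names, stop_on_match), one per map line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;' or '=' not in line:
            continue
        stop = line.startswith('!')
        unix, _, rhs = line.lstrip('!').partition('=')
        names = [quoted or bare for quoted, bare in TOKEN.findall(rhs)]
        rules.append((unix.strip(), names, stop))
    return rules


def resolve(rules, client_name):
    """Map a client-supplied name to a Unix name; unmapped names pass through."""
    result = client_name
    for unix, names, stop in rules:
        # '@group' entries need an NSS group lookup and are not evaluated here.
        hit = any(n == '*' or n.lower() == client_name.lower()
                  for n in names if not n.startswith('@'))
        if hit:
            result = unix          # without '!', later lines can still override
            if stop:               # '!' line: stop once this line has mapped the name
                break
    return result


if __name__ == '__main__':
    rules = parse_username_map(SAMPLE_MAP)
    for name in (r'DOMAIN\Administrator', 'administrator', r'DOMAIN\Temp User', 'alice'):
        print(f'{name!r:28} -> {resolve(rules, name)}')
```

Dropping the leading '!' from the root line lets the later wildcard line win, so every name, including Administrator, resolves to "guest" in this model.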

