[Samba] Problems with administrator account

Aurélien Blachet Aurelien.Blachet at aduneo.com
Fri Aug 7 12:25:37 UTC 2015


Sorry for my mistake. 

It resolves the groupmap problem:
[root at fileserver ~]# net groupmap list
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users

But I still have the administrator problem. I have followed the wiki.samba doc and I have set the SeDiskOperatorPrivilege:
net rpc rights list accounts -U'DOMAIN\administrator'
DOMAIN\Domain Admins
SeDiskOperatorPrivilege

but administrator is still the only user of the group 'domain admins' who can't manage the security tab of my shares on Windows when I remove "everyone" from the "share permissions" tab.
Even if I add the administrator "account" directly in this tab.
________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
Sent: Friday 7 August 2015 11:53
To: samba at lists.samba.org
Subject: Re: [Samba] Problems with administrator account

On 07/08/15 09:37, Aurélien Blachet wrote:
> Oh thank you
>
> Just to be sure I understand:
> - getent passwd | grep administrator and id administrator didn't work on Fileserver because the administrator account didn't have a uidNumber

If Administrator doesn't have a uidNumber, it will not be known to the
Unix host, this is why you either have to give Administrator a uidNumber
OR as you are doing, map Administrator to root.
You should be able to change the settings using Administrator (as a
member of Domain Admins) from windows, providing you have set the
required disk operating privileges.
See here for more info:
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

>
> - it's also why the administrator account can't manage the fileserver with Windows permissions
>
> Just one more thing please :
>
> Why is my administrators group mapped to unix users?
> [root at fileserver ~]#  net groupmap list
> Administrators (S-1-5-32-544) -> users
> Users (S-1-5-32-545) -> BUILTIN\users

Er, it shouldn't be:
rowland at ThinkPad ~ $ sudo net groupmap list
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users

I would change this, try:

net groupmap modify ntgroup="Administrators" unixgroup="BUILTIN\administrators"

One other thing I noticed was your use of 'sanitizing', you use 'XXX',
'LAN' and 'DOMAIN'. As long as these are all replacements for your
workgroup, this shouldn't be a problem.

Lastly, this is my usermap, replace 'EXAMPLE' with your uppercase
workgroup name, this works for me.

!root = EXAMPLE\Administrator Administrator administrator

Note: I also have this line in smb.conf:     winbind normalize names = Yes

Rowland
>
> [root at massy01 ~]#  net groupmap list verbose
> Administrators
>          SID       : S-1-5-32-544
>          Unix gid  : 100
>          Unix group: users
>          Group type: Local Group
>          Comment   :
> Users
>          SID       : S-1-5-32-545
>          Unix gid  : 101
>          Unix group: BUILTIN\users
>          Group type: Local Group
>          Comment   :
>
>
> ________________________________________
> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
> Sent: Thursday 6 August 2015 17:51
> To: samba at lists.samba.org
> Subject: Re: [Samba] Problems with administrator account
>
> On 06/08/15 15:32, Aurélien Blachet wrote:
>> I still have the same problem with:
>> [root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
>> !root = DOMAIN\Administrator DOMAIN\\Administrator DOMAIN\administrator Administrator administrator
>>
>> ________________________________________
>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
>> Sent: Thursday 6 August 2015 16:06
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Problems with administrator account
>>
>> On 06/08/15 12:57, Aurélien Blachet wrote:
>>> Hello,
>>>
>>> I just migrated my fileserver from samba3 to samba4 but I have a problem with the administrator account.
>>>
>>> The group "domain admins" has permission to manage all my shares.
>>>
>>> Administrator is a member of the group "domain admins" but he can't manage the security tab of all my shares when I remove "full control" from the share permissions tab.
>>>
>>> While all the members of "Domain admins", except administrator, don't have this problem.
>>>
>>> I think the problem appears when we map "administrator" to "root" in the smb.conf.
>>>
>>> Moreover the "administrator" account doesn't appear with getent passwd:
>>>
>>> [root at fileserver ~]# getent passwd |grep dministrator
>>>
>>> [root at fileserver ~]# wbinfo -u |grep dministrator
>>> administrator
>>>
>>> my smb.conf:
>>> [global]
>>>
>>>      netbios name = XXX
>>>      workgroup = XXX
>>>      security = ADS
>>>      realm = XXX.XXX
>>>      dedicated keytab file = /etc/krb5.keytab
>>>      kerberos method = secrets and keytab
>>>      username map = /usr/local/samba/etc/samba_usermapping
>>>
>>>      idmap config *:backend = tdb
>>>      idmap config *:range = 300000-400000
>>>      idmap config XXX:backend = ad
>>>      idmap config XXX:schema_mode = rfc2307
>>>      idmap config XXX:range = 500-200000
>>>
>>>      winbind nss info = rfc2307
>>>      winbind trusted domains only = no
>>>      winbind use default domain = yes
>>>      winbind enum users  = yes
>>>      winbind enum groups = yes
>>>      winbind refresh tickets = Yes
>>>      vfs objects = acl_xattr
>>>      map acl inherit = Yes
>>>      store dos attributes = Yes
>>>      template homedir = /home/%U
>>> ...
>>>
>>> [shareA]
>>>        path =/xxx/shareA
>>>        comment =
>>>        hosts allow = X.X.X.
>>>        writable = Yes
>>>        read only = No
>>>
>>> Local permissions
>>> [root at fileserver]# getfacl /xxx/shareA
>>> # file: alp-exp
>>> # owner: root
>>> # group: root
>>> user::rwx
>>> user:root:rwx
>>> group::rwx
>>> group:root:rwx
>>> group:domain\040admins:rwx
>>> group:domain\040users:rwx
>>> mask::rwx
>>> other::rwx
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:group::r-x
>>> default:group:root:r-x
>>> default:group:domain\040users:rwx
>>> default:mask::rwx
>>> default:other::r-x
>>> And the mapping between root and administrator
>>> [root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
>>> !root = LAN\Administrator LAN\\Administrator LAN\administrator
>> Try adding 'Administrator administrator'  to the line in 'samba_usermapping'
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
> Ah, I think you are mixing up Unix permissions and windows permissions.
> You will only get 'Administrator' to show up with getent if you give the
> Administrator user a uidNumber and use the 'ad' backend. As you are
> mapping 'Administrator' to root it will get the UID of '0' which is also
> the UID of 'root'. From windows you will set the permissions of
> 'Administrator', but on the unix side using getfacl it will show as 'root'.
>
> Rowland
>

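The thread turns on three settings: the BUILTIN groupmap entry for Administrators, a bare "Administrator" name on the !root usermap line (needed because winbind hands Samba unprefixed names when 'winbind use default domain = yes'), and SeDiskOperatorPrivilege on Domain Admins. The audit below is an added example, not code from the thread or from Samba; it checks each point against constructed samples of the command output quoted above, so it runs offline.

```python
"""Audit the groupmap, usermap and disk-operator privilege state described in
this thread. Inputs are constructed samples modelled on the quoted output."""
import re

# Constructed sample inputs (the 'before' state from the thread).
GROUPMAP_BAD = "Administrators (S-1-5-32-544) -> users\nUsers (S-1-5-32-545) -> BUILTIN\\users\n"
USERMAP_BAD = "!root = LAN\\Administrator LAN\\\\Administrator LAN\\administrator\n"
RIGHTS_OK = "DOMAIN\\Domain Admins\nSeDiskOperatorPrivilege\n"

EXPECTED_BUILTIN = {"Administrators": "BUILTIN\\administrators",
                    "Users": "BUILTIN\\users"}

def parse_groupmap(text):
    """Turn 'net groupmap list' output into {ntgroup: unixgroup}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?) \((S-[\d-]+)\) -> (.+)$", line)
        if m:
            out[m.group(1)] = m.group(3)
    return out

def check_groupmap(text):
    """Report BUILTIN groups that are not mapped to their BUILTIN unix group."""
    mapping = parse_groupmap(text)
    return [f"{nt} -> {mapping.get(nt)} (expected {ug})"
            for nt, ug in EXPECTED_BUILTIN.items() if mapping.get(nt) != ug]

def check_usermap(text, use_default_domain=True):
    """With 'winbind use default domain = yes' the !root line must also list
    'Administrator' without any DOMAIN\\ prefix, or the map never matches."""
    for line in text.splitlines():
        if line.strip().startswith("!root"):
            names = line.split("=", 1)[1].split()
            bare = {n.lower() for n in names if "\\" not in n}
            if use_default_domain and "administrator" not in bare:
                return ["!root line lacks a bare 'Administrator' entry"]
            return []
    return ["no !root mapping line found"]

def has_disk_operator(text, group="Domain Admins"):
    """True if 'net rpc rights list accounts' shows SeDiskOperatorPrivilege
    under the given group (privilege lines follow their account line)."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"^Se\w+Privilege$", line):
            if current and current.endswith(group) and line == "SeDiskOperatorPrivilege":
                return True
        elif line:
            current = line
    return False
```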
