[Samba] Problems with administrator account
L.P.H. van Belle
belle at bazuin.nl
Fri Aug 7 14:00:25 UTC 2015
Hi,
To compare.. On my member server..
id admin
uid=10000(admin) gid=10000(domain users) groups=10000(domain users),10001(domain admins),2001(BUILTIN\users),2000(BUILTIN\administrators)
id administrator
id: administrator: no such user
So always give "domain users" and "domain admins" a GID and your problem should be fixed.
And I can manage all my rights with "administrator" ..
If you remove "everyone" from the share, what did you replace it with?
I guess your share rights (so NOT the security tab) are not set up correctly.
And I think Rowland typed this one wrong..
What does 'getent passwd Domain\ Admins'
try
getent group "Domain Admins"
or
getent group Domain\ Admins
Greetz,
Louis
>-----Original message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Friday 7 August 2015 15:31
>To: samba at lists.samba.org
>Subject: Re: [Samba] Problems with administrator account
>
>On 07/08/15 14:07, Aurélien Blachet wrote:
>> I guess you want getent group, so I give you both. But
>> administrator is the only user of "domain admin" group with problems.
>
>OOPS, yes 'getent group Domain\ Admins'
>
>> [root at fileserver ~]# getent passwd Domain\ Admins
>> [root at fileserver ~]# getent group Domain\ Admins
>> domain admins:x:512:
>>
>> [root at fileserver ~]# ls -la /partages/share
>> total 181260
>> drwxrwxrwx+ 2 root root 4096 26 mars 2013 .
>> drwxr-xr-x 13 root root 4096 5 août 13:14 ..
>> -rwxrwxrw-+ 1 37313 domain users 185597486 26 mars 2013 fichier.rar
>>
>> The user with uid 37313 has been deleted.
>>
>> [root at fileserver ~]# getfacl /partages/share
>> getfacl : suppression du premier « / » des noms de chemins absolus
>> # file: partages/share
>> # owner: root
>> # group: root
>> user::rwx
>> user:root:rwx
>> group::rwx
>> group:root:rwx
>> group:domain\040admins:rwx
>> group:domain\040users:rwx
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:user:root:rwx
>> default:group::rwx
>> default:group:root:r-x
>> default:group:domain\040admins:rwx
>> default:group:domain\040users:rwx
>> default:mask::rwx
>> default:other::rwx
>>
>
>Hmm, there doesn't seem to be anything wrong there, Domain Admins is
>known to Unix and there is an ACL set to allow control, this is strange.
>
>Let's see if I understand what you are trying to do:
>You have a share that has permissions to allow Administrator (via root)
>to control permissions from windows.
>The share can also be controlled from windows with members of Domain Admins.
>But if you remove Administrator from controlling the share in windows,
>you would expect Administrator to still be able to control via Domain
>Admins but it cannot.
>
>All I can think of is, does Administrator have a uidNumber? From the
>smb.conf you posted earlier, you do not seem to have a usermap mapping
>Administrator to root.
>
>If Administrator is not known to Unix, either via a uidNumber or by
>being mapped to root, it may be ignored and its group membership not
>searched for.
>
>I map Administrator to root and if I run 'id Administrator' on a member
>server, I get nothing returned, the same command on a DC returns:
>root at dc03:~# id Administrator
>uid=0(root) gid=10000(domain users) groups=0(root),10000(domain users),3000009(group policy creator owners),3000010(enterprise admins),10002(domain admins),3000011(schema admins),3000012(denied rodc password replication group),3000001(BUILTIN\users),3000000(BUILTIN\administrators)
>
>Rowland
>
>
>>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Friday 7 August 2015 14:52
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Problems with administrator account
>>
>> On 07/08/15 13:25, Aurélien Blachet wrote:
>>> Sorry for my mistake.
>>>
>>> It resolves the groupmap problem:
>>> [root at fileserver ~]# net groupmap list
>>> Administrators (S-1-5-32-544) -> BUILTIN\administrators
>>> Users (S-1-5-32-545) -> BUILTIN\users
>>>
>>> But I still have the administrator problem. I have followed the
>>> wiki.samba doc and I have set the SeDiskOperatorPrivilege:
>>> net rpc rights list accounts -U'DOMAIN\administrator'
>>> DOMAIN\Domain Admins
>>> SeDiskOperatorPrivilege
>>>
>>> but administrator is still the only user of the group 'domain admins'
>>> who can't manage the security tab of my shares on windows when I
>>> remove "everyone" from the "share permissions" tab.
>>> Even if I add the administrator "account" directly in this tab.
>>> ________________________________________
>>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
>>> Sent: Friday 7 August 2015 11:53
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Problems with administrator account
>>>
>>> On 07/08/15 09:37, Aurélien Blachet wrote:
>>>> Oh thank you
>>>>
>>>> Just to be sure I understand:
>>>> -getent passwd | grep administrator and id administrator didn't work
>>>> on Fileserver because the administrator account didn't have a uidNumber
>>> If Administrator doesn't have a uidNumber, it will not be known to the
>>> Unix host, this is why you either have to give Administrator a
>>> uidNumber OR as you are doing, map Administrator to root.
>>> You should be able to change the settings using Administrator (as a
>>> member of Domain Admins) from windows, providing you have set the
>>> required disk operating privileges.
>>> See here for more info:
>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>
>>>> -it is also why the administrator account can't manage the fileserver
>>>> with windows permissions
>>>>
>>>> Just one more thing please:
>>>>
>>>> Why is my administrators group mapped to unix users?
>>>> [root at fileserver ~]# net groupmap list
>>>> Administrators (S-1-5-32-544) -> users
>>>> Users (S-1-5-32-545) -> BUILTIN\users
>>> Er, it shouldn't be:
>>> rowland at ThinkPad ~ $ sudo net groupmap list
>>> Administrators (S-1-5-32-544) -> BUILTIN\administrators
>>> Users (S-1-5-32-545) -> BUILTIN\users
>>>
>>> I would change this, try:
>>>
>>> net groupmap modify ntgroup="Administrators" unixgroup="BUILTIN\administrators"
>>>
>>> One other thing I noticed was your use of 'sanitizing', you use 'XXX',
>>> 'LAN' and 'DOMAIN'. As long as these are all replacements for your
>>> workgroup, this shouldn't be a problem.
>>>
>>> Lastly, this is my usermap, replace 'EXAMPLE' with your uppercase
>>> workgroup name, this works for me.
>>>
>>> !root = EXAMPLE\Administrator Administrator administrator
>>>
>>> Note: I also have this line in smb.conf: winbind normalize names = Yes
>>>
>>> Rowland
>>>> [root at massy01 ~]# net groupmap list verbose Administrators
>>>> SID : S-1-5-32-544
>>>> Unix gid : 100
>>>> Unix group: users
>>>> Group type: Local Group
>>>> Comment :
>>>> Users
>>>> SID : S-1-5-32-545
>>>> Unix gid : 101
>>>> Unix group: BUILTIN\users
>>>> Group type: Local Group
>>>> Comment :
>>>>
>>>>
>>>> ________________________________________
>>>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
>>>> Sent: Thursday 6 August 2015 17:51
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Problems with administrator account
>>>>
>>>> On 06/08/15 15:32, Aurélien Blachet wrote:
>>>>> I still have the same problem with:
>>>>> [root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
>>>>> !root = DOMAIN\Administrator DOMAIN\\Administrator DOMAIN\administrator Administrator administrator
>>>>>
>>>>> ________________________________________
>>>>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
>>>>> Sent: Thursday 6 August 2015 16:06
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Problems with administrator account
>>>>>
>>>>> On 06/08/15 12:57, Aurélien Blachet wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have just migrated my fileserver from samba3 to samba4 but I have
>>>>>> a problem with the administrator account.
>>>>>>
>>>>>> The group "domain admins" has the permission to manage all my shares
>>>>>>
>>>>>> Administrator is a member of the group "domain admins" but he can't
>>>>>> manage the security tab of all my shares when I remove "full control"
>>>>>> from the share permissions tab.
>>>>>>
>>>>>> While all the members of "Domain admins", except administrator,
>>>>>> don't have this problem.
>>>>>>
>>>>>> I think the problem appears when we map "administrator" to "root" in
>>>>>> the smb.conf.
>>>>>>
>>>>>> Moreover the "administrator" account doesn't appear with a getent passwd
>>>>>>
>>>>>> [root at fileserver ~]# getent passwd |grep dministrator
>>>>>>
>>>>>> [root at fileserver ~]# wbinfo -u |grep dministrator
>>>>>> administrator
>>>>>>
>>>>>> my smb.conf:
>>>>>> [global]
>>>>>>
>>>>>> netbios name = XXX
>>>>>> workgroup = XXX
>>>>>> security = ADS
>>>>>> realm = XXX.XXX
>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>> kerberos method = secrets and keytab
>>>>>> username map = /usr/local/samba/etc/samba_usermapping
>>>>>>
>>>>>> idmap config *:backend = tdb
>>>>>> idmap config *:range = 300000-400000
>>>>>> idmap config XXX:backend = ad
>>>>>> idmap config XXX:schema_mode = rfc2307
>>>>>> idmap config XXX:range = 500-200000
>>>>>>
>>>>>> winbind nss info = rfc2307
>>>>>> winbind trusted domains only = no
>>>>>> winbind use default domain = yes
>>>>>> winbind enum users = yes
>>>>>> winbind enum groups = yes
>>>>>> winbind refresh tickets = Yes
>>>>>> vfs objects = acl_xattr
>>>>>> map acl inherit = Yes
>>>>>> store dos attributes = Yes
>>>>>> template homedir = /home/%U
>>>>>> ...
>>>>>>
>>>>>> [shareA]
>>>>>> path =/xxx/shareA
>>>>>> comment =
>>>>>> hosts allow = X.X.X.
>>>>>> writable = Yes
>>>>>> read only = No
>>>>>>
>>>>>> Local permissions:
>>>>>> [root at fileserver]# getfacl /xxx/shareA
>>>>>> # file: alp-exp
>>>>>> # owner: root
>>>>>> # group: root
>>>>>> user::rwx
>>>>>> user:root:rwx
>>>>>> group::rwx
>>>>>> group:root:rwx
>>>>>> group:domain\040admins:rwx
>>>>>> group:domain\040users:rwx
>>>>>> mask::rwx
>>>>>> other::rwx
>>>>>> default:user::rwx
>>>>>> default:user:root:rwx
>>>>>> default:group::r-x
>>>>>> default:group:root:r-x
>>>>>> default:group:domain\040users:rwx
>>>>>> default:mask::rwx
>>>>>> default:other::r-x
>>>>>> And the mapping between root and administrator
>>>>>> [root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
>>>>>> !root = LAN\Administrator LAN\\Administrator LAN\administrator
>>>>> Try adding 'Administrator administrator' to the line in 'samba_usermapping'
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>
>>>> Ah, I think you are mixing up Unix permissions and windows permissions.
>>>> You will only get 'Administrator' to show up with getent if you give the
>>>> Administrator user a uidNumber and use the 'ad' backend. As you are
>>>> mapping 'Administrator' to root it will get the UID of '0' which is also
>>>> the UID of 'root'. From windows you will set the permissions of
>>>> 'Administrator', but on the unix side using getfacl it will show as 'root'
>>>>
>>>> Rowland
>>>>
>> OK, I think you may be having a similar problem to another user on here,
>> Domain Admins is unknown to the underlying Unix OS, what does 'getent
>> passwd Domain\ Admins' produce when run on the Unix machine?
>>
>> can you also post the outcome of these two commands:
>>
>> ls -la /path/to/shared/directory
>>
>> getfacl /path/to/shared/directory
>>
>> Rowland
>>
>>
>
>
>
>
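A diagnostic script for the situation discussed in this thread, added here as an example; it is not code from the thread, from Louis or Rowland, or from the Samba project. It applies the two checks the replies above turn on: every user or group named in a share's POSIX ACL must resolve, through getent (winbind on a member server), to a numeric Unix id, otherwise it is the "not known to Unix" case (a group without a GID, or an Administrator with neither a uidNumber nor a mapping to root). It assumes a member server where getfacl and getent are available; the script name samba-aclcheck.sh, the function names, the sample share path and the constructed sample lines are all made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# For every named user/group in a share's POSIX ACL, ask the NSS layer
# (getent, backed by winbind on a member server) whether the principal
# resolves to a numeric Unix id.  The helper functions take command output
# as text so they can be exercised offline with constructed samples;
# run_checks wires them to the real getfacl/getent commands.

# has_unix_id LINE: succeed when a getent passwd/group line has a numeric
# uid/gid in field 3 (e.g. "domain admins:x:512:"); fail on empty output,
# which is what getent prints for a name it cannot resolve.
has_unix_id() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | awk -F: '$3 ~ /^[0-9]+$/ { ok = 1 } END { exit ok ? 0 : 1 }'
}

# acl_principals TEXT: from getfacl output, print one "user NAME" or
# "group NAME" line per named entry.  Owner, owning group, mask and other
# carry no name and are skipped; "default:" entries are folded into the
# access entries so each principal appears once.  getfacl writes spaces as
# the octal escape \040; printf %b turns it back into a space, so
# "domain\040admins" becomes "domain admins", the name winbind expects.
acl_principals() {
    printf '%s\n' "$1" |
    sed -n -e 's/^default://' \
           -e 's/^user:\([^:][^:]*\):.*/user \1/p' \
           -e 's/^group:\([^:][^:]*\):.*/group \1/p' |
    LC_ALL=C sort -u |
    while IFS=' ' read -r kind name; do
        printf '%s %b\n' "$kind" "$name"
    done
}

# report_principal KIND NAME GETENT_LINE: one report line per principal.
report_principal() {
    if has_unix_id "$3"; then
        printf 'ok       %s "%s" -> id %s\n' "$1" "$2" "$(printf '%s' "$3" | cut -d: -f3)"
    else
        printf 'MISSING  %s "%s" has no Unix id (give it a uidNumber/gidNumber, or map Administrator to root)\n' "$1" "$2"
    fi
}

# run_checks SHAREPATH: live check against the local system.  getfacl -p
# keeps the absolute path (so no "Removing leading '/'" message); getent is
# queried for passwd or group depending on the entry kind.
run_checks() {
    acl_principals "$(getfacl -p "$1")" | while IFS=' ' read -r kind name; do
        if [ "$kind" = user ]; then
            report_principal user "$name" "$(getent passwd "$name")"
        else
            report_principal group "$name" "$(getent group "$name")"
        fi
    done
}

# Usage: sh samba-aclcheck.sh /partages/share   (share path is a placeholder)
if [ "$#" -gt 0 ]; then
    run_checks "$1"
fi
```

A line reported as MISSING for a group is the condition Louis describes fixing by giving "domain users" and "domain admins" a GID; a MISSING user Administrator is the uidNumber-or-root-mapping case Rowland describes, and with the root mapping in place the ACL entry shows up as user root, as Rowland notes, rather than as Administrator.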