[Samba] Problems with administrator account

dashi fico dashifico at gmail.com
Fri Aug 7 15:08:33 UTC 2015


Hi guys,

I am working with Aurelien.

On the DC, there is no UID/GID mapping (nsswitch has not been modified, as the
wiki says that on a DC it's not needed).

The primary group of Administrator is 513 (taken from the Attribute Editor
in ADUC): primaryGroupID : 513 (Domain Users)

If I add Everybody to the Share tab, I can access the Security tab and
edit permissions. As he said, the only user impacted by this is
Administrator; we have 3 other accounts in the Domain Admins group and they
can edit all the shares freely even when Everybody is removed.

Rowland, here is the usermapping file:

!root = LAN\Administrator LAN\\Administrator LAN\administrator Administrator administrator


Here is the result of getent group:

[root at fileserv]# getent group |grep domain
domain computers:x:515:
domain admins:x:512:
domain guests:x:514:
domain users:x:513:

The administrator account has never been edited and came from an S3 > S4
migration.

Thanks

2015-08-07 16:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:

> > So id administrator didn't return anything on DC or on Fileserver.
>
> Oh, but administrator on a DC should return id 0, without any mappings.
>
> Try setting "authenticated users", or put "everybody" back on the share
> rights and test again.
> What's the primary group of the Administrator?
> Did you leave it at "domain user" or did you change it to the "domain
> Admins" group?
>
> Greetz,
>
> Louis
>
>
> >-----Original message-----
> >From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >Aurélien Blachet
> >Sent: Friday 7 August 2015 15:59
> >To: Rowland Penny; samba at lists.samba.org
> >Subject: Re: [Samba] Problems with administrator account
> >
> >I have a mapping between administrator and root on my
> >fileserver, I sent it to you yesterday. My administrator account
> >doesn't have a uid.
> >
> >I don't have a mapping or winbindd on my DC. The wiki says it's
> >optional and I have separated my fileserver from my DC.
> >So id administrator didn't return anything on DC or on Fileserver.
> >
> >My problem is this:
> >
> >Administrator is a member of "domain admins".
> >When I create a share, I remove everybody from "share
> >permissions", I give full access to "domain admin", but
> >"administrator" is the only account of domain admin who can't
> >access the security tab.
> >Giving full access to administrator didn't resolve the problem.
> >
> >
> >-----Original message-----
> >From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >Rowland Penny
> >Sent: Friday 7 August 2015 15:31
> >To: samba at lists.samba.org
> >Subject: Re: [Samba] Problems with administrator account
> >
> >On 07/08/15 14:07, Aurélien Blachet wrote:
> >> I guess you want getent group, so I give you both. But
> >> administrator is the only user of the "domain admin" group with problems.
> >
> >OOPS, yes 'getent group Domain\ Admins'
> >
> >> [root at fileserver ~]# getent passwd Domain\ Admins
> >> [root at fileserver ~]# getent group Domain\ Admins
> >> domain admins:x:512:
> >>
> >> [root at fileserver ~]# ls -la /partages/share
> >> total 181260
> >> drwxrwxrwx+  2 root  root              4096 26 mars   2013 .
> >> drwxr-xr-x  13 root  root              4096  5 août  13:14 ..
> >> -rwxrwxrw-+  1 37313 domain users 185597486 26 mars   2013 fichier.rar
> >>
> >> The user with uid 37313 has been deleted.
> >>
> >> [root at fileserver ~]# getfacl /partages/share
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: partages/share
> >> # owner: root
> >> # group: root
> >> user::rwx
> >> user:root:rwx
> >> group::rwx
> >> group:root:rwx
> >> group:domain\040admins:rwx
> >> group:domain\040users:rwx
> >> mask::rwx
> >> other::rwx
> >> default:user::rwx
> >> default:user:root:rwx
> >> default:group::rwx
> >> default:group:root:r-x
> >> default:group:domain\040admins:rwx
> >> default:group:domain\040users:rwx
> >> default:mask::rwx
> >> default:other::rwx
> >>
> >
> >Hmm, there doesn't seem to be anything wrong there, Domain
> >Admins is known to Unix and there is an ACL set to allow
> >control, this is strange.
> >
> >Let's see if I understand what you are trying to do:
> >You have a share that has permissions to allow Administrator
> >(via root) to control permissions from windows.
> >The share can also be controlled from windows with members of
> >Domain Admins.
> >But if you remove Administrator from controlling the share in
> >windows, you would expect Administrator to still be able to
> >control via Domain Admins but it cannot.
> >
> >All I can think of is, does Administrator have a uidNumber?
> >from the smb.conf you posted earlier, you do not seem to have
> >a usermap mapping Administrator to root.
> >
> >If Administrator is not known to Unix, either via a uidNumber
> >or by being mapped to root, it may be ignored and its group
> >membership not searched for.
> >
> >I map Administrator to root and if I run 'id Administrator' on
> >a member server, I get nothing returned, the same command on a
> >DC returns:
> >root at dc03:~# id Administrator
> >uid=0(root) gid=10000(domain users)
> >groups=0(root),10000(domain users),3000009(group policy
> >creator owners),3000010(enterprise admins),10002(domain
> >admins),3000011(schema admins),3000012(denied rodc password replication
> >group),3000001(BUILTIN\users),3000000(BUILTIN\administrators)
> >
> >Rowland
> >
> >
> >>
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >> Rowland Penny
> >> Sent: Friday 7 August 2015 14:52
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Problems with administrator account
> >>
> >> On 07/08/15 13:25, Aurélien Blachet wrote:
> >>> Sorry for my mistake.
> >>>
> >>> It resolved the groupmap problem:
> >>> [root at fileserver ~]# net groupmap list
> >>> Administrators (S-1-5-32-544) -> BUILTIN\administrators
> >>> Users (S-1-5-32-545) -> BUILTIN\users
> >>>
> >>> But I still have the administrator problem. I have followed
> >>> the wiki.samba doc and I have set the SeDiskOperatorPrivilege:
> >>> net rpc rights list accounts -U'DOMAIN\administrator'
> >>> DOMAIN\Domain Admins
> >>> SeDiskOperatorPrivilege
> >>>
> >>> but administrator is still the only user of the group
> >>> 'domain admins' who can't manage the security tab of my shares
> >>> on Windows when I remove "everyone" from the "share permissions" tab.
> >>> Even if I add the administrator "account" directly in this tab.
> >>> ________________________________________
> >>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland
> >>> Penny <rowlandpenny241155 at gmail.com>
> >>> Sent: Friday 7 August 2015 11:53
> >>> To: samba at lists.samba.org
> >>> Subject: Re: [Samba] Problems with administrator account
> >>>
> >>> On 07/08/15 09:37, Aurélien Blachet wrote:
> >>>> Oh thank you
> >>>>
> >>>> Just to be sure I understand:
> >>>> - getent passwd | grep administrator and id administrator didn't work
> >>>> on the Fileserver because the administrator account didn't have a uidNumber
> >>> If Administrator doesn't have a uidNumber, it will not be known to
> >>> the Unix host, this is why you either have to give Administrator a
> >>> uidNumber OR as you are doing, map Administrator to root.
> >>> You should be able to change the settings using Administrator (as a
> >>> member of Domain Admins) from windows, providing you have set the
> >>> required disk operating privileges.
> >>> See here for more info:
> >>>
> >>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
> >>>
> >>>> - it is also why the administrator account can't manage the fileserver
> >>>> with Windows permissions
> >>>>
> >>>> Just one more thing please:
> >>>>
> >>>> Why is my Administrators group mapped to Unix 'users'?
> >>>> [root at fileserver ~]# net groupmap list
> >>>> Administrators (S-1-5-32-544) -> users
> >>>> Users (S-1-5-32-545) -> BUILTIN\users
> >>> Er, it shouldn't be:
> >>> rowland at ThinkPad ~ $ sudo net groupmap list
> >>> Administrators (S-1-5-32-544) -> BUILTIN\administrators
> >>> Users (S-1-5-32-545) -> BUILTIN\users
> >>>
> >>> I would change this, try:
> >>>
> >>> net groupmap modify ntgroup="Administrators" unixgroup="BUILTIN\administrators"
> >>>
> >>> One other thing I noticed was your use of 'sanitizing', you use
> >>> 'XXX', 'LAN' and 'DOMAIN'. As long as these are all replacements for
> >>> your workgroup, this shouldn't be a problem.
> >>>
> >>> Lastly, this is my usermap, replace 'EXAMPLE' with your uppercase
> >>> workgroup name, this works for me.
> >>>
> >>> !root = EXAMPLE\Administrator Administrator administrator
> >>>
> >>> Note: I also have this line in smb.conf: winbind normalize names = Yes
> >>>
> >>> Rowland
> >>>> [root at massy01 ~]# net groupmap list verbose
> >>>> Administrators
> >>>>            SID       : S-1-5-32-544
> >>>>            Unix gid  : 100
> >>>>            Unix group: users
> >>>>            Group type: Local Group
> >>>>            Comment   :
> >>>> Users
> >>>>            SID       : S-1-5-32-545
> >>>>            Unix gid  : 101
> >>>>            Unix group: BUILTIN\users
> >>>>            Group type: Local Group
> >>>>            Comment   :
> >>>>
> >>>>
> >>>> ________________________________________
> >>>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland
> >>>> Penny <rowlandpenny241155 at gmail.com>
> >>>> Sent: Thursday 6 August 2015 17:51
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] Problems with administrator account
> >>>>
> >>>> On 06/08/15 15:32, Aurélien Blachet wrote:
> >>>>> I still have the same problem with:
> >>>>> [root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
> >>>>> !root = DOMAIN\Administrator DOMAIN\\Administrator DOMAIN\administrator Administrator administrator
> >>>>>
> >>>>> ________________________________________
> >>>>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland
> >>>>> Penny <rowlandpenny241155 at gmail.com>
> >>>>> Sent: Thursday 6 August 2015 16:06
> >>>>> To: samba at lists.samba.org
> >>>>> Subject: Re: [Samba] Problems with administrator account
> >>>>>
> >>>>> On 06/08/15 12:57, Aurélien Blachet wrote:
> >>>>>> Hello,
> >>>>>>
> >>>>>> I just migrated my fileserver from Samba 3 to Samba 4, but I have
> >>>>>> a problem with the administrator account.
> >>>>>>
> >>>>>> The group "domain admins" has the permission to manage all my
> >>>>>> shares.
> >>>>>>
> >>>>>> Administrator is a member of the group "domain admins", but
> >>>>>> he can't manage the security tab of any of my shares when I
> >>>>>> remove "full control" from the share permissions tab.
> >>>>>>
> >>>>>> All the members of "Domain admins", except administrator,
> >>>>>> don't have this problem.
> >>>>>>
> >>>>>> I think the problem appears when we map "administrator"
> >>>>>> to "root" in the smb.conf.
> >>>>>>
> >>>>>> Moreover, the "administrator" account doesn't appear in
> >>>>>> getent passwd:
> >>>>>>
> >>>>>> [root at fileserver ~]# getent passwd |grep dministrator
> >>>>>>
> >>>>>> [root at fileserver ~]# wbinfo -u |grep dministrator
> >>>>>> administrator
> >>>>>>
> >>>>>> my smb.conf:
> >>>>>> [global]
> >>>>>>
> >>>>>>        netbios name = XXX
> >>>>>>        workgroup = XXX
> >>>>>>        security = ADS
> >>>>>>        realm = XXX.XXX
> >>>>>>        dedicated keytab file = /etc/krb5.keytab
> >>>>>>        kerberos method = secrets and keytab
> >>>>>>        username map = /usr/local/samba/etc/samba_usermapping
> >>>>>>
> >>>>>>        idmap config *:backend = tdb
> >>>>>>        idmap config *:range = 300000-400000
> >>>>>>        idmap config XXX:backend = ad
> >>>>>>        idmap config XXX:schema_mode = rfc2307
> >>>>>>        idmap config XXX:range = 500-200000
> >>>>>>
> >>>>>>        winbind nss info = rfc2307
> >>>>>>        winbind trusted domains only = no
> >>>>>>        winbind use default domain = yes
> >>>>>>        winbind enum users  = yes
> >>>>>>        winbind enum groups = yes
> >>>>>>        winbind refresh tickets = Yes
> >>>>>>        vfs objects = acl_xattr
> >>>>>>        map acl inherit = Yes
> >>>>>>        store dos attributes = Yes
> >>>>>>        template homedir = /home/%U
> >>>>>> ...
> >>>>>>
> >>>>>> [shareA]
> >>>>>>          path =/xxx/shareA
> >>>>>>          comment =
> >>>>>>          hosts allow = X.X.X.
> >>>>>>          writable = Yes
> >>>>>>          read only = No
> >>>>>>
> >>>>>> Local permissions
> >>>>>> [root at fileserver]# getfacl /xxx/shareA
> >>>>>> # file: alp-exp
> >>>>>> # owner: root
> >>>>>> # group: root
> >>>>>> user::rwx
> >>>>>> user:root:rwx
> >>>>>> group::rwx
> >>>>>> group:root:rwx
> >>>>>> group:domain\040admins:rwx
> >>>>>> group:domain\040users:rwx
> >>>>>> mask::rwx
> >>>>>> other::rwx
> >>>>>> default:user::rwx
> >>>>>> default:user:root:rwx
> >>>>>> default:group::r-x
> >>>>>> default:group:root:r-x
> >>>>>> default:group:domain\040users:rwx
> >>>>>> default:mask::rwx
> >>>>>> default:other::r-x
> >>>>>> And the mapping between root and administrator
> >>>>>> [root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
> >>>>>> !root = LAN\Administrator LAN\\Administrator LAN\administrator
> >>>>> Try adding 'Administrator administrator' to the line in 'samba_usermapping'
> >>>>>
> >>>>> Rowland
> >>>>>
> >>>>>
> >>>>> --
> >>>>> To unsubscribe from this list go to the following URL and read the
> >>>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>>
> >>>> Ah, I think you are mixing up Unix permissions and windows permissions.
> >>>> You will only get 'Administrator' to show up with getent if you give the
> >>>> Administrator user a uidNumber and use the 'ad' backend. As you are
> >>>> mapping 'Administrator' to root it will get the UID of '0' which is also
> >>>> the UID of 'root'. From windows you will set the permissions of
> >>>> 'Administrator', but on the unix side using getfacl it will show as 'root'
> >>>>
> >>>> Rowland
> >>>>
> >> OK, I think you may be having a similar problem to another user on here,
> >> Domain Admins is unknown to the underlying Unix OS, what does 'getent
> >> passwd Domain\ Admins' produce when run on the Unix machine?
> >>
> >> can you also post the outcome of these two commands:
> >>
> >> ls -la /path/to/shared/directory
> >>
> >> getfacl  /path/to/shared/directory
> >>
> >> Rowland
> >>
> >>
> >
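
The following is an added example; it is not code from the thread, from Samba,
or from any of the participants. It is a small POSIX sh resolver for a Samba
'username map' file like the samba_usermapping file discussed above, so you can
see which incoming spelling of the Administrator account a given line actually
catches before relying on the mapping on a member server. The map contents are
constructed after the posted file (LAN stands for the workgroup; the
'nobody = guest' line is made up), and the matching rules it implements are
assumptions about Samba's behaviour rather than something the thread states:
Windows-side names compare case-insensitively and literally (no escape
processing, so an entry written with two backslashes only matches a client that
really sends two), '*' matches any name, a leading '!' makes the first matching
line final, a line without '!' passes the mapped name on to the lines below it,
and '@group', '&group' and '+group' entries are skipped because they need a live
group lookup.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba itself.
# Resolves an incoming SMB user name against a Samba 'username map' file
# the way the samba_usermapping file in this thread is meant to work.
# Assumed semantics: Windows-side names are compared case-insensitively and
# literally, so an entry like 'LAN\\Administrator' (two backslashes) only
# matches a client that really sends two backslashes; '*' matches any name;
# a leading '!' makes the first matching line final; a line without '!'
# hands the mapped name on to the lines that follow it; '@group', '&group'
# and '+group' entries (group-membership tests) are skipped here because
# they need a live NSS/winbind lookup.
set -f   # keep a '*' entry in the map from globbing against the filesystem

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# map_username NAME  (map file on stdin) -> prints the Unix name NAME maps to
map_username() {
    current=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|';'*) continue ;; esac     # blank or comment
        case $line in *=*) ;; *) continue ;; esac         # not 'unix = win ...'
        lhs=$(printf '%s' "${line%%=*}" | tr -d ' \t')    # unix name
        rhs=${line#*=}                                    # windows names
        final=0
        case $lhs in '!'*) final=1; lhs=${lhs#?} ;; esac
        for candidate in $rhs; do
            case $candidate in '@'*|'&'*|'+'*) continue ;; esac
            if [ "$candidate" = '*' ] ||
               [ "$(lower "$candidate")" = "$(lower "$current")" ]; then
                current=$lhs
                if [ "$final" -eq 1 ]; then
                    printf '%s\n' "$current"
                    return 0
                fi
                break          # keep scanning the map with the mapped name
            fi
        done
    done
    printf '%s\n' "$current"   # unchanged if nothing matched
}

# Constructed sample map modelled on the file posted in the thread
# ('LAN' stands for the workgroup); the 'nobody = guest' line is made up.
SAMPLE_MAP='# unix name = windows names (first match on a "!" line is final)
!root = LAN\Administrator LAN\\Administrator LAN\administrator Administrator administrator
nobody = guest'

# resolve_sample NAME -> the name NAME maps to under SAMPLE_MAP
resolve_sample() { printf '%s\n' "$SAMPLE_MAP" | map_username "$1"; }

for name in 'LAN\Administrator' 'ADMINISTRATOR' 'LAN\\Administrator' 'LAN\bob' 'Guest'; do
    printf '%-20s -> %s\n' "$name" "$(resolve_sample "$name")"
done
```

Run it as a script to see each sample name resolved. map_username reads the map
on standard input, so it can be pointed at the real file with
'map_username NAME < /usr/local/samba/etc/samba_usermapping'. It only tells you
what name Samba would hand to the Unix side; whether that name is then known to
the host (root is, an Administrator without a uidNumber is not) is the separate
question that 'id' answers on the member server.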

