[Samba] Problems with administrator account

Rowland Penny rowlandpenny241155 at gmail.com
Fri Aug 7 15:20:24 UTC 2015


On 07/08/15 16:08, dashi fico wrote:
> Hi guys,
>
> I am working with Aurelien.
>
> On the DC, there is no UID/GID mapping (nsswitch not being modified, as the
> wiki says that on a DC it's not needed).
>
> The primary group of Administrator is 513 (taken from the Attribute editor
> on ADUC) primaryGroupID : 513 (Domain Users)
>
> If I add Everybody to the Share tab, I can access the security tab and
> edit permissions. As he said, the only user impacted by this is
> Administrator; we have 3 other accounts in the Domain Admins group and they
> can edit all the shares freely even when Everybody is removed.
>
> Rowland, here is the usermapping file :
>
> !root = LAN\Administrator LAN\\Administrator LAN\administrator
> Administrator administrator
>

Is 'LAN' a replacement for your workgroup name? If not, is 'LAN' your 
workgroup name?

The line must be:

!root = EXAMPLE\Administrator Administrator administrator

Where 'EXAMPLE' is your workgroup name in uppercase.

Rowland

> Here is the result of getent group:
>
> [root at fileserv]# getent group |grep domain
> domain computers:x:515:
> domain admins:x:512:
> domain guests:x:514:
> domain users:x:513:
>
> The administrator account has never been edited and came from a S3 > S4
> migration
>
> Thanks
>
> 2015-08-07 16:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>
>>> So id administrator didn't return anything on DC or on Fileserver.
>> ow.. but administrator on a DC should return id 0 ..
>> without any mappings.
>>
>> try setting "authenticated users", or put "everybody" back on the share
>> rights and test again.
>> what's the primary group of the Administrator?
>> Did you leave it at "domain user" or did you change it to the "domain
>> Admins" group.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>> Aurélien Blachet
>>> Sent: Friday 7 August 2015 15:59
>>> To: Rowland Penny; samba at lists.samba.org
>>> Subject: Re: [Samba] Problems with administrator account
>>>
>>> I have a mapping between administrator and root on my
>>> fileserver, I sent it to you yesterday. My administrator account
>>> didn't have a uid.
>>>
>>> I didn't have a mapping or winbindd on my DC. The wiki says it's
>>> optional and I have separated my fileserver from my DC.
>>> So id administrator didn't return anything on DC or on Fileserver.
>>>
>>> My problem is that :
>>>
>>> Administrator is a member of "domain admins".
>>> When I create a share, I remove everybody from "share
>>> permission", I give full access to "domain admin" but
>>> "administrator" is the only account of domain admin who can't
>>> access the security tab.
>>> Giving full access to administrator didn't resolve the problem.
>>>
>>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>> Rowland Penny
>>> Sent: Friday 7 August 2015 15:31
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Problems with administrator account
>>>
>>> On 07/08/15 14:07, Aurélien Blachet wrote:
>>>> I guess you want getent group, so i give you both. But
>>>> administrator is the only user of "domain admin" group with problems.
>>>
>>> OOPS, yes 'getent group Domain\ Admins'
>>>
>>>> [root at fileserver ~]# getent passwd Domain\ Admins
>>>> [root at fileserver ~]#
>>>> getent group Domain\ Admins
>>>> domain admins:x:512:
>>>>
>>>> [root at fileserver ~]# ls -la /partages/share
>>>> total 181260
>>>> drwxrwxrwx+  2 root  root              4096 26 mars   2013 .
>>>> drwxr-xr-x  13 root  root              4096  5 août  13:14 ..
>>>> -rwxrwxrw-+  1 37313 domain users 185597486 26 mars   2013 fichier.rar
>>>> The user with uid 37313 has been deleted.
>>>>
>>>> [root at fileserver ~]# getfacl /partages/share
>>>> getfacl : suppression du premier « / » des noms de chemins absolus
>>>> # file: partages/share
>>>> # owner: root
>>>> # group: root
>>>> user::rwx
>>>> user:root:rwx
>>>> group::rwx
>>>> group:root:rwx
>>>> group:domain\040admins:rwx
>>>> group:domain\040users:rwx
>>>> mask::rwx
>>>> other::rwx
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:group::rwx
>>>> default:group:root:r-x
>>>> default:group:domain\040admins:rwx
>>>> default:group:domain\040users:rwx
>>>> default:mask::rwx
>>>> default:other::rwx
>>>>
>>> Hmm, there doesn't seem to be anything wrong there, Domain
>>> Admins is known to Unix and there is an ACL set to allow
>>> control, this is strange.
>>>
>>> Lets see if I understand what you are trying to do:
>>> You have a share that has permissions to allow Administrator
>>> (via root) to control permissions from windows.
>>> The share can also be controlled from windows with members of
>>> Domain Admins.
>>> But if you remove Administrator from controlling the share in
>>> windows, you would expect Administrator to still be able to
>>> control via Domain Admins but it cannot.
>>>
>>> All I can think of is, does Administrator have a uidNumber?
>>> from the smb.conf you posted earlier, you do not seem to have
>>> a usermap mapping Administrator to root.
>>>
>>> If Administrator is not known to Unix, either via a uidNumber
>>> or by being mapped to root, it may be ignored and its group
>>> membership not searched for.
>>>
>>> I map Administrator to root and if I run 'id Administrator' on
>>> a member server, I get nothing returned, the same command on a
>>> DC returns:
>>> root at dc03:~# id Administrator
>>> uid=0(root) gid=10000(domain users)
>>> groups=0(root),10000(domain users),3000009(group policy
>>> creator owners),3000010(enterprise admins),10002(domain
>>> admins),3000011(schema admins),3000012(denied rodc password replication
>>> group),3000001(BUILTIN\users),3000000(BUILTIN\administrators)
>>>
>>> Rowland
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>> Rowland Penny
>>>> Sent: Friday 7 August 2015 14:52
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Problems with administrator account
>>>>
>>>> On 07/08/15 13:25, Aurélien Blachet wrote:
>>>>> Sorry for my mistake.
>>>>>
>>>>> It resolve the groupmap problem :
>>>>> [root at fileserver ~]# net groupmap list
>>>>> Administrators (S-1-5-32-544) -> BUILTIN\administrators
>>>>> Users (S-1-5-32-545) -> BUILTIN\users
>>>>>
>>>>> But I still have the administrator problem. I have followed
>>>>> the wiki.samba doc and I have set the SeDiskOperatorPrivilege :
>>>>> net rpc rights list accounts -U'DOMAIN\administrator'
>>>>> DOMAIN\Domain Admins
>>>>> SeDiskOperatorPrivilege
>>>>>
>>>>> but administrator is still the only user of the group
>>>>> 'domain admins' who can't manage the security tab of my shares
>>>>> on windows when I remove "everyone" from the "share permissions" tab.
>>>>> Even if I add the administrator "account" directly in this tab.
>>>>> ________________________________________
>>>>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland
>>>>> Penny <rowlandpenny241155 at gmail.com>
>>>>> Sent: Friday 7 August 2015 11:53
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Problems with administrator account
>>>>>
>>>>> On 07/08/15 09:37, Aurélien Blachet wrote:
>>>>>> Oh thank you
>>>>>>
>>>>>> Just to be sure to understand :
>>>>>> -getent passwd | grep administrator and id administrator didn't work
>>>>>> on Fileserver because administrator account didn't have uidNumber
>>>>> If Administrator doesn't have a uidNumber, it will not be known to
>>>>> the Unix host, this is why you either have to give Administrator a
>>>>> uidNumber OR as you are doing, map Administrator to root.
>>>>> You should be able to change the settings using Administrator (as a
>>>>> member of Domain Admins) from windows, providing you have set the
>>>>> required disk operating privileges.
>>>>> See here for more info:
>>>>>
>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>
>>>>>> -it is also why the administrator account can't manage the fileserver with
>>>>>> windows permissions
>>>>>>
>>>>>> Just one more thing please :
>>>>>>
>>>>>> Why is my administrators group mapped to unix users ?
>>>>>> [root at fileserver ~]#  net groupmap list
>>>>>> Administrators (S-1-5-32-544) -> users
>>>>>> Users (S-1-5-32-545) -> BUILTIN\users
>>>>> Er, it shouldn't be:
>>>>> rowland at ThinkPad ~ $ sudo net groupmap list
>>>>> Administrators (S-1-5-32-544) -> BUILTIN\administrators
>>>>> Users (S-1-5-32-545) -> BUILTIN\users
>>>>>
>>>>> I would change this, try:
>>>>>
>>>>> net groupmap modify ntgroup="Administrators"
>>>>> unixgroup="BUILTIN\administrators"
>>>>>
>>>>> One other thing I noticed was your use of 'sanitizing', you use
>>>>> 'XXX', 'LAN' and 'DOMAIN'. As long as these are all replacements for
>>>>> your workgroup, this shouldn't be a problem.
>>>>>
>>>>> Lastly, this is my usermap, replace 'EXAMPLE' with your uppercase
>>>>> workgroup name, this works for me.
>>>>>
>>>>> !root = EXAMPLE\Administrator Administrator administrator
>>>>>
>>>>> Note: I also have this line in smb.conf:
>>>>> winbind normalize names = Yes
>>>>> Rowland
>>>>>> [root at massy01 ~]#  net groupmap list verbose Administrators
>>>>>>             SID       : S-1-5-32-544
>>>>>>             Unix gid  : 100
>>>>>>             Unix group: users
>>>>>>             Group type: Local Group
>>>>>>             Comment   :
>>>>>> Users
>>>>>>             SID       : S-1-5-32-545
>>>>>>             Unix gid  : 101
>>>>>>             Unix group: BUILTIN\users
>>>>>>             Group type: Local Group
>>>>>>             Comment   :
>>>>>>
>>>>>>
>>>>>> ________________________________________
>>>>>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland
>>>>>> Penny <rowlandpenny241155 at gmail.com>
>>>>>> Sent: Thursday 6 August 2015 17:51
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Problems with administrator account
>>>>>>
>>>>>> On 06/08/15 15:32, Aurélien Blachet wrote:
>>>>>>> I still have the same problem with :
>>>>>>> [root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
>>>>>>> !root = DOMAIN\Administrator DOMAIN\\Administrator
>>>>>>> DOMAIN\administrator Administrator adm inistrator
>>>>>>>
>>>>>>> ________________________________________
>>>>>>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland
>>>>>>> Penny <rowlandpenny241155 at gmail.com>
>>>>>>> Sent: Thursday 6 August 2015 16:06
>>>>>>> To: samba at lists.samba.org
>>>>>>> Subject: Re: [Samba] Problems with administrator account
>>>>>>>
>>>>>>> On 06/08/15 12:57, Aurélien Blachet wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I just went to migrate my fileserver from samba3 to
>>>>>>>> samba4 but I have a problem with the administrator account.
>>>>>>>>
>>>>>>>> The group "domain admins" has the permission to manage all my
>>>>>>>> shares
>>>>>>>>
>>>>>>>> Administrator is a member of the group "domain admins" but
>>>>>>>> he can't manage the security tab of all my shares when I
>>>>>>>> remove "full control" from the share permissions tab.
>>>>>>>>
>>>>>>>> While all the members of "Domain admins", except
>>>>>>>> administrator, don't have this problem.
>>>>>>>>
>>>>>>>> I think the problem appears when we map "administrator"
>>>>>>>> to "root" in the smb.conf.
>>>>>>>>
>>>>>>>> Moreover the "administrator" account didn't appear with a getent
>>>>>>>> passwd
>>>>>>>>
>>>>>>>> [root at fileserver ~]# getent passwd |grep dministrator
>>>>>>>>
>>>>>>>> [root at fileserver ~]# wbinfo -u |grep dministrator
>>>>>>>> administrator
>>>>>>>>
>>>>>>>> my smb.conf :
>>>>>>>> [global]
>>>>>>>>
>>>>>>>>         netbios name = XXX
>>>>>>>>         workgroup = XXX
>>>>>>>>         security = ADS
>>>>>>>>         realm = XXX.XXX
>>>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>>>         kerberos method = secrets and keytab
>>>>>>>>         username map = /usr/local/samba/etc/samba_usermapping
>>>>>>>>
>>>>>>>>         idmap config *:backend = tdb
>>>>>>>>         idmap config *:range = 300000-400000
>>>>>>>>         idmap config XXX:backend = ad
>>>>>>>>         idmap config XXX:schema_mode = rfc2307
>>>>>>>>         idmap config XXX:range = 500-200000
>>>>>>>>
>>>>>>>>         winbind nss info = rfc2307
>>>>>>>>         winbind trusted domains only = no
>>>>>>>>         winbind use default domain = yes
>>>>>>>>         winbind enum users  = yes
>>>>>>>>         winbind enum groups = yes
>>>>>>>>         winbind refresh tickets = Yes
>>>>>>>>         vfs objects = acl_xattr
>>>>>>>>         map acl inherit = Yes
>>>>>>>>         store dos attributes = Yes
>>>>>>>>         template homedir = /home/%U
>>>>>>>> ...
>>>>>>>>
>>>>>>>> [shareA]
>>>>>>>>           path =/xxx/shareA
>>>>>>>>           comment =
>>>>>>>>           hosts allow = X.X.X.
>>>>>>>>           writable = Yes
>>>>>>>>           read only = No
>>>>>>>>
>>>>>>>> Local permissions
>>>>>>>> [root at fileserver]# getfacl /xxx/shareA
>>>>>>>> # file: alp-exp
>>>>>>>> # owner: root
>>>>>>>> # group: root
>>>>>>>> user::rwx
>>>>>>>> user:root:rwx
>>>>>>>> group::rwx
>>>>>>>> group:root:rwx
>>>>>>>> group:domain\040admins:rwx
>>>>>>>> group:domain\040users:rwx
>>>>>>>> mask::rwx
>>>>>>>> other::rwx
>>>>>>>> default:user::rwx
>>>>>>>> default:user:root:rwx
>>>>>>>> default:group::r-x
>>>>>>>> default:group:root:r-x
>>>>>>>> default:group:domain\040users:rwx
>>>>>>>> default:mask::rwx
>>>>>>>> default:other::r-x
>>>>>>>> And the mapping between root and administrator
>>>>>>>> [root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
>>>>>>>> !root = LAN\Administrator LAN\\Administrator LAN\administrator
>>>>>>> Try adding 'Administrator administrator' to the line in
>>>>>>> 'samba_usermapping'
>>>>>>> Rowland
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>>
>>>>>> Ah, I think you are mixing up Unix permissions and windows
>>>>>> permissions.
>>>>>> You will only get 'Administrator' to show up with getent if you give the
>>>>>> Administrator user a uidNumber and use the 'ad' backend. As you are
>>>>>> mapping 'Administrator' to root it will get the UID of '0' which is also
>>>>>> the UID of 'root'. From windows you will set the permissions of
>>>>>> 'Administrator', but on the unix side using getfacl it will show as 'root'
>>>>>> Rowland
>>>>>>
>>>>>>
>>>> OK, I think you may be having a similar problem to another user on here,
>>>> Domain Admins is unknown to the underlying Unix OS, what does 'getent
>>>> passwd Domain\ Admins' produce when run on the Unix machine?
>>>>
>>>> can you also post the outcome of these two commands:
>>>>
>>>> ls -la /path/to/shared/directory
>>>>
>>>> getfacl  /path/to/shared/directory
>>>>
>>>> Rowland
>>>>
>>>>
>>>
>>>
>>>
>>
>>
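As an added example (not code from this thread or from the Samba project), the shell script below encodes the three things Rowland asks the poster to verify: the '!root = ...' username map line carrying both the domain-qualified and the bare 'Administrator' names, the Administrators groupmap pointing at BUILTIN\administrators, and SeDiskOperatorPrivilege granted to Domain Admins. It runs offline against constructed copies of the usermap file and of the 'net groupmap list' / 'net rpc rights list accounts' output; WORKGROUP, the sample strings and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: offline sanity checks for the three
# Samba artefacts the thread turns on. The strings below are constructed
# stand-ins for the real usermap file and command output; WORKGROUP is an
# assumed placeholder (use your uppercase workgroup name).
WORKGROUP="EXAMPLE"
USERMAP='!root = EXAMPLE\Administrator Administrator administrator'
GROUPMAP='Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users'
RIGHTS='EXAMPLE\Domain Admins
SeDiskOperatorPrivilege'

# 1. The "!root = ..." line must carry the domain-qualified name AND the
#    bare 'Administrator' and 'administrator' forms, as Rowland's line does.
#    $1 = usermap line, $2 = uppercase workgroup.
check_usermap() {
    rhs=${1#"!root = "}
    [ "$rhs" != "$1" ] || return 1        # line does not start with '!root = '
    for want in "$2\\Administrator" Administrator administrator; do
        found=0
        for tok in $rhs; do               # whitespace-separated name list
            [ "$tok" = "$want" ] && found=1
        done
        [ "$found" = 1 ] || return 1
    done
    return 0
}

# 2. The well-known Administrators SID must map to BUILTIN\administrators,
#    not to a local Unix group such as 'users'. $1 = 'net groupmap list' output.
check_groupmap() {
    printf '%s\n' "$1" | grep -q 'S-1-5-32-544) -> BUILTIN\\administrators$'
}

# 3. WORKGROUP\Domain Admins must have SeDiskOperatorPrivilege. Lines that
#    contain a backslash are treated as account headers; the privilege must
#    appear inside that account's block. $1 = rights output, $2 = workgroup.
check_disk_operator() {
    printf '%s\n' "$1" | awk -v acct="$2\\\\Domain Admins" '
        index($0, "\\") { inblk = ($0 == acct); next }
        inblk && $1 == "SeDiskOperatorPrivilege" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

check_usermap "$USERMAP" "$WORKGROUP"      && echo "usermap:  ok" || echo "usermap:  FIX"
check_groupmap "$GROUPMAP"                 && echo "groupmap: ok" || echo "groupmap: FIX"
check_disk_operator "$RIGHTS" "$WORKGROUP" && echo "rights:   ok" || echo "rights:   FIX"
```

To check a live member server, replace the constructed strings with the real usermap file contents and the captured output of the two net commands.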



