[Samba] Domain Member Server: Domain Users cannot access shares
Rowland Penny
rpenny at samba.org
Wed Sep 21 16:06:22 UTC 2016
On Wed, 21 Sep 2016 11:09:15 -0400
Jason Secord <it at plymouthhistory.org> wrote:
> Hi Rowland,
>
> I've already removed all "admin users" and "valid users" entries from
> my smb.conf, they ended up there after hours of confusion trying to
> drill down to the root of the problem.
>
> To remove the aforementioned UID/GIDs, I can do that via the tab in
> ADUC, correct? Is there a document on best practices when applying UNIX
> attributes to accounts?
You can do it with ADUC, or you can use ldb or ldap tools or ADSI edit.
>
> I haven't encountered any mention of creating a user.map in the
> documentation, nor have I ever created one in the past. Is this
> something that is considered a best practice as well? Can you point
> me to any documentation on user.maps?
Not too sure about the documentation, there is some in 'man smb.conf',
but it is easier to describe it to you.
On a Samba AD DC, Administrator gets mapped to root automatically, but
on a domain member it isn't. There are two schools of thought here,
one is to give Administrator a uidNumber, but I don't recommend this.
If you do give Administrator a uidNumber, it becomes just another
Unix user with just the same permissions as any other user and it
breaks the DC. The other option is to use a 'username map', this will
do what the DC does and map Administrator to the root user.
> I will make these adjustments
> tonight and update you along with the results of that getfacl command
> you requested.
>
> I have applied ACLs to all shares already.
>
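
Added example, not part of the original message or of Samba's own code: a small Python audit of a username map file of the kind described above, reporting which client names are turned into root on a domain member. The domain SAMDOM, the path /etc/samba/user.map and the svc_scan line are constructed placeholders, and resolve() is a simplified model of the rules in 'man smb.conf' (last matching line wins, a leading '!' stops processing).

```python
import re

# Constructed sample. On the domain member, smb.conf would reference the file:
#   [global]
#       username map = /etc/samba/user.map      (path is a placeholder)
USER_MAP = r'''
# unix_name = client_name [client_name ...]
; a leading "!" stops processing once that line has matched
!root = SAMDOM\Administrator
svc_scan = "SAMDOM\Scanner Account"
'''

def parse_user_map(text):
    """Return [(unix_name, [client_names], stop_on_match), ...]."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        # Skip blanks, '#' and ';' comments, and anything that is not a mapping.
        if not line or line[0] in "#;" or "=" not in line:
            continue
        stop = line.startswith("!")
        unix_name, clients = line.lstrip("!").split("=", 1)
        # Client names containing spaces are written in double quotes.
        names = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', clients)]
        entries.append((unix_name.strip(), names, stop))
    return entries

def resolve(entries, client):
    """Simplified lookup model: last matching line wins, '!' ends the search."""
    result = client
    for unix_name, names, stop in entries:
        if "*" in names or client.lower() in (n.lower() for n in names):
            result = unix_name
            if stop:
                break
    return result

def mapped_to_root(entries):
    """Every client name, wildcard or @group that a map line turns into root."""
    return [n for unix, names, _ in entries if unix == "root" for n in names]

if __name__ == "__main__":
    entries = parse_user_map(USER_MAP)
    print("mapped to root:", mapped_to_root(entries))
    for who in (r"SAMDOM\Administrator", r"SAMDOM\jason"):
        print(who, "->", resolve(entries, who))
```

Anything in the "mapped to root" list other than the domain Administrator account, in particular a `*` or an `@group` entry, deserves a second look.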