[Samba] Domain Member Server: Domain Users cannot access shares

Rowland Penny rpenny at samba.org
Wed Sep 21 16:06:22 UTC 2016

On Wed, 21 Sep 2016 11:09:15 -0400
Jason Secord <it at plymouthhistory.org> wrote:

> Hi Rowland,
> I've already removed all "admin users" and "valid users" entries from
> my smb.conf, they ended up there after hours of confusion trying to
> drill down to the root of the problem.
> To remove the aforementioned UID/GIDs, I can do that via the tab in
> ADUC, correct?  Is there a document best practices when applying UNIX
> attributes to accounts?

You can do it with ADUC, or you can use ldb or ldap tools or ADSI edit.

> I haven't encountered any mention of creating a user.map in the
> documentation, nor have I ever created one in the past.  Is this
> something that is considered a best practice as well?  Can you point
> me to any documentation on user.maps?  

Not too sure about the documentation. There is some in 'man smb.conf',
but it is easier to describe it to you.

On a Samba AD DC, Administrator gets mapped to root automatically, but
on a domain member it isn't. There are two schools of thought here,
one is to give Administrator a uidNumber, but I don't recommend this.
If you do give Administrator a uidNumber, it becomes just another
Unix user with just the same permissions as any other user and it
breaks the DC. The other option is to use a 'username map', this will
do what the DC does and map Administrator to the root user.

> I will make these adjustments tonight and update you along with the
> results of that getfacl command you requested.
> I have applied ACLs to all shares already.
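
An added example, not part of the original message and not Samba's own code: a small Python check of a 'username map' file of the kind described above, confirming which client names end up as root on a domain member. The domain SAMDOM, the map path and the function names are assumptions, and the matching is simplified (case-insensitive names, '*' wildcard, '@group' entries not expanded).

```python
import shlex

# Constructed sample. On the domain member, smb.conf [global] would point at
# this file with:  username map = /etc/samba/user.map   (path is an assumption)
# SAMDOM is a placeholder NetBIOS domain name.
SAMPLE_MAP = r'''
# unix name = client name(s)
!root = SAMDOM\Administrator
; a second, unrelated mapping
guest = "SAMDOM\Kiosk User" pcguest
'''

def parse_map(text):
    """Return [(stop, unix_name, [client_names])] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue                      # blank, comment or malformed line
        stop = line.startswith("!")       # '!': stop processing if this line matches
        unix, _, clients = line.lstrip("!").partition("=")
        # posix=False keeps the backslash literal; quotes are stripped by hand
        names = [n.strip('"') for n in shlex.split(clients, posix=False)]
        rules.append((stop, unix.strip(), names))
    return rules

def resolve(rules, client):
    """Unix name a client name ends up as (unchanged if no line matches)."""
    result = client
    for stop, unix, names in rules:
        # Assumption: names compare case-insensitively; '@group' is not expanded
        hit = any("*" in n or n.lower() == client.lower() for n in names)
        if hit:
            result = unix
            if stop:
                break
    return result

def maps_to_root(rules):
    """Every entry on a line whose Unix name is root; review '*' and '@group'."""
    return [n for _, unix, names in rules if unix == "root" for n in names]

if __name__ == "__main__":
    rules = parse_map(SAMPLE_MAP)
    print("entries mapped to root:", maps_to_root(rules))
    print("Administrator ->", resolve(rules, r"SAMDOM\Administrator"))
```

Anything other than the intended Administrator entry in the root list, especially a wildcard, deserves a second look before the map goes live.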
