[Samba] Domain Member Server: Domain Users cannot access shares
Jason Secord
it at plymouthhistory.org
Thu Sep 22 23:21:53 UTC 2016
Hi Rowland,
*Apparently I accidentally replied directly to you instead of the list,
this is from a couple days ago...*
First off, thanks again for your help, your insight is invaluable.
I have completed the changes you suggested:
I've used ADUC to remove the NIS Domain and UID/GID number from the
following Users/Groups:
- group policy creator owners
- enterprise admins
- schema admins
- dnsadmins
- Administrator
I've added "username map = /etc/samba/user.map" to my smb.conf
I've created /etc/samba/user.map
ls -la /etc/samba/user.map
-rw-r--r-- 1 root root 73 Sep 21 20:53 /etc/samba/user.map
cat /etc/samba/user.map
!root = PHM\Administrator PHM\administrator Administrator administrator
Here is the output of the getfacl command you requested I run:
sudo getfacl /mnt/md0/samba_shares/Accounts
getfacl: Removing leading '/' from absolute path names
# file: mnt/md0/samba_shares/Accounts
# owner: itwerks
# group: domain\040admins
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::rwx
Regards,
JS
On Thu, Sep 22, 2016 at 1:35 AM, Jason Secord <it at plymouthhistory.org>
wrote:
> I ran another test of a share on the raid array after making the changes
> you suggested Rowland. I reset the ACLs on /mnt/md0/samba_shares/test as
> outlined in the wiki and set the default group to domain admins. I
> executed setfacl commands g=rwx and chgrp domain admins, then added the
> directory to my smb.conf and ran "smbcontrol all reload-config". I then
> logged in to a Windows box as administrator and set ACLs for my test domain
> user account, allowing full control in both share permissions and the
> security tabs, applied settings and closed the snap-in.
>
> I then logged in to another machine as my test user and tried to access
> the new share and still received access denied.
>
> I'd be oh so happy if this thread ends and the raid controller isn't the
> root cause of this issue, but my gut says it must be as shares that I
> copied from the array to the system drive retained the ACLs I had set
> previously and were accessible without modification. I just wish I could
> find some indication that this is a known issue, my Google fu fails to
> reveal any evidence supporting the theory.
>
> JS
>
> On Sep 21, 2016 9:02 PM, "Jason Secord" <it at plymouthhistory.org> wrote:
>
>> Hi Rowland,
>>
>> First off, thanks again for your help, your insight is invaluable.
>>
>> I have completed the changes you suggested:
>>
>> I've used ADUC to remove the NIS Domain and UID/GID number from the
>> following Users/Groups:
>>
>> - group policy creator owners
>> - enterprise admins
>> - schema admins
>> - dnsadmins
>> - Administrator
>>
>> I've added "username map = /etc/samba/user.map" to my smb.conf
>>
>> I've created /etc/samba/user.map
>>
>> ls -la /etc/samba/user.map
>> -rw-r--r-- 1 root root 73 Sep 21 20:53 /etc/samba/user.map
>>
>> cat /etc/samba/user.map
>> !root = PHM\Administrator PHM\administrator Administrator administrator
>>
>> Here is the output of the getfacl command you requested I run:
>>
>> sudo getfacl /mnt/md0/samba_shares/Accounts
>> getfacl: Removing leading '/' from absolute path names
>> # file: mnt/md0/samba_shares/Accounts
>> # owner: itwerks
>> # group: domain\040admins
>> user::rwx
>> group::rwx
>> other::rwx
>> default:user::rwx
>> default:group::rwx
>> default:group:domain\040admins:rwx
>> default:mask::rwx
>> default:other::rwx
>>
>> Regards,
>>
>> JS
>>
>>
>> On Wed, Sep 21, 2016 at 12:06 PM, Rowland Penny via samba <
>> samba at lists.samba.org> wrote:
>>
>>> On Wed, 21 Sep 2016 11:09:15 -0400
>>> Jason Secord <it at plymouthhistory.org> wrote:
>>>
>>> > Hi Rowland,
>>> >
>>> > I've already removed all "admin users" and "valid users" entries from
>>> > my smb.conf, they ended up there after hours of confusion trying to
>>> > drill down to the root of the problem.
>>> >
>>> > To remove the aforementioned UID/GIDs, I can do that via the tab in
>>> > ADUC, correct? Is there a document on best practices when applying UNIX
>>> > attributes to accounts?
>>>
>>> You can do it with ADUC, or you can use ldb or ldap tools or ADSI edit.
>>>
>>> >
>>> > I haven't encountered any mention of creating a user.map in the
>>> > documentation, nor have I ever created one in the past. Is this
>>> > something that is considered a best practice as well? Can you point
>>> > me to any documentation on user.maps?
>>>
>>> Not too sure about the documentation. There is some in 'man smb.conf',
>>> but it is easier to describe it to you.
>>>
>>> On a Samba AD DC, Administrator gets mapped to root automatically, but
>>> on a domain member it isn't. There are two schools of thought here,
>>> one is to give Administrator a uidNumber, but I don't recommend this.
>>> If you do give Administrator a uidNumber, it becomes just another
>>> Unix user with just the same permissions as any other user and it
>>> breaks the DC. The other option is to use a 'username map', this will
>>> do what the DC does and maps Administrator to the root user.
>>>
>>> > I will make these adjustments
>>> > tonight and update you along with the results of that getfacl command
>>> > you requested.
>>> >
>>> > I have applied ACLs to all shares already.
>>> >
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>
>>
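The 'username map' behaviour Rowland describes (the domain Administrator is rewritten to the Unix root user on a member server, with the leading '!' stopping any further rewriting) follows the rules documented in 'man smb.conf'. The script below is an added illustration written for this thread, not Samba's own code: it parses a user.map in that format and resolves client names against it, going a little beyond the single line posted above by also handling '@group' entries, "double-quoted" names, the '*' wildcard, and the case where a line without '!' lets a later line remap the name again. The map content and the backupops group membership are constructed for the example; on a real member server '@group' is resolved through the OS, not a dict. It also includes a check that the map file, which effectively hands out root, is owned by root and not group- or world-writable, matching the root:root 0644 file shown in the thread.

```python
"""Model of Samba's 'username map' resolution (per man smb.conf) plus a
permission check for the map file. Example code written for this thread,
not Samba's implementation."""
import os
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed map file. The first rule is the one posted in the thread; the
# remaining rules are assumed extras that exercise '@group' lists, quoted
# names, and chained (non-'!') rules.
SAMPLE_USER_MAP = r"""
# comment lines (and ';' lines) are ignored
!root = PHM\Administrator PHM\administrator Administrator administrator
backup = @backupops
guest = PHM\contractor "PHM\temp staff"
nobody = guest
"""

# Hypothetical group membership for the '@backupops' rule (constructed).
SAMPLE_GROUPS: Dict[str, Set[str]] = {"backupops": {r"PHM\alice"}}

Rule = Tuple[str, List[str], bool]   # (unix name, client-name patterns, stop)


def _tokens(text: str) -> List[str]:
    """Split the right-hand side on whitespace, keeping "quoted names" whole."""
    out, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                out.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_user_map(text: str) -> List[Rule]:
    """Parse 'unixname = name1 name2 ...' lines; a leading '!' marks a stop rule."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        if "=" not in line:
            raise ValueError(f"malformed user.map line: {raw!r}")
        unix_name, rhs = line.split("=", 1)
        rules.append((unix_name.strip(), _tokens(rhs), stop))
    return rules


def _matches(name: str, pattern: str, groups: Dict[str, Set[str]]) -> bool:
    """'*' matches anything, '@group' matches group members, else compare names
    case-insensitively (Windows names are not case sensitive)."""
    if pattern == "*":
        return True
    if pattern.startswith("@"):
        members = groups.get(pattern[1:], set())
        return name.lower() in {m.lower() for m in members}
    return name.lower() == pattern.lower()


def map_username(name: str, rules: Iterable[Rule],
                 groups: Optional[Dict[str, Set[str]]] = None) -> str:
    """Walk the rules top to bottom. A match rewrites the name; unless the rule
    was a '!' rule, later lines are matched against the rewritten name, so a
    name can be mapped more than once."""
    groups = groups or {}
    current = name
    for unix_name, patterns, stop in rules:
        if any(_matches(current, p, groups) for p in patterns):
            current = unix_name
            if stop:
                break
    return current


def map_file_is_safe(uid: int, mode: int) -> bool:
    """A map that grants root must only be writable by root: owner uid 0 and
    no group/other write bits (the thread's file is root:root 0644)."""
    return uid == 0 and not (mode & 0o022)


def check_map_file(path: str = "/etc/samba/user.map") -> bool:
    st = os.stat(path)
    return map_file_is_safe(st.st_uid, st.st_mode)


if __name__ == "__main__":
    rules = parse_user_map(SAMPLE_USER_MAP)
    for client in [r"PHM\Administrator", "administrator", r"PHM\alice",
                   r"PHM\contractor", r"PHM\temp staff", r"PHM\jason"]:
        print(f"{client:20} -> {map_username(client, rules, SAMPLE_GROUPS)}")
```

Running it shows why the '!' on the root line matters: PHM\Administrator stops at 'root', while PHM\contractor is first rewritten to 'guest' and then, because that rule has no '!', rewritten again by the 'nobody = guest' line. A misplaced or missing '!' is therefore one thing to rule out when a mapped account unexpectedly lands on the wrong Unix user.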