[Samba] Domain Member Server: Domain Users cannot access shares

Jason Secord it at plymouthhistory.org
Thu Sep 22 23:21:53 UTC 2016


Hi Rowland,


*Apparently I accidentally replied directly to you instead of the list,
this is from a couple days ago...*

First off, thanks again for your help, your insight is invaluable.

I have completed the changes you suggested:

I've used ADUC to remove the NIS Domain and UID/GID number from the
following Users/Groups:

   - group policy creator owners
   - enterprise admins
   - schema admins
   - dnsadmins
   - Administrator

I've added "username map = /etc/samba/user.map" to my smb.conf

I've created /etc/samba/user.map

ls -la /etc/samba/user.map
-rw-r--r-- 1 root root 73 Sep 21 20:53 /etc/samba/user.map

cat /etc/samba/user.map
!root = PHM\Administrator PHM\administrator Administrator administrator

Here is the output of the getfacl command you requested I run:

sudo getfacl /mnt/md0/samba_shares/Accounts
getfacl: Removing leading '/' from absolute path names
# file: mnt/md0/samba_shares/Accounts
# owner: itwerks
# group: domain\040admins
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::rwx

Regards,

JS

On Thu, Sep 22, 2016 at 1:35 AM, Jason Secord <it at plymouthhistory.org>
wrote:

> I ran another test of a share on the raid array after making the changes
> you suggested Rowland.  I reset the ACLs on /mnt/md0/samba_shares/test as
> outlined in the wiki and set the default group to domain admins.  I
> executed setfacl commands g=rwx and chgrp domain admins, then added the
> directory to my smb.conf and ran "smbcontrol all reload-config".  I then
> logged in to a Windows box as administrator and set ACLs for my test domain
> user account, allowing full control in both share permissions and the
> security tabs, applied settings and closed the snap-in.
>
> I then logged in to another machine as my test user and tried to access
> the new share and still received access denied.
>
> I'd be oh so happy if this thread ends and the raid controller isn't the
> root cause of this issue, but my gut says it must be as shares that I
> copied from the array to the system drive retained the ACLs I had set
> previously and were accessible without modification.  I just wish I could
> find some indication that this is a known issue, my Google fu fails to
> reveal any evidence supporting the theory.
>
> JS
>
> On Sep 21, 2016 9:02 PM, "Jason Secord" <it at plymouthhistory.org> wrote:
>
>> Hi Rowland,
>>
>> First off, thanks again for your help, your insight is invaluable.
>>
>> I have completed the changes you suggested:
>>
>> I've used ADUC to remove the NIS Domain and UID/GID number from the
>> following Users/Groups:
>>
>>    - group policy creator owners
>>    - enterprise admins
>>    - schema admins
>>    - dnsadmins
>>    - Administrator
>>
>> I've added "username map = /etc/samba/user.map" to my smb.conf
>>
>> I've created /etc/samba/user.map
>>
>> ls -la /etc/samba/user.map
>> -rw-r--r-- 1 root root 73 Sep 21 20:53 /etc/samba/user.map
>>
>> cat /etc/samba/user.map
>> !root = PHM\Administrator PHM\administrator Administrator administrator
>>
>> Here is the output of the getfacl command you requested I run:
>>
>> sudo getfacl /mnt/md0/samba_shares/Accounts
>> getfacl: Removing leading '/' from absolute path names
>> # file: mnt/md0/samba_shares/Accounts
>> # owner: itwerks
>> # group: domain\040admins
>> user::rwx
>> group::rwx
>> other::rwx
>> default:user::rwx
>> default:group::rwx
>> default:group:domain\040admins:rwx
>> default:mask::rwx
>> default:other::rwx
>>
>> Regards,
>>
>> JS
>>
>>
>> On Wed, Sep 21, 2016 at 12:06 PM, Rowland Penny via samba <
>> samba at lists.samba.org> wrote:
>>
>>> On Wed, 21 Sep 2016 11:09:15 -0400
>>> Jason Secord <it at plymouthhistory.org> wrote:
>>>
>>> > Hi Rowland,
>>> >
>>> > I've already removed all "admin users" and "valid users" entries from
>>> > my smb.conf, they ended up there after hours of confusion trying to
>>> > drill down to the root of the problem.
>>> >
>>> > To remove the aforementioned UID/GIDs, I can do that via the tab in
>>> > ADUC, correct?  Is there a document on best practices when applying UNIX
>>> > attributes to accounts?
>>>
>>> You can do it with ADUC, or you can use ldb or ldap tools or ADSI edit.
>>>
>>> >
>>> > I haven't encountered any mention of creating a user.map in the
>>> > documentation, nor have I ever created one in the past.  Is this
>>> > something that is considered a best practice as well?  Can you point
>>> > me to any documentation on user.maps?
>>>
>>> Not too sure about the documentation. There is some in 'man smb.conf',
>>> but it is easier to describe it to you.
>>>
>>> On a Samba AD DC, Administrator gets mapped to root automatically, but
>>> on a domain member it isn't. There are two schools of thought here,
>>> one is to give Administrator a uidNumber, but I don't recommend this.
>>> If you do give Administrator a uidNumber, it becomes just another
>>> Unix user with just the same permissions as any other user and it
>>> breaks the DC. The other option is to use a 'username map', this will
>>> do what the DC does and maps Administrator to the root user.
>>>
>>> > I will make these adjustments
>>> > tonight and update you along with the results of that getfacl command
>>> > you requested.
>>> >
>>> > I have applied ACLs to all shares already.
>>> >
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>
>>
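Rowland's description of 'username map' above, as an added example that is not part of the thread: a small POSIX shell/awk resolver that applies a map file the way 'man smb.conf' describes, so the posted /etc/samba/user.map line can be checked for a given account name before reloading smbd. It assumes the map grammar from the man page (unixname = winname ..., a leading '!' stops processing after a match, '#'/';' comments) and case-insensitive name comparison; the sample map is constructed to match the posted one, and quoted names containing spaces and '@group' entries are not handled.

```shell
#!/bin/sh
# Added example, not code from the thread: resolve a Windows account name
# through a Samba-style 'username map' file, following the rules in
# 'man smb.conf' (assumed here):
#   unixname = winname1 winname2 ...
#   a leading '!' stops processing once that line has matched,
#   '#' or ';' start a comment, names are compared case-insensitively.
# Not handled: quoted names containing spaces and '@group' entries.

# Constructed sample map, equivalent to the posted /etc/samba/user.map.
SAMPLE_MAP=$(mktemp)
trap 'rm -f "$SAMPLE_MAP"' EXIT
cat > "$SAMPLE_MAP" <<'EOF'
# map the domain Administrator to root, as a Samba AD DC does by itself
!root = PHM\Administrator PHM\administrator Administrator administrator
EOF

# resolve_user MAPFILE NAME -> prints the Unix name NAME maps to, or NAME
# unchanged when no line matches. NAME is passed through the environment
# because 'awk -v' would reinterpret the backslash in DOMAIN\user.
resolve_user() {
    WINNAME=$2 awk '
        BEGIN { result = ENVIRON["WINNAME"]; lname = tolower(result) }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # comments, blank lines
        {
            line = $0
            sub(/[#;].*$/, "", line)                  # trailing comment
            if (index(line, "=") == 0) next
            unix = line; sub(/=.*/, "", unix)
            gsub(/^[ \t]+|[ \t]+$/, "", unix)
            stop = 0
            if (substr(unix, 1, 1) == "!") { stop = 1; unix = substr(unix, 2) }
            wins = line; sub(/^[^=]*=/, "", wins)
            n = split(wins, w, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (w[i] == "") continue
                if (w[i] == "*" || tolower(w[i]) == lname) {
                    result = unix
                    if (stop) exit                # END still prints result
                    lname = tolower(unix)         # later lines see the new name
                    break
                }
            }
        }
        END { print result }
    ' "$1"
}

# Both domain spellings should resolve to root; an ordinary user is unchanged.
resolve_user "$SAMPLE_MAP" 'PHM\Administrator'
resolve_user "$SAMPLE_MAP" 'phm\administrator'
resolve_user "$SAMPLE_MAP" 'PHM\jsecord'
```

If a name you expect to become root comes back unchanged here, the map line itself is the thing to fix, independently of the share ACLs.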