[Samba] Samba 4.6.0 - Domain admin can't list nor access shares on file server

Rowland Penny rpenny at samba.org
Wed May 10 17:04:16 UTC 2017


On Wed, 10 May 2017 18:44:33 +0200
Olaf Frączyk via samba <samba at lists.samba.org> wrote:

> 
> 
> On 5/10/2017 6:06 PM, Rowland Penny via samba wrote:
> > On Wed, 10 May 2017 17:47:37 +0200
> > Olaf Frączyk via samba <samba at lists.samba.org> wrote:
> >
> >> Hello,
> >>
> >> I have domain NAVIDOM.
> >>
> >> There is also a fileserver that has joined the domain (both file
> >> server and DC are samba 4.6.0).
> >>
> >> If I try to connect as NAVIDOM\Administrator, I cannot access the
> >> file server (from Linux and Windows):
> >>
> >> [root at dc var]# smbclient -U Administrator -L fileserv
> >> Enter NAVIDOM\Administrator's password:
> >> session setup failed: NT_STATUS_ACCESS_DENIED
> >>
> >> I can do it as a regular user:
> >>
> >> [root at fileserv samba]# smbclient -U olaf -L fileserv
> >> Enter NAVIDOM\olaf's password:
> >>
> >>       Sharename       Type      Comment
> >>       ---------       ----      -------
> >>
> >> .......
> >>
> >> Is this normal or do I have a problem with my setup?
> >>
> > Possibly normal, but it depends on your smb.conf on the Unix domain
> > member, so can you post the smb.conf from the Unix domain member
> > (the thing you call a fileserver)
> >
> > Rowland
> >
> >
> [global]
>      security = ADS
>      workgroup = NAVIDOM
>      realm = NAVIDOM.OFFICE.NAVI.PL
>      log file = /var/log/samba/%m.log
>      log level = 1
>      idmap config * : backend = tdb
>      idmap config * : range = 20000-20999
>      idmap config NAVIDOM:backend = ad
>      idmap config NAVIDOM:schema_mode = rfc2307
>      idmap config NAVIDOM:range = 1000-9999
>      idmap config NAVIDOM:unix_nss_info = yes
>      idmap config NAVIDOM:unix_primary_group = yes
>      winbind use default domain = yes
>      winbind nss info = rfc2307
>      winbind refresh tickets = yes
>      template shell = /bin/bash
>      template homedir = /home/%U
>      create mask = 0666
>      directory mask = 0777
>      store dos attributes = yes
> 
> Is this because of NAVIDOM:range = 1000-9999, so it doesn't include
> uid 0?
> 
> 

No, it is because your Unix OS has no idea who the Windows user
'Administrator' is ;-)

You need to map it to the 'root' user by adding this line to smb.conf:

username map = /etc/samba/user.map

and then create the user.map containing this:

!root = NAVIDOM\Administrator NAVIDOM\administrator Administrator administrator

Restart Samba, you will then be able to connect from a Windows machine to
your Unix machine and do maintenance.

You will still find that the OS doesn't know who 'Administrator'
is, but this doesn't really matter.

Rowland

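The map line above is the only Samba-specific part of the fix, so it helps to see how such a file is interpreted. The following is an added example, not code from this thread or from Samba itself: a small Python model of the `username map` file rules as the smb.conf documentation describes them (comment lines, the `!` stop marker, `@group` entries and the `*` wildcard), run over a constructed map whose first line is the one suggested in the reply. The `nobody = *` catch-all line and the `groups_of` lookup are constructed for the demonstration, and name comparison is exact (case-sensitive), which is a simplification of Samba's real comparison. The `root_mapped_names` helper is a defender's audit: everything it lists gets root's file-system rights on the member server, so that list should stay as short as the maintenance task needs.

```python
"""Toy model of Samba's 'username map' file semantics (constructed example).

Rules modelled from the smb.conf documentation of 'username map':
  - one mapping per line: unixname = winname1 winname2 ...
  - lines starting with '#' or ';' are comments
  - a leading '!' means: stop processing once this line has mapped the user
  - '@name' on the right-hand side matches members of Unix group 'name'
  - '*' on the right-hand side matches any name
Every matching line is applied in order to the *current* name, so a later
wildcard line can re-map a name an earlier line already mapped unless that
earlier line carried '!'.  Name comparison here is exact (case-sensitive),
a simplification of the real implementation.
"""
from dataclasses import dataclass, field

# Constructed sample map: the first mapping line is the one suggested in the
# reply above; the 'nobody = *' fallback exists only to show what '!' protects
# against.
SAMPLE_MAP = r"""
# /etc/samba/user.map (constructed example)
!root = NAVIDOM\Administrator NAVIDOM\administrator Administrator administrator
; constructed catch-all line, present only to demonstrate the stop rule
nobody = *
"""

# Same map with the '!' removed: the catch-all now re-maps 'root' as well.
NO_STOP_MAP = SAMPLE_MAP.replace("!root", "root")


@dataclass
class MapEntry:
    unix_name: str
    win_names: list = field(default_factory=list)
    stop: bool = False


def parse_user_map(text):
    """Parse user.map text into MapEntry objects, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        if "=" not in line:
            raise ValueError(f"malformed username map line: {raw!r}")
        unix_name, rhs = line.split("=", 1)
        entries.append(MapEntry(unix_name.strip(), rhs.split(), stop))
    return entries


def _matches(pattern, name, groups_of):
    if pattern == "*":
        return True
    if pattern.startswith("@"):
        return pattern[1:] in groups_of(name)
    return pattern == name


def map_username(name, entries, groups_of=lambda user: set()):
    """Return the Unix name that `name` ends up as after applying the map.

    `groups_of(name)` is a hypothetical lookup returning the set of Unix
    group names `name` belongs to; the default knows no groups, so '@group'
    patterns never match unless the caller supplies one.
    """
    current = name
    for entry in entries:
        if any(_matches(p, current, groups_of) for p in entry.win_names):
            current = entry.unix_name
            if entry.stop:
                break
    return current


def root_mapped_names(entries):
    """Audit helper: every right-hand-side name some map line sends to 'root'."""
    names = set()
    for entry in entries:
        if entry.unix_name == "root":
            names.update(entry.win_names)
    return sorted(names)


if __name__ == "__main__":
    entries = parse_user_map(SAMPLE_MAP)
    for who in ("NAVIDOM\\Administrator", "Administrator", "NAVIDOM\\olaf"):
        print(f"{who:25s} -> {map_username(who, entries)}")
    print("mapped to root:", root_mapped_names(entries))
    print("without '!':", map_username("NAVIDOM\\Administrator",
                                        parse_user_map(NO_STOP_MAP)))
```

With the `!` in place, `NAVIDOM\Administrator` resolves to `root` and processing stops; with it removed, the later `*` line re-maps the already-mapped `root` to `nobody`, which is exactly the case the documentation's advice about wildcard lines later in the file is about. Ordinary users such as `NAVIDOM\olaf` are untouched by the first line either way.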