[Samba] member domain idmap config ad/rid

Rowland Penny rpenny at samba.org
Tue May 30 20:38:38 UTC 2017


On Tue, 30 May 2017 17:19:04 -0300
Elias Pereira <empbilly at gmail.com> wrote:

> >
> > Simple answer:
> > Administrator, No
> > Domain Admins, Yes
> 
> 
> Ok. It was already that way.
> 
> root@fileserver:/etc/samba# getent group
> ...
> domain admins:x:10004:
> domain users:x:10000:
> dap:x:10003:
> dti:x:10001:
> 
> For some reason it is not working with the administrator user. I put my
> user as domain admin and included him as a member of unix, and now I
> can access the security tab.
> 
> http://i.imgur.com/tNBj8dal.png
> 
> root@fileserver:/etc/samba# getent passwd elias.pereira
> elias.pereira:*:10001:10000:Elias Pereira:/home/elias.pereira:/bin/sh
> root@fileserver:/etc/samba# getent passwd administrator
> root@fileserver:/etc/samba# getent passwd ADDC\administrator
> 
> In the *getent passwd administrator* nothing appears. According to
> your explanation, it should contain the value "0" !?
> 
> What permissions should that user.map file have?
> 
> root@fileserver:/etc/samba# getfacl user.map
> # file: user.map
> # owner: root
> # group: root
> user::rw-
> group::r--
> other::r--
> 
> 

Bit more explaining ;-)

If you run getent passwd administrator on a DC, you should get
something like this:

root@dc1:~# getent passwd administrator
SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash

But on a Unix domain member, you will get this:

rowland@devstation:~$ getent passwd administrator
rowland@devstation:~$ 

Yes, nothing ;-)

This is because Administrator is 'mapped' to root and the OS doesn't
know who Administrator is, but you should be able to do things from
Windows as Administrator. There is, however, a gotcha: on any domain
joined Windows machine there are two 'Administrators'. One is the local
Administrator and will not be mapped to 'root' and the other is
'Domain\Administrator'; this is the one that is mapped to the Unix user
'root'. So, if you logged in as just 'Administrator', this is very
likely to be your problem.

getfacl against my user.map returns the same results as yours and
everything works for me.

Rowland
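
The mapping discussed above lives in the file that the smb.conf `username map` setting points at (the user.map listed in the quoted message). As an added example that is not part of the original post, this sketch resolves a client name through such a file and checks that the file is not writable by group or other, matching the mode getfacl shows in the thread. The helper names, the sample file contents and the WINPC machine name are assumptions.

```shell
#!/bin/sh
# Added example; helper names and sample data are assumptions, not Samba's code.

# map_target FILE CLIENTNAME
# Print the Unix name a "username map" file assigns to CLIENTNAME.
# Handles "unixname = name1 name2" lines and the "!" stop marker only;
# wildcards, @group entries and quoted names are out of scope here.
map_target() {
    # Pass the name through the environment: awk -v would mangle the backslash.
    CLIENT="$2" awk '
        BEGIN { cur = ENVIRON["CLIENT"] }
        /^[ \t]*([#;]|$)/ { next }          # skip comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            lhs = substr($0, 1, eq - 1); rhs = substr($0, eq + 1)
            gsub(/[ \t]/, "", lhs)
            stop = (substr(lhs, 1, 1) == "!")
            if (stop) lhs = substr(lhs, 2)
            n = split(rhs, names, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (names[i] != "" && tolower(names[i]) == tolower(cur)) {
                    cur = lhs; hit = 1
                    if (stop) exit          # "!" ends processing on a match
                    break
                }
        }
        END { if (hit) print cur }
    ' "$1"
}

# check_admin_map FILE DOMAIN
# 0: DOMAIN\Administrator maps to root and FILE is not group/other writable
# 1: mapping missing or wrong   2: FILE is writable by group or other
check_admin_map() {
    [ "$(map_target "$1" "$2\\Administrator")" = "root" ] || return 1
    loose=$(find "$1" -prune \( -perm -020 -o -perm -002 \))
    [ -z "$loose" ] || return 2
    return 0
}

# Constructed sample map for the SAMDOM domain used in the thread.
demo=$(mktemp) && chmod 644 "$demo"
printf '%s\n' '# constructed sample' '!root = SAMDOM\Administrator' > "$demo"
check_admin_map "$demo" SAMDOM && echo "domain Administrator maps to root"
[ -z "$(map_target "$demo" 'WINPC\Administrator')" ] && echo "local Administrator is not mapped"
rm -f "$demo"
```

The write check matters because anyone able to edit the map file can point their own account at root.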


