[Samba] member domain idmap config ad/rid

Elias Pereira empbilly at gmail.com
Tue May 30 20:53:19 UTC 2017


>
> If you run getent passwd administrator on a DC, you should get
> something like this:
> root@dc1:~# getent passwd administrator
> SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash


On my DC, getent passwd administrator shows nothing. :(

Is it necessary to map the root user to ADDC as well?

> There is however a gotcha, on any domain
> joined windows machine there are two 'Administrators'. One is the local
> Administrator and will not be mapped to 'root' and the other is
> 'Domain\Administrator', this is the one that is mapped to the Unix user
> 'root'. So, if you logged in as just 'Administrator', this is very
> likely to be your problem.


No, I logged in with user ADDC\administrator

On Tue, May 30, 2017 at 5:38 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Tue, 30 May 2017 17:19:04 -0300
> Elias Pereira <empbilly at gmail.com> wrote:
>
> > >
> > > Simple answer:
> > > Administrator, No
> > > Domain Admins, Yes
> >
> >
> > Ok. It was already that way.
> >
> > root@fileserver:/etc/samba# getent group
> > ...
> > domain admins:x:10004:
> > domain users:x:10000:
> > dap:x:10003:
> > dti:x:10001:
> >
> > For some reason it is not working with the administrator user. I put my
> > user as domain admin and included him as a member of unix, and now I
> > can access the security tab.
> >
> > http://i.imgur.com/tNBj8dal.png
> >
> > root@fileserver:/etc/samba# getent passwd elias.pereira
> > elias.pereira:*:10001:10000:Elias Pereira:/home/elias.pereira:/bin/sh
> > root@fileserver:/etc/samba# getent passwd administrator
> > root@fileserver:/etc/samba# getent passwd ADDC\administrator
> >
> > With *getent passwd administrator*, nothing appears. According to
> > your explanation, it should contain the value "0" !?
> >
> > What permissions should that user.map file have?
> >
> > root@fileserver:/etc/samba# getfacl user.map
> > # file: user.map
> > # owner: root
> > # group: root
> > user::rw-
> > group::r--
> > other::r--
> >
> >
>
> Bit more explaining ;-)
>
> If you run getent passwd administrator on a DC, you should get
> something like this:
>
> root@dc1:~# getent passwd administrator
> SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
>
> But on a Unix domain member, you will get this:
>
> rowland@devstation:~$ getent passwd administrator
> rowland@devstation:~$
>
> Yes, nothing ;-)
>
> This is because Administrator is 'mapped' to root and the OS doesn't
> know who Administrator is, but you should be able to do things from
> windows as Administrator. There is however a gotcha, on any domain
> joined windows machine there are two 'Administrators'. One is the local
> Administrator and will not be mapped to 'root' and the other is
> 'Domain\Administrator', this is the one that is mapped to the Unix user
> 'root'. So, if you logged in as just 'Administrator', this is very
> likely to be your problem.
>
> getfacl against my user.map returns the same results as yours and
> everything works for me.
>
> Rowland
>



-- 
Elias Pereira
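
An added example, not part of the thread and not Samba's own code: a simplified Python model of a username map such as user.map, showing why ADDC\Administrator resolves to root while a bare Administrator matches nothing. The map line is constructed (the thread never shows the file's contents), matching is reduced to case-insensitive name comparison plus the `*` wildcard (no `@group` entries), and the owner/mode check only mirrors the getfacl output quoted above.

```python
import re
import stat

# Constructed sample: the thread never shows what user.map contains.
SAMPLE_MAP = """\
# constructed user.map
!root = ADDC\\Administrator
"""

def parse_user_map(text):
    """Return [(unix_name, [client_names], stop_on_match)], one per map line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or not a mapping
        unix, _, clients = line.partition("=")
        unix = unix.strip()
        stop = unix.startswith("!")  # '!' ends processing once this line matches
        names = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', clients)]
        entries.append((unix.lstrip("!").strip(), names, stop))
    return entries

def map_user(entries, client_name):
    """Unix name that client_name maps to, or None when no line matches."""
    mapped = None
    for unix, names, stop in entries:
        if "*" in names or client_name.lower() in (n.lower() for n in names):
            mapped = unix
            if stop:
                break
    return mapped

def map_file_problems(st_uid, st_mode):
    """Deviations from the owner/mode in the thread's getfacl output."""
    problems = []
    if st_uid != 0:
        problems.append("not owned by root")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or other")
    return problems

if __name__ == "__main__":
    entries = parse_user_map(SAMPLE_MAP)
    for who in ("ADDC\\Administrator", "Administrator", "ADDC\\elias.pereira"):
        print(f"{who:22} -> {map_user(entries, who)}")
    print("file problems:", map_file_problems(0, 0o100644))
```

To check a real file, pass `os.stat(path).st_uid` and `os.stat(path).st_mode` to `map_file_problems`.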

