[Samba] samba 4 ad member - idmap = ad for machine accounts

Rowland Penny rpenny at samba.org
Mon Nov 20 15:43:49 UTC 2017


On Mon, 20 Nov 2017 07:59:14 -0700 (MST)
tomict via samba <samba at lists.samba.org> wrote:

> Below is relevant info (I think) for my case
> 
> What I did/tried:
> - With ADUC (WS 2012) I added NIS domain 'samdom' to the Unix
>   attributes of users, groups, and also to computers (is the latter
>   necessary?)
> - I test the connection to the shares as system user on the win10
>   machine by using "psexec.exe -s cmd.exe", and then "dir
>   \\fs1\datasys" (see smb.conf below) or any other share name. Access
>   is denied. The startup script has the same problem.
> - I can get AD groups and users on FS1 with getent group and getent
>   passwd.
> - The windows 10 machine account can successfully access the sysvol
>   share on the domain controller DC ("dir \\dc1\sysvol")
> - The three shares in the conf file below are inaccessible to the
>   machine account. The third share is the one I am testing with. I
>   tried the suggestion above to add "acl_xattr:ignore system acls = yes"
>   to the share. This did not solve the problem, so I probably missed
>   something.
> - I do not want to make another fileserver with backend = rid if I can
>   avoid it.
> - If I map the PC050$ name to root I can access the shares, but I do
>   not want that permanently (security). I think I could add another
>   user and map computers to that name but that still seems awkward to
>   me.
> 
> 
> Configuration info:
> - The DC and the fileserver (FS1, the domain member) run CentOS 7,
>   Samba 4.6.10.
> 
> smb.conf on FS1:
> [global]
>     security = ADS
>     workgroup = SAMDOM
>     realm = AD.EXAMPLE.NL
>     ntlm auth = yes
>     log level = 3 passdb:5 auth:5
> 
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-9999
>     idmap config SAMDOM : backend = ad
>     idmap config SAMDOM : schema_mode = rfc2307
>     idmap config SAMDOM : range = 10000-999999
>     idmap config SAMDOM : default = yes
>     winbind nss info = template
>     template shell = /bin/bash
>     template homedir = /data/home/%U
>     winbind use default domain = yes
>     allow dns updates = nonsecure
>     username map = /etc/samba/user.map
>     spoolss: architecture = Windows x64
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     winbind refresh tickets = Yes
> 
> # shares
> [datatest]
>     vfs objects = acl_xattr
>     map acl inherit = yes
>     store dos attributes = yes
>     path = /data/datatest
>     read only = no
> 
> [datasys]
>     vfs objects = acl_xattr
>     map acl inherit = yes
>     store dos attributes = yes
>     path = /data/datasys
>     read only = no
> 
> # testfolder
> [testfolfder]
>     vfs objects = acl_xattr
>     acl_xattr:ignore system acls = yes
>     # I used: mkdir /data/testfolder ; chmod 0770 /data/testfolder ; chown root."domain admins" /data/testfolder
>     path = /data/testfolder
>     read only = no
> 
> 
> smb.conf on DC1
> [global]
>     workgroup = SAMDOM
>     realm = AD.EXAMPLE.NL
>     netbios name = DC1
>     server role = active directory domain controller
>     dns forwarder = 192.168.3.2
>     idmap_ldb:use rfc2307 = yes
>     allow dns updates = nonsecure
>     winbind enum users = yes
>     winbind enum groups = yes
>     ldap server require strong auth = no
>     username map = /etc/samba/user.map
>     log level = 3
> 
> [netlogon]
>     path = /var/lib/samba/sysvol/ad.example.nl/scripts
>     read only = No
> 
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
> 

Can I suggest you read these wiki pages:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

https://wiki.samba.org/index.php/The_SYSTEM_Account

Can I also suggest you remove the 'winbind enum' lines, you do not need
these.

And finally, definitely remove the user.map line from the DC.

Rowland
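The idmap settings under discussion, checked by a small added linter that is not part of this thread or of Samba: it parses the [global] section of a smb.conf (the sample below is constructed from the FS1 lines quoted above), flags overlapping idmap ranges, points out that an "ad" backend only maps objects carrying rfc2307 uidNumber/gidNumber (which a computer account such as PC050$ lacks unless one is added), and reports the "winbind enum" and, for a DC, "username map" lines Rowland says to remove. The `role` parameter and the finding texts are this example's own.

```python
import re
# Constructed sample: the idmap/winbind lines from the FS1 [global] section quoted above.
FS1_GLOBAL = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-9999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-999999
    winbind enum users = yes
    username map = /etc/samba/user.map
"""

def parse_global(text):
    """Return [global] parameters as {key: value}, keys whitespace-normalised and lowercased."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;': continue  # blank line or comment
        if line.startswith('['):
            in_global = line.lower() == '[global]'
            continue
        if in_global and '=' in line:
            key, value = line.split('=', 1)
            params[' '.join(key.split()).lower()] = value.strip()
    return params

def lint_idmap(text, role='member'):
    """Return findings for a domain member ('member') or DC ('dc') smb.conf."""
    params, findings, ranges = parse_global(text), [], {}
    for key, value in params.items():
        m = re.fullmatch(r'idmap config (\S+) : range', key)
        if m:  # '*' (default backend) or a domain such as samdom
            ranges[m.group(1)] = tuple(int(x) for x in value.split('-'))
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                findings.append(f'idmap ranges overlap: {a} {ranges[a]} and {b} {ranges[b]}')
    for dom in ranges:
        if dom != '*' and params.get(f'idmap config {dom} : backend') == 'ad':
            # idmap_ad maps only objects with rfc2307 uidNumber/gidNumber; a computer account has none by default.
            findings.append(f'{dom}: backend ad needs uidNumber on every account that opens shares, machine accounts included')
    for key in ('winbind enum users', 'winbind enum groups'):
        if params.get(key, 'no').lower() == 'yes':
            findings.append(f"'{key} = yes' is unnecessary; remove it")
    if role == 'dc' and 'username map' in params:
        findings.append("'username map' must not be set on a DC")
    return findings
```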
