[Samba] administrator does not have permission
Rowland Penny
rpenny at samba.org
Mon Nov 20 19:07:03 UTC 2017
On Mon, 20 Nov 2017 12:18:14 -0600
Robert Wooden via samba <samba at lists.samba.org> wrote:
> While attempting to check 'profiles' user permissions on my member
> server I discovered that (for some reason) I did not have a krb5.conf
> file (on member.) Resolved that issue. Then find that the keytab file
> is missing. Fixed that.
You usually get a krb5.conf created when you install the kerberos
client packages, it is usually more than what you need though.
You only get the /etc/krb5.keytab created at join if you have these two
lines in smb.conf:
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
>
> I wanted to check profile user permissions and have discovered that
> the administrator does not have permission to "view or edit this
> object's permission settings." WHAT?? Is there a linux way to correct
> this issue?
Have you mapped Administrator to the Unix user 'root' in a user.map ?
>
> Further digging and I find that the administrator (the
> DOMAIN\administrator) does have rights to see permissions of anything
> on the member server.
>
> I am puzzled . . . how could missing krb5.conf and keytab files allow
> access when missing. Clearly replacing the missing files and kerberos
> is blocking something.
Ah, but Samba uses a keytab in memory and whilst I have always created
the krb5.conf myself, it is possible that Samba can use the Realm found
in smb.conf if there is no /etc/krb5.conf.
>
> So, the question is is there a way to correct this on the linux side?
>
> I am at a loss as to how to proceed?
Please check if you have a user.map and report back.
Rowland
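
As an added illustration (not part of the original message and not Samba project code), a small Python check for the two things the reply above asks about: whether the [global] section of smb.conf carries the two keytab lines, and whether a username map sends Administrator to root. The domain SAMDOM, the path /etc/samba/user.map and the sample file contents are constructed, and the map matching is simplified as noted in the comments.

```python
import re

# Constructed sample files; SAMDOM and the user.map path are assumptions.
SAMPLE_SMB_CONF = """
[global]
    realm = SAMDOM.EXAMPLE.COM
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    username map = /etc/samba/user.map
"""
SAMPLE_USER_MAP = "!root = SAMDOM\\Administrator\n"

def global_settings(smb_conf_text):
    """Parse [global] of smb.conf text; parameter names are lower-cased."""
    settings, section = {}, None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            settings[" ".join(key.lower().split())] = value.strip()
    return settings

def keytab_findings(settings):
    """Report which of the two keytab lines from the reply are missing."""
    findings = []
    if settings.get("kerberos method", "").lower() != "secrets and keytab":
        findings.append("kerberos method is not 'secrets and keytab'")
    if not settings.get("dedicated keytab file"):
        findings.append("dedicated keytab file is not set")
    return findings

def mapped_unix_user(user_map_text, client_name):
    """Unix user a client name maps to, or None. Simplified: the last
    matching line wins, '!' stops at that line, chained remaps are ignored."""
    result = None
    for raw in user_map_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix_user, clients = line.split("=", 1)
        names = [n.strip('"').lower() for n in re.findall(r'"[^"]*"|\S+', clients)]
        if client_name.lower() in names:
            result = unix_user.strip().lstrip("!").strip()
            if unix_user.strip().startswith("!"):
                return result
    return result
```

Run against the real files by passing their contents, for example `keytab_findings(global_settings(open("/etc/samba/smb.conf").read()))`.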