[Samba] Cannot get DOMAIN\administrator mapped to root on domain member

Ken McDonald ken at generation.tech
Wed Feb 21 03:39:50 UTC 2018

On a domain member, I cannot get DOMAIN\administrator to login mapped to 
root. On my Samba AD DC, this does work and when I login there, I get a 
# prompt.

Here is my smb.conf on the domain member

        security = ADS
        workgroup = SUBDOMAIN
        realm = SUBDOMAIN.DOMAIN.COM

        log file = /usr/local/samba/var/%m.log
        log level = 3

        bind interfaces only = yes
        interfaces = lo ens3

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        idmap config SUBDOMAIN:backend = ad
        idmap config SUBDOMAIN:schema_mode = rfc2307
        idmap config SUBDOMAIN:range = 10000-999999

        idmap config SUBDOMAIN : unix_nss_info = no

        template shell = /bin/bash
        template homedir = /home/%U

        username map = /usr/local/samba/etc/user.map

And the user.map file

!root = SUBDOMAIN\Administrator SUBDOMAIN\administrator Administrator 

My /usr/share/pam-configs/winbind file is

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
         [success=end default=ignore]    pam_winbind.so use_first_pass
         [success=end default=ignore]    pam_winbind.so cached_login
Account-Type: Primary
         [success=end user_unknown=ignore default=bad] pam_winbind.so
Password-Type: Primary
         [success=end default=ignore]    pam_winbind.so use_authtok
         [success=end default=ignore]    pam_winbind.so
Session-Type: Additional
         optional                        pam_winbind.so

And I've got the PAM & winbind links to libraries

On my Windows desktop ADUC, I have tried blanking <not set> the 
uidNumber & gidNumber in the "Attribute Editor" tab. I've also tried 
with just the gidNumber defined and uidNumber blank. Nothing works. I am 
testing on the console of a Linux Mint desktop. I get a quick flash of 
an "authentication denied" (I think) and back to the login prompt.

If I do have uidNumber & gidNumber defined, I can get Administrator to 
login but it just uses those numbers and I don't get a # prompt.

I'm lost on where to go next. Help?
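As an added example (not part of the original post and not Samba's own code), here is a small Python model of the `username map` file semantics used above, so the `!root = ...` line can be checked offline against different spellings of the incoming name and audited for which rules grant a uid-0 account. It assumes Samba's name matching is case-insensitive and that lines after a non-`!` match are tested against the already-remapped name; `@group` patterns are resolved through a caller-supplied lookup.

```python
from typing import Callable, List, Set, Tuple

# Constructed sample map for this example; the first line mirrors the post's user.map.
SAMPLE_MAP = r"""
# comments start with '#' or ';'
!root = SUBDOMAIN\Administrator SUBDOMAIN\administrator Administrator
guest = *
"""

Rule = Tuple[str, List[str], bool]  # (unix name, patterns, stop after match)


def parse_username_map(text: str) -> List[Rule]:
    """Parse a username map: 'unixname = pat1 pat2 ...'; leading '!' stops on match."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank, comment or malformed line
        left, right = line.split("=", 1)
        unix_name = left.strip()
        stop = unix_name.startswith("!")
        if stop:
            unix_name = unix_name[1:].strip()
        rules.append((unix_name, right.split(), stop))
    return rules


def map_username(rules: List[Rule], name: str,
                 groups_of: Callable[[str], Set[str]] = lambda n: set()) -> str:
    """Apply the rules in order and return the resulting Unix name."""
    current = name
    for unix_name, patterns, stop in rules:
        groups = {g.lower() for g in groups_of(current)}
        matched = any(
            pat == "*"  # wildcard matches every incoming name
            or (pat.startswith("@") and pat[1:].lower() in groups)
            or pat.lower() == current.lower()  # assumption: case-insensitive compare
            for pat in patterns
        )
        if matched:
            current = unix_name  # assumption: later lines see the remapped name
            if stop:
                break
    return current


def rules_granting(rules: List[Rule], unix_name: str) -> List[str]:
    """Audit helper: every pattern that maps to the given Unix account (e.g. root)."""
    return [p for u, pats, _ in rules if u == unix_name for p in pats]
```

Any `*` or `@Domain Users` pattern reported by `rules_granting(rules, "root")` would hand root to every domain account, so that list is worth checking whenever a map is edited.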

