[Samba] Cannot get DOMAIN\administrator mapped to root on domain member

Rowland Penny rpenny at samba.org
Wed Feb 21 08:51:56 UTC 2018


On Tue, 20 Feb 2018 22:39:50 -0500
Ken McDonald via samba <samba at lists.samba.org> wrote:

> On a domain member, I cannot get DOMAIN\administrator to log in mapped
> to root. On my Samba AD DC, this does work and when I log in there, I
> get a # prompt.
> 
> Here is my smb.conf on the domain member
> 
> [global]
>         security = ADS
>         workgroup = SUBDOMAIN
>         realm = SUBDOMAIN.DOMAIN.COM
> 
>         log file = /usr/local/samba/var/%m.log
>         log level = 3
> 
>         bind interfaces only = yes
>         interfaces = lo ens3
> 
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
> 
>         idmap config SUBDOMAIN:backend = ad
>         idmap config SUBDOMAIN:schema_mode = rfc2307
>         idmap config SUBDOMAIN:range = 10000-999999
> 
>         idmap config SUBDOMAIN : unix_nss_info = no
> 
>         template shell = /bin/bash
>         template homedir = /home/%U
> 
>         username map = /usr/local/samba/etc/user.map
> 
> 
> And the user.map file
> 
> !root = SUBDOMAIN\Administrator SUBDOMAIN\administrator Administrator administrator
> 
> 
> My /usr/share/pam-configs/winbind file is
> 
> Name: Winbind NT/Active Directory authentication
> Default: yes
> Priority: 192
> Auth-Type: Primary
> Auth:
>          [success=end default=ignore]    pam_winbind.so use_first_pass
> Auth-Initial:
>          [success=end default=ignore]    pam_winbind.so cached_login
> Account-Type: Primary
> Account:
>          [success=end user_unknown=ignore default=bad] pam_winbind.so
> Password-Type: Primary
> Password:
>          [success=end default=ignore]    pam_winbind.so use_authtok
> Password-Initial:
>          [success=end default=ignore]    pam_winbind.so
> Session-Type: Additional
> Session:
>          optional                        pam_winbind.so
> 
> 
> And I've got the PAM & winbind links to libraries
> 
> 
> On my Windows desktop ADUC, I have tried blanking <not set> the 
> uidNumber & gidNumber in the "Attribute Editor" tab. I've also tried
> with just the gidNumber defined and uidNumber blank. Nothing works. I
> am testing on the console of a Linux Mint desktop. I get a quick
> flash of an "authentication denied" (I think) and back to the login prompt.
> 
> If I do have uidNumber & gidNumber defined, I can get Administrator
> to log in, but it just uses those numbers and I don't get a # prompt.
> 
> I'm lost on where to go next. Help?
> 

You are misunderstanding how mapping Administrator to root works ;-)

If you map Administrator to root, then when you connect from Windows as
Administrator, you can manage share permissions etc. as root.

As you have found out, if you do give Administrator a uidNumber, it
just becomes a normal user and you can log into a Unix machine. If you
'map' Administrator, you cannot log in, but the fix for this is a bit
obvious: log in as root ;-)

Rowland
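To make the distinction above concrete, here is a small resolver (added for this archive page; not code from the thread or from Samba) that applies "username map" rules to an incoming SMB user name, so the effect of the OP's `!root = ...` line can be seen without a running smbd. It assumes names compare case-insensitively, that `*` matches any name, that a `!` line stops processing once it has mapped, and it skips `@group`/`+group`/`&group` entries (those need a group lookup); the map file is constructed, with its first line modelled on the OP's.

```shell
#!/bin/sh
# Added example, not the thread's or Samba's code: resolve a client name
# through a Samba-style "username map". Assumptions: case-insensitive
# matching, "*" matches anything, "!" stops after a line that mapped,
# group entries (@, +, &) are skipped. The map below is constructed.
set -f   # no glob expansion: a "*" token in the map must stay literal

MAP_FILE=$(mktemp)
trap 'rm -f "$MAP_FILE"' EXIT
cat >"$MAP_FILE" <<'EOF'
# unixname = client names   (constructed; first line modelled on the OP's)
!root = SUBDOMAIN\Administrator SUBDOMAIN\administrator Administrator administrator
backup = SUBDOMAIN\bkp
nobody = backup
EOF

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# map_username NAME -> prints the Unix name smbd would carry on with.
# Without "!" the mapped name is fed into the following lines (chaining).
map_username() {
    mu_user=$1
    while IFS= read -r mu_line; do
        mu_line=${mu_line%%#*}; mu_line=${mu_line%%;*}        # drop comments
        case $mu_line in *=*) ;; *) continue ;; esac          # skip blank lines
        mu_lhs=$(printf '%s' "${mu_line%%=*}" | tr -d '[:space:]')
        mu_rhs=${mu_line#*=}
        mu_stop=0
        case $mu_lhs in '!'*) mu_stop=1; mu_lhs=${mu_lhs#!} ;; esac
        for mu_tok in $mu_rhs; do
            case $mu_tok in @*|+*|'&'*) continue ;; esac     # group entries skipped
            if [ "$mu_tok" = '*' ] || [ "$(lc "$mu_tok")" = "$(lc "$mu_user")" ]; then
                mu_user=$mu_lhs
                if [ "$mu_stop" = 1 ]; then printf '%s\n' "$mu_user"; return 0; fi
                break
            fi
        done
    done <"$MAP_FILE"
    printf '%s\n' "$mu_user"
}

# This rewrite happens only inside smbd for SMB sessions; a console login
# through pam_winbind never consults the map, so the mapped Administrator
# gets no Unix account of its own.
for name in 'SUBDOMAIN\administrator' 'Administrator' 'SUBDOMAIN\bkp' 'SUBDOMAIN\ken'; do
    printf '%-26s -> %s\n' "$name" "$(map_username "$name")"
done
```

The `backup`/`nobody` pair shows what the `!` prefix prevents: without it a mapped name is re-matched against every later line.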
