[Samba] smb.conf username map entry does not work
Peter Milesson
miles at atmos.eu
Sun Oct 7 10:05:09 UTC 2018
Hi folks,

I have got the following setup:

OS: CentOS 7.5 1804 in a HP DL120 server
Samba AD member server with standard Samba 4.7.1 from the CentOS 7.5
distribution.

I have got a problem that the "username map" entry in smb.conf does not
seem to have any effect at all. In the mapping file there is a mapping
from Administrator to root. But when I run id Administrator I do not get
the mapping to root. The result of the id command looks like:

uid=10500(administrator) gid=10513(domain_users)
groups=10513(domain_users), 10500(administrator), 10512(domain_admins),
10572(denied_rodc_password_replication_group),
10518(schema_admins),10519(enterprise_admins),
10520(group_policy_creator_owners),
3001(BUILTIN\users),3000(BUILTIN\administrators)

and getent passwd Administrator gives:

administrator:*:10500:10513::/dev/null:/sbin/nologin

This in turn gives problems when setting up a share with the RSAT tools.
It is not possible to use the administrator account, as it seems to
behave like any user account, and not an Administrator account. Also,
for example setting permissions on a file, and using Administrator, sets
permission to the user Administrator, and not root.

I wiped all files under /var/lib/samba and /run/samba, and rejoined the
server, but it did not change things at all. I also tried to set the
uidNumber=0 in the ADUC tool, but that did not help either.

I would be very grateful for any ideas.

Best regards,
Peter

smb.conf
======
[global]
workgroup = SAMDOM
realm = SAMDOM.LOCAL
security = ads
netbios name = KONSRV
server string = Samdom server %h
username map = /etc/samba/user.map
template homedir = /dev/null
template shell = /sbin/nologin
winbind use default domain = true
winbind offline logon = true
winbind normalize names = Yes
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 10000-99999
local master = no
domain master = no
preferred master = no
os level = 20
map to guest = bad user
host msdfs = no
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
client signing = mandatory
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 4
printing = bsd
printcap name = /dev/null
load printers = no
disable spoolss = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
inherit acls = yes
acl group control = yes
hide unreadable = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/

user.map
======
!root = administrator Administrator SAMDOM\Administrator
SAMDOM\\Administrator SAMDOM\administrator SAMDOM\\administrator
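
Added example, not part of the original post and not Samba's code: a small Python model of the username map rules described in smb.conf(5), run over the user.map content shown above, both as two physical lines and joined into one. smbd consults this file for the name a client logs in with; id and getent resolve names through NSS/winbind and do not read it. Assumptions: lines without '=' are ignored, names compare case-insensitively, tokens are taken literally, @group entries are not modelled, and parse_map/map_user are hypothetical names.

```python
import re

# user.map exactly as it appears in the post (two physical lines).
AS_POSTED = r"""!root = administrator Administrator SAMDOM\Administrator
SAMDOM\\Administrator SAMDOM\administrator SAMDOM\\administrator
"""
# Same content if the break was only mail wrapping (one physical line).
JOINED = AS_POSTED.replace("\n", " ", 1)
# Constructed samples: "!" stops processing before the wildcard line.
WITH_STOP = "!root = admin\nguest = *\n"
NO_STOP = "root = admin\nguest = *\n"


def parse_map(text):
    """Return [(unix_name, [client_names], stop_flag)] for each rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, '#'/';' comments and (assumed) lines without '='.
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, _, rest = line.partition("=")
        unix = unix.strip()
        stop = unix.startswith("!")
        if stop:
            unix = unix[1:].strip()
        # Names are whitespace separated; double quotes keep spaces.
        names = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', rest)]
        rules.append((unix, names, stop))
    return rules


def map_user(rules, client_name):
    """Apply every rule in order; a matching '!' rule ends processing."""
    current = client_name
    for unix, names, stop in rules:
        if any(n == "*" or n.lower() == current.lower() for n in names):
            current = unix
            if stop:
                break
    return current


if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("joined", JOINED)):
        rules = parse_map(text)
        print(label, len(rules), "rule(s),", len(rules[0][1]), "names ->",
              map_user(rules, r"SAMDOM\Administrator"))
    print(map_user(parse_map(WITH_STOP), "admin"),
          map_user(parse_map(NO_STOP), "admin"))
```

In this model the file yields a single rule either way; a mapping to root without the leading "!" would be overridden by any later wildcard line.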