[Samba] Authenticating Samba Share with Domain Administrator

Rowland penny rpenny at samba.org
Thu Aug 22 07:04:10 UTC 2019


On 21/08/2019 22:47, Mark Foley via samba wrote:
> I have a NAS (Linux/Slackware 14.2) that is a domain member. "Normal" AD Windows users can map
> shared directories just fine without having to enter Credentials. If I try doing that with the
> domain Administrator it prompts me for the credentials, then fails. On the NAS I can get an
> "OK" status with ntlm_auth using the administrator credentials. I cannot 'su -' to the
> administrator account on the NAS, nor can I do so on the AD/DC. On the latter I get
> "Authentication Failure".
>
> On the NAS, a getent for a normal user gives:
>
> # getent passwd mark
> mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
>
> I cannot getent for the administrator on the NAS (comes back blank), but I can do so on the AD/DC:
>
> getent passwd Administrator
> HPRS\administrator:*:0:10000:Administrator:/home/HPRS/administrator:/bin/bash
>
> Is there some setting in the NAS smb.conf that will fix this?
>
> Here is my smb.conf on the NAS:
>
> # Global parameters
> [global]
> netbios name = OHPRSSTORAGE
>
>     server string = HPRS NAS server
>
> domain master = no
> prefered master = no
>
> realm = HPRS.LOCAL
> workgroup = HPRS
> usershare allow guests = Yes
> usershare max shares = 10
> security = ADS
> template shell = /bin/bash
>
> max log size = 10000
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>                  
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config HPRS:backend = ad
> idmap config HPRS:schema_mode = rfc2307
> idmap config HPRS:range = 10000-10099
>
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
>
> [Backups]
> comment = HPRS domain current backup respository
> path = /mnt/RAID/Backups
> public = yes
> guest ok = yes
> guest only = yes
> writeable = yes
> browseable= yes
> printable = no
> force user = ohprso
> force group = ohprs
> create mask = 0660
> directory mask = 2771
>
Mark, from a quick search, Slackware 14.2 uses Samba 4.6.16 at maximum; 
this is EOL as far as Samba is concerned.

There is nothing you can do to get Administrator to log into a Unix 
domain member, but you can map Administrator to the root user. Add this 
line to your smb.conf:

      username map = /etc/samba/user.map

Create /etc/samba/user.map containing just this:

!root = HPRS\Administrator

Coming back to your smb.conf and the [Backups] share in particular, you 
should remove 'public = yes'; it means the same as 'guest ok = yes'. 
However, you might as well also remove 'guest ok = yes' and 
'guest only = yes' because you do not have 'map to guest = bad user' 
set in [global], so you will not get any guest access ;-)

Rowland
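
A small checker for the two points in the reply above, as an added example that is not part of the original message or of Samba: it flags a missing 'username map' in [global] and share-level guest settings that have no 'map to guest' to back them. The function names and the SAMPLE text are assumptions made for illustration.

```python
# SAMPLE is constructed from settings quoted in the thread; it is not a full smb.conf.
SAMPLE = """\
[global]
security = ADS

[Backups]
path = /mnt/RAID/Backups
public = yes
guest ok = yes
guest only = yes
browseable= yes
"""
# smb.conf synonyms, keyed with whitespace removed: 'public' = 'guest ok', 'only guest' = 'guest only'.
GUEST_KEYS = {"public": "guestok", "guestok": "guestok",
              "guestonly": "guestonly", "onlyguest": "guestonly"}
TRUE = {"yes", "true", "1"}
def parse_smb_conf(text):
    # Returns {section: [(key, value), ...]}. Names are lower-cased and whitespace inside
    # parameter names is removed, as smb.conf ignores both. Backslash continuations are not handled.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append(("".join(key.split()).lower(), value.strip()))
    return sections

def audit(text):
    # Hypothetical helper: reports the two points raised in the reply.
    conf = parse_smb_conf(text)
    glob = dict(conf.pop("global", []))
    findings = []
    if "usernamemap" not in glob:
        findings.append("[global] has no 'username map'")
    # Samba's default for 'map to guest' is Never.
    guest_mapped = glob.get("maptoguest", "never").lower() != "never"
    for name, params in conf.items():
        seen = [GUEST_KEYS[k] for k, v in params if k in GUEST_KEYS and v.lower() in TRUE]
        if seen.count("guestok") > 1:
            findings.append(f"[{name}] sets both 'public' and 'guest ok' (synonyms)")
        if seen and not guest_mapped:
            findings.append(f"[{name}] has guest settings but 'map to guest' is 'never'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a real domain member, `testparm` remains the authoritative way to see the effective configuration; this sketch only reads the file text.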





