[Samba] How to fix mapping Administrator to root

adam_xu at adagene.com.cn adam_xu at adagene.com.cn
Mon Jun 3 11:38:32 UTC 2019


Thanks, Rowland, 'net cache flush' solved my problem, but I found that I can't access any share in \\myshare.
Some related configurations in my smb.conf:
....
access based share enum = yes
hide unreadable = yes

username map = /etc/samba/user.map

I can't see any share folder of my fileserver in fsmgmt.msc, and I ran "smbstatus -b":
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing              
----------------------------------------------------------------------------------------------------------------------------------------
5936    root         root         192.168.42.144 (ipv4:192.168.42.144:61733) SMB2_10           -                    -     
It seems that the administrator is not in the "Domain Admins" group, since I have granted "Domain Admins" the "SeDiskOperatorPrivilege" privilege. So I can't access any share folder using the Administrator account.
So what should I do? Could you give me a suggestion? Thanks.

 

Best,


yours Adam
 
From: Rowland penny via samba
Date: 2019-06-03 17:33
To: samba
Subject: Re: [Samba] How to fix mapping Administrator to root
On 03/06/2019 10:09, adam_xu--- via samba wrote:
> Hi sambalist,
>
>   I've been using Samba AD DC for about 2 years. I have 2 DCs and one file server. I didn't map the Administrator to root because the wiki said:
>
> "Mapping the domain administrator to the local root account is optional. Only configure the mapping if the domain administrator must be able to execute file operations on the domain member using root permissions. You should be aware that mapping Administrator to the root account will not allow you to log onto Unix domain members as Administrator."
>
> So I gave the Administrator user a uidNumber and it seems like a Unix user. I can get the user info via "getent passwd administrator"
 
But you have mapped Administrator, just not to root.
 
On a DC, Administrator is automatically mapped to root in idmap.ldb; on 
a Unix domain member, to do the same, you add a user.map. When you gave 
Administrator a uidNumber, you turned it into a normal Unix user with 
the lack of authority this entails.
 
>
> It seems that everything has worked fine these years, but I saw some suggestions on the mailing list saying we "should not give Administrator a uidNumber".
>   So is there any disadvantage if I give a uidNumber to Administrator? And how could I fix that if I already did that? I tried to set the uidNumber to none, but it didn't make sense. I still got user info like
> getent passwd administrator
> administrator:*:10000:10001:....
>
If you had tried to do something as Administrator on a Unix domain 
member, you would have found the disadvantages, but as it seems you 
haven't, then I would leave things alone, except for removing the 
uidNumber from Administrator and running 'net cache flush' on every Unix 
domain member.
 
I will rewrite that wikipage.
 
Rowland
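
Added example (not part of the thread and not Samba code): a small parser for the "username map" file format as documented in smb.conf(5), to audit which client names end up as root on a domain member. The map content is constructed, SAMDOM is a placeholder domain name, and group entries (@, + and & prefixes) are skipped because they need NSS lookups.

```python
import re

# Constructed sample map; SAMDOM is a placeholder domain name.
SAMPLE_MAP = r'''
# lines starting with '#' or ';' are ignored
; another comment
!root = SAMDOM\Administrator
backup = "SAMDOM\Backup Operator" SAMDOM\svc-backup
guest = *
'''

def parse_username_map(text):
    """Return [(unix_name, [client_names], stop_if_matched)] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")  # '!' ends processing once this line maps
        unix_name, sep, rhs = line.lstrip("!").partition("=")
        if not sep or not unix_name.strip():
            continue  # malformed line, no "unixname = ..." pair
        # Client names are whitespace separated; names with spaces are quoted.
        names = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', rhs)]
        # Assumption of this sketch: group entries are not evaluated.
        names = [n for n in names if n and n[0] not in "@+&"]
        rules.append((unix_name.strip(), names, stop))
    return rules

def resolve(rules, client_name):
    """Unix name the map yields for client_name (original name if unmapped)."""
    wanted = client_name.lower()  # matching is case-insensitive
    result = client_name
    for unix_name, clients, stop in rules:
        if any(c == "*" or c.lower() == wanted for c in clients):
            result = unix_name  # without '!', later matching lines override
            if stop:
                break
    return result

def root_mapped(rules):
    """Explicitly listed client names that finally resolve to root."""
    listed = [c for _, clients, _ in rules for c in clients if c != "*"]
    return [c for c in listed if resolve(rules, c) == "root"]

if __name__ == "__main__":
    print(root_mapped(parse_username_map(SAMPLE_MAP)))
```

In the sample, the "backup" line has no '!' prefix, so the later "guest = *" line overrides it; only the '!root' line keeps its mapping.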
 
 
 