[Samba] How to fix mapping Administrator to root

Rowland penny rpenny at samba.org
Mon Jun 3 12:21:05 UTC 2019

On 03/06/2019 12:38, adam_xu at adagene.com.cn wrote:
> Thanks, Rowland , 'net cache flush' solved my problem. but I found 
> that I can't access any share in \\myshare.
> some related configurations  in my smb,conf
> ....
> access based share enum = yes
Having the above means your shares will only be accessible to users that 
have read or write permissions on the shares
> hide unreadable = yes
The above requires the user has read permissions on the shares.
> username map = /etc/samba/user.map
> I can't see  any share folder of my fileserver in fsmgmt.msc. and I 
> run "smbstatus -b"
> PID     Username     Group        Machine                   Protocol 
> Version  Encryption Signing
> ----------------------------------------------------------------------------------------------------------------------------------------
> 5936    root         root 
> (ipv4: SMB2_10           -        -
> seems that the administor is not in "Domain admins" group. since I 
> have grant  "Domain Admins" the "SeDiskOperatorPrivilege" privielges. 
> So I can's acess any share folder useing the Administrator account.
> so what should I do, could you give me a suggestion,

Try checking in idmap.ldb on a DC, you should find something like this:

dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
objectClass: sidMap
objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
xidNumber: 0
distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500

This is what maps 'Administrator' to UID '0' (root)

If it isn't there, try restarting the DC.

By default, 'Administrator' is a member of 'Domain Admins'


> ------------------------------------------------------------------------

More information about the samba mailing list