[Samba] How to fix mapping Administrator to root

adam_xu at adagene.com.cn adam_xu at adagene.com.cn
Mon Jun 3 15:09:21 UTC 2019


Hi Rowland,

Yes, all users' primary group is "domain users".

My "domain admins" has a gidNumber.

Best,


yours Adam
 
From: Rowland penny via samba
Date: 2019-06-03 22:44
To: sambalist
Subject: Re: [Samba] How to fix mapping Administrator to root
On 03/06/2019 15:29, adam_xu at adagene.com.cn wrote:
> Hi Rowland,
>
> I have checked that Administrator is a member of "Domain Admins" in ADUC.
> Base permission of the share folder is 0770, the owner is root and the
> group is "domain admins" in Linux.
> Since "smbstatus -b" shows that administrator's group is root, is this
> related to my previous configuration? I once gave a uidNumber to
> administrator.
I wouldn't think so, whilst Administrator is mapped to the user 'root' 
in idmap.ldb and in your user.map on the Unix domain member, its primary 
group (like every other AD user) is Domain Users.
>
> Here's the full content in my smb.conf
> [global]
>         security = ADS
>         workgroup = NTBAOBEI
>         realm = NTBAOBEI.COM
>
>         log file = /var/log/samba/%m.log
>         log level = 3 passdb:5 auth:5 winbind:5
>
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>         idmap config NTBAOBEI:backend = ad
>         idmap config NTBAOBEI:schema_mode = rfc2307
>         idmap config NTBAOBEI:range = 10000-999999
>         idmap config NTBAOBEI:unix_nss_info = yes
>
>         winbind use default domain = Yes
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind offline logon = yes
>         winbind refresh tickets = yes
>         access based share enum = yes
>         hide unreadable = yes
>
>         username map = /etc/samba/user.map
>
>         load printers = no
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
> [IT]
>         path = /srv/samba/IT/
>         read only = no
>
>
> cat /etc/samba/user.map
> !root = NTBAOBEI\Administrator
>
There doesn't seem to be anything wrong there, are you sure that you 
have followed this:
 
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
 
Does 'Domain Admins' have a gidNumber ?
 
Rowland
 
 
 