[Samba] Expected behaviour of domain\administrator on Linux AD domain member
Rob Tho
rtsamba10 at gmail.com
Mon Apr 20 21:50:55 UTC 2020
Dear all,
I have set up a small test domain in VirtualBox.
1. Samba AD DC on Debian bullseye testing 4.11.6
2. Samba domain member Debian Stretch 4.10.14
3. Windows 10 Enterprise evaluation version 1909
Roaming profiles with folder redirection setup.
PAM working.
The above was set up basically using the guides on wiki.samba.org, with nearly
the only thing changed being SAMDOM to SAMBA. "Unix Admins" group added as
per guide.
Everything works the way I expect apart from:
SAMBA\Administrator account cannot access or modify the shares on the Samba
domain member from the Windows 10 machine. If I add share access to
"Everyone, Full control" *, then the administrator account can change the
share and security properties.
* From the Computer Management console connected to the domain member on the
Windows 10 machine, logged in as SAMBA\Administrator
If I add my test domain user to the "Domain Admins" group, that user can
modify the shares on the domain member (as expected).
Domain member smb.conf
[global]
workgroup = SAMBA
security = ADS
realm = SAMBA.RTNET
netbios name = LAU-FILES
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
log file = /var/log/samba/%m.log
log level = 3
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config SAMBA:backend = ad
idmap config SAMBA:schema_mode = rfc2307
idmap config SAMBA:range = 10000-999999
idmap config SAMBA:unix_nss_info = yes
idmap config SAMBA: unix_primary_group = yes
username map = /etc/samba/user.map
[Profiles]
path=/samba/profiles
read only = no
Windows ACL:
Share Permissions
Domain Admins (SAMBA\Domain Admins) -- Full Control
Domain Admins (SAMBA\Domain Users) -- Change
Security
Creator Owner
System
Domain Admins
Domain Users
as per samba wiki
filesystem:
drwxrwx---+ 3 root unix admins 4096 Apr 18 23:38 profiles
getfattr profiles
# file: profiles
user.SAMBA_PAI
# getfacl profiles
# file: profiles
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
group::---
group:NT\040Authority\134system:rwx
group:domain\040users:rwx
group:unix\040admins:---
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:NT\040Authority\134system:rwx
default:group:unix\040admins:---
default:mask::rwx
default:other::---
With usermap ! root = SAMBA\Administrator SAMBA\administrator, the
administrator account can list the shares on the domain member, but can't
access them.
Log level 3 shows this:
Mapped user SAMBA\administrator to root
check_user_share_access: user root connection to Profiles denied due to
share security descriptor.
With no usermap, the administrator account can't access the domain member
at all.
Logs show this:
Kerberos ticket principal name is [Administrator at SAMBA.RTNET]
[2020/04/20 22:35:34.532127, 3]
../../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
get_user_from_kerberos_info: Username SAMBA\Administrator is invalid on
this system
[2020/04/20 22:35:34.532154, 3]
../../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
auth3_generate_session_info_pac: Failed to map kerberos principal to
system user (NT_STATUS_LOGON_FAILURE)
Is this the expected behaviour of the domain\administrator account?
I would preferably want to do all domain admin from the
domain\administrator account logged into a Windows 10 machine if that is
possible.
Many thanks for your help,
RT
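Added example, not part of the post above: a small checker for the idmap layout of a domain member's smb.conf. It parses the `idmap config` lines, verifies that the default (*) range uses a writable backend and does not overlap the domain range, and flags the two things behind the logs quoted above: an `ad` backend only maps accounts that carry uidNumber/gidNumber (which is why the member reports the principal as "invalid on this system"), and a `username map` entry to root hands that domain account root's Unix identity. SMB_CONF is a constructed excerpt using the values from the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the domain member's [global] section, values from the post.
SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMBA:backend = ad
   idmap config SAMBA:schema_mode = rfc2307
   idmap config SAMBA:range = 10000-999999
   username map = /etc/samba/user.map
"""
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WRITABLE = {"tdb", "autorid"}  # backends that allocate new IDs themselves

def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Group 'idmap config DOMAIN : option = value' lines by (upper-cased) domain."""
    doms: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            doms.setdefault(m[1].upper(), {})[m[2].lower()] = m[3]
    return doms

def parse_range(spec: str) -> Tuple[int, int]:
    lo, hi = (int(x) for x in spec.split("-"))
    return lo, hi

def check_idmap(conf: str) -> List[str]:
    """Return findings prefixed ERROR (mapping broken) or NOTE (works, but worth knowing)."""
    doms, out = parse_idmap(conf), []
    if doms.get("*", {}).get("backend", "").lower() not in WRITABLE:
        out.append("ERROR: default (*) domain needs a read-write backend such as tdb")
    ranges = {d: parse_range(o["range"]) for d, o in doms.items() if "range" in o}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                out.append(f"ERROR: idmap ranges of {a} and {b} overlap")
    for dom, opts in doms.items():
        if opts.get("backend", "").lower() == "ad":
            out.append(f"NOTE: {dom} uses backend 'ad': only accounts with uidNumber/gidNumber "
                       "in AD get a Unix ID; others are rejected as 'invalid on this system'")
    if re.search(r"^\s*username\s+map\s*=", conf, re.I | re.M):
        out.append("NOTE: username map in use: an '!root = ...' entry hands that domain "
                   "account root's Unix identity on this host, so keep the map tight")
    return out
```

Run `check_idmap(SMB_CONF)` against the post's configuration and it reports no ERROR lines, only the two NOTEs; changing the SAMBA range to start below 8000 produces an overlap ERROR.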