[Samba] Expected behaviour of domain\administrator on Linux AD domain member

Rob Tho rtsamba10 at gmail.com
Mon Apr 20 21:50:55 UTC 2020

Dear all,

I have set a small test domain in virtualbox.

1. Samba AD DC on Debian bullseye testing 4.11.6
2. Samba domain member Debian Stretch 4.10.14
3. Windows 10 Enterprise evaluation version 1909

Roaming profiles with folder redirection setup.
PAM working.

The above was setup basically using guides in wiki.samba.org, with nearly
the only thing changed was SAMDOM to SAMBA. "Unix Admins" group added as
per guide.

Everything works the way I expect apart from:

SAMBA\Administrator account cannot access or modify the shares on the Samba
domain member from the windows 10 machine. If I add share access to
"Everyone, Full control" *, then the administrator account can change the
share and security properties.

* From Computer Management console connected to the domain member in the
windows 10 machine, logged as SAMBA\Administrator

If I add my test domain user to the "Domain Admins" group, that user can
modify the shares on the domain member (as  expected).

Domain member smb.conf
  workgroup = SAMBA
  security = ADS
  realm = SAMBA.RTNET
  netbios name = LAU-FILES

  winbind refresh tickets = Yes
  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes

  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

   winbind use default domain = yes

   winbind enum users = yes
   winbind enum groups = yes

   log file = /var/log/samba/%m.log
   log level = 3

   # Default ID mapping configuration for local BUILTIN accounts
   # and groups on a domain member. The default (*) domain:
   # - must not overlap with any domain ID mapping configuration!
   # - must use a read-write-enabled back end, such as tdb.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # - You must set a DOMAIN backend configuration
   # idmap config for the SAMDOM domain
   idmap config SAMBA:backend = ad
   idmap config SAMBA:schema_mode = rfc2307
   idmap config SAMBA:range = 10000-999999
   idmap config SAMBA:unix_nss_info = yes
   idmap config SAMBA: unix_primary_group = yes

 username map = /etc/samba/user.map

read only = no

Window ACL:
Share Permissions
Domain Admins (SAMBA\Domain Admins) -- Full Control
Domain Admins (SAMBA\Domain Users) -- Change

Creator Owner
Domain Admins
Domain Users
as per samba wiki


drwxrwx---+ 3 root unix admins 4096 Apr 18 23:38 profiles
 getfattr profiles
# file: profiles

# getfacl profiles
# file: profiles
# owner: root
# group: unix\040admins

With usermap ! root = SAMBA\Administrator SAMBA\administrator, the
administrator account can list the shares on the domain member, but can't
access them.
Log level 3 shows this:

   Mapped user SAMBA\administrator to root

 check_user_share_access: user root connection to Profiles denied due to
share security descriptor.

With no usermap, the administrator account can't access the domain member
at all.
Logs show this:
 Kerberos ticket principal name is [Administrator at SAMBA.RTNET]
[2020/04/20 22:35:34.532127,  3]
  get_user_from_kerberos_info: Username SAMBA\Administrator is invalid on
this system
[2020/04/20 22:35:34.532154,  3]
  auth3_generate_session_info_pac: Failed to map kerberos principal to

Is this the expected behaviour of the domain\administrator acccount?
I would preferably want to do all domain admin from the
domain\administrator account logged into a windows 10 machine if that is

Many thanks for your help,


More information about the samba mailing list