[Samba] Expected behaviour of domain\administrator on Linux AD domain member
L.P.H. van Belle
belle at bazuin.nl
Tue Apr 21 08:02:22 UTC 2020
Hai,
Few things.
The Share Permissions, add SYSTEM Full control.
Which rights did you set on : /samba ? ( show getfacl of that one. )
And try changing "default:group:unix\040admins:--- " To BUILTIN\Administrators
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rob Tho via samba
> Sent: Monday 20 April 2020 23:51
> To: samba at lists.samba.org
> Subject: [Samba] Expected behaviour of domain\administrator on Linux AD domain member
>
> Dear all,
>
> I have set a small test domain in virtualbox.
>
> 1. Samba AD DC on Debian bullseye testing 4.11.6
> 2. Samba domain member Debian Stretch 4.10.14
> 3. Windows 10 Enterprise evaluation version 1909
>
> Roaming profiles with folder redirection setup.
> PAM working.
>
> The above was set up basically using guides in wiki.samba.org, with nearly
> the only thing changed being SAMDOM to SAMBA. "Unix Admins" group added as
> per guide.
>
> Everything works the way I expect apart from:
>
> SAMBA\Administrator account cannot access or modify the shares on the Samba
> domain member from the Windows 10 machine. If I add share access to
> "Everyone, Full control" *, then the administrator account can change the
> share and security properties.
>
> * From Computer Management console connected to the domain member in the
> Windows 10 machine, logged in as SAMBA\Administrator
>
> If I add my test domain user to the "Domain Admins" group, that user can
> modify the shares on the domain member (as expected).
>
> Domain member smb.conf
> [global]
> workgroup = SAMBA
> security = ADS
> realm = SAMBA.RTNET
> netbios name = LAU-FILES
>
> winbind refresh tickets = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind use default domain = yes
>
> winbind enum users = yes
> winbind enum groups = yes
>
> log file = /var/log/samba/%m.log
> log level = 3
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the SAMDOM domain
> idmap config SAMBA:backend = ad
> idmap config SAMBA:schema_mode = rfc2307
> idmap config SAMBA:range = 10000-999999
> idmap config SAMBA:unix_nss_info = yes
> idmap config SAMBA: unix_primary_group = yes
>
>
> username map = /etc/samba/user.map
>
>
> [Profiles]
> path=/samba/profiles
> read only = no
>
>
> Window ACL:
> Share Permissions
> Domain Admins (SAMBA\Domain Admins) -- Full Control
> Domain Admins (SAMBA\Domain Users) -- Change
>
> Security
> Creator Owner
> System
> Domain Admins
> Domain Users
> as per samba wiki
>
> filesystem:
>
> drwxrwx---+ 3 root unix admins 4096 Apr 18 23:38 profiles
> getfattr profiles
> # file: profiles
> user.SAMBA_PAI
>
> # getfacl profiles
> # file: profiles
> # owner: root
> # group: unix\040admins
> user::rwx
> user:root:rwx
> group::---
> group:NT\040Authority\134system:rwx
> group:domain\040users:rwx
> group:unix\040admins:---
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:NT\040Authority\134system:rwx
> default:group:unix\040admins:---
> default:mask::rwx
> default:other::---
>
>
> With usermap ! root = SAMBA\Administrator SAMBA\administrator, the
> administrator account can list the shares on the domain member, but can't
> access them.
> Log level 3 shows this:
>
> Mapped user SAMBA\administrator to root
>
> check_user_share_access: user root connection to Profiles denied due to
> share security descriptor.
>
>
> With no usermap, the administrator account can't access the domain member
> at all.
> Logs show this:
> Kerberos ticket principal name is [Administrator at SAMBA.RTNET]
> [2020/04/20 22:35:34.532127, 3]
> ../../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> get_user_from_kerberos_info: Username SAMBA\Administrator is invalid on
> this system
> [2020/04/20 22:35:34.532154, 3]
> ../../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
> auth3_generate_session_info_pac: Failed to map kerberos principal to
> system user (NT_STATUS_LOGON_FAILURE)
>
>
> Is this the expected behaviour of the domain\administrator account?
> I would preferably want to do all domain admin from the
> domain\administrator account logged into a Windows 10 machine, if that is
> possible.
That's what I do also, yes.
Greetz,
Louis
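As an added example (not from this thread and not Samba project code), the following Python script does the two checks Louis is asking Rob to do by hand: it parses `getfacl` output for the share directory and reports principals that appear in the ACL but are granted nothing (the `unix admins` `---` entries), plus access entries that have no matching `default:` entry so new files would not inherit them; and it parses the `idmap config ... : range` lines out of smb.conf and reports overlapping ranges, which the comments in the posted smb.conf warn against. The sample inputs are constructed from the values quoted in the post; the function and variable names are my own and not a Samba API.

```python
"""Audit helpers for a Samba AD domain member (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the getfacl output for /samba/profiles as quoted in the post.
# Raw string so the \040 / \134 octal escapes that getfacl emits stay literal.
SAMPLE_GETFACL = r"""
# file: profiles
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
group::---
group:NT\040Authority\134system:rwx
group:domain\040users:rwx
group:unix\040admins:---
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:NT\040Authority\134system:rwx
default:group:unix\040admins:---
default:mask::rwx
default:other::---
"""

# Constructed sample: the idmap lines from the posted smb.conf.
SAMPLE_SMB_CONF = """\
[global]
workgroup = SAMBA
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMBA:backend = ad
idmap config SAMBA:range = 10000-999999
"""


@dataclass
class AclEntry:
    default: bool   # True for "default:" entries (inherited by new files/dirs)
    tag: str        # user / group / mask / other
    qualifier: str  # named principal, '' for the owner-class entries (user::, group::)
    perms: str      # e.g. 'rwx', 'r-x', '---'


def unescape_getfacl(name: str) -> str:
    r"""getfacl writes spaces, backslashes etc. as \ooo octal (\040 = space, \134 = backslash)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text: str) -> List[AclEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # "# file:", "# owner:", "# group:" header lines
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        perms = perms.split()[0]  # drop a trailing "#effective:..." annotation if present
        entries.append(AclEntry(default, tag, unescape_getfacl(qualifier), perms))
    return entries


def audit_acl(entries: List[AclEntry]) -> List[str]:
    """Report named principals granted nothing, and access entries with no default twin."""
    findings = []
    for e in entries:
        if e.tag in ("user", "group") and e.qualifier and e.perms == "---":
            kind = "default " if e.default else ""
            findings.append(f"{kind}{e.tag} '{e.qualifier}' is listed but granted nothing (---)")
    access = {(e.tag, e.qualifier): e.perms for e in entries if not e.default}
    inherit = {(e.tag, e.qualifier): e.perms for e in entries if e.default}
    for (tag, qualifier), perms in access.items():
        who = f"{tag}:{qualifier}"
        if (tag, qualifier) not in inherit:
            findings.append(f"{who} has no default entry: new files will not inherit it")
        elif inherit[(tag, qualifier)] != perms:
            findings.append(f"{who}: access {perms} differs from default {inherit[(tag, qualifier)]}")
    return findings


def idmap_ranges(smb_conf: str) -> Dict[str, Tuple[int, int]]:
    """Map each idmap domain name ('*' for the default domain) to its (low, high) range."""
    pat = re.compile(r"\s*idmap config\s*([^:]+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
    ranges = {}
    for line in smb_conf.splitlines():
        m = pat.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ID ranges intersect (the '*' range must not overlap others)."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


if __name__ == "__main__":
    for finding in audit_acl(parse_getfacl(SAMPLE_GETFACL)):
        print("ACL:", finding)
    r = idmap_ranges(SAMPLE_SMB_CONF)
    print("idmap ranges:", r, "overlaps:", overlapping_ranges(r))
```

Run against the posted ACL it flags the two `unix admins` entries and the missing `default:` entry for `domain users`; run against the posted idmap lines it finds no overlap. To use it on a live member server, feed it the output of `getfacl <sharedir>` and the contents of `/etc/samba/smb.conf` instead of the constructed samples.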