[Samba] Administrator User Has no access to Remote File Server
ralph strebbing
blackbirdralph at gmail.com
Mon Dec 6 19:58:35 UTC 2021
Hi All,

I'm attempting to diagnose an issue brought to my attention. Right
now, our setup consists of:
2 Domain Controllers (DC1, DC2), and 2 File Servers (Filesrv1,
Filesrv2). I'm attempting to access the Samba shares that utilize
POSIX ACLs on Filesrv1 from both a Windows and Linux client. In both
instances, it refuses the login and/or tells me permission denied.

On filesrv1, I've created and dictated a usermap file, and in that
file is the following line:

    !root = DOMAIN\Administrator

[global]
    workgroup = DOMAIN
    security = ADS
    realm = DOMAIN.COM
    username map = /etc/samba/user.map
    log file = /var/log/samba/%m.log
    log level = 1

    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    idmap config * : backend = tdb
    idmap config * : range = 10000-17999
    # - You must set a DOMAIN backend configuration
    # idmap config for the SAMDOM domain
    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : schema_mode = rfc2307
    idmap config DOMAIN : range = 900-5000
    idmap config DOMAIN : unix_nss_info = yes

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    inherit acls = yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    follow symlinks = yes
    winbind enum users = yes
    winbind enum groups = yes
    include = /etc/samba/shares.conf

A snippet of the specific share I'm testing with:

[MIS]
    path = /storage/netfiles/mis
    browseable = no
    writeable = yes
    inherit acls = yes
    inherit permissions = yes
    #force user = root
    #force group = domadmins
    #valid users = root,administrator

The Force User, Group and Valid Users configs were moved from an old
setup, but have been commented out since before I started here.

I've refollowed the instructions here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
and on the POSIX ACL page, and for normal users it works just fine. I
feel I'm missing something very stupid, but I'm at a loss since most
searches seem to return help articles and responses from 2014 and no
later than 2017. Appreciate any help/advice!

Regards,
Ralph
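
Added example, not part of the original post and not Samba code: a small Python check of the two things the quoted configuration relies on, that the idmap ranges do not overlap (as the smb.conf comment requires) and which Unix account a Windows name resolves to through the username map. The sample text is constructed from the lines in the post; the function names are hypothetical, and the map lookup handles only plain name entries (no @group, * or quoted names).

```python
import re

# Constructed sample: the idmap and username-map lines quoted in the post.
SMB_CONF = """\
[global]
username map = /etc/samba/user.map
idmap config * : backend = tdb
idmap config * : range = 10000-17999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 900-5000
"""
USER_MAP = "!root = DOMAIN\\Administrator\n"

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    out = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            out[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return out

def overlaps(ranges):
    """Return pairs of domains whose ID ranges intersect (must be empty)."""
    doms = sorted(ranges)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def owning_domain(ranges, unix_id):
    """Return the idmap domain whose range contains unix_id, or None."""
    for dom, (lo, hi) in ranges.items():
        if lo <= unix_id <= hi:
            return dom
    return None

def mapped_unix_name(user_map, win_name):
    """Return the Unix name a 'unixname = winname ...' line assigns, or None."""
    for line in user_map.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, _, wins = line.partition("=")
        if win_name.lower() in (w.lower() for w in wins.split()):
            return unix.strip().lstrip("!")  # '!' only means: stop after this line
    return None

if __name__ == "__main__":
    r = idmap_ranges(SMB_CONF)
    print(r, overlaps(r), mapped_unix_name(USER_MAP, "DOMAIN\\Administrator"))
```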