[Samba] Root user shows up as "administrator"
Matthias Kühne | Ellerhold AG
matthias.kuehne at ellerhold.de
Mon Feb 15 14:55:12 UTC 2021
Hello,
we're in the process of migrating our Open Directory to Samba 4.13 in
Debian 10. Our setup will be 8 DCs (1 for each location + 1 primary) and
a few dozen more Linux machines. Each of these machines should grant
domain users rights to auth via SSH and samba. This should be true for
our DCs too! So I want to ssh my-domain-user@dc-1 and manage the machine.
Our test scenario worked really well (thx for such an awesome suite and
the how-tos in the wiki!) but there is a minor problem in our live setup
now.
Sometimes (when exactly idk!) if I switch to the root user via "su" or
"sudo -i" it won't display "root" as the active user but
"DOMAIN\administrator". "whoami" spits out "DOMAIN\administrator", "id"
gives "uid=0(DOMAIN\administrator) gid=0(root) groups=0(root)".
The administrator user has a UID (10372) but "id DOMAIN\\administrator"
gives

    uid=0(DOMAIN\administrator) gid=10072(DOMAIN\domain users) groups=10072(DOMAIN\domain users),100000512(DOMAIN\domain admins),100000519(DOMAIN\enterprise admins),100000520(DOMAIN\group policy creator owners),100000518(DOMAIN\schema admins),100000572(DOMAIN\denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)

This is the smb.conf of the server in question:

[global]
    workgroup = DOMAIN
    realm = DOMAIN
    dns proxy = no
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = Yes
    show add printer wizard = no
    max log size = 1000
    panic action = /usr/share/samba/panic-action %d
    server role = active directory domain controller
    netbios name = DC-2
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307 = Yes
    tls enabled = Yes
    tls keyfile = /etc/samba/certificates/dc-2.key
    tls certfile = /etc/samba/certificates/dc-2.crt
    tls cafile = /usr/local/share/ca-certificates/ca.crt
    security = USER
    template shell = /bin/bash
    template homedir = /home/DOMAIN/%U

[netlogon]
    path = /var/lib/samba/sysvol/DOMAIN/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

My nsswitch.conf is set up like this:

    passwd: compat winbind
    group: compat winbind
    shadow: compat
    gshadow: files
    hosts: files mdns4_minimal [NOTFOUND=return] dns
    networks: files
    protocols: db files
    services: db files
    ethers: db files
    rpc: db files
    netgroup: nis

I've used "https://apt.van-belle.nl/debian buster-samba413" as source
repository to install this Samba version:
Samba 2:4.13.2+dfsg-0.1buster1
libnss-winbind:amd64 2:4.13.2+dfsg-0.1buster1
Any help on fixing this issue is very much appreciated! Thank you in
advance and have a nice day!
--
Matthias Kühne
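
A check for the symptom reported above, as an added example that is not part of the original post: it reports every UID that passwd-format lines (as printed by `getent passwd <name>`) assign to more than one name, and extracts the name that `id` prints for UID 0. The function names are hypothetical and the sample lines are constructed from the values quoted in the message.

```python
import re
from collections import defaultdict

# Constructed sample input, built from the values quoted in the post.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
DOMAIN\\administrator:*:0:10072::/home/DOMAIN/administrator:/bin/bash
DOMAIN\\someuser:*:10400:10072::/home/DOMAIN/someuser:/bin/bash
"""
SAMPLE_ID = "uid=0(DOMAIN\\administrator) gid=0(root) groups=0(root)"

ID_RE = re.compile(r"^uid=(\d+)\(([^)]*)\)")


def names_by_uid(passwd_text):
    """Map each UID to the set of names that claim it in passwd-format text."""
    owners = defaultdict(set)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue  # skip comments and malformed entries
        name, uid = fields[0], fields[2]
        if uid.isdigit():
            owners[int(uid)].add(name)
    return owners


def shared_uids(passwd_text):
    """Return {uid: sorted names} for every UID claimed by more than one name."""
    return {uid: sorted(names)
            for uid, names in names_by_uid(passwd_text).items()
            if len(names) > 1}


def uid0_label(id_output):
    """Return the name `id` printed for UID 0, or None for any other UID."""
    m = ID_RE.match(id_output.strip())
    if m and int(m.group(1)) == 0:
        return m.group(2)
    return None


if __name__ == "__main__":
    for uid, names in sorted(shared_uids(SAMPLE_PASSWD).items()):
        print(f"UID {uid} resolves to several names: {', '.join(names)}")
    label = uid0_label(SAMPLE_ID)
    if label not in (None, "root"):
        print(f"UID 0 is displayed as {label!r} instead of 'root'")
```
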