[Samba] Root user shows up as "administrator"

Matthias Kühne | Ellerhold AG matthias.kuehne at ellerhold.de
Mon Feb 15 14:55:12 UTC 2021


Hello,

we're in the process of migrating our Open Directory to Samba 4.13 in 
Debian 10. Our setup will be 8 DCs (1 for each location + 1 primary) and 
a few dozen more linux machines. Each of these machine should grant 
domain users rights to auth via SSH and samba. This should be true for 
our DCs too! So I want to ssh my-domain-user at dc-1 and manage the machine.

Our test scenario worked really good (thx for such an awesome suite and 
the how-tos in the wiki!) but there is a minor problem in our live setup 
now.

Sometimes (when exactly idk!) if I switch to the root user via "su" or 
"sudo -i" it wont display the "root" as active user but 
"DOMAIN\administrator". "whoami" spits out "DOMAIN\administrator", "id" 
gives "uid=0(DOMAIN\administrator) gid=0(root) groups=0(root)".

The administrator user has a UID (10372) but "id DOMAIN\\administrator" 
gives

uid=0(DOMAIN\administrator) gid=10072(DOMAIN\domain users) 
groups=10072(DOMAIN\domain users),100000512(DOMAIN\domain 
admins),100000519(DOMAIN\enterprise admins),100000520(DOMAIN\group 
policy creator owners),100000518(DOMAIN\schema 
admins),100000572(DOMAIN\denied rodc password replication 
group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)

This is the smb.conf of the server in question:

[global]
     workgroup  = DOMAIN
     realm      = DOMAIN
     dns proxy  = no
     load printers           = no
     printing                = bsd
     printcap name           = /dev/null
     disable spoolss         = Yes
     show add printer wizard = no
     max log size            = 1000
     panic action            = /usr/share/samba/panic-action %d
     server role             = active directory domain controller
     netbios name            = DC-2
     server services         = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
drepl, winbindd, ntp_signd, kcc, dnsupdate
     idmap_ldb:use rfc2307   = Yes
     tls enabled             = Yes
     tls keyfile             = /etc/samba/certificates/dc-2.key
     tls certfile            = /etc/samba/certificates/dc-2.crt
     tls cafile              = /usr/local/share/ca-certificates/ca.crt
     security                = USER
     template shell          = /bin/bash
     template homedir        = /home/DOMAIN/%U
[netlogon]
     path      = /var/lib/samba/sysvol/DOMAIN/scripts
     read only = No

[sysvol]
     path      = /var/lib/samba/sysvol
     read only = No

My nssswitch.conf is setup like this:

passwd:    compat winbind
group:     compat winbind
shadow:    compat
gshadow:   files
hosts:     files mdns4_minimal [NOTFOUND=return] dns
networks:  files
protocols: db files
services:  db files
ethers:    db files
rpc:       db files
netgroup:  nis

I've used "https://apt.van-belle.nl/debian buster-samba413" as source 
repository to install this Samba version:

Samba 2:4.13.2+dfsg-0.1buster1
libnss-winbind:amd64  2:4.13.2+dfsg-0.1buster1

Any help on fixing this issue is very much appreciated! Thank you in 
advance and have a nice day!

-- 
Matthias Kühne
Senior Webentwickler
Datenschutzbeauftragter

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Telefon: +49 (0) 351 83933-61
Telefax: +49 (0) 351 83933-99

Web     www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe

Amtsgericht Dresden / HRB 23769
Vorstand: Stephan Ellerhold, Maximilian Ellerhold
Vorsitzender des Aufsichtsrates: Frank Ellerhold




 
----------------
Diese E-Mail und Ihre Anlagen enthalten vertrauliche Mitteilungen. Sollten Sie nicht der beabsichtigte Adressat sein, so bitten wir Sie um Mitteilung und um sofortiges löschen dieser E-Mail und der Anlagen.

Unsere Hinweise zum Datenschutz finden Sie hier: http://www.ellerhold.de/datenschutz/

This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments.

You can find our privacy policy here: http://www.ellerhold.de/datenschutz/




More information about the samba mailing list