[Samba] Root user shows up as "administrator"

Rowland Penny rpenny at samba.org
Tue Feb 16 15:54:16 UTC 2021


On 16/02/2021 15:23, Matthias Kühne | Ellerhold AG wrote:
> Hello,
>
> I thought I needed "security = USER" in order to SSH into my DC with my
> AD-user credentials.
>
> I've removed the uidNumber from "Administrator" and the gidNumber from
> "Domain Admins".
>
> SSH works, but the problem still exists:
>
> desktop $ ssh matthias.kuehne at DC-2
> matthias.kuehne at DC-2's password:
>
> DOMAIN\matthias.kuehne at DC-2:~ $ sudo -i
> [sudo] password for DOMAIN\matthias.kuehne:


Try running 'net cache flush'; it should look like this:

rowland at devstation:~$ ssh rowland at dc4
Password:
SAMDOM\rowland at dc4:~$ sudo -i
[sudo] password for SAMDOM\rowland:
root at dc4:~#

>
> DOMAIN\administrator at DC-2:~ # whoami
> DOMAIN\administrator


root at dc4:~# whoami
root

>
> DOMAIN\administrator at DC-2:~ # id
> uid=0(DOMAIN\administrator) gid=0(root) groups=0(root)


root at dc4:~# id
uid=0(root) gid=0(root) groups=0(root)

>
> Should be "root" I guess? I could accept this state if it weren't for
> saltstack frantically wanting to chown a lot of files back to "root". The
> chown works (exits 0) but the check after fails because the files / dirs
> are still owned by "DOMAIN\administrator".
>
> Plus there is now another crontab for "DOMAIN\administrator" that's
> different from the root crontab.


Once you do get 'root', delete Administrator's crontab.

>
> Seems like I'm missing the "username map" but afaik this only works on
> domain members and not on DCs?


Yes, you only use the username map on a Unix domain member; the mapping
on a DC is done in idmap.ldb (or at least it is stored there).

>
> Funny enough... this only happens on the DC-2, not on the Primary DC
> (DC-1) nor on the DC-3...

net cache flush 😁

Rowland


>
>
> I've demoted the DC on DC-2, deleted all *.ldb and *.tdb files in
> /var/lib/samba/ and rejoined it into the domain - still the same 
> behavior!
>
>
> Next I've demoted the DC-2 again, purged all samba packages incl. apt
> autoremove --purge. I deleted all DC-2 objects in LDAP (the user and the
> computer). After that I reinstalled from scratch.
>
> The error still happens although it took some time until it presented
> itself.
>
>
> Thanks for your help!
>
> Any other lines in my smb.conf I should purge? I've tried to minimize
> them while also trying to keep every functionality I want...
>
>
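
A quick check for the symptom discussed in this thread, added here as an example and not written by either poster: file ownership is stored as the number 0, and the name that `whoami`, `id` and ownership checks display is whatever the NSS stack returns for uid 0, so the script compares that name with the one the local passwd file gives. The function names are hypothetical; `getent` and `/etc/passwd` are assumed to be present as on a typical Linux DC.

```shell
#!/bin/sh
# Added example (not from the thread): does uid 0 still resolve to the
# name the local passwd file gives it? Function names are hypothetical.

# Name(s) the given passwd-format file assigns to uid 0, one per line.
local_uid0_names() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Name the whole NSS stack returns for uid 0. This is the name that
# whoami, id and "ls -l" show, whatever source answered the lookup.
nss_uid0_name() {
    getent passwd 0 | cut -d: -f1
}

# check_uid0 <nss_name> <passwd_file>
# Returns 0 when the NSS answer matches a uid-0 name in the local file,
# 1 otherwise. printf is used instead of echo because names such as
# DOMAIN\administrator contain a backslash.
check_uid0() {
    c_name=$1
    c_file=$2
    if local_uid0_names "$c_file" | grep -Fqx -- "$c_name"; then
        printf 'OK: uid 0 resolves to %s\n' "$c_name"
        return 0
    fi
    c_local=$(local_uid0_names "$c_file" | paste -sd, -)
    printf 'MISMATCH: NSS returns %s for uid 0, %s has %s\n' \
        "$c_name" "$c_file" "$c_local"
    return 1
}

# Run against the live system only when asked: sh check_uid0.sh --run
if [ "${1:-}" = "--run" ]; then
    check_uid0 "$(nss_uid0_name)" /etc/passwd
fi
```

On a host showing the behaviour reported for DC-2 the check prints a MISMATCH line; run it again after 'net cache flush' to see whether uid 0 is back to 'root'.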


