[Samba] Ongoing internal DNS discrepancies: !root = SAMDOM\Administrator

Michael Tokarev mjt at tls.msk.ru
Sat Feb 12 14:07:14 UTC 2022


12.02.2022 16:57, Patrick Goetz via samba wrote:
> 
> I just noticed another DNS discrepancy involving the use of
> 
> /etc/samba/smb.conf:
> -------------------
> [global]
> username map = /etc/samba/user.map
> 
> 
> archives@data2:/$ cat /etc/samba/user.map
> !root = SAMDOM\Administrator
> 
> When this is set, the root user can just do stuff:
> 
>    root@samba-dc:~# samba-tool computer list
>    IBS100$

I think you're mixing things here.  root can do many samba-tool commands
on the DC just fine without any username.map. But some commands are
implemented by logging in to services over network instead of doing
stuff directly against files in /var/lib/samba/. This has nothing to
do with username.map.

Also, username.map works the other way around: to map someone logged in
as EA\Administrator to root, not to map root to EA\Administrator.

..

> root@samba-dc:~# samba-tool dns query samba-dc ea.linuxcs.com data2 A
> Password for [EA\root]:

Give it the -U Administrator option. username.map works the other way around.

/mjt
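
The mapping direction discussed in this message, as an added example that is not part of the original post and is not Samba's own code: a small Python model of a "username map" lookup, where the left side of each line is the Unix account and the right side lists the client names mapped to it. The `guest = *` line, the function names and the case-insensitive comparison are assumptions made for the example, and entries are assumed to be plain names or `*` (no `@group` or quoted names).

```python
# Added example: models the lookup direction of a Samba "username map" file.
SAMPLE_MAP = """\
# constructed sample; the first rule is the line quoted in the thread
!root = SAMDOM\\Administrator
guest = *
"""

def parse_map(text):
    """Return a list of (stop_on_match, unix_name, client_names)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or not a mapping
        stop = line.startswith("!")  # '!' = stop processing once this line maps
        if stop:
            line = line[1:]
        unix_name, _, clients = line.partition("=")
        rules.append((stop, unix_name.strip(), clients.split()))
    return rules

def map_client_to_unix(rules, client_name):
    """Map the name a client connected with to a Unix account name."""
    result = client_name
    for stop, unix_name, clients in rules:
        names = [c.lower() for c in clients]  # assumption: case-insensitive
        if "*" in clients or client_name.lower() in names:
            result = unix_name  # without '!', a later line may override this
            if stop:
                break
    return result

def clients_mapped_to(rules, unix_name):
    """Audit helper: explicit client names that the map turns into unix_name."""
    return [c for _, u, cs in rules if u == unix_name for c in cs if c != "*"]

RULES = parse_map(SAMPLE_MAP)

if __name__ == "__main__":
    for name in ("SAMDOM\\Administrator", "root", "alice"):
        print(name, "->", map_client_to_unix(RULES, name))
    print("mapped to root:", clients_mapped_to(RULES, "root"))
```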


