[Samba] More on sysvol maintenance

Rowland Penny rpenny at samba.org
Thu May 25 20:27:33 UTC 2023



On 25/05/2023 21:03, Luis Peromarta via samba wrote:
> Update:
> 
> MAD\Administrator can change permissions on the “share” tab.

Please stop trying to alter the 'share' tab; you need to use the 
'security' tab, which really should be called the 'This is where you set the 
NTFS permissions' tab, but that's a bit long.

> MAD\Luis (a domain admin) cannot.

Administrator is being mapped to root, luis is not.

> 
> Should this be like so?
> 
> On the other hand, I have built another domain member for testing.
> 
> [global]
> 	apply group policies = Yes
> 	dedicated keytab file = /etc/krb5.keytab
> 	kerberos method = secrets and keytab
> 	log file = /var/log/samba/%m.log
> 	netbios name = SERVER2
> 	realm = MAD.MATER.INT
> 	security = ADS
> 	server min protocol = SMB2
> 	server role = member server
> 	username map = /etc/samba/user.map
> 	winbind refresh tickets = Yes
> 	winbind use default domain = Yes
> 	workgroup = MAD
> 	acl_xattr:ignore system acls = yes
> 	idmap config mad : unix_nss_info = yes
> 	idmap config mad : range = 10000-999999
> 	idmap config mad : schema_mode = rfc2307
> 	idmap config mad : backend = ad
> 	idmap config * : range = 3000-7999
> 	idmap config * : backend = tdb
> 	fruit:delete_empty_adfiles = yes
> 	fruit:wipe_intentionally_left_blank_rfork = yes
> 	fruit:veto_appledouble = yes
> 	fruit:posix_rename = yes
> 	fruit:model = RackMac
> 	fruit:metadata = stream
> 	fruit:aapl = yes
> 	delete veto files = Yes
> 	ea support = Yes
> 	hosts deny = 0.0.0.0/0
> 	map acl inherit = Yes
> 	vfs objects = acl_xattr
> 
> [personales]
> 	hide unreadable = Yes
> 	path = /data/users/
> 	read only = No
> 	acl_xattr:ignore system acls = yes
> 
> 
> 
> 
> It has the
> username map = /etc/samba/user.map
> 
> And contains:
> !root = MAD\Administrator
> 
> MAD\Administrator has no uidNumber
> 
> However
> 
> root at server2:~# getent passwd Administrator
> 
> root at server2:~# wbinfo -i Administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user Administrator
> 
> When MAD\Administrator tries to access the share via \\server2 I get a “Windows cannot access \\Server2"
> 
> On the server :
> 
> root at server2:/var/log/samba# tail 192.168.0.9.log
> [2023/05/25 17:32:47.622065,  0] ../../source3/auth/auth_util.c:1927(check_account)
>    check_account: Failed to convert SID S-1-5-21-2152908145-95474353-1514027631-500 to a UID (dom_user[MAD\administrator])
> 
> I guess root mapping is not quite right. What am I missing?
> 

Try adding 'min domain uid = 0' to global in your smb.conf to fix that.

There is also the problem that adding 'acl_xattr:ignore system acls = 
yes' does strange things. From my testing, if I remember correctly, with 
it, only Administrator can do things. I do not use it.

Rowland
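As an added illustration of the two points in this reply (not code from the Samba project or from anyone in the thread), the script below parses the quoted smb.conf, the quoted user.map and the quoted check_account log line, and reports the root-mapping pitfall: a 'username map' entry to root needs 'min domain uid = 0' (Samba's default is 1000, which refuses UID 0), and a global 'acl_xattr:ignore system acls = yes' is flagged. The config, map and log text embedded here are constructed copies of what Luis posted; the checker function names are this example's own.

```python
"""Check a Samba member-server smb.conf for the root-mapping pitfall from this thread.

Added example for this page; not Samba's own tooling. Assumes a plain
``key = value`` smb.conf and a username map in the ``!unix = DOMAIN\\user`` form.
"""
import re

# Constructed copy of the relevant [global] lines from the quoted smb.conf.
SMB_CONF = """
[global]
\trealm = MAD.MATER.INT
\tsecurity = ADS
\tserver role = member server
\tusername map = /etc/samba/user.map
\tworkgroup = MAD
\tacl_xattr:ignore system acls = yes
\tidmap config mad : unix_nss_info = yes
\tidmap config mad : range = 10000-999999
\tidmap config mad : schema_mode = rfc2307
\tidmap config mad : backend = ad
\tidmap config * : range = 3000-7999
\tidmap config * : backend = tdb
\tvfs objects = acl_xattr

[personales]
\tpath = /data/users/
\tread only = No
"""

# Constructed copy of the quoted /etc/samba/user.map.
USER_MAP = "!root = MAD\\Administrator\n"

# Constructed copy of the check_account line quoted from the server log.
LOG_LINE = ("check_account: Failed to convert SID "
            "S-1-5-21-2152908145-95474353-1514027631-500 to a UID "
            "(dom_user[MAD\\administrator])")

SID_RE = re.compile(r"Failed to convert SID (S-[\d-]+) to a UID \(dom_user\[([^\]]+)\]\)")


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}. Keys are lower-cased and
    whitespace around ':' is removed so 'idmap config mad : backend' and
    'idmap config mad:backend' compare equal."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf[section] = {}
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            key = re.sub(r"\s*:\s*", ":", key.strip().lower())
            conf[section][re.sub(r"\s+", " ", key)] = value.strip()
    return conf


def parse_user_map(text):
    """Return {unix_user: [domain users]} from a username map file ('!' stops
    further mapping in Samba and is dropped here)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        unix, _, domain_users = line.partition("=")
        mapping[unix.strip().lstrip("!")] = domain_users.split()
    return mapping


def parse_uid_failure(line):
    """Extract (sid, rid, domain_user) from a check_account failure, or None."""
    m = SID_RE.search(line)
    if not m:
        return None
    sid, user = m.groups()
    return sid, int(sid.rsplit("-", 1)[1]), user


def check_root_mapping(conf, user_map, log_line=None):
    """Return a list of findings about mapping a domain account to root."""
    findings = []
    g = conf.get("global", {})
    root_users = user_map.get("root", [])
    if root_users:
        # Samba refuses UIDs below 'min domain uid' (default 1000), so mapping
        # a domain account to root needs 'min domain uid = 0'.
        min_uid = g.get("min domain uid")
        if min_uid is None or int(min_uid) != 0:
            findings.append("username map maps %s to root but 'min domain uid = 0' is not set"
                            % ", ".join(root_users))
    if g.get("acl_xattr:ignore system acls", "").lower() in ("yes", "true", "1"):
        findings.append("'acl_xattr:ignore system acls = yes' is set in [global]; "
                        "the thread reports it leaves only Administrator able to manage ACLs")
    hit = parse_uid_failure(log_line) if log_line else None
    if hit:
        sid, rid, user = hit
        note = "log: SID %s (RID %d) for %s could not be mapped to a UID" % (sid, rid, user)
        if rid == 500:
            note += "; RID 500 is the built-in Administrator, which has no uidNumber here"
        findings.append(note)
    return findings


if __name__ == "__main__":
    for finding in check_root_mapping(parse_smb_conf(SMB_CONF),
                                      parse_user_map(USER_MAP), LOG_LINE):
        print("-", finding)
```

Running it against the quoted configuration yields three findings; adding 'min domain uid = 0' to [global] and dropping the global 'acl_xattr:ignore system acls' line clears the configuration findings.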
