[Samba] Usrname map and Windows ACLs question

Luis Peromarta lperoma at icloud.com
Sat Jun 8 16:58:48 UTC 2024


Guys,

I have been playing around with this with the ad idmap. These are my findings:

smb.conf:

# Global parameters
[global]
        security = ADS
        workgroup = MAD
        realm = MAD.CAPONATO.ES
        netbios name = MEMBER
        server role = member server
        log file = /var/log/samba/%m.log


# Disable Netbios
        disable netbios = yes

# Enforce minimum protocol SMB3
#       server min protocol = SMB3

# To enable Group Policy application in winbind,
        apply group policies = yes

# Default ID mapping configuration for local BUILTIN accounts
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

# idmap config for the MAD domain
        idmap config MAD : backend = ad
        idmap config MAD : schema_mode = rfc2307
        idmap config MAD : range = 10000-999999
        idmap config MAD : unix_nss_info = yes

# winbind config:
        winbind use default domain = yes

# renew the kerberos ticket
        winbind refresh tickets = yes
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

# Map Administrator to root
#       username map = /etc/samba/user.map
#       min domain uid = 0

# To configure shares using extended access control lists (ACL)
        vfs objects = acl_xattr
        map acl inherit = yes
#       acl_xattr:ignore system acls = yes


[test]
        hide unreadable = Yes
        path = /test
        read only = No


Prerequisites:

Domain Admins has no gidNumber
Administrator has no uidNumber
No root mapping in smb.conf
"Unix admins" has a gidNumber and is a member of Domain Admins (MAD\luis)

Steps:
Join domain using a user who is member of Unix Admins -> OK
Create share folder and chown root:"unix admins" and chmod 0700
Restart smbd. Or just reboot.
I have *not* granted any privileges on the member server.
Used Windows to set permissions on new share. No issues.


Does this make sense? No mapping and no permissions granted?


LP
On May 29, 2024 at 15:22 +0100, samba at lists.samba.org <samba at lists.samba.org>, wrote:
>
> I really must update that wikipage, I carried out some tests last
> November and found that it appears you no longer need the usermap, see
> here:
>
> https://lists.samba.org/archive/samba/2023-November/247267.html
>
> If you are using the 'ad' idmap config backend, then you must not give
> 'Administrator' a uidNumber attribute or give 'Domain Admins' a
> gidNumber attribute, to do either will break SYSVOL.
>
> So yes, whilst I do not understand why RSAT doesn't work with the
> usermap, you no longer require the usermap.
>
> Rowland

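As an added example (not code from Luis's post or from the Samba project), a small Python lint over the smb.conf above: it parses the [global] section with its own minimal reader, flags idmap ranges that overlap, warns if a username map is still configured alongside an 'ad' idmap backend (which Rowland's reply says is no longer needed), and checks that acl_xattr is loaded so Windows ACLs can be stored. The conf text is a constructed copy of the relevant lines; the parser and checks are assumptions of this example, not Samba's own validation.

```python
import re

# Constructed copy of the relevant [global] lines from the smb.conf in this thread.
SMB_CONF = """
[global]
        security = ADS
        workgroup = MAD
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config MAD : backend = ad
        idmap config MAD : range = 10000-999999
#       username map = /etc/samba/user.map
        vfs objects = acl_xattr
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {normalised key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or commented-out line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        # collapse internal whitespace so "idmap config MAD : range" keys compare reliably
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def lint_idmap(conf):
    """Return a list of problems found in the [global] idmap/ACL settings."""
    g, problems, ranges, backends = conf["global"], [], {}, {}
    for key, value in g.items():
        m = re.fullmatch(r"idmap config (\S+) : (range|backend)", key)
        if m and m.group(2) == "range":
            ranges[m.group(1)] = tuple(int(x) for x in value.split("-"))
        elif m:
            backends[m.group(1)] = value.lower()
    names = sorted(ranges)
    for i, a in enumerate(names):             # every pair of idmap ranges must be disjoint
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"idmap ranges overlap: {a} {ranges[a]} vs {b} {ranges[b]}")
    if "ad" in backends.values() and "username map" in g:
        problems.append("username map set although an 'ad' idmap backend is in use")
    if "acl_xattr" not in g.get("vfs objects", "").split():
        problems.append("vfs objects lacks acl_xattr, Windows ACLs will not be stored")
    return problems
```

Running `lint_idmap(parse_smb_conf(SMB_CONF))` on the config as posted returns an empty list; point it at a variant with a re-enabled username map or a range starting inside 3000-7999 and it names each problem.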
