[Samba] Username map and Windows ACLs question
Ivan Lopez
ilopez at enress.gov.ar
Tue May 28 16:49:57 UTC 2024
Hi, people. I hope you are doing well.
Could you help me, please? I have a question about "username map" in SAMBA
File Servers.
We have DCs and File Servers based on Samba 4.19.6 (from MJT
repository http://www.corpit.ru/mjt/packages/samba bookworm/samba-4.19/
) running over Debian 12.5.
When we were configuring file servers, we first followed the guide
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
There, it is advised:
/You should map the domain Administrator account to the local root
account on a Unix domain member. Configuring the mapping allows the
domain Administrator to execute file operations as root on the Unix
domain member/
/Add the following parameter to the [global] section of your smb.conf file:
username map = /usr/local/samba/etc/user.map
Create the /usr/local/samba/etc/user.map file with the following content:
!root = SAMDOM\Administrator/
/If you are using samba v4.13.14 or later you will also need to add the
following to allow mapping to the root user: min domain uid = 0/
Actually, our user.map file contains:
/!root = OURDOM\Administrator OURDOM\administrator Administrator
administrator/
After the server was joined, we used
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.
Shares could be configured and used correctly.
But, with the "username map" option set, RSAT "Sessions" and "Open
Files" stop working, saying "You don't have permissions to view the list
...." (the message was translated from Spanish). However, we can manage
shares' permissions via RSAT without any problem. By the way, RSAT runs
on a Windows 10 PC and the user who runs it is logged in as
OURDOM\administrator. Shares can be accessed by clients as they should.
In the File Server's log we can see:
[2024/05/27 14:09:59.132155, 3]
source3/rpc_server/rpc_server.c:261(ncacn_terminate_connection)
ncacn_terminate_connection: Terminating connection - 'dcesrv:
NT_STATUS_CONNECTION_DISCONNECTED'
[2024/05/27 14:10:03.953721, 1]
source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1639(_srvsvc_NetSessEnum)
*Enumerating sessions only allowed for administrators*
[2024/05/27 14:10:03.984777, 3]
source3/rpc_server/rpc_server.c:261(ncacn_terminate_connection)
When we disable the "username map" option, RSAT behaves as it should.
Besides that, we can manage and access the shares without problems, so
the question is:
What kind of file operations (or operations in general) could be
affected without that mapping, considering that we manage file
permissions using Windows ACLs and access the shares via SAMBA and
Windows only?
Thanks in advance.
Best Regards.
--
Ing Iván López
Sistemas - ENRESS
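
Added example (not part of the original message and not Samba's own code): a small Python audit that parses a username map file and shows which client names end up as which Unix account, useful for reviewing who is mapped to root. The sample map is constructed from the line quoted in the post plus a hypothetical "backup" entry; the line-by-line semantics follow the smb.conf(5) description of "username map", case-insensitive name matching is an assumption, and @group entries are not evaluated.

```python
import re

# Constructed sample modelled on the user.map line quoted in the post.
# The "backup" entry is hypothetical and only exercises quoted names.
SAMPLE_MAP = r"""
# lines starting with '#' or ';' are comments
!root = OURDOM\Administrator OURDOM\administrator Administrator administrator
backup = "OURDOM\Backup Operator"
"""

def parse_map(text):
    """Return a list of (unix_user, [client names], stop_on_match) entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        stop = line.startswith("!")  # '!' = stop processing if this line matched
        unix, _, rhs = line.lstrip("!").partition("=")
        # Double quotes allow client names that contain spaces.
        names = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', rhs)]
        entries.append((unix.strip(), names, stop))
    return entries

def resolve(entries, client_name):
    """Apply the map top to bottom; a match replaces the name for later lines."""
    name = client_name
    for unix, clients, stop in entries:
        # '*' is the wildcard; @group members cannot be checked offline.
        # Case-insensitive comparison is an assumption of this example.
        if any(c == "*" or c.casefold() == name.casefold() for c in clients):
            name = unix
            if stop:
                break
    return name

def root_mappings(entries):
    """Client names that some line maps directly to the root account."""
    return sorted({c for unix, clients, _ in entries if unix == "root" for c in clients})

if __name__ == "__main__":
    entries = parse_map(SAMPLE_MAP)
    print("mapped to root:", root_mappings(entries))
    for who in (r"OURDOM\administrator", r"OURDOM\alice"):
        print(who, "->", resolve(entries, who))
```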