[Samba] Usrname map and Windows ACLs question
Luis Peromarta
lperoma at icloud.com
Tue May 28 17:38:07 UTC 2024
Hola Iván,
Good that you use MJT repo, but you probably don’t need it, bookworm back ports provides the same version these days.
http://samba.bigbird.es/doku.php?id=samba:installing-from-backports
https://buildd.debian.org/status/package.php?p=samba&suite=bookworm-backports
Regarding your member server, may I suggest you check out my notes, based on official samba wiki:
http://samba.bigbird.es/doku.php?id=samba:file-server
Also for your ACLs:
http://samba.bigbird.es/doku.php?id=samba:configuring-shares
Un saludo,
LP
On May 28, 2024 at 18:09 +0100, Ivan Lopez via samba <samba at lists.samba.org>, wrote:
> Hi, people. I hope you are doing well
>
> Could you help me please?. I've a question about "username map" in SAMBA
> File Servers
>
> We have DCs and File Servers based on Samba 4.19.6 (from MJT
> repository http://www.corpit.ru/mjt/packages/samba bookworm/samba-4.19/
> ) running over Debian 12.5.
>
> When we were configuring file servers, we've followed first the guide
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
> There, it is advised:
>
> /You should map the domain Administrator account to the local root
> account on a Unix domain member. Configuring the mapping allows the
> domain Administrator to execute file operations as root on the Unix
> domain member/
>
> /Add the following parameter to the [global] section of your smb.conf file:
> username map = /usr/local/samba/etc/user.map
> Create the /usr/local/samba/etc/user.map file with the following content:
> !root = SAMDOM\Administrator/
>
> /If you are using samba v4.13.14 or later you will also need to add the
> following to allow mapping to the root user: min domain uid = 0/
>
> Actually, our user.map file contains:
>
> /!root = OURDOM\Administrator OURDOM\administrator Administrator
> administrator/
>
> After the server was joined, we used
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.
> Shares could be configured and used correctly.
>
> But, with "/username map"/ option setted, RSAT "Sessions" and "Open
> Files" stop working saying "You don't have permissions to view the list
> ...." (the message was translated from spanish). However, we can manage
> shares' permissions vía RSAT without any problem. By the way, RSAT runs
> in windows 10 PC and the user who runs it is logged in as
> OURDOM\administrator. Shares can be accessed by clients as they should.
>
> In the File Server's log we can see:
>
> /2024/05/27 14:09:59.132155, 3]
> source3/rpc_server/rpc_server.c:261(ncacn_terminate_connection)
> ncacn_terminate_connection: Terminating connection - 'dcesrv:
> NT_STATUS_CONNECTION_DISCONNECTED'
> [2024/05/27 14:10:03.953721, 1]
> source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1639(_srvsvc_NetSessEnum)
> *Enumerating sessions only allowed for administrators*
> [2024/05/27 14:10:03.984777, 3]
> source3/rpc_server/rpc_server.c:261(ncacn_terminate_connection)/
>
> When we disable "username map" option, RSAT behaves as it should.
> Besides that, we can manage and access the shares without problems, so
> the question is:
>
> What kind of file operations (or operations in general) could be
> affected without that mapping, considering that que manage file
> permissions using windows ACLs and access the shares via SAMBA and
> Windows only?
>
> Thanks in advance.
>
> Best Regards.
>
> --
> Ing Iván López
> Sistemas - ENRESS
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list