[Samba] Username map and Windows ACLs question

Ivan Lopez ilopez at enress.gov.ar
Wed May 29 12:40:42 UTC 2024


Hi! I've already read that really useful notebook. Thanks for it. 
Sadly, I couldn't find any differences.

All seems to work OK without "username map", but as soon as I map 
OURDOM\Administrator to root via "username map", I lose "Sessions" and 
"Open files" in RSAT, so I would like to know if I miss something 
without that mapping.

Do RSAT Sessions and Open Files work with YOURDOM\Administrator mapped 
to root in your infrastructure?

Thanks.

Ing Iván López
Sistemas - ENRESS

On 28/5/24 at 14:38, Luis Peromarta via samba wrote:
> Hello Iván,
>
> Good that you use MJT repo, but you probably don’t need it, bookworm backports provides the same version these days.
>
> http://samba.bigbird.es/doku.php?id=samba:installing-from-backports
>
> https://buildd.debian.org/status/package.php?p=samba&suite=bookworm-backports
>
>
> Regarding your member server, may I suggest you check out my notes, based on official samba wiki:
>
> http://samba.bigbird.es/doku.php?id=samba:file-server
>
> Also for your ACLs:
>
> http://samba.bigbird.es/doku.php?id=samba:configuring-shares
>
> Regards,
>
> LP
> On May 28, 2024 at 18:09 +0100, Ivan Lopez via samba <samba at lists.samba.org> wrote:
>> Hi, people. I hope you are doing well
>>
>> Could you help me, please? I have a question about "username map" in Samba
>> File Servers
>>
>> We have DCs and File Servers based on Samba 4.19.6 (from MJT
>> repository http://www.corpit.ru/mjt/packages/samba bookworm/samba-4.19/
>> ) running over Debian 12.5.
>>
>> When we were configuring file servers, we've followed first the guide
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
>> There, it is advised:
>>
>> /You should map the domain Administrator account to the local root
>> account on a Unix domain member. Configuring the mapping allows the
>> domain Administrator to execute file operations as root on the Unix
>> domain member/
>>
>> /Add the following parameter to the [global] section of your smb.conf file:
>> username map = /usr/local/samba/etc/user.map
>> Create the /usr/local/samba/etc/user.map file with the following content:
>> !root = SAMDOM\Administrator/
>>
>> /If you are using samba v4.13.14 or later you will also need to add the
>> following to allow mapping to the root user: min domain uid = 0/
>>
>> Actually, our user.map file contains:
>>
>> /!root = OURDOM\Administrator OURDOM\administrator Administrator
>> administrator/
>>
>> After the server was joined, we used
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.
>> Shares could be configured and used correctly.
>>
>> But, with the "username map" option set, RSAT "Sessions" and "Open
>> Files" stop working, saying "You don't have permissions to view the list
>> ...." (the message was translated from Spanish). However, we can manage
>> shares' permissions via RSAT without any problem. By the way, RSAT runs
>> on a Windows 10 PC and the user who runs it is logged in as
>> OURDOM\administrator. Shares can be accessed by clients as they should.
>>
>> In the File Server's log we can see:
>>
>> /2024/05/27 14:09:59.132155,  3]
>> source3/rpc_server/rpc_server.c:261(ncacn_terminate_connection)
>>    ncacn_terminate_connection: Terminating connection - 'dcesrv:
>> NT_STATUS_CONNECTION_DISCONNECTED'
>> [2024/05/27 14:10:03.953721,  1]
>> source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1639(_srvsvc_NetSessEnum)
>> *Enumerating sessions only allowed for administrators*
>> [2024/05/27 14:10:03.984777,  3]
>> source3/rpc_server/rpc_server.c:261(ncacn_terminate_connection)/
>>
>> When we disable "username map" option, RSAT behaves as it should.
>> Besides that, we can manage and access the shares without problems, so
>> the question is:
>>
>> What kind of file operations (or operations in general) could be
>> affected without that mapping, considering that we manage file
>> permissions using Windows ACLs and access the shares via Samba and
>> Windows only?
>>
>> Thanks in advance.
>>
>> Best Regards.
>>
>> --
>> Ing Iván López
>> Sistemas - ENRESS
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:https://lists.samba.org/mailman/options/samba
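
An added example, not part of the thread or of Samba itself: a small audit that reports which Windows names a `username map` file maps to root and whether `min domain uid = 0` is set in `[global]`. The function names are hypothetical, the `smb.conf` fragment is constructed from the parameters quoted above, and the parser assumes the username map format described in the smb.conf man page (`unixname = names`, `#` or `;` comments, optional leading `!`).

```python
import re

# Constructed sample smb.conf fragment, using the parameters quoted from the wiki.
SMB_CONF = """
[global]
    security = ads
    username map = /usr/local/samba/etc/user.map
    min domain uid = 0
"""
# The user.map line quoted in the post, preceded by a constructed comment.
USER_MAP = r"""
# constructed comment line
!root = OURDOM\Administrator OURDOM\administrator Administrator administrator
"""

def root_mappings(user_map_text):
    """Return the Windows names that a username map file maps to root."""
    names = []
    for raw in user_map_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        unix, sep, win = line.partition("=")
        if not sep:
            continue
        # A leading '!' only stops further map processing; strip it.
        if unix.strip().lstrip("!").strip() == "root":
            # Names may be double-quoted when they contain spaces.
            names += [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', win)]
    return names

def global_params(smb_conf_text):
    """Collect [global] parameters, lower-cased with whitespace collapsed."""
    params, section = {}, None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit(smb_conf_text, user_map_text):
    p = global_params(smb_conf_text)
    names = root_mappings(user_map_text) if "username map" in p else []
    return {"map_file": p.get("username map"), "root_names": names,
            "min_domain_uid_0": p.get("min domain uid") == "0"}

if __name__ == "__main__":
    print(audit(SMB_CONF, USER_MAP))
```
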
