Hello,

I just went to migrate my fileserver from samba3 to samba4, but I have a problem
with the administrator account.

The group "domain admins" has the permission to manage all my shares.
Administrator is a member of the group "domain admins", but he can't
manage the security tab of all my shares when I remove "full control"
from the share permissions tab.
All the members of "Domain admins", except administrator,
do not have this problem.

I think the problem appears when we map "administrator" to
"root" in the smb.conf.

Moreover, the "administrator" account doesn't appear with a getent passwd:

[root at fileserver ~]# getent passwd |grep dministrator
[root at fileserver ~]# wbinfo -u |grep dministrator
administrator

My smb.conf:
[global]
  netbios name = XXX
  workgroup = XXX
  security = ADS
  realm = XXX.XXX
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab
  username map = /usr/local/samba/etc/samba_usermapping
  idmap config *:backend = tdb
  idmap config *:range = 300000-400000
  idmap config XXX:backend = ad
  idmap config XXX:schema_mode = rfc2307
  idmap config XXX:range = 500-200000
  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  winbind refresh tickets = Yes
  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes
  template homedir = /home/%U
...
[shareA]
    path =/xxx/shareA
    comment
    hosts allow = X.X.X.
    writable = Yes
    read only = No
Local permissions
[root at fileserver]# getfacl /xxx/shareA
# file: alp-exp
# owner: root
# group: root
user::rwx
user:root:rwx
group::rwx
group:root:rwx
group:domain\040admins:rwx
group:domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:domain\040users:rwx
default:mask::rwx
default:other::r-x
And the mapping between root and administrator
[root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
!root = LAN\Administrator LAN\\Administrator LAN\administrator

On 06/08/15 12:57, Aurélien Blachet wrote:
> And the mapping between root and administrator
> [root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
> !root = LAN\Administrator LAN\\Administrator LAN\administrator

Try adding 'Administrator administrator' to the line in 'samba_usermapping'

Rowland

I still have the same problem with:

[root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
!root = DOMAIN\Administrator DOMAIN\\Administrator DOMAIN\administrator Administrator adm inistrator

________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
Sent: Thursday, 6 August 2015 16:06
To: samba at lists.samba.org
Subject: Re: [Samba] Problems with administrator account

> Try adding 'Administrator administrator' to the line in 'samba_usermapping'
>
> Rowland
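
The `username map` line posted in this thread, run through a small resolver that follows the line-by-line rules described in smb.conf(5), to show which client names end up as `root`. This is an added example, not code from the thread or from Samba; `parse_username_map`, `resolve` and `names_mapped_to` are hypothetical helpers, case-insensitive comparison is an assumption, and `@group` entries are not expanded.

```python
import re

# Constructed sample: the map line quoted in the thread, preceded by a comment.
SAMPLE_MAP = r'''
# map the domain administrator to the local root account
!root = LAN\Administrator LAN\\Administrator LAN\administrator
'''

def parse_username_map(text):
    """Return (unix_name, [client names], stop_on_match) for each map line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank lines and comments
            continue
        stop = line.startswith("!")           # '!' ends processing after a match
        unix_name, sep, rhs = line.lstrip("!").partition("=")
        if not sep:
            continue                          # no '=': not a mapping line
        # Names are whitespace-separated; double quotes protect embedded spaces.
        names = [n.strip('"') for n in re.findall(r'"[^"]*"|\S+', rhs)]
        entries.append((unix_name.strip(), names, stop))
    return entries

def resolve(entries, client_name):
    """Apply the map line by line and return the resulting Unix name."""
    current = client_name
    for unix_name, names, stop in entries:
        # Assumption: names compare case-insensitively; '*' matches any name.
        # '@group' entries are not expanded here.
        if any(n == "*" or n.lower() == current.lower() for n in names):
            current = unix_name
            if stop:
                break
    return current

def names_mapped_to(entries, unix_name="root"):
    """List every client name that a map grants the given Unix identity."""
    return [n for u, names, _ in entries if u == unix_name for n in names]

if __name__ == "__main__":
    entries = parse_username_map(SAMPLE_MAP)
    print("mapped to root:", names_mapped_to(entries))
    for name in (r"LAN\Administrator", "Administrator", r"LAN\jdoe"):
        print(f"{name!r} -> {resolve(entries, name)!r}")
```

With the map as first posted, only the domain-qualified names resolve to `root`; the bare name `Administrator` passes through unchanged, and the `LAN\\Administrator` token is a literal two-backslash name.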