Sorry for my mistake.

It resolves the groupmap problem:
[root@fileserver ~]# net groupmap list
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users

But I still have the administrator problem. I have followed the wiki.samba doc and I have set the SeDiskOperatorPrivilege:
net rpc rights list accounts -U'DOMAIN\administrator'
DOMAIN\Domain Admins
SeDiskOperatorPrivilege

but administrator is still the only user of the group 'domain admins' who can't manage the security tab of my shares on Windows when I remove "everyone" from the "share permissions" tab.
Even if I add the administrator "account" directly in this tab.
________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
Sent: Friday 7 August 2015 11:53
To: samba at lists.samba.org
Subject: Re: [Samba] Problems with administrator account

On 07/08/15 09:37, Aurélien Blachet wrote:
> Oh thank you
>
> Just to be sure to understand :
> -getent passwd | grep administrator and id administrator didn't work on Fileserver because administrator account didn't have uidNumber

If Administrator doesn't have a uidNumber, it will not be known to the Unix host, this is why you either have to give Administrator a uidNumber OR as you are doing, map Administrator to root.
You should be able to change the settings using Administrator (as a member of Domain Admins) from windows, providing you have set the required disk operating privileges.
See here for more info:
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

> -it is also why administrator account can't manage fileserver with windows permissions
>
> Just one more thing please :
>
> Why is my administrators group mapped on unix users ?
> [root#fileserver ~]# net groupmap list
> Administrators (S-1-5-32-544) -> users
> Users (S-1-5-32-545) -> BUILTIN\users

Er, it shouldn't be:
rowland@ThinkPad ~ $ sudo net groupmap list
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users

I would change this, try:

net groupmap modify ntgroup="Administrators" unixgroup="BUILTIN\administrators"

One other thing I noticed was your use of 'sanitizing', you use 'XXX', 'LAN' and 'DOMAIN'. As long as these are all replacements for your workgroup, this shouldn't be a problem.

Lastly, this is my usermap, replace 'EXAMPLE' with your uppercase workgroup name, this works for me.

!root = EXAMPLE\Administrator Administrator administrator

Note: I also have this line in smb.conf: winbind normalize names = Yes

Rowland

> [root@massy01 ~]# net groupmap list verbose
> Administrators
> SID : S-1-5-32-544
> Unix gid : 100
> Unix group: users
> Group type: Local Group
> Comment :
> Users
> SID : S-1-5-32-545
> Unix gid : 101
> Unix group: BUILTIN\users
> Group type: Local Group
> Comment :
>
> ________________________________________
> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
> Sent: Thursday 6 August 2015 17:51
> To: samba at lists.samba.org
> Subject: Re: [Samba] Problems with administrator account
>
> On 06/08/15 15:32, Aurélien Blachet wrote:
>> I still have the same problem with :
>> [root@fileserver ~]# more /usr/local/samba/etc/samba_usermapping
>> !root = DOMAIN\Administrator DOMAIN\\Administrator DOMAIN\administrator Administrator administrator
>>
>> ________________________________________
>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
>> Sent: Thursday 6 August 2015 16:06
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Problems with administrator account
>>
>> On 06/08/15 12:57, Aurélien Blachet wrote:
>>> Hello,
>>>
>>> I just went to migrate my fileserver from samba3 to samba4 but I have a problem with the administrator account.
>>>
>>> The group "domain admins" has the permission to manage all my shares
>>>
>>> Administrator is a member of the group "domain admins" but he can't manage the security tab of all my shares when I remove "full control" from the share permissions tab.
>>>
>>> While all the members of "Domain admins", except administrator, didn't have this problem.
>>>
>>> I think the problem appears when we map "administrator" to "root" in the smb.conf.
>>>
>>> Moreover the "administrator" account didn't appear with a getent passwd
>>>
>>> [root@fileserver ~]# getent passwd |grep dministrator
>>>
>>> [root@fileserver ~]# wbinfo -u |grep dministrator
>>> administrator
>>>
>>> my smb.conf :
>>> [global]
>>>
>>> netbios name = XXX
>>> workgroup = XXX
>>> security = ADS
>>> realm = XXX.XXX
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> username map = /usr/local/samba/etc/samba_usermapping
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 300000-400000
>>> idmap config XXX:backend = ad
>>> idmap config XXX:schema_mode = rfc2307
>>> idmap config XXX:range = 500-200000
>>>
>>> winbind nss info = rfc2307
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind refresh tickets = Yes
>>> vfs objects = acl_xattr
>>> map acl inherit = Yes
>>> store dos attributes = Yes
>>> template homedir = /home/%U
>>> ...
>>>
>>> [shareA]
>>> path =/xxx/shareA
>>> comment
>>> hosts allow = X.X.X.
>>> writable = Yes
>>> read only = No
>>>
>>> Local permissions
>>> [root@fileserver]# getfacl /xxx/shareA
>>> # file: alp-exp
>>> # owner: root
>>> # group: root
>>> user::rwx
>>> user:root:rwx
>>> group::rwx
>>> group:root:rwx
>>> group:domain\040admins:rwx
>>> group:domain\040users:rwx
>>> mask::rwx
>>> other::rwx
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:group::r-x
>>> default:group:root:r-x
>>> default:group:domain\040users:rwx
>>> default:mask::rwx
>>> default:other::r-x
>>> And the mapping between root and administrator
>>> [root@=fileserver ~]# more /usr/local/samba/etc/samba_usermapping
>>> !root = LAN\Administrator LAN\\Administrator LAN\administrator
>> Try adding 'Administrator administrator' to the line in 'samba_usermapping'
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
> Ah, I think you are mixing up Unix permissions and windows permissions.
> You will only get 'Administrator' to show up with getent if you give the
> Administrator user a uidNumber and use the 'ad' backend. As you are
> mapping 'Administrator' to root it will get the UID of '0' which is also
> the UID of 'root'. From windows you will set the permissions of
> 'Administrator', but on the unix side using getfacl it will show as 'root'
>
> Rowland
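
The group-map check from the exchange above, as an added example that is not part of the original thread: a Python parser for `net groupmap list` output (short and verbose forms, samples copied from the messages) that flags BUILTIN SIDs mapped to a local Unix group. The function names and the rule itself (taken from the reply that says the mapping should be `BUILTIN\administrators`) are assumptions made for illustration.

```python
import re

# Short form printed by `net groupmap list`:
#   Administrators (S-1-5-32-544) -> BUILTIN\administrators
SHORT_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>.+)$")
# Field labels printed by `net groupmap list verbose`.
VERBOSE_KEYS = {"SID": "sid", "Unix gid": "gid", "Unix group": "unixgroup",
                "Group type": "type", "Comment": "comment"}
BUILTIN_SID_PREFIX = "S-1-5-32-"   # well-known BUILTIN domain SIDs


def parse_groupmap(text):
    """Parse short or verbose `net groupmap list` output into dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SHORT_RE.match(line)
        if m:
            entries.append({"ntgroup": m["nt"], "sid": m["sid"],
                            "unixgroup": m["unix"].strip()})
            continue
        key, sep, value = line.partition(":")
        field = VERBOSE_KEYS.get(key.strip()) if sep else None
        if field is None:
            # Not a known "label : value" line, so it opens a new verbose entry.
            entries.append({"ntgroup": line, "sid": "", "unixgroup": ""})
        elif entries:
            entries[-1][field] = value.strip()
    return entries


def audit(entries):
    """Assumed rule (from the reply in this thread): a BUILTIN SID should map
    to a winbind-provided BUILTIN\\... group, not to a local Unix group."""
    findings = []
    for e in entries:
        if (e["sid"].startswith(BUILTIN_SID_PREFIX)
                and not e["unixgroup"].upper().startswith("BUILTIN\\")):
            findings.append((e["ntgroup"], e["sid"], e["unixgroup"], e.get("gid")))
    return findings


# Outputs copied from the messages in this thread.
BEFORE_SHORT = r"""
Administrators (S-1-5-32-544) -> users
Users (S-1-5-32-545) -> BUILTIN\users
"""
BEFORE_VERBOSE = r"""
Administrators
SID : S-1-5-32-544
Unix gid : 100
Unix group: users
Group type: Local Group
Comment :
Users
SID : S-1-5-32-545
Unix gid : 101
Unix group: BUILTIN\users
Group type: Local Group
Comment :
"""
AFTER_SHORT = r"""
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users
"""

if __name__ == "__main__":
    for name, sample in [("before", BEFORE_SHORT), ("before (verbose)", BEFORE_VERBOSE),
                         ("after", AFTER_SHORT)]:
        for nt, sid, unix, gid in audit(parse_groupmap(sample)):
            print(f"{name}: {nt} ({sid}) -> {unix!r} gid={gid}")
```
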

On 07/08/15 13:25, Aurélien Blachet wrote:
> Sorry for my mistake.
>
> It resolves the groupmap problem:
> [root@fileserver ~]# net groupmap list
> Administrators (S-1-5-32-544) -> BUILTIN\administrators
> Users (S-1-5-32-545) -> BUILTIN\users
>
> But I still have the administrator problem. I have followed the wiki.samba doc and I have set the SeDiskOperatorPrivilege:
> net rpc rights list accounts -U'DOMAIN\administrator'
> DOMAIN\Domain Admins
> SeDiskOperatorPrivilege
>
> but administrator is still the only user of the group 'domain admins' who can't manage the security tab of my shares on Windows when I remove "everyone" from the "share permissions" tab.
> Even if I add the administrator "account" directly in this tab.

OK, I think you may be having a similar problem to another user on here, Domain Admins is unknown to the underlying Unix OS, what does 'getent passwd Domain\ Admins' produce when run on the Unix machine?

Can you also post the outcome of these two commands:

ls -la /path/to/shared/directory
getfacl /path/to/shared/directory

Rowland

I guess you want getent group, so I give you both. But administrator is the only user of the "domain admin" group with problems.

[root@fileserver ~]# getent passwd Domain\ Admins
[root@fileserver ~]# getent group Domain\ Admins
domain admins:x:512:

[root@fileserver ~]# ls -la /partages/share
total 181260
drwxrwxrwx+ 2 root root 4096 26 mars 2013 .
drwxr-xr-x 13 root root 4096 5 août 13:14 ..
-rwxrwxrw-+ 1 37313 domain users 185597486 26 mars 2013 fichier.rar

The user with uid 37313 has been deleted.

[root@fileserver ~]# getfacl /partages/share
getfacl : suppression du premier « / » des noms de chemins absolus
# file: partages/share
# owner: root
# group: root
user::rwx
user:root:rwx
group::rwx
group:root:rwx
group:domain\040admins:rwx
group:domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:root:r-x
default:group:domain\040admins:rwx
default:group:domain\040users:rwx
default:mask::rwx
default:other::rwx

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
Sent: Friday 7 August 2015 14:52
To: samba at lists.samba.org
Subject: Re: [Samba] Problems with administrator account

OK, I think you may be having a similar problem to another user on here, Domain Admins is unknown to the underlying Unix OS, what does 'getent passwd Domain\ Admins' produce when run on the Unix machine?

Can you also post the outcome of these two commands:

ls -la /path/to/shared/directory
getfacl /path/to/shared/directory

Rowland