Mark Foley
2019-Aug-21 21:47 UTC
[Samba] Authenticating Samba Share with Domain Administrator
I have a NAS (Linux/Slackware 14.2) that is a domain member. "Normal" AD Windows users can map shared directories just fine without having to enter Credentials. If I try doing that with the domain Administrator it prompts me for the credentials, then fails. On the NAS I can get an "OK" status with ntlm_auth using the administrator credentials. I cannot 'su -' to the administrator account on the NAS, nor can I do so on the AD/DC. On the latter I get "Authentication Failure".
On the NAS, a getent for a normal user gives:
# getent passwd mark
mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
I cannot getent for the administrator on the NAS (comes back blank), but I can do so on the AD/DC:
getent passwd Administrator
HPRS\administrator:*:0:10000:Administrator:/home/HPRS/administrator:/bin/bash
Is there some setting in the NAS smb.conf that will fix this?
Here is my smb.conf on the NAS:
# Global parameters
[global]
netbios name = OHPRSSTORAGE
server string = HPRS NAS server
domain master = no
prefered master = no
realm = HPRS.LOCAL
workgroup = HPRS
usershare allow guests = Yes
usershare max shares = 10
security = ADS
template shell = /bin/bash
max log size = 10000
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-10099
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
[Backups]
comment = HPRS domain current backup respository
path = /mnt/RAID/Backups
public = yes
guest ok = yes
guest only = yes
writeable = yes
browseable= yes
printable = no
force user = ohprso
force group = ohprs
create mask = 0660
directory mask = 2771
Rowland penny
2019-Aug-22 07:04 UTC
[Samba] Authenticating Samba Share with Domain Administrator
On 21/08/2019 22:47, Mark Foley via samba wrote:
> I have a NAS (Linux/Slackware 14.2) that is a domain member. "Normal" AD Windows users can map
> shared directories just fine without having to enter Credentials. If I try doing that with the
> domain Administrator it prompts me for the credentials, then fails. On the NAS I can get an
> "OK" status with ntlm_auth using the administrator credentials. I cannot 'su -' to the
> administrator account on the NAS, nor can I do so on the AD/DC. On the latter I get
> "Authentication Failure".
>
> On the NAS, a getent for a normal user gives:
>
> # getent passwd mark
> mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
>
> I cannot getent for the administrator on the NAS (comes back blank), but I can do so on the AD/DC:
>
> getent passwd Administrator
> HPRS\administrator:*:0:10000:Administrator:/home/HPRS/administrator:/bin/bash
>
> Is there some setting in the NAS smb.conf that will fix this?
>
> Here is my smb.conf on the NAS:
>
> # Global parameters
> [global]
> netbios name = OHPRSSTORAGE
>
> server string = HPRS NAS server
>
> domain master = no
> prefered master = no
>
> realm = HPRS.LOCAL
> workgroup = HPRS
> usershare allow guests = Yes
> usershare max shares = 10
> security = ADS
> template shell = /bin/bash
>
> max log size = 10000
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config HPRS:backend = ad
> idmap config HPRS:schema_mode = rfc2307
> idmap config HPRS:range = 10000-10099
>
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
>
> [Backups]
> comment = HPRS domain current backup respository
> path = /mnt/RAID/Backups
> public = yes
> guest ok = yes
> guest only = yes
> writeable = yes
> browseable= yes
> printable = no
> force user = ohprso
> force group = ohprs
> create mask = 0660
> directory mask = 2771
>

Mark, from a quick search, slackware 14.2 uses Samba 4.6.16 at maximum, this is EOL as far as Samba is concerned.

There is nothing you can do to get Administrator to log into a Unix domain member, but you can map Administrator to the root user. Add this line to your smb.conf:

    username map = /etc/samba/user.map

Create /etc/samba/user.map containing just this:

!root = HPRS\Administrator

Coming back to your smb.conf and the [Backups] share in particular, you should remove 'public = yes', it means the same as 'guest ok = yes'. However, you might as well also remove 'guest ok = yes' and 'guest only = yes' because you do not have 'map to guest = bad user' set in [global], so you will not get any guest access ;-)

Rowland
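An added illustration (not from the thread or from Samba's own code) of the two points in Rowland's reply: how a 'username map' rule like the one above resolves a login, and why 'public'/'guest ok' on a share cannot take effect while 'map to guest' is left at its default of Never in [global]. The map file and the trimmed smb.conf are constructed samples modelled on the thread; the parser is deliberately minimal (no '@group' or '*' entries) and assumes case-insensitive name matching, as Samba uses for user names.

```python
# Added example: simplified model of Samba's 'username map' and of when guest
# access on a share is actually reachable. Not Samba's implementation.
from configparser import ConfigParser

# Constructed inputs modelled on the thread (assumed, not the poster's real files).
USER_MAP = "!root = HPRS\\Administrator\n"
SMB_CONF = """[global]
security = ADS
[Backups]
path = /mnt/RAID/Backups
public = yes
guest ok = yes
guest only = yes
"""

def parse_user_map(text):
    """Parse 'unixname = name1 name2 ...' rules; a leading '!' stops after that match.
    Simplification: '@group' and '*' entries are not handled here."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" not in line:
            continue
        left, right = line.split("=", 1)
        names = [n.strip().lower() for n in right.split()]
        rules.append((left.lstrip("!").strip(), names, left.startswith("!")))
    return rules

def map_user(login, rules):
    """Apply rules in order, case-insensitively; an unmatched login passes through unchanged."""
    name = login
    for unix, names, stop in rules:
        if name.lower() in names:
            name = unix
            if stop:
                break
    return name

def check_guest(conf_text, share):
    """Report whether guest access on a share is requested and whether it can take effect."""
    # '=' only: smb.conf keys such as 'idmap config *:backend' contain ':'.
    cp = ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    yes = lambda v: v.strip().lower() in ("yes", "true", "1")
    g, s = cp["global"], cp[share]
    requested = yes(s.get("guest ok", "no")) or yes(s.get("public", "no"))
    # 'map to guest' defaults to Never, so guest requests are refused unless it is set.
    effective = requested and g.get("map to guest", "never").strip().lower() != "never"
    redundant = ["public"] if "public" in s and "guest ok" in s else []
    return {"requested": requested, "effective": effective, "redundant": redundant}
```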
Mark Foley
2019-Aug-28 03:34 UTC
[Samba] Authenticating Samba Share with Domain Administrator
On Thu, 22 Aug 2019 08:04:10 +0100 Rowland penny <rpenny at samba.org> wrote:
>
> On 21/08/2019 22:47, Mark Foley via samba wrote:
> > I have a NAS (Linux/Slackware 14.2) that is a domain member. "Normal" AD Windows users can map
> > shared directories just fine without having to enter Credentials. If I try doing that with the
> > domain Administrator it prompts me for the credentials, then fails. On the NAS I can get an
> > "OK" status with ntlm_auth using the administrator credentials. I cannot 'su -' to the
> > administrator account on the NAS, nor can I do so on the AD/DC. On the latter I get
> > "Authentication Failure".
> >
> > On the NAS, a getent for a normal user gives:
> >
> > # getent passwd mark
> > mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> >
> > I cannot getent for the administrator on the NAS (comes back blank), but I can do so on the AD/DC:
> >
> > getent passwd Administrator
> > HPRS\administrator:*:0:10000:Administrator:/home/HPRS/administrator:/bin/bash
> >
> > Is there some setting in the NAS smb.conf that will fix this?
> >
> > Here is my smb.conf on the NAS:
> >
> > # Global parameters
> > [global]
> > netbios name = OHPRSSTORAGE
> >
> > server string = HPRS NAS server
> >
> > domain master = no
> > prefered master = no
> >
> > realm = HPRS.LOCAL
> > workgroup = HPRS
> > usershare allow guests = Yes
> > usershare max shares = 10
> > security = ADS
> > template shell = /bin/bash
> >
> > max log size = 10000
> >
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> > idmap config HPRS:backend = ad
> > idmap config HPRS:schema_mode = rfc2307
> > idmap config HPRS:range = 10000-10099
> >
> > winbind enum groups = Yes
> > winbind enum users = Yes
> > winbind nss info = rfc2307
> > winbind offline logon = Yes
> > winbind refresh tickets = Yes
> > winbind use default domain = Yes
> >
> > [Backups]
> > comment = HPRS domain current backup respository
> > path = /mnt/RAID/Backups
> > public = yes
> > guest ok = yes
> > guest only = yes
> > writeable = yes
> > browseable= yes
> > printable = no
> > force user = ohprso
> > force group = ohprs
> > create mask = 0660
> > directory mask = 2771
> >
> Mark, from a quick search, slackware 14.2 uses Samba 4.6.16 at maximum,
> this is EOL as far as Samba is concerned.
>
> There is nothing you can do to get Administrator to log into a Unix
> domain member, but you can map Administrator to the root user. Add this
> line to your smb.conf:
>
>     username map = /etc/samba/user.map
>
> Create /etc/samba/user.map containing just this:
>
> !root = HPRS\Administrator
>
> Coming back to your smb.conf and the [Backups] share in particular, you
> should remove 'public = yes', it means the same as 'guest ok = yes'.
> However, you might as well also remove 'guest ok = yes' and 'guest only
> = yes' because you do not have 'map to guest = bad user' set in
> [global], so you will not get any guest access ;-)
>
> Rowland
>

Thanks for the feedback. I removed 'public = yes', 'guest ok = yes' and 'guest only = yes' from my [Backups] section, but problem ... While Windows users could still map the [Backups] mount, the Acronis Backup on ALL office workstations failed. Acronis has the destination as a sub-folder of [Backups]. When I put those directives back, the backups succeeded.

I'm no expert at smb.conf by any stretch. I adapted these settings from kjhambrick's smb.conf at LinuxQuestions.org. These public/guest settings must be needed for some reason.

Before I go to the trouble of adding that 'user map' directive, how will that work? Will the remote samba client have to use 'root' as the login credential or 'Administrator'? If, when mapping the drive, the (WIN7) client can use Administrator's credentials, that will work for what I want. If the client has to use root, that's probably not going to work. Please advise.

Also, this Slackware 14.2 NAS system is running Samba 4.6.16. The Slackware 14.2 AD/DC is running 4.8.2. For my purposes, does that matter? Should I upgrade the NAS to 4.8.2?