Juan Ignacio
2022-Nov-28 16:11 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
I didn't log into Unix directly, I logged on to a Windows machine.
The problem is I needed the administrator account to manage some GPOs and move the files from one member server to another and rewrite the permissions, timestamp and file ownership on Windows.
If I write a file on the member it shows as root, which seems correct to me because I don't want anyone accessing that share right now.
At least until I finish migrating the files.

> Administrator is the Windows
> administrator with the RID '500', so with your DOMAIN low range it will
> have the Unix ID 10500, it is just a normal Unix user.

How can I know that?

We are not mapping administrator to root?

OURDOMAIN\administrator is not equal to root and the uid=0?

Sorry, I'm trying to understand better.

On Mon, 28 Nov 2022 at 12:53, Rowland Penny via samba (<samba at lists.samba.org>) wrote:

> On 28/11/2022 15:40, Juan Ignacio wrote:
> > I'm on a Windows client, logged in with the OURDOMAIN\administrator
> > account.
> >
> > The content of /etc/samba/user.map
> >
> > !root = OURDOMAIN\Administrator
> >
> > The smb.conf.
> >
> > [global]
> > log file = /var/log/samba/%m.log
> > log level = 1
> > realm = OURDOMAIN.ORG
> > security = ADS
> > server role = member server
> > username map = /etc/samba/user.map
> > workgroup = OURDOMAIN
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config kennedy : backend = rid
> > idmap config kennedy : range = 10000-9999999
> >
> > On Unix.
> >
> > I checked the shares with smbclient and I got Invalid Token
> >
> > root at memberdc:/etc/samba# smbclient -L \\\\10.20.1.55 -U administrator
> > Password for [OURDOMAIN\administrator]:
> > session setup failed: NT_STATUS_INVALID_TOKEN
> >
> > If I do the same with another domain user I get the shares correctly.
> >
> > smbclient -L \\\\10.20.1.55 -U pepito
> > Password for [OURDOMAIN\pepito]:
> >
> >         Sharename       Type      Comment
> >         ---------       ----      -------
> >         sharetest       Disk
> >         test            Disk
> >         IPC$            IPC       IPC Service (Samba 4.17.3-Debian)
> > SMB1 disabled -- no workgroup available
>
> NEVER use Administrator on a Unix machine. Administrator is the Windows
> administrator with the RID '500', so with your DOMAIN low range it will
> have the Unix ID 10500, it is just a normal Unix user.
>
> However that isn't your real problem, try adding this line:
>
> min domain uid = 0
>
> Restart Samba and try again, but only for test purposes, after that
> never use Administrator directly on Unix.
>
> Rowland
Rowland Penny
2022-Nov-28 16:44 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
On 28/11/2022 16:11, Juan Ignacio wrote:
> I didn't log into unix directly, I logged on a windows machine.
> The problem is I needed the administrator account to manage some gpos
> and move the files from one member server to another and rewrite the
> permissions, timestamp and file ownership on windows.
> If I write a file on the member it shows as root what seems correct for
> me because I don't want anyone accessing that share right now.
> At least until I finish migrating the files.
>
> > Administrator is the Windows
> > administrator with the RID '500', so with your DOMAIN low range it will
> > have the Unix ID 10500, it is just a normal Unix user.
>
> How can I know that?
>
> We are not mapping administrator to root?
>
> OURDOMAIN\administrator is not equal to root and the uid=0?
>
> Sorry im trying to understand better.

You are (or were) mapping Administrator to root, you had in smb.conf this line:

username map = /etc/samba/user.map

which should contain one line:

!root = OURDOMAIN\Administrator

This would, when Administrator connects via Samba, have mapped the Windows user 'Administrator' to the Unix user 'root'.

However, due to a recent change, any RID under '1000' is ignored unless you also set 'min uid = 0' in smb.conf.

If you run 'getent passwd Administrator' on a Unix machine, you should get something like this:

administrator:*:10500:10513::/home/administrator:/bin/bash

This is using the 'rid' idmap backend.

As you can see, Unix knows 'Administrator' by the ID '10500'. '10500' != '0' ('0' being the Unix ID for 'root').

Do not do anything directly on Unix as Administrator. If you want to use Administrator on Unix, use the 'root' user instead.

I hope this helps.

Rowland
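
The two mappings discussed in this thread, worked through as an added example that is not part of the original messages: it computes the Unix ID the 'rid' idmap backend assigns to a RID (per the idmap_rid documentation, ID = RID - BASE_RID + LOW_RANGE_ID) and lists which Windows names a username map file maps to root. The function names and the sample inputs are constructed for illustration, using OURDOMAIN as the idmap domain.

```python
import re

# Constructed sample inputs modelled on the settings quoted in the thread.
SMB_CONF = """\
[global]
    workgroup = OURDOMAIN
    username map = /etc/samba/user.map
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config OURDOMAIN : backend = rid
    idmap config OURDOMAIN : range = 10000-9999999
"""
USER_MAP = "!root = OURDOMAIN\\Administrator\n"

def idmap_settings(conf):
    """Return {domain: {option: value}} from 'idmap config DOM : opt = val' lines."""
    out = {}
    pat = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)
    for line in conf.splitlines():
        m = pat.match(line)
        if m:
            out.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return out

def rid_to_unix_id(conf, domain, rid):
    """Apply the idmap_rid formula; None if the domain is not rid-backed or out of range."""
    cfg = idmap_settings(conf).get(domain.upper())
    if not cfg or cfg.get("backend") != "rid":
        return None
    low, high = (int(x) for x in cfg["range"].split("-"))
    unix_id = rid - int(cfg.get("base_rid", 0)) + low
    return unix_id if low <= unix_id <= high else None

def mapped_to_root(user_map):
    """Windows names a username map assigns to Unix root (quoted names with spaces not handled)."""
    names = []
    for line in user_map.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, win = line.split("=", 1)
        if unix.strip().lstrip("!").strip() == "root":
            names += win.split()
    return names

if __name__ == "__main__":
    print("RID 500 ->", rid_to_unix_id(SMB_CONF, "OURDOMAIN", 500))
    print("mapped to root:", mapped_to_root(USER_MAP))
```

RID 513 (Domain Users) maps to 10513 under the same range, which matches the group ID in the getent output quoted above.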