Vladimir Shved
2009-Mar-19 21:28 UTC
[Samba] root ownership on all new files for admin users
Hello,

I have a Samba server on a Windows domain, in ADS mode, but have a problem tracking files that belong to admin users: any time a new file is created, the default owner is root. For non-admin users it's normal, newly created files have correct ownership permissions. It's possible for a user to go and take ownership manually from a Windows machine, but it's just inconvenient. Is there any way to change the default behavior to create files with the correct ownership of the original user rather than mapping to root for admin users?

Thank you,
Vladimir Shved

My setup:
Ubuntu 8.04 Hardy
Samba 3.0.28a
ext3 fs w/ ACLs

censored smb.conf:
[global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.LOCAL
        server string = File Server
        security = ADS
        syslog = 0
        log file = /var/log/samba/log.%m
        log level = 1 ads:10 auth:10 sam:10 rpc:10
        max log size = 1000
        local master = No
        dns proxy = No
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        wins server = 192.168.1.2
        winbind enum users = no
        winbind enum groups = no
        winbind use default domain = yes
        winbind nested groups = yes
        passdb backend = tdbsam

        ldap ssl = on

        idmap domains = MYDOMAIN
        idmap config MYDOMAIN:backend = ldap
        idmap config MYDOMAIN:readonly = yes
        idmap config MYDOMAIN:default = yes
        idmap config MYDOMAIN:ldap_base_dn = ou=idmap,dc=mydomain,dc=local
        idmap config MYDOMAIN:ldap_url = ldaps://ldapmachine
        idmap config MYDOMAIN:ldap_anon = yes

        idmap alloc backend = tdb
        idmap alloc config:range = 30000-49999

        template shell = /bin/bash

        admin users = @"BUILTIN\administrators"
        write list = @"BUILTIN\administrators"
        client use spnego = yes
        domain master = no
        load printers = no
        printing = bsd
        printcap name = /dev/null
        show add printer wizard = no
        disable spoolss = yes

        guest account = nobody
        map to guest = bad user
        invalid users = root
        map to guest = bad password

[share]
        path = /share
        guest ok = Yes
        create mask = 0664
        directory mode = 0775
Volker Lendecke
2009-Mar-19 21:44 UTC
[Samba] root ownership on all new files for admin users
On Thu, Mar 19, 2009 at 03:28:07PM -0600, Vladimir Shved wrote:
> I have a Samba server on a Windows domain, in ADS mode, but have a problem
> tracking files that belong to admin users: any time a new file is created,
> the default owner is root. For non-admin users it's normal, newly
> created files have correct ownership permissions. It's possible for a
> user to go and take ownership manually from a Windows machine, but it's
> just inconvenient. Is there any way to change the default behavior to
> create files with the correct ownership of the original user rather than
> mapping to root for admin users?

Remove the @"BUILTIN\administrators" line from your smb.conf.

Volker
Mark Casey
2009-Mar-19 21:56 UTC
[Samba] root ownership on all new files for admin users
Hi,

I'm dealing with the same issue, so I thought I'd share a few ideas I've found so far.

"write users=" should just be letting those users write as themselves. It's the "admin users=" line that is intervening and mapping them to root.

If it's just the need for admin rights, I know that there is a privileges system built into Samba. Most of the things you would want an admin user to be able to do can actually be enabled for that user instead of mapping them to root. I've read that while no account has any privileges by default, the Domain Admins group is automatically given the right to hand out new privileges. Just search for "samba privileges" online; I think this is the preferred way to accomplish what you want, removing the need for the admin users parameter.

Another thing you may consider is just making a new user in AD, and then changing the "admin users" line so that it only lists that account. I don't even imagine that account would have to be an admin as far as Windows is concerned, but it could be made one if the situation arises to warrant it. Then your write list can write as themselves, and the new user can be mapped to root and not used to edit users' files. They could share the password if more than one person needs access, which is no worse than having them all mapped to root anyway (possibly better).

I don't quite have it figured out yet, so double check me if you go with one of those, but HTH.

-Mark

Vladimir Shved wrote:
> Hello,
> I have a Samba server on a Windows domain, in ADS mode, but have a problem
> tracking files that belong to admin users: any time a new file is created,
> the default owner is root. For non-admin users it's normal, newly
> created files have correct ownership permissions. It's possible for a
> user to go and take ownership manually from a Windows machine, but it's
> just inconvenient. Is there any way to change the default behavior to
> create files with the correct ownership of the original user rather than
> mapping to root for admin users?
Vladimir Shved
2009-Mar-20 14:36 UTC
[Samba] root ownership on all new files for admin users
Looks like removing `admin users = @"BUILTIN\administrators"` helped, so it's solved. The only reason I added that line was so that non-domain admins could manage groups on that machine, but it seems simply adding them to BUILTIN\administrators is sufficient.

Thank you for helping me with this.

--Vlad

On Thu, Mar 19, 2009 at 3:56 PM, Mark Casey <markc@unifiedgroup.com> wrote:
> Hi,
>
> I'm dealing with the same issue, so I thought I'd share a few ideas I've
> found so far.
>
> "write users=" should just be letting those users write as themselves. It's
> the "admin users=" line that is intervening and mapping them to root.
>
> If it's just the need for admin rights, I know that there is a privileges
> system built into Samba. Most of the things you would want an admin user
> to be able to do can actually be enabled for that user instead of mapping
> them to root. I've read that while no account has any privileges by default,
> the Domain Admins group is automatically given the right to hand out new
> privileges. Just search for "samba privileges" online; I think this is the
> preferred way to accomplish what you want, removing the need for the admin
> users parameter.
>
> Another thing you may consider is just making a new user in AD, and then
> changing the "admin users" line so that it only lists that account. I don't
> even imagine that account would have to be an admin as far as Windows is
> concerned, but it could be made one if the situation arises to warrant it.
> Then your write list can write as themselves, and the new user can be mapped
> to root and not used to edit users' files. They could share the password if
> more than one person needs access, which is no worse than having them all
> mapped to root anyway (possibly better).
>
> I don't quite have it figured out yet, so double check me if you go with one of
> those, but HTH.
>
> -Mark
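The thread's root cause is that `admin users` makes smbd perform every file operation for the listed principals as root, so files they create are owned by root; `write list` only grants write access and leaves ownership alone. As an added example (not code from the thread or from the Samba project), the Python script below audits an smb.conf for exactly this: it resolves the effective `admin users` for each share (a share-level value overrides the `[global]` default), shows where the setting came from, and lists which of those principals are also on the `write list` and so would keep write access if the `admin users` entry were dropped, as the original poster's fix did. The embedded config is a constructed sample modelled on the one posted above; its domain, group, share and account names are placeholders.

```python
import re

# Constructed sample smb.conf modelled on the one posted in this thread.
# Domain, group, share and account names are placeholders, not the poster's values.
SAMPLE_SMB_CONF = r"""
[global]
        workgroup = MYDOMAIN
        security = ADS
        ; 'admin users' makes smbd run these users' file operations as root
        admin users = @"BUILTIN\administrators"
        write list = @"BUILTIN\administrators"
        invalid users = root

[share]
        path = /share
        guest ok = Yes
        create mask = 0664

[backup]
        path = /backup
        admin users = svc_backup, @"MYDOMAIN\backup operators"
        write list = @"MYDOMAIN\backup operators"
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}.
    Parameter names are lower-cased and whitespace-normalised, since smbd
    treats 'Admin Users' and 'admin users' as the same parameter."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def split_name_list(value):
    """Split a Samba user/group list into entries, keeping the '@' group
    marker and honouring double quotes around names that contain spaces."""
    entries = []
    for m in re.finditer(r'(@?)"([^"]*)"|(\S+)', value.replace(",", " ")):
        entries.append(m.group(1) + m.group(2) if m.group(2) is not None else m.group(3))
    return entries


def effective(sections, share, key):
    """A share-level setting overrides the [global] default for that share."""
    return sections[share].get(key, sections.get("global", {}).get(key, ""))


def audit(text):
    """For every share, list the principals smbd will map to root via
    'admin users', where the setting came from, and which of them are
    also on the 'write list' (and so keep write access without root
    mapping if the 'admin users' entry is removed)."""
    sections = parse_smb_conf(text)
    findings = []
    for share, params in sections.items():
        if share == "global":
            continue
        admins = split_name_list(effective(sections, share, "admin users"))
        if not admins:
            continue
        writers = split_name_list(effective(sections, share, "write list"))
        findings.append({
            "share": share,
            "source": "share" if "admin users" in params else "global",
            "admin_users": admins,
            "also_in_write_list": [a for a in admins if a in writers],
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SMB_CONF):
        print(f"[{f['share']}] admin users ({f['source']}): {', '.join(f['admin_users'])}")
        print(f"    also on write list: {', '.join(f['also_in_write_list']) or '(none)'}")
```

Run against a real smb.conf by reading the file into `audit()`; a finding whose source is `global` means every share inherits the root mapping, which is the situation in the posted configuration. The parser is deliberately small: it does not follow `include =` lines or expand `%` substitutions, so for a configuration that uses those, check the output of `testparm -s` instead of the raw file.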