Alex Matthews
2013-May-31 11:56 UTC
[Samba] 'Administrator' account (UID 0) on Samba member of a Samba4 AD DC
Hi all,

I have a samba server as member of an AD DC.
In said AD DC there is the 'administrator' user which has the default UID of 0 (the same as root)

from the ADDC:

    # id administrator
    uid=0(root) gid=513(SMC\Domain Users) groups=0(root),513(SMC\Domain Users),3000005(SMC\Group Policy Creator Owners),3000009(SMC\Enterprise Admins),512(SMC\Domain Admins),3000007(SMC\Schema Admins)

from the member server:

    # id administrator
    id: administrator: no such user

It also does not appear in wbinfo -u or getent passwd

The issue is that if I log on to a Windows machine as the administrator user I cannot access a share on the member server as it does not authenticate.

my smb.conf is pretty simple:

    [global]
    workgroup = SMC
    realm = internal.stmaryscollege.co.uk
    netbios name = PVE-ARCH-S3-02
    security = ADS
    encrypt passwords = yes
    server role = MEMBER SERVER

    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config SMC:backend = ad
    idmap config SMC:schema_mode = rfc2307
    idmap config SMC:range = 0-40000

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

(Note: I changed the idmap config SMC:range to include '0' as I thought this might encourage samba to idmap the root user... but no dice...)

Thanks,
Alex
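An added example, not part of the original post or of Samba: a small check an administrator could run over a member server's smb.conf to list idmap ranges that reach into local system IDs (ID 0 included, as in the SMC range above) or that overlap each other. The function names and the 1000 threshold are assumptions of this example.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in the post above.
SMB_CONF = """\
[global]
workgroup = SMC
security = ADS
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config SMC:backend = ad
idmap config SMC:schema_mode = rfc2307
idmap config SMC:range = 0-40000
"""

# Matches "idmap config DOMAIN:option = value".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.IGNORECASE)

def idmap_ranges(text):
    """Return {domain: (low, high)} for every 'idmap config DOMAIN:range' line."""
    ranges = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            low, high = (int(part) for part in m.group(3).split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges

def audit_idmap(text, first_regular_id=1000):
    """List ranges that reach local system IDs or overlap another domain's range.

    first_regular_id is an assumption of this example (a common first
    non-system UID on Linux), not a Samba parameter.
    """
    ranges = idmap_ranges(text)
    findings = []
    for domain, (low, high) in sorted(ranges.items()):
        if low == 0:
            findings.append(f"{domain}: range {low}-{high} includes ID 0 (root)")
        elif low < first_regular_id:
            findings.append(f"{domain}: range {low}-{high} starts below {first_regular_id}")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"{a} and {b}: ranges overlap")
    return findings
```

Calling audit_idmap(SMB_CONF) on the sample returns a single finding, for the SMC range that starts at 0.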
steve
2013-May-31 12:12 UTC
[Samba] 'Administrator' account (UID 0) on Samba member of a Samba4 AD DC
On Fri, 2013-05-31 at 12:56 +0100, Alex Matthews wrote:
> Hi all,
>
> I have a samba server as member of an AD DC.
> In said AD DC there is the 'administrator' user which has the default
> UID of 0 (the same as root)
> from the ADDC:
>
> # id administrator
> uid=0(root) gid=513(SMC\Domain Users) groups=0(root),513(SMC\Domain
> Users),3000005(SMC\Group Policy Creator Owners),3000009(SMC\Enterprise
> Admins),512(SMC\Domain Admins),3000007(SMC\Schema Admins)
>
> from the member server:
> # id administrator
> id: administrator: no such user

Map it to root:

    [global]
    ...
    username map = /path/to/usermap
    ...

with /path/to/usermap having something like:

    root = SMC\\administrator SMC\administrator

(not sure about the backslashes so I've put both possibilities)