Hi list,

I am experimenting with two member servers (both samba4). I am using the following configuration:

membersrv:/etc/samba/smb.conf:
==============================
[...]
username map = /etc/samba/smbmap
[...]

membersrv:/etc/samba/smbmap:
============================
!root = MYDOM\johndoe MYDOM\foo MYDOM\bar MYDOM\Administrator Administrator

So the domain users from my AD called "John Doe", "Foo" and "Bar", as well as the default samba4 AD "Administrator" account, are all mapped to the local "root" account on that particular member server. That takes effect, I tested it. When I am logged in as "John Doe" and create a directory or file, it has owner=root and group=root. If I don't use smbmap the owner would be "johndoe" and the group would be "domain users". So far so good ...

Note: the AD users "johndoe", "foo", "bar" and "administrator" are members of the group "MYDOM\Domain Admins".

Now I create a [test] share in smb.conf and the directory on my member server with "mkdir -p /some/dir". This directory has file mode 0755 and owner=root group=root. Through my Windows machine I right-click on "Computer", choose "Manage" and "Connect to..." my member server, where I can see all the shares. I double-click on the newly created share called [test]. At the top of the properties window I choose the {Sharing} tab and set up the following objects:

MYDOM\Domain Admins ==> Full
MYDOM\Domain Users ==> Full
SYSTEM ==> Full

But with these share settings, the user "JohnDoe", "Foo" or "Bar" *cannot* access the [test] share because he's not allowed to.

When I use "EVERYONE" as a standalone setting in the {Sharing} tab...

EVERYONE ==> Full

*it works*! JohnDoe, Foo or Bar can access the share. But let's go ahead ...

When I replace "Domain Admins" from the initial example with "Authenticated Users":

Authenticated Users ==> Full
MYDOM\Domain Users ==> Full
SYSTEM ==> Full

*it works*! That means the {Sharing} tab *needs* to have Authenticated Users in it, else the mapped root account is not recognized and takes no effect. I'd like to know why it doesn't work in the first example, where I have MYDOM\Domain Admins in the list??? And please, could anyone also explain to me what SYSTEM is good for and what exactly it is related to?

Thanks in advance,
Mirco
Great, you found it. It was the

> Authenticated Users ==> Full

yes! Good job.

> MYDOM\Domain Admins ==> Full
> MYDOM\Domain Users ==> Full
> SYSTEM ==> Full

In the above example, your computer account cannot access the share. The computer is not in "Domain Admins", "Domain Users" or SYSTEM. BUT your computer account is a member of "Authenticated Users". That's the only explanation I have, if it's right.. no, the first example should work also imo, but it does not.

Louis

> -----Original message-----
> From: micromegas at mail333.com [mailto:samba-bounces at lists.samba.org] On behalf of ?icro MEGAS
> Sent: Thursday 30 October 2014 0:30
> To: samba at lists.samba.org
> Subject: [Samba] domain user mapped to unix/root via smbmap
>
> [...]
On 29/10/14 23:30, ?icro MEGAS wrote:
> Hi list,
>
> [...]
>
> Thanks in advance,
> Mirco

OK, when you map somebody to 'root', they become 'root', so it doesn't matter that the original users are members of 'Domain Admins', root isn't. When you use 'EVERYONE' this does what it says on the tin, it lets anybody connect; it is similar for 'Authenticated Users'.

Rowland
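Rowland's explanation, as a small Python model added here (this is not code from the thread and not Samba's own token or ACL code). It assumes, as Rowland describes, that once "username map" has turned johndoe into root the session token carries root's identity plus the well-known Everyone (S-1-1-0) and Authenticated Users (S-1-5-11) SIDs and none of the original user's AD groups; the MYDOM domain SID and RIDs are constructed. SYSTEM (S-1-5-18) is the local NT AUTHORITY\SYSTEM identity of the machine itself, which a remote SMB session never carries, so granting it on the Sharing tab does nothing for any client. The share ACL evaluation follows the ordinary Windows DACL rules (first matching deny wins, allows accumulate), and the fourth scenario goes beyond the thread to show that a deny ACE on a domain group also stops applying after the map.

```python
"""Model of share-ACL checks before and after a 'username map' to root.

Added example, not from the thread or from Samba. Token contents after the
map are an assumption taken from Rowland's explanation; MYDOM SIDs are made up.
"""
from dataclasses import dataclass

# Well-known SIDs (real values)
EVERYONE = "S-1-1-0"
AUTHENTICATED_USERS = "S-1-5-11"
SYSTEM = "S-1-5-18"              # NT AUTHORITY\SYSTEM: the local OS identity, never a remote session
UNIX_USER_ROOT = "S-1-22-1-0"    # Samba "Unix Users" SID for uid 0 (assumed idmap for root)
UNIX_GROUP_ROOT = "S-1-22-2-0"   # Samba "Unix Groups" SID for gid 0

# Constructed domain SID and RIDs for MYDOM (hypothetical values)
MYDOM = "S-1-5-21-1111-2222-3333"
DOMAIN_ADMINS = MYDOM + "-512"
DOMAIN_USERS = MYDOM + "-513"
JOHNDOE = MYDOM + "-1105"

FULL = 0x1F01FF   # "Full" on the Sharing tab


@dataclass
class Ace:
    trustee: str
    mask: int
    allow: bool = True


def token_for_domain_user(user_sid, group_sids):
    """Token an AD user gets when no username map is in effect."""
    return {user_sid, EVERYONE, AUTHENTICATED_USERS, *group_sids}


def token_after_root_map():
    """Assumed token once 'username map' has made the session root:
    root's own SIDs plus the well-known session SIDs, no AD groups."""
    return {UNIX_USER_ROOT, UNIX_GROUP_ROOT, EVERYONE, AUTHENTICATED_USERS}


def share_access_check(acl, token, desired):
    """Windows-style DACL walk: a matching deny that overlaps the desired
    bits fails immediately; allows accumulate until every bit is granted."""
    granted = 0
    for ace in acl:
        if ace.trustee not in token:
            continue
        if not ace.allow:
            if ace.mask & desired:
                return False
            continue
        granted |= ace.mask & desired
        if granted == desired:
            return True
    return granted == desired


def run_scenarios():
    """Returns {scenario: (access as unmapped johndoe, access once mapped to root)}."""
    johndoe = token_for_domain_user(JOHNDOE, [DOMAIN_USERS, DOMAIN_ADMINS])
    as_root = token_after_root_map()
    acls = {
        # Mirco's first attempt
        "admins+users+system": [Ace(DOMAIN_ADMINS, FULL), Ace(DOMAIN_USERS, FULL), Ace(SYSTEM, FULL)],
        # Everyone alone
        "everyone": [Ace(EVERYONE, FULL)],
        # Domain Admins swapped for Authenticated Users
        "authusers+users+system": [Ace(AUTHENTICATED_USERS, FULL), Ace(DOMAIN_USERS, FULL), Ace(SYSTEM, FULL)],
        # Beyond the thread: a deny on Domain Admins is also lost by the map
        "everyone_minus_admins": [Ace(DOMAIN_ADMINS, FULL, allow=False), Ace(EVERYONE, FULL)],
    }
    return {
        name: (share_access_check(acl, johndoe, FULL), share_access_check(acl, as_root, FULL))
        for name, acl in acls.items()
    }


if __name__ == "__main__":
    for name, (plain, mapped) in run_scenarios().items():
        print(f"{name:24s} johndoe: {plain!s:5s}  mapped to root: {mapped}")
```

The first three scenarios reproduce what Mirco observed: the only trustees root's session still matches are Everyone and Authenticated Users. The last one is the security caveat that follows from the same fact: once a domain account is mapped to root, neither allow nor deny entries for its AD groups apply to it, and since root passes every POSIX permission check on the filesystem, the share ACL is the only layer still distinguishing those four accounts from any other domain user.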